What's new

RT-AX58U Wireguard under Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Siouxsie

Occasional Visitor
Odkrys' thread about Wireguard is older than six months, so I can't ask this question there, otherwise I would.
The thread mainly concerns RT-AC86U and RT-AX88U but they recently added RT-AX58U (armv7l, 4.1.52) files to the first post, which I would be willing to test.
I'm not quite sure how to go about it, though, as I'm not super used to Linux. I don't mind it, I'm just not that experienced, but willing to learn.

I do have Merlin 384.19 installed on my RT-AX58U, with amtm 3.1.8 and entware 1.0-2 installed using the splendid guide by L&LD.

I gather that the .ko module could be imported using insmod, but is this the proper way? Would that make it survive a reboot (together with the nat-start script in jffs)?
Where would I place the compiled wg tool, unless there is a command for installing those? Does it go in the jffs partition somewhere, or is there a standard place like /opt/bin to store tools without packages?
After that, would I just add/create the .conf files manually, or do I need additional user space tools (not included in the wg file)?

Alternatively, would I be better off compiling an .ipk on my own, and if so -- could I do that by installing the linux headers for 4.1.52 on an Ubuntu VM and compiling wireguard there, or would I need the asuswrt-merlin repo as well? I don't mind doing this, I'm just a bit lost as to what is the right way to go about things.

Sorry this turned into a general support request, but if anyone could clarify for me which things I need to do, and which things I shouldn't do, I might be able to google my way to the details regarding how. Thankful for any pointers!
 
I would think that you're a few steps ahead of Asus and Merlin where it comes to Wireguard...so until they decide they want to catch up...
you may appreciate this:
I believe that's open/customizable enough for your purposes... if it works well, you might even considering calling it a fork and putting it up on your github for the rest of us to help test
 
@heysoundude That does look interesting, and I might look into it further down the line, thanks for the tip!

@Odkrys Thanks for the .ipks, they installed fine, and I think I followed the configuration instructions properly, but I might have missed something.
When running S50wireguard start I get the following:
insmod: can't insert '/opt/lib/modules/wireguard.ko': unknown symbol in module, or unknown parameter
RTNETLINK answers: Operation not supported
Unable to modify interface: Protocol not supported
Error: ??? prefix is expected rather than "(IPv4,IPv6)"


The only obvious changes I've made to the configurations are that I've renamed the .conf file (but also modified wg-up to create wg0 using the renamed .conf file), as well as the fact that my VPN provider supplies both [Interface] Address and DNS as comma separated lists rather than single IPs. Do you know if any of this might be problematic? I'm not sure how to interpret the insmod error message.
 
Last edited:
insmod: can't insert '/opt/lib/modules/wireguard.ko': unknown symbol in module, or unknown parameter

There appears to be a problem with the wireguard.ko module.
I don't have a unit so it's impossible to test.
Can you take the above files, move them to /opt/lib/modules and test them once?


insmod /opt/lib/modules/wireguard-no-strip.ko
rmmod wireguard

insmod /opt/lib/modules/wireguard-strip-debug.ko
rmmod wireguard

insmod /opt/lib/modules/wireguard-entware.ko
rmmod wireguard
 
I did dmesg | tail and saw the following, in case that is of interest:
wireguard: Unknown symbol kernel_neon_begin (err 0)
wireguard: Unknown symbol kernel_neon_end (err 0)


The same messages were triggered by each of the three additional .ko-files.
insmod /opt/lib/modules/wireguard-[version].ko
insmod: can't insert '/opt/lib/modules/wireguard-[version].ko': unknown symbol in module, or unknown parameter

with the same listed unknown symbols as above.

I'm out of my depth here, with no idea what kernel_neon is? I'll gladly try more things, if you have any ideas.
 
Code:
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 100.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 1
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 100.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 2
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 100.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Generic DT based system
Revision        : 0000
Serial          : 0000000000000000
 
@Siouxsie
It seems that module had a problem when building in-tree kernel module.
Please wait while doing a clean build.
It will take about 10 to 15 minutes.
 
Sure, I'm reading up on neon in the meantime. I was going to try and confirm the CONFIG_NEON flag, do you know where/how I can read the used configurations in my running Merlin installation?

Edit: Never mind, I found /proc/config.gz and confirmed that CONFIG_NEON=y
 
Well, it got a bit further!

I did opkg remove wireguard-kernel followed by opkg install for your new .ipk, which seemed to work fine.
On /opt/etc/init.d/S50wireguard start this time, I got
Error: ??? prefix is expected rather than "(IPv4,IPv6)". immediately, so it didn't run into the unknown symbol error.

However, soon after running this command the router entered a reboot loop, with a small window of opportunity right after boot for me to log in.
I did so, and ran opkg remove wireguard-kernel, after which it rebooted a final time, and since then we're back to normal (but with no wireguard-kernel installed).


I found this in the system log, and I assume it's representative of each reboot, even though I have not confirmed this.

Code:
May  5 07:05:08 crashlog: LOG
May  5 07:05:08 crashlog: pgd = c0014000
May  5 07:05:08 crashlog: [00004638] *pgd=00000000
May  5 07:05:08 crashlog: Internal error: Oops: 17 [#1] PREEMPT SMP ARM
May  5 07:05:08 kernel: klogd started: BusyBox v1.25.1 (2020-08-14 15:19:16 EDT)
May  5 07:05:08 crashlog: CPU: 1 PID: 6 Comm: kworker/u6:0 Tainted: P           O    4.1.52 #1
May  5 07:05:08 crashlog: Hardware name: Generic DT based system
May  5 07:05:08 crashlog: Workqueue: wg-kex-wg0 _118 [wireguard]
May  5 07:05:08 crashlog: task: df426400 ti: df44e000 task.ti: df44e000
May  5 07:05:08 crashlog: PC is at skb_release_data+0xb0/0xd0
May  5 07:05:08 kernel: Linux version 4.1.52 (merlin@ubuntu-dev) (gcc version 5.5.0 (Buildroot 2017.11.1) ) #1 SMP PREEMPT Fri Aug 14 15:32:27 EDT 2020
May  5 07:05:08 crashlog: LR is at __kfree_skb+0x3c/0x10c
May  5 07:05:08 crashlog: pc : [<c02e81a8>]    lr : [<c02e8204>]    psr: 200e0013
May  5 07:05:08 crashlog: sp : df44fc48  ip : 0000000e  fp : 00000022
May  5 07:05:08 crashlog: r10: d281e068  r9 : 00002000  r8 : 00130000
May  5 07:05:08 crashlog: r7 : d58ed340  r6 : d281e9b0  r5 : 00000000  r4 : d58ed340
May  5 07:05:08 crashlog: r3 : 000000b4  r2 : 00000000  r1 : 0000000e  r0 : 00004638
May  5 07:05:08 crashlog: Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
May  5 07:05:08 crashlog: Control: 10c5387d  Table: 1414804a  DAC: 00000015
May  5 07:05:08 crashlog: Process kworker/u6:0 (pid: 6, stack limit = 0xdf44e210)
May  5 07:05:08 crashlog: Modules linked in: wireguard init_addr(  (null) -   (null)), core_addr(bfd28000 - bfd40b18)
May  5 07:05:08 kernel: Kernel command line: isolcpus=2 root=ubi:rootfs_ubifs ubi.mtd=0 rootfstype=ubifs console=ttyAMA0 earlyprintk debug irqaffinity=0 cma=0M
May  5 07:05:08 crashlog:  xt_set init_addr(  (null) -   (null)), core_addr(bfd23000 - bfd23e5c)
May  5 07:05:08 crashlog:  ip_set init_addr(  (null) -   (null)), core_addr(bfd18000 - bfd1b53c)
May  5 07:05:08 crashlog:  nf_nat_sip init_addr(  (null) -   (null)), core_addr(bfd13000 - bfd146d0)
May  5 07:05:08 kernel: Virtual kernel memory layout:
[...]
May  5 07:05:08 kernel: print_rst_status: Last RESET due to SW reset
May  5 07:05:08 crashlog:
May  5 07:05:08 kernel: print_rst_status: RESET reason: 0x80000000
May  5 07:05:08 kernel: DYING GASP IRQ Initialized and Enabled

Any idea if I did anything wrong, for example missing some step required before S50wireguard start when the wireguard-kernel package had been removed and re-installed, or a configuration error (I still got the "??? prefix" message)?
 
Do we at least know whether comma separated IP addresses are supported for ip address add dev wg0 $LocalIP and server=$wgdns in resolv.dnsmasq?

The wireguard .conf file supports that under [Interface], but if the places where $LocalIP and $wgdns from S50wireguard are used do not, I'm not surprised that things go wrong. All examples I've seen only use a single Address and DNS, do you know if this is required?

Edit: I just noticed I'm not supposed to include the CIDR prefix in the S50wireguard file, as you had already pointed out in the original thread -- so that's likely a partial cause, I didn't realize that was the referred prefix from the error message. Still unclear whether comma-separation is supported or not. I'd like to confirm before trying, since I'd like to avoid the reboot loop if at all possible.
 
Do we at least know whether comma separated IP addresses are supported for ip address add dev wg0 $LocalIP and server=$wgdns in resolv.dnsmasq?

The wireguard .conf file supports that under [Interface], but if the places where $LocalIP and $wgdns from S50wireguard are used do not, I'm not surprised that things go wrong. All examples I've seen only use a single Address and DNS, do you know if this is required?

Edit: I just noticed I'm not supposed to include the CIDR prefix in the S50wireguard file, as you had already pointed out in the original thread -- so that's likely a partial cause, I didn't realize that was the referred prefix from the error message. Still unclear whether comma-separation is supported or not. I'd like to confirm before trying, since I'd like to avoid the reboot loop if at all possible.
Only support one local ip.
The configuration files they provide are for the wg-quick bash script tool used by wireguard, but cannot be used by asuswrt.
 
So I should put a single LocalIP (without CIDR prefix) and use a DNS over TLS like Quad9 instead of the DNS specified by my VPN provider?
Is there a specific reason I shouldn't use my VPN provider's DNS list? Couldn't I add it manually (as separate entries) in /tmp/resolv.dnsmasq and let S50wireguard contain just a DoT address?
 
So I should put a single LocalIP (without CIDR prefix) and use a DNS over TLS like Quad9 instead of the DNS specified by my VPN provider?
Is there a specific reason I shouldn't use my VPN provider's DNS list? Couldn't I add it manually (as separate entries) in /tmp/resolv.dnsmasq and let S50wireguard contain just a DoT address?
one local ip and one provier's dns as I remember.
 
So, with one LocalIP (without CIDR prefix), and one DNS server, I did not get the "??? prefix" error, but the router still rebooted with a crashlog:
Code:
Nov  7 16:38:19 admin: Starting WireGuard service.
May  5 07:05:08 kernel: klogd started: BusyBox v1.25.1 (2020-08-14 15:19:16 EDT)
May  5 07:05:08 crashlog: LOG
May  5 07:05:08 crashlog: pgd = c0014000
May  5 07:05:08 crashlog: [00009c00] *pgd=00000000
May  5 07:05:08 crashlog: Internal error: Oops: 17 [#1] PREEMPT SMP ARM
May  5 07:05:08 kernel: Linux version 4.1.52 (merlin@ubuntu-dev) (gcc version 5.5.0 (Buildroot 2017.11.1) ) #1 SMP PREEMPT Fri Aug 14 15:32:27 EDT 2020
May  5 07:05:08 crashlog: CPU: 1 PID: 535 Comm: kworker/u6:2 Tainted: P           O    4.1.52 #1
May  5 07:05:08 crashlog: Hardware name: Generic DT based system
May  5 07:05:08 crashlog: Workqueue: wg-kex-wg0 _118 [wireguard]

The /opt/etc/init.d/S50wireguard start command didn't show any output at all, and I never got my next prompt.
This time I removed wireguard-kernel immediately, so I cannot confirm that it would have kept crashing in a reboot loop.

cat /tmp/resolv.dnsmasq shows that the $wgdns did replace my existing entries, so /opt/etc/wireguard/wg-up must have started, but may not have completed?
Any ideas what this might mean, or where I should look next? I do appreciate all your help.
 
he router still rebooted with a crashlog:
The kernels of ac56u and ax58u appear to have compatibility issues with wireguard.
Broadcom did a lot of patching to the kernel, so it's not unusual.
I don't have a unit so I can't debug in more detail.
Sorry.
 
Too bad, but hopefully this thread can be enlightening to someone else.

I did finally try to step through the commands of wg-up one by one manually, and noticed that while

ip link add dev wg0 type wireguard
wg setconf wg0 /opt/etc/wireguard/15charactername.conf

both seemed to work, a subsequent wg showconf wg0 (or wg show wg0) never returned.

I don't know why setconf completed but showconf did not. Probably not an issue with my .conf file, since wg show doesn't complete even immediately after ip link add dev wg0 type wireguard.
Perhaps this can be a lead to someone investigating this further.
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top