Wireguard Standalone wg-quick alternative (no Entware/USB Drive required)

What do you get for output when you run the firewall script and the nat-start script directly?

Also, you need to enable scripts on the admin page of the GUI.
Scripts are allowed through the admin page.

Code:
Nickolau@RT-AC86U-7210:/jffs/scripts# nano firewall-start
Nickolau@RT-AC86U-7210:/jffs/scripts# ./firewall-start
Script called to add firewall rules for all wireguard instances
Deleting firewall rules
Adding firewall rules
Nickolau@RT-AC86U-7210:/jffs/scripts# nano nat-start
Nickolau@RT-AC86U-7210:/jffs/scripts# ./nat-start
Script called to add NAT iptables rules for all wireguard interfaces
Deleting NAT Rules
Adding NAT Rules
Nickolau@RT-AC86U-7210:/jffs/scripts# ./nat-start show
Script called to add NAT iptables rules for all wireguard interfaces
Deleting NAT Rules
Adding NAT Rules
Nickolau@RT-AC86U-7210:/jffs/scripts# ./firewall-start show
Script called to add firewall rules for all wireguard instances
Deleting firewall rules
Adding firewall rules
Nickolau@RT-AC86U-7210:/jffs/scripts#
 
Can you post the output of wg show interfaces?
 
Can you rename your config file so that the - is not there and try again? I am thinking the parser is getting messed up by the hyphen for the firewall and NAT restart.
 
Did it.

Not working.

Output:

Code:
Nickolau@RT-AC86U-7210:/tmp/home/root# /jffs/addons/wireguard/wg-tool.sh restart brsao show
[#] ip -4 rule delete table 51820
[#] ip rule delete table main suppress_prefixlength 0
[#] ip link del dev brsao
Wireguard interface brsao successfully deleted
Deleting firewall rules
Deleting NAT Rules
[#] ip link add dev brsao type wireguard
[#] ip -4 address add dev brsao  10.14.0.2/16
[#] ip link set up dev brsao
[#] ip link set mtu 1420 up dev brsao
[#] ip -4 route add 0.0.0.0/0 dev brsao table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Wireguard interface brsao successfully added
Adding firewall rules
[#] iptables -I INPUT -i brsao -j ACCEPT
[#] iptables -I FORWARD -i brsao -j ACCEPT
[#] iptables -I FORWARD -o brsao -j ACCEPT
[#] iptables -I OUTPUT -o brsao -j ACCEPT
Adding NAT Rules
[#] iptables -t mangle -I FORWARD -o brsao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -i brsao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -o brsao -j MARK --set-xmark 0x01/0x7
[#] iptables -t mangle -I PREROUTING -i brsao -j MARK --set-xmark 0x01/0x7
[#] iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o brsao -j MASQUERADE
[#] iptables -t nat -N DNSbrsao
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSbrsao
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSbrsao
[#] iptables -t nat -I OUTPUT -o brsao -p tcp -m tcp --dport 53 -j DNSbrsao
[#] iptables -t nat -I OUTPUT -o brsao -p udp -m udp --dport 53 -j DNSbrsao
[#] iptables -t nat -I DNSbrsao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbrsao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbrsao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t nat -I DNSbrsao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t mangle -A PREROUTING -p udp -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t mangle -A POSTROUTING -p udp -m mark --mark 0xca6c -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t raw -A PREROUTING -d 10.14.0.2/16 ! -i brsao -m addrtype ! --src-type LOCAL -j DROP
Nickolau@RT-AC86U-7210:/tmp/home/root#

When I comment out the services-start line that calls the script and call it manually, it works fine:
Code:
Connection to 10.0.0.1 closed.
nickolaubr@MacBook-Air ~ % ssh Nickolau@10.0.0.1
Nickolau@10.0.0.1's password:


ASUSWRT-Merlin RT-AC86U 386.11_0 Sun May 14 16:48:03 UTC 2023
Nickolau@RT-AC86U-7210:/tmp/home/root# cd /jffs/addons/wireguard/
Nickolau@RT-AC86U-7210:/jffs/addons/wireguard#
Nickolau@RT-AC86U-7210:/jffs/addons/wireguard# ./wg-tool.sh restart brsao show
[#] ip -4 rule delete table 51820
[#] ip rule delete table main suppress_prefixlength 0
[#] ip link del dev brsao
Wireguard interface brsao successfully deleted
Deleting firewall rules
Deleting NAT Rules
[#] ip link add dev brsao type wireguard
[#] ip -4 address add dev brsao  10.14.0.2/16
[#] ip link set up dev brsao
[#] ip link set mtu 1420 up dev brsao
[#] ip -4 route add 0.0.0.0/0 dev brsao table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Wireguard interface brsao successfully added
Adding firewall rules
[#] iptables -I INPUT -i brsao -j ACCEPT
[#] iptables -I FORWARD -i brsao -j ACCEPT
[#] iptables -I FORWARD -o brsao -j ACCEPT
[#] iptables -I OUTPUT -o brsao -j ACCEPT
Adding NAT Rules
[#] iptables -t mangle -I FORWARD -o brsao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -i brsao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -o brsao -j MARK --set-xmark 0x01/0x7
[#] iptables -t mangle -I PREROUTING -i brsao -j MARK --set-xmark 0x01/0x7
[#] iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o brsao -j MASQUERADE
[#] iptables -t nat -N DNSbrsao
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSbrsao
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSbrsao
[#] iptables -t nat -I OUTPUT -o brsao -p tcp -m tcp --dport 53 -j DNSbrsao
[#] iptables -t nat -I OUTPUT -o brsao -p udp -m udp --dport 53 -j DNSbrsao
[#] iptables -t nat -I DNSbrsao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbrsao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbrsao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t nat -I DNSbrsao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t mangle -A PREROUTING -p udp -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t mangle -A POSTROUTING -p udp -m mark --mark 0xca6c -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t raw -A PREROUTING -d 10.14.0.2/16 ! -i brsao -m addrtype ! --src-type LOCAL -j DROP
Nickolau@RT-AC86U-7210:/jffs/addons/wireguard#
 
Ok. I am turning in for the night, but this is a client, right? If so, it dawned on me that I helped another person with the same issue, and the fix was to call the tool from the wan-event script with a delay.

Remove the call to the tool in the services-start script, and create a wan-event script and put in:

Code:
#!/bin/sh

# The firmware calls wan-event with the WAN unit as $1 and the event name as $2.
if [ "$2" = "connected" ]; then
    sleep 10
    /path/to/wg-tool.sh start brsao
fi

Don't forget to make the fix executable.
 
Hmm, I remember reading it somewhere... Will give it a try.
Thanks, and have a good one!


Edit:

It worked fine!
👏 👏 👏 👏 👏 👏 👏
Thank you!
 
Perfect. You should probably change start to restart so that the interface gets restarted if the WAN goes down for any reason.
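The wan-event approach above, with the "restart" change from this last post, as an added example that is not the thread's or wg-tool's own code. It assumes the firmware passes the WAN unit as $1 and the event name as $2 (the convention the earlier snippet relies on), that wg-tool.sh sits at /jffs/addons/wireguard/wg-tool.sh as the thread's output shows, and that the instance is called brsao; override the variables at the top if your router differs. Instead of a fixed sleep it polls for an IPv4 default route (bounded by the same 10 s), and it takes a lock so two "connected" events in quick succession cannot run two restarts at once.

```shell
#!/bin/sh
# Added example: /jffs/scripts/wan-event handler for ASUSWRT-Merlin that restarts
# a WireGuard client instance once the WAN reports "connected". Not the thread's
# or wg-tool's own code; paths, names and the wan-event argument order are assumptions.

WG_TOOL="${WG_TOOL:-/jffs/addons/wireguard/wg-tool.sh}"   # path seen in the thread output
WG_IFACE="${WG_IFACE:-brsao}"                              # instance name from the thread
WAN_SETTLE_SECS="${WAN_SETTLE_SECS:-10}"                   # cap on the wait, like the thread's sleep 10
LOCK_DIR="${LOCK_DIR:-/tmp/wg-wan-event.lock}"             # mkdir-based lock, atomic on one host

log() {
    # syslog when available (shows up in the router's system log), stderr otherwise
    logger -t wg-wan-event "$*" 2>/dev/null || echo "wg-wan-event: $*" >&2
}

# Only "connected" qualifies. Other events (init, disconnected, stopped, ...) are
# ignored so a flapping WAN does not tear the tunnel down mid firewall reload.
should_restart() {
    case "$2" in   # $1 is the WAN unit, $2 the event name from the firmware
        connected) return 0 ;;
        *)         return 1 ;;
    esac
}

# Poll for an IPv4 default route instead of sleeping a fixed 10 s: a fast
# reconnect returns immediately, a slow one waits up to the cap.
wait_for_default_route() {
    n=0
    while [ "$n" -lt "$WAN_SETTLE_SECS" ]; do
        if ip -4 route show default 2>/dev/null | grep -q default; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# "restart" rather than "start": if the interface survived the WAN drop, start
# would leave the stale state in place, while restart deletes and rebuilds the
# interface, policy rules, firewall and NAT rules as the tool's output shows.
restart_tunnel() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "restart of $WG_IFACE already in progress, skipping"
        return 2
    fi
    if ! wait_for_default_route; then
        log "no default route after ${WAN_SETTLE_SECS}s, trying the restart anyway"
    fi
    "$WG_TOOL" restart "$WG_IFACE"
    rc=$?
    rmdir "$LOCK_DIR" 2>/dev/null
    log "restart of $WG_IFACE finished with status $rc"
    return "$rc"
}

# Entry point: 0 after a successful restart, 1 for an ignored event, 2 when
# another restart still holds the lock, otherwise wg-tool.sh's own exit status.
handle_wan_event() {
    if ! should_restart "$1" "$2"; then
        log "ignoring wan-event unit=$1 event=$2"
        return 1
    fi
    log "WAN unit $1 connected, restarting $WG_IFACE"
    restart_tunnel
}

# Run the handler only when invoked as the firmware's wan-event script, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    */wan-event) handle_wan_event "$@" ;;
esac
```

Install it as /jffs/scripts/wan-event, make it executable, and remove the wg-tool.sh call from services-start so the two do not race at boot. After the next WAN reconnect, wg show interfaces should list brsao and the system log should carry the "finished with status 0" line.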
 
