Wireguard GUI on my asus merlin router

Very excited to hear that WireGuard functionality is coming through the user interface! Will that (GUI) functionality also be available for the RT-AC86U, or only for RT-AX86U?

This post makes me think it’s likely, but I’m not sure. Hope the question isn’t too noobish. Reason for asking is that I’m looking to extend my current RT-AC86u with an AiMesh node, and it might be the right time to upgrade - if the RT-AC86u will not support WireGuard with these updates. I know it’s possible through other means than the GUI, given other posts on this forum, but that’s beyond my skill level I’m afraid o_O
 
Very excited to hear that WireGuard functionality is coming through the user interface! Will that (GUI) functionality also be available for the RT-AC86U, or only for RT-AX86U?
Only ASUS can answer that, or maybe RMerlin if/when he adapts the ASUS GUI.
This post makes me think it’s likely, but I’m not sure. Hope the question isn’t too noobish. Reason for asking is that I’m looking to extend my current RT-AC86u with an AiMesh node, and it might be the right time to upgrade - if the RT-AC86u will not support WireGuard with these updates.
WireGuard Manager does (on RMerlin firmware) support the RT-AC86U, and most of the RT-AX5/8/n series etc.
I know it’s possible through other means than the GUI, given other posts on this forum, but that’s beyond my skill level I’m afraid o_O
I'm sure it isn't...

i.e. If you can type these commands
Bash:
amtm

i

wg

1

import your_VPN_ISP_WireGuard_client_profile

start wg11
then you should be up and running with WireGuard.
 
I know it’s possible through other means than the GUI, given other posts on this forum, but that’s beyond my skill level I’m afraid o_O

Don't sell yourself short my friend. Even without the wireguard session manager, to get a wireguard server up is not at all that complicated.
 
Only ASUS can answer that, or maybe RMerlin if/when he adapts the ASUS GUI.

WireGuard Manager does (on RMerlin firmware) support the RT-AC86U, and most of the RT-AX5/8/n series etc.

I'm sure it isn't...

i.e. If you can type these commands
Bash:
amtm

i

wg

1

import your_VPN_ISP_WireGuard_client_profile

start wg11
then you should be up and running with WireGuard.

Thanks for the info. I think I'll just delay the purchase until I figure out more or more information comes out, since I would really like to pivot away from OpenVPN to WireGuard going forward.

My worry about the skill level is that I never set up anything routing related on the command-line, while I use the VPN Director/Policy functionality to selectively route some machines through client 1 (kill-switch), others through client 2 (non kill-switched), and some without any tunneling at all. So setting up WireGuard and figuring out how to do Policy Routing on the command-line seemed a little too much. But given your hello world it seems that the WireGuard part is actually quite straight-forward using amtm. I'll definitely give it a go. Thanks for the info and the example!

Don't sell yourself short my friend. Even without the wireguard session manager, to get a wireguard server up is not at all that complicated.

Thanks for the vote of confidence :).
 
I use the VPN Director/Policy functionality to selectively route some machines through client 1 (kill-switch), others through client 2 (non kill-switched), and some without any tunneling at all. So setting up WireGuard and figuring out how to do Policy Routing on the command-line seemed a little too much.
Suppose you have two OpenVPN clients and the VPN Director rules look like

[Image: 1648042844788.png]


Now if you create the equivalent WireGuard 'client' Peers wg11 and wg12, you can use the wireguard_manager command vpndirector clone

e.g.
Code:
e  = Exit Script [?]

E:Option ==> vpndirector clone

    Auto clone VPN Director rules

    peer wg11 rule add wan 172.16.1.111 comment Core Server
    [?] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 172.16.1.123 comment Tablet Streaming
    [?] Updated RPDB Selective Routing rule for wg11

    peer wg12 rule add vpn 172.16.1.99 comment Netflix TV USA
    [?] Updated RPDB Selective Routing rule for wg12


    VPN Director Selective Routing RPDB rules

ID  Peer  Interface  Source        Destination  Description
1   wg11  WAN        172.16.1.111  Any          VPN Director: Core Server
2   wg11  VPN        172.16.1.123  Any          VPN Director: Tablet Streaming
3   wg12  VPN        172.16.1.99   Any          VPN Director: Netflix TV USA
and the corresponding cloned rules (as shown) will be applied/used by the WireGuard 'client' Peers once the default Peer type is changed to Policy Rules using peer wg11 auto=p and peer wg12 auto=p
 
Amazing, thanks for the reply and the info on the vpndirector command, that was invaluable to me.

I've gotten a little proof of concept - of tunneling one device through a specific VPN client and the rest through regular WAN - to work thanks to your tips! Awesome that the vpndirector integration is already there, and working. The state is also persisted between reboots, which is great.

When checking out the GitHub page and the module I noticed your name. Appreciate all the work that you put into this and doubly so for helping out this internet stranger.

Will now run a PoC to create a VPN server on the router using WireGuard, and need to still test whether the killswitch per interface functionality works as I expect. Exciting times.
 
Unclear about this, but, should the AC5300 be on the list of routers that will get Wireguard?

As long as the router has a newer kernel, say Version 4 and above, the odds are good. From an SSH shell, run uname -r and see what you get.

You can also, again from an SSH window, execute which wg and see if the user space tool is installed. If it is, you are good.
 
As long as the router has a newer kernel, say Version 4 and above, the odds are good. From an SSH shell, run uname -r and see what you get.

You can also, again from an SSH window, execute which wg and see if the user space tool is installed. If it is, you are good.
Ugh, uname -r shows: 2.6.36.4brcmarm I thought the 5300 was newer, lol. Which wg shows, nada.
 
Well, you can always start to drop hints to the better half about upcoming birthday or Christmas wishes. Or, arrange an accidental floor drop.......
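
The two checks suggested in the replies above (`uname -r` and `which wg`), combined into one script. This is an added example, not part of the original posts. The function names and verdict strings are hypothetical, and the "kernel 4 and above" threshold is the poster's rule of thumb rather than a guarantee of support.

```shell
#!/bin/sh
# Added example: applies the thread's rule of thumb (kernel major version 4
# or newer, plus the `wg` userspace tool) to decide if WireGuard is plausible.

# Print the major version from a `uname -r` string such as "2.6.36.4brcmarm".
# Fails if the string does not start with a digit (empty or garbled input).
kernel_major() {
    case "$1" in
        [0-9]*) printf '%s\n' "${1%%[!0-9]*}" ;;  # strip from first non-digit
        *)      return 1 ;;
    esac
}

# Verdict for a kernel release string ($1) and a wg-tool flag ($2, 1 = present).
# Both are passed in as arguments so the logic can be checked off-router.
wg_verdict() {
    major=$(kernel_major "$1") || { echo "unknown"; return 0; }
    if [ "$major" -ge 4 ] && [ "$2" -eq 1 ]; then
        echo "ready"             # kernel passes and wg is installed
    elif [ "$major" -ge 4 ]; then
        echo "kernel-ok-no-wg"   # kernel passes the rule of thumb, tool missing
    else
        echo "kernel-too-old"    # e.g. the 2.6.36 kernel reported in the thread
    fi
}

# Live check on the router itself, using the same two commands from the thread.
check_this_router() {
    if command -v wg >/dev/null 2>&1; then have_wg=1; else have_wg=0; fi
    wg_verdict "$(uname -r)" "$have_wg"
}

# Only touch the live system when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    check_this_router
fi
```

Saved on the router under any name, it is started as `sh <script> run` from the SSH session.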
 

WireGuard GUI on Asuswrt

The graphical user interface can be found in the “Advanced / VPN Configuration” section, in this menu we will have to go to the “WireGuard Server” tab where we will have all the configuration options. Currently it is only possible to configure one instance of this VPN server, although it is possible that we may soon have different VPN servers with different configurations.

The options that ASUS allows us are to activate the VPN, enable the router’s DNS servers and use or not a pre-shared key. We also have the option to configure Keep-alive rel, by default it is 25 seconds and it is what is recommended from the official documentation. Once we have clicked on “Apply”, the private and public keys will be created completely automatically, if we have selected “Use Preshared Key” they will also be generated automatically without us having to do anything.

WireGuard performance on ASUS ZenWiFi XT8 router

We have tried to put a Jperf server in the local network of the router, with address 192.168.50.0/24. The Jperf client will be in the local network of the 10.11.1.0/24 subnet that belongs to the router’s WAN, in this way, we will be able to verify the real performance that we will be able to achieve in a Gigabit Ethernet environment. We have used 50 concurrent TCP threads in all tests.


In the following image you can see how we have achieved a real speed of 360Mbps upstream, that is, from the client to the Jperf server that is within the local network. You can also see the establishment of the connection with the TunSafe program for Windows.

[Image: 1648092148044.png]


In this other test we have carried out another test to check the speed again, in addition, in this case you can see the upload speed set by the TunSafe program that we have used.

[Image: 1648092201072.png]


As you can see, we have a very high performance in the VPN, achieving almost the real 400Mbps, a very high figure if we take into account that this router does not have the most powerful CPU, other models such as the GT-AX11000 or the RT-AX86U will achieve a better safe performance, therefore, the incorporation of this service is great news.

Other improvements over VPNs

ASUS developers have incorporated a menu called “Multiple VPN connection”, this allows us to connect in VPN client mode to different remote servers. Currently supports PPTP, L2TP, OpenVPN, HMA (Hide My butt) protocols and also supports WireGuard. Thanks to these menus, we can create different VPN clients and assign them to different computers on the local network, for example, we can configure our Smart TV to go to the Internet through one of these tunnels, ideal for bypassing Netflix regional blocks or similar.

[Image: 1648092289201.png]

[Image: 1648092309841.png]


As you have seen, we have a large number of improvements to come, right now all these functions are in beta phase, so they could have bugs, but in our tests with WireGuard Server everything has worked perfectly.


We tested WireGuard VPN on ASUS official Asuswrt firmware | ITIGIC
 
Is the built-in implementation of Wireguard going to include a server so that router-to-router tunnels over the internet can be setup?
 
Is the built-in implementation of Wireguard going to include a server so that router-to-router tunnels over the internet can be setup?
or cjdns-wireguard-hyperboria meshnets?
 
N00b-question here:
When you talk about "Wireguard Server" stuff here that's for hosting your own VPN-tunnel right?
Whereas setting up the router as a Wireguard Client is more for connecting it to an external VPN service like for example "Mullvad".
Have I understood this correctly?
(probably not :D)
 
When you talk about "Wireguard Server" stuff here that's for hosting your own VPN-tunnel right?
Right - usually you would set up a WireGuard 'server' Peer on your router as you have identified a requirement to safely/securely access your home LAN from another location via the WireGuard VPN-tunnel.
Whereas setting up the router as a Wireguard Client is more for connecting it to an external VPN service like for example "Mullvad".
Have I understood this correctly?
Correct - although it doesn't have to be a commercial WireGuard VPN provider it could be a family member's home LAN.

NOTE: Unlike OpenVPN, WireGuard doesn't actually have a traditional 'server'/'client' hierarchy - WireGuard Peers are deemed equal.
 