Wireguard Wireguard Server - Backup/Restore/Migrate

ZebMcKayhan

Very Senior Member
This is a continuation of a discussion sparked by @jsbeddow here.

This has been requested a couple of times, by me as well, so I figured it is time to write something down to get things going. However, I only have 1 router and I'm not planning on doing any factory reset any time soon, and I am very dependent on my Wireguard Server, so I will not be able to restore any NVRAM variables; instead I am hoping there are people here that have the ability to try it out and report back. I will try to keep these instructions as updated as I can.

Update 5 Sept 2025: changed to downloading an already prepared config file from my GitHub, instead of using the sample file and editing it.

This is my understanding of what should be needed to get this done:

1. Install @Martinski's script for saving a subset of NVRAM variables:
Code:
mkdir -m 755 -p /jffs/addons/SaveRestoreNVRAM
curl  -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/Martinski4GitHub/CustomMiscUtils/master/NVRAM/SaveRestoreNVRAMvars.sh -o /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh && chmod 755 /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh

2. Download the prepared config file that only saves nvram variables associated with Wireguard Server config:
Code:
curl  -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/ZebMcKayhan/Wiregard-Backup_AsusWRT_Server/main/NVRAM_VarList_wg-server.txt -o /jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt

3. Run the script in menu mode:
Code:
/jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh -menu
Check under the "dp" option that the path for saving backups is correct and proper. Choose something different if needed by selecting this option.
Check under "fl" that the config file we edited is used; if not, adjust by selecting this option.

4. For backing up your Wireguard server, select option "bk". If everything is alright, the script will output each NVRAM variable it's backing up. As a sanity check, there should be 10 entries for the server peer itself and additionally 9 entries for each client peer. In my case, with the server and 2 clients, I have 28 entries backed up.
If you ever want to double check which NVRAM variables are included in a backup file, use option "ls".

Please make sure the backup is made on usb drive. If it is placed under /jffs somewhere you will need to manually copy it somewhere since /jffs will be wiped during factory reset.

5. When you need to restore your wireguard server after a factory reset for example, you will need to install the script again (repeat #1-#3).
In the script, make sure option "dp" points to where the backups are from your previous backup.
To start restore, select option "rt". You will be prompted about which backup file in the target you wish to restore.

Reboot your router after a restoration:
Code:
service reboot

As I have not been able to do this myself, I cannot tell you for sure it is working so if anyone tries this, please report back with your router model and FW version.
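
A check that fits steps 1 and 2 above, as an added example that is not part of the original post or of either GitHub project: `curl -k` skips TLS certificate verification, so this installs a download only when its SHA-256 matches a value recorded beforehand from a copy you reviewed. The function names and the placeholder hash are assumptions; the thread publishes no hashes.

```sh
#!/bin/sh
# Added example: pin a SHA-256 for each file fetched in steps 1 and 2 and
# refuse to install anything that does not match. Helper names are hypothetical.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# install_verified SRC EXPECTED_SHA256 DEST MODE
# 0 = verified and installed, 1 = hash mismatch (SRC deleted, DEST untouched),
# 2 = download missing or empty.
install_verified() {
    src=$1; want=$2; dest=$3; mode=$4
    [ -s "$src" ] || { echo "empty or missing download: $src" >&2; return 2; }
    got=$(sha256_of "$src") || return 2
    if [ "$got" != "$want" ]; then
        echo "hash mismatch for $dest: got $got" >&2
        rm -f "$src"
        return 1
    fi
    # Set the mode before the rename so DEST never exists unverified.
    chmod "$mode" "$src" && mv -f "$src" "$dest"
}

# fetch_verified URL EXPECTED_SHA256 DEST MODE
# Same curl flags as the post; the pinned hash is what authenticates the file.
fetch_verified() {
    tmp="$3.tmp.$$"
    curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused "$1" -o "$tmp" \
        || { rm -f "$tmp"; return 2; }
    install_verified "$tmp" "$2" "$3" "$4"
}

# Usage on the router (the hash is a placeholder you must fill in yourself):
#   DIR=/jffs/addons/SaveRestoreNVRAM
#   fetch_verified \
#     https://raw.githubusercontent.com/Martinski4GitHub/CustomMiscUtils/master/NVRAM/SaveRestoreNVRAMvars.sh \
#     "<SHA256_OF_REVIEWED_COPY>" "$DIR/SaveRestoreNVRAMvars.sh" 755
```

The same call with mode 644 covers the `NVRAM_VarList.txt` download in step 2.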
 
Last edited:
Awesome work, I am in a similar situation as you though: I am not really in a great position to test this (the restore especially) without cause. Sure, I could probably also recover via BACKUPMON if need be, but don't really want to shut out users that are currently connected via VPN if not strictly necessary.

Looking forward to feedback from other (more brave) testers.
 
Awesome work, I am in a similar situation as you though: I am not really in a great position to test this (the restore especially) without cause. Sure, I could probably also recover via BACKUPMON if need be, but don't really want to shut out users that are currently connected via VPN if not strictly necessary.
I understand, no worries.


other (more brave) testers.
I'm not that worried really. I have already tested with bogus nvram variables: backing them up, manually changing them, restoring the backup, and they are back. As we only affect Wireguard Server variables, the process is very slim and targeted.

What I am curious about is:
1. There is another set of nvram variables only used by the GUI to remember the last view (afaik). These are not part of the backup currently. Not sure if one needs to click around in the GUI to get these updated. We could include these if we wish, but it's nice to only backup/restore a minimum to keep compatibility.
2. There are server client config files in /etc/wg/ that will not be there after factory reset and restore. I assume the fw will recreate them, but I don't know.
 
Last edited:
...
I'm not sure if Entware needs to be installed or not, perhaps @Martinski could answer if his script has this dependency?
The shell script has no dependency on Entware. If it's found installed, the script will use the "/opt/var/" directory as the default path for the backup subdirectory; otherwise, it will use "/jffs/configs/" as the default. But you can, of course, change any initial default to any other directory path, including one that's located on a USB-attached drive that has no Entware.

...
2. There are server client config files in /etc/wg/ that will not be there after factory reset and restore. I assume the fw will recreate them, but I don't know.
I can add code to automatically back up the files in the "/etc/wg/" directory. The script already backs up the files in "/jffs/openvpn/" when saving the NVRAM keys for OpenVPN server and/or clients. This allows users to fully restore the OpenVPN functionality after a factory defaults reset.

Would that be useful for WireGuard as well?
 
The shell script has no dependency on Entware. If it's found installed, the script will use the "/opt/var/" directory as the default path for the backup subdirectory; otherwise, it will use "/jffs/configs/" as the default. But you can, of course, change any initial default to any other directory path, including one that's located on a USB-attached drive that has no Entware.
That's great! This means that this method may work just as well for stock fw as for Merlin fw. It may even be used when going from one to the other. I'm guessing neither /jffs/scripts, /jffs/configs or /jffs/addons exists on stock, but we adjust as we go.


I can add code to automatically back up the files in the "/etc/wg/" directory.
I'm not sure it should be needed. I'm not even sure /etc/wg is non-volatile; as df /etc/wg returns tmpfs, it may be recreated each boot. Other files related to Wireguard would be the hook scripts /jffs/scripts/wgserver-start and /jffs/scripts/wgserver-stop, but not everyone is using these, and the ones who do probably know to copy these files as needed.
 
I've updated the steps so the user can now download a prepared config file from my GitHub, sparing the user the hassle of editing it. I still kept the file as it is if anyone wants to add more things.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Back
Top