Wireguard Wireguard Server - Backup/Restore/Migrate

[ZebMcKayhan]

This is a continuation of a discussion sparked by @jsbeddow here.

This have been requested a couple of times, by me as well so I figured it is time to write down something to get things going.

This have been confirmed working on RT-AX86U running 388.9_2. Thanks for reporting @NoName79

There is no need to have Entware installed but its a good idea to have a usb drive connected to store your backups.
Even though the instructions are written for merlin, there is nothing known to me preventing these instructions to work on stock fw.

Update 5 sept 2025: changed to download already prepared config file from my github, instead of using the sample file and edit it.

Update 23 sep 2025: added fix for script not finding the varlist file.

This is my understand of what should be needed to get this done:

1. Install @Martinski script for saving subset of NVRAM variables:

mkdir -m 755 -p /jffs/addons/SaveRestoreNVRAM
curl  -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/Martinski4GitHub/CustomMiscUtils/master/NVRAM/SaveRestoreNVRAMvars.sh -o /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh && chmod 755 /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh

2. Download the prepared config file that only saves nvram variables associated with Wireguard Server config:

curl  -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/ZebMcKayhan/Wiregard-Backup_AsusWRT_Server/main/NVRAM_VarList_wg-server.txt -o /jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt

3. Run the script in menu mode:

/jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh -menu

Note: you may get this error:

**ERROR**: NVRAM variable list file [ /tmp/home/root/NVRAM_VarList.txt ] is EMPTY or NOT FOUND.
Press <Enter> key to continue...

If that happens, press enter to continue into the script menu. Choose option "fl" to edit the path to the varlist. Paste in this path:

/jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt

And press enter. It should now show this as green in the script as it is finding the file. You should only have to do this once.

Check under "dp" option so the path for saving backups are correct and proper. choose something differently if needed by selecting this option.

4. For backing up your Wireguard server, select option "bk". If everything is alright, the script will output each NVRAM variable its backing up. For sanity check, there should be 10 entries for the server peer itself and additionally 9 entries for each client peer. in my case with the server and 2 client I have 28 entries backed up.
If you ever want to double check which NVRAM variables are included in a backup file, use option "ls".

Please make sure the backup is made on usb drive. If it is placed under /jffs somewhere you will need to manually copy it somewhere since /jffs will be wiped during factory reset.

5. When you need to restore your wireguard server after a factory reset for example, you will need to install the script again (repeat #1-#3).
In the script, make sure option "dp" points to where the backups are from your previous backup.
To start restore, select option "rt". You will be prompted about which backup file in the target you wish to restore.

Reboot your router after a restoration:

service reboot

As I have not been able to do this myself, I cannot tell you for sure it is working so if anyone tries this, please report back with your router model and FW version.

 

[ZebMcKayhan]

Reserved.

 

[jsbeddow]

Awesome work, I am in a similar situation as you though: I am not really in a great position to test this (the restore especially) without cause. Sure, I could probably also recover via BACKUPMON if need be, but don't really want to shut out users that are currently connected via VPN if not strictly necessary.

Looking forward to feedback from other (more brave) testers.

 

[ZebMcKayhan]

Awesome work, I am in a similar situation as you though: I am not really in a great position to test this (the restore especially) without cause. Sure, I could probably also recover via BACKUPMON if need be, but don't really want to shut out users that are currently connected via VPN if not strictly necessary.

I understand, no worries.

other (more brave) testers.

I'm not that worried really. I have already tested with bogus nvram variables backing up, manually changing them, restore backup and they are back. As we only affect Wireguard Server variables the process are very slim and targeted.

What I am curious about is:
1. There are another set of nvram variables only used by the gui to remember last view (afaik). These are not part of the backup currently. Not sure if one needs to click around in the gui to get these updated. We could include these if we wish but its nice to only backup/restore a minimum to keep compability.
2. There are server client config files in /etc/wg/ that will not be there after factory reset and restore. I assume the fw will recreate them, but I don't know.

 

[Martinski]

...
Im not sure if entware needs to be installed or not, perhaps @Martinski could answer if his script have this dependecy?

The shell script has no dependency on Entware. If it's found installed, the script will use the "/opt/var/" directory as the default path for the backup subdirectory; otherwise, it will use "/jffs/configs/" as the default. But you can, of course, change any initial default to any other directory path, including one that's located on a USB-attached drive that has no Entware.

...
2. There are server client config files in /etc/wg/ that will not be there after factory reset and restore. I assume the fw will recreate them, but I don't know.

I can add code to automatically back up the files in the "/etc/wg/" directory. The script already backs up the files in "/jffs/openvpn/" when saving the NVRAM keys for OpenVPN server and/or clients. This allows users to fully restore the OpenVPN functionality after a factory defaults reset.

Would that be useful for WireGuard as well?

 

[ZebMcKayhan]

The shell script has no dependency on Entware. If it's found installed, the script will use the "/opt/var/" directory as the default path for the backup subdirectory; otherwise, it will use "/jffs/configs/" as the default. But you can, of course, change any initial default to any other directory path, including one that's located on a USB-attached drive that has no Entware.

Thats great! this means that this method may work just as well for stock fw as for merlin fw. it may even be used when going from one to the other. Im guessing neither /jffs/scripts, /jffs/configs or /jffs/addons exists on stock but we adjust as we go.

I can add code to automatically back up the files in the "/etc/wg/" directory.

Im not sure it should be needed. Im not even sure /etc/wg is non-volatile as df /etc/wg returns tmpfs it may be recreated each boot. Other files related to wireguard would be the hook scripts /jffs/scripts/wgserver-start and /jffs/scripts/wgserver-stop. but not everyone are using these and the ones who do probably knows to copy these files as needed.

 

[ZebMcKayhan]

I've updated the steps so the user can now download a prepared config file from my github. Sparing the user of the hazzle of editing it. I still kept the file as it is if anyone wants to add more things.

 

[NoName79]

Had to factory reset my router – 1 server and 2 clients successfully restored with your script. Thank you!

When starting your script I got this error:

ASUS@RT-AX86U-8860:/tmp/home/root# /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMvars.sh -menu
**ERROR**: NVRAM variable list file [ /tmp/home/root/NVRAM_VarList.txt ] is EMPTY or NOT FOUND.
Press <Enter> key to continue...

I added this into your script:

# Ensure NVRAM variable list is available in /tmp/home/root
if [ ! -s /tmp/home/root/NVRAM_VarList.txt ]; then
    echo "[INFO]: Copying NVRAM_VarList.txt to /tmp/home/root..."
    cp /jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt /tmp/home/root/ 2>/dev/null
fi

Now your script starts without the ERROR message, even after reboot.

 

[ZebMcKayhan]

Had to factory reset my router – 1 server and 2 clients successfully restored with your script. Thank you!

Thank you for testing!
Did you use this on your RT-AX86U factory reset fw 388.6_2?

Does everything looks updated in the gui immediately or did you have to click around for everything to get populated?
Can you generate existing client configs and they are the same as they have been?

When starting your script I got this error:

Interesting... so did you get this error both before factory reset and after? Or both? Or always after a reboot?

Sorry, I don't reboot very often so I typically don't see this stuff if its related to reboot:

Pinging @Martinski if he knows why you get this error while NVRAM_VarList.txt is in the same directory as the script... possibly due to context as you are not in the same directory when running the script?

 

[ZebMcKayhan]

When starting your script I got this error:

I think I understand why this error appears now.
When the script starts for the first time it looks for the VARLIST file in the directory you currently are, not in the script directory.
It then creates the config file to remember its setting. So for all future times it starts it will continue to use whatever it was last.

So if you start it the first time with i.e

cd /jffs/addons/SaveRestoreNVRAM && sh SaveRestoreNVRAMvars.sh -menu

Then it will get the right path in its config file and it will be all good for future starts...

@Martinski is the author of the script so he will have to decide if this should be fixed in the script or if I should just update the instructions with this.

 

[NoName79]

Does everything looks updated in the gui immediately or did you have to click around for everything to get populated?
Can you generate existing client configs and they are the same as they have been?

Yes the whole server and clients came up after restore and rebooting the router without clicking around. Your manual is working 100 %.

Firmware version on my RTAX86U is the latest available 3004.388.9_2.

Interesting... so did you get this error both before factory reset and after? Or both? Or always after a reboot?

Both before and after factory reset and after every reboot this error came back.

Couldn't use the script until manual copy the NVRAM_VarList.txt to tmp/home/root and start the script again.

 

[ZebMcKayhan]

Yes the whole server and clients came up after restore and rebooting the router without clicking around. Your manual is working 100 %.

Firmware version on my RTAX86U is the latest available 3004.388.9_2.


Both before and after factory reset and after every reboot this error came back.

Couldn't use the script until manual copy the NVRAM_VarList.txt to tmp/home/root and start the script again.

Thanks!

Instead of changing the script itself to copy the varlist file to where the config tells it should be (as wrongly set during initial run), a quick fix would be to point the script config path correct manually:

press enter to get passed the warning and get into the script. Use option "fl" to enter a new path and set it to

/jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt

alternatively manually change the config file:

nano /jffs/addons/SaveRestoreNVRAM/SaveRestoreNVRAMconfig.cfg

And change:

NVRAM_LIST_FILE=whatever

To

NVRAM_LIST_FILE=/jffs/addons/SaveRestoreNVRAM/NVRAM_VarList.txt

In any way it should work for all future starts until next factory reset.

 

[jksmurf]

This looks quite neat (thank you) and I might have occasion to use it sometime, I did need it once IIRC.

This would be a neat script in amtm, any chance of adding it there?

 

[ZebMcKayhan]

Updated the instructions to help the user set the valist path correct if the script does not find it.