Wireguard support to Voxel FW?

Discussion in 'NETGEAR AC Wireless' started by Tume, Oct 28, 2019.

  1. Tume

    Tume Occasional Visitor

    Joined:
    Oct 9, 2018
    Messages:
    15
    Hey!

    Is it possible to add Wireguard support to Voxel FW?

    - Tume
     
  2. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    490
    No

    Not yet - but soon...
     
    Last edited: Jan 18, 2020
  3. Tume

    Tume Occasional Visitor

    Joined:
    Oct 9, 2018
    Messages:
    15
    That was a good answer. Can you tell a little bit more detail, why it's impossible or not coming at all?
     
  4. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    Wireguard requires the changes in Linux kernel. And kernel version should be >= 3.10. My build is using the kernel 3.4.103 from NG GPL sources to provide workable QCA drivers (hardware acceleration etc). So I cannot upgrade the version of kernel.

    3.4.103 < 3.10

    Voxel.
     
    Tume likes this.
  5. Tume

    Tume Occasional Visitor

    Joined:
    Oct 9, 2018
    Messages:
    15
    Okay, that makes sense!
     
  6. KW.

    KW. Occasional Visitor

    Joined:
    Nov 26, 2019
    Messages:
    14
    Hello,
    I want to begin by thanking you, Voxel, for a fantastic firmware. I use it on my R9000 and am so happy I found it. I see people like you, who help others with no demands, as an inspiration!
    I just wonder, would it be a big task to integrate Wireguard with Voxel? It would be a huge boost if that is possible, as it will make a big difference in internet speed. Wireguard will be widely adopted in the near future.
     
    anhrzg and Voxel like this.
  7. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    It is practically impossible for R7500/R7800. Because of lacking kernel features. I am not sure re: R9000. At first glance its kernel version is 3.10.20, but it is a specific version and I do not see the needed features in this kernel either (in the kernel config menu). The same re: Orbi.

    So as I said: the main problem is the kernel. I cannot change the kernel version because I use drivers from QCA (hardware acceleration) and they are in the GPL sources of the stock firmware in binary pre-built form. So if I change the kernel significantly, these drivers will not work (brick).

    I do research this still. FYI: I use WG for my own needs (PC with Debian). So I know all advantages of WG vs e.g. OpenVPN. Much faster.

    Voxel.
     
    anhrzg and KW. like this.
  8. KW.

    KW. Occasional Visitor

    Joined:
    Nov 26, 2019
    Messages:
    14
    Thank you for your reply, and I am very happy to hear that you are looking into Wireguard. I wish you all luck in your research.

    I am impressed that you made a better firmware than a large company does. Already with your firmware my OpenVPN connection went from around 80 Mbit/s to around 120-130 Mbit/s when I use DNS-crypt and your setup for OpenVPN.
     
    Kingp1n, Voxel and kamoj like this.
  9. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    Seems it is working. I mean WireGuard on R9000. I have prepared a beta version with the WG kernel object and the "wg" binary. So I was able to connect my R9000 as a client to my remote PC with a WG server (different place, it is not LAN) manually using ip, iptables, wg commands. Just manually running the proper commands from the console.

    But what next? I mean, what do you guys expect from WG? Connection to a WireGuard provider as a client or server, or just leave it all as a "make-yourself kit"?

    P.S.

    Forgot to say: speed is very good if running e.g. iperf3 with multi threading. Almost the same as w/o WireGuard.

    Voxel.
     
    KW., anhrzg and kamoj like this.
  10. anhrzg

    anhrzg New Around Here

    Joined:
    Jan 18, 2018
    Messages:
    5
    "make-yourself kit" is good enough.
    Thanks for your work.
     
    KW. and kamoj like this.
  11. KW.

    KW. Occasional Visitor

    Joined:
    Nov 26, 2019
    Messages:
    14
    Hello! I saw this fantastic news right now. You are a hero. I will try your new build later today.
    I guess I would use Wireguard as a client for a paid VPN provider, as I use OpenVPN.

    My dream would be... I understand I may come out as a guy who always asks for more, but I was so very impressed by how you handled OpenVPN. You just plug it in. It is art.

    If you could do that with Wireguard it would be very cool. If not, that is okay too of course, but I think I'll need some sort of tutorial on how to install it. But as I said, I've not even installed your new version of the firmware yet, so I don't know yet. It will be like Christmas to try out.

    Thank you! You have a fan.
     
    kamoj likes this.
  12. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    Funnily :) Thanks. It is just fun for me.

    WireGuard. It is interesting for me too. I really was able to use it. And speed was very good. But I did not deal with real WG providers. So... I really do not know (yet) what to do else...

    Please check this:

    https://www.snbforums.com/threads/c...r-r9000-r8900-v-1-0-4-36hf.60635/#post-534558

    and this

    https://www.snbforums.com/threads/c...0-r8900-v-1-0-4-36hf.60635/page-2#post-535882

    I am interested in making from this something like "product level". If somebody needs help with this, you are free to contact me, e.g. in P.M. I stress: it is interesting for me. WG capabilities are really impressive...

    Voxel.
     
    anhrzg, KW. and kamoj like this.
  13. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    490
    Voxel and KW. like this.
  14. KW.

    KW. Occasional Visitor

    Joined:
    Nov 26, 2019
    Messages:
    14
    I now have a config file from my VPN provider made for Wireguard. Is that something that would help you? If so, I am happy to send it to you. I am starting from the wrong step as I'm a bit too eager now. I can't start to work with my router before the family activities start to calm down. But I'm not really sure what to do with the config file later. Is it like the setup with OpenVPN, where you just copy-paste a script into a document file and put it on USB to the router?
     
  15. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    No. Sorry, bit not so easy. WG is on the initial investigation stage.

    Let us postpone this a bit. I am a bit busy with my family duties. Kids, girls, friends, beer etc. Holidays.

    Let us do the following. I'll contact you a bit later. When I have time. And you have time too. And in P.M. only. But not right now. I can check your WG config. Also please do not worry: I will not share your WG config details and I'll not use your config for my own needs. Well... It is up to you of course. No offence if you keep this as your own secret. I understand and accept this. It is interesting for me, but (for example) I also do not share my own secrets/passwords etc. :) And I'll not do this. Obvious.

    Voxel.
     
    L&LD, kamoj and KW. like this.
  16. anhrzg

    anhrzg New Around Here

    Joined:
    Jan 18, 2018
    Messages:
    5
    Happy New Year to all!


    Here is an R9000 WireGuard client example (site to site).

    Here is the content of a custom /etc/init.d/wireguard script for the R9000 WireGuard client:
    #!/bin/sh /etc/rc.common
    # @(#)andonl 1.0.0
    START=99
    STOP=99
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    CONFIG=/bin/config
    AP_MODE=$($CONFIG get ap_mode)
    BRIDGE_MODE=$($CONFIG get bridge_mode)
    EXTENDER_MODE=$($CONFIG get extender_mode)
    CHECK_HOST=www.microsoft.com
    WGDEV=wg0
    WGDEVIPADDR=$($CONFIG get vpn_wg_ipaddr)
    WGDEVNET=$($CONFIG get vpn_wg_net)
    WGDEVGW=$($CONFIG get vpn_wg_gw)
    LOG_FILE=/var/log/wirequard.log

    start() {
        echo "`date` Wireguard start script has been started!" >>$LOG_FILE
        # Check if not in router mode
        if [ "$AP_MODE" = "1" ] || [ "$BRIDGE_MODE" = "1" ] || [ "$EXTENDER_MODE" = "1" ]; then
            echo "`date` Error, not in router mode!" | tee -a $LOG_FILE
            exit 1
        fi
        # Check if network parameters are configured (all three must be non-empty)
        if [ -z "$WGDEVIPADDR" ] || [ -z "$WGDEVNET" ] || [ -z "$WGDEVGW" ]; then
            echo "`date` Error, network parameters are not configured!" | tee -a $LOG_FILE
            exit 3
        fi
        # Check if wireguard is supported and kernel module loaded
        if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
            lsmod | grep -q wireguard
            if [ $? -eq 1 ]; then
                insmod /lib/modules/3.10.20/wireguard.ko
            fi
        else
            echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
            exit 5
        fi
        # Check if config $WGDEV.conf exists
        if [ ! -f /etc/wireguard/$WGDEV.conf ]; then
            echo "`date` Error, there is no config $WGDEV.conf in /etc/wireguard." | tee -a $LOG_FILE
            exit 7
        fi
        # Check if config $WGDEV.conf has correct access rights
        # (it holds the private key, so only root may read it)
        ls -l /etc/wireguard/$WGDEV.conf | grep -q "^-rw------- 1 root root"
        if [ $? -eq 1 ]; then
            chmod 0600 /etc/wireguard/$WGDEV.conf
            chown root:root /etc/wireguard/$WGDEV.conf
            echo "`date` Warning, config $WGDEV.conf access rights have been corrected!" | tee -a $LOG_FILE
        fi
        # Check if $WGDEV interface already exists
        ifconfig $WGDEV 1>/dev/null 2>&1
        if [ $? -eq 1 ]; then
            ip link add dev $WGDEV type wireguard
        else
            echo "`date` Info, interface $WGDEV already exists." | tee -a $LOG_FILE
        fi
        wg setconf $WGDEV /etc/wireguard/$WGDEV.conf
        # Check if $WGDEV interface IP ADDR already set up
        ifconfig $WGDEV | grep -q "inet addr:$WGDEVIPADDR"
        if [ $? -eq 1 ]; then
            ip address add $WGDEVIPADDR/24 dev $WGDEV
        else
            echo "`date` Info, $WGDEV IP addr $WGDEVIPADDR already set up." | tee -a $LOG_FILE
        fi
        ip link set mtu 1420 dev $WGDEV
        # Check if DNS is already working
        count=0
        while [ $count -le 20 ]; do
            ping -q -c 3 $CHECK_HOST 2>/dev/null 1>&2
            if [ $? -eq 0 ]; then
                break
            fi
            sleep 10
            count=$(($count+1))
        done
        # Sleep before starting if delay is set in NVRAM (to allow NTP set date/time)
        DELAY=$($CONFIG get vpn_wgclt_delay)
        if [ ! "$DELAY" = "" ]; then
            sleep $DELAY
        fi
        # Check if $WGDEV interface up and running
        ifconfig $WGDEV | grep -q "UP POINTOPOINT RUNNING"
        if [ $? -eq 1 ]; then
            ip link set $WGDEV up
        else
            echo "`date` Info, $WGDEV is already up and running!" | tee -a $LOG_FILE
        fi
        route add -net $WGDEVNET/24 gw $WGDEVGW
        echo "`date` Wireguard start script has been ended!" >>$LOG_FILE
    }

    stop() {
        echo "`date` Wireguard stop script has been started!" >>$LOG_FILE
        route del -net $WGDEVNET/24 gw $WGDEVGW
        if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
            # Check if $WGDEV interface already exists
            ifconfig $WGDEV 1>/dev/null 2>&1
            if [ $? -eq 0 ]; then
                ip link del dev $WGDEV
            else
                echo "`date` Info, interface $WGDEV does not exist." | tee -a $LOG_FILE
            fi
            lsmod | grep -q wireguard
            if [ $? -eq 0 ]; then
                rmmod /lib/modules/3.10.20/wireguard.ko
            fi
        else
            echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
            exit 9
        fi
        echo "`date` Wireguard stop script has been ended!" >>$LOG_FILE
    }

    restart() {
        stop
        start
    }

    reload() {
        exit 11
    }

    Copy the above lines of code to /etc/init.d/wireguard and make it executable.

    To create rc.d startup links:
    cd /etc/init.d
    ./wireguard enable

    Prerequisites:
    You need to configure the client config file

    cat /etc/wireguard/wg0.conf

    [Interface]
    PrivateKey = ReplacewithClientPrivateKey
    [Peer]
    PublicKey = ReplacewithServerPublicKeyNetwork
    AllowedIPs = 192.168.120.0/24, 192.168.140.0/24
    EndPoint = yourserver.ddns.net:10100
    PersistentKeepalive = 24

    You need to configure some nvram variables used by the server script
    nvram show all | grep vpn_wg
    vpn_wg_ipaddr=192.168.120.2
    vpn_wg_net=192.168.140.0
    vpn_wg_gw=192.168.120.1

    Networks from examples:
    vpn network 192.168.120.0/24
    local network behind R9000 vpn server 192.168.140.0/24

    Please note that the firewall part is not covered here, nor is how to create private/public keys.
    You will have to adjust the IP addresses/networks provided here to your needs.

    Thanks,
     
    Starrbuck and KW. like this.
  17. anhrzg

    anhrzg New Around Here

    Joined:
    Jan 18, 2018
    Messages:
    5
    Hi all!
    Here is an R9000 WireGuard server example (site to site).
    It is mainly designed for the already provided R9000 WireGuard client to connect.

    Here is the content of a custom /etc/init.d/wireguard script for the R9000 WireGuard server:
    #!/bin/sh /etc/rc.common
    # @(#)andonl 1.0.0
    START=98
    STOP=98
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    CONFIG=/bin/config
    AP_MODE=$($CONFIG get ap_mode)
    BRIDGE_MODE=$($CONFIG get bridge_mode)
    EXTENDER_MODE=$($CONFIG get extender_mode)
    WGDEV=wg0
    WGDEVIPADDR=$($CONFIG get vpn_wg_ipaddr)
    WGDEVNET=$($CONFIG get vpn_wg_net)
    WGDEVGW=$($CONFIG get vpn_wg_gw)
    LOG_FILE=/var/log/wirequard.log

    start() {
        echo "`date` Wireguard start script has been started!" >>$LOG_FILE
        # Check if not in router mode
        if [ "$AP_MODE" = "1" ] || [ "$BRIDGE_MODE" = "1" ] || [ "$EXTENDER_MODE" = "1" ]; then
            echo "`date` Error, not in router mode!" | tee -a $LOG_FILE
            exit 1
        fi
        # Check if network parameters are configured (all three must be non-empty)
        if [ -z "$WGDEVIPADDR" ] || [ -z "$WGDEVNET" ] || [ -z "$WGDEVGW" ]; then
            echo "`date` Error, network parameters are not configured!" | tee -a $LOG_FILE
            exit 3
        fi
        # Check if wireguard is supported and kernel module loaded
        if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
            lsmod | grep -q wireguard
            if [ $? -eq 1 ]; then
                insmod /lib/modules/3.10.20/wireguard.ko
            fi
        else
            echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
            exit 5
        fi
        # Check if config $WGDEV.conf exists
        if [ ! -f /etc/wireguard/$WGDEV.conf ]; then
            echo "`date` Error, there is no config $WGDEV.conf in /etc/wireguard." | tee -a $LOG_FILE
            exit 7
        fi
        # Check if config $WGDEV.conf has correct access rights
        # (it holds the private key, so only root may read it)
        ls -l /etc/wireguard/$WGDEV.conf | grep -q "^-rw------- 1 root root"
        if [ $? -eq 1 ]; then
            chmod 0600 /etc/wireguard/$WGDEV.conf
            chown root:root /etc/wireguard/$WGDEV.conf
            echo "`date` Warning, config $WGDEV.conf access rights have been corrected!" | tee -a $LOG_FILE
        fi
        # Check if $WGDEV interface already exists
        ifconfig $WGDEV 1>/dev/null 2>&1
        if [ $? -eq 1 ]; then
            ip link add dev $WGDEV type wireguard
        else
            echo "`date` Info, interface $WGDEV already exists." | tee -a $LOG_FILE
        fi
        wg setconf $WGDEV /etc/wireguard/$WGDEV.conf
        # Check if $WGDEV interface IP ADDR already set up
        ifconfig $WGDEV | grep -q "inet addr:$WGDEVIPADDR"
        if [ $? -eq 1 ]; then
            ip address add $WGDEVIPADDR/24 dev $WGDEV
        else
            echo "`date` Info, $WGDEV IP addr $WGDEVIPADDR already set up." | tee -a $LOG_FILE
        fi
        ip link set mtu 1420 dev $WGDEV
        # Check if $WGDEV interface up and running
        ifconfig $WGDEV | grep -q "UP POINTOPOINT RUNNING"
        if [ $? -eq 1 ]; then
            ip link set $WGDEV up
        else
            echo "`date` Info, $WGDEV is already up and running!" | tee -a $LOG_FILE
        fi
        route add -net $WGDEVNET/24 gw $WGDEVGW
        echo "`date` Wireguard start script has been ended!" >>$LOG_FILE
    }

    stop() {
        echo "`date` Wireguard stop script has been started!" >>$LOG_FILE
        route del -net $WGDEVNET/24 gw $WGDEVGW
        if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
            # Check if $WGDEV interface already exists
            ifconfig $WGDEV 1>/dev/null 2>&1
            if [ $? -eq 0 ]; then
                ip link del dev $WGDEV
            else
                echo "`date` Info, interface $WGDEV does not exist." | tee -a $LOG_FILE
            fi
            lsmod | grep -q wireguard
            if [ $? -eq 0 ]; then
                rmmod /lib/modules/3.10.20/wireguard.ko
            fi
        else
            echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
            exit 9
        fi
        echo "`date` Wireguard stop script has been ended!" >>$LOG_FILE
    }

    restart() {
        stop
        start
    }

    reload() {
        exit 11
    }

    Copy the above lines of code to /etc/init.d/wireguard and make it executable.

    To create rc.d startup links:
    cd /etc/init.d
    ./wireguard enable

    Prerequisites:
    You need to configure the server config file

    cat /etc/wireguard/wg0.conf

    [Interface]
    PrivateKey = ReplacewithServerPrivateKey
    ListenPort = 10100
    [Peer]
    PublicKey = IfUsedReplacewithClientPublicKeyNetwork
    AllowedIPs = 192.168.120.2/32, 192.168.130.0/24
    [Peer]
    PublicKey = IfUsedReplacewithClientPublicKeySingleIP
    AllowedIPs = 192.168.120.121/32

    You need to configure some nvram variables used by the server script
    nvram show all | grep vpn_wg
    vpn_wg_ipaddr=192.168.120.1
    vpn_wg_net=192.168.130.0
    vpn_wg_gw=192.168.120.2

    Networks from examples:
    vpn network 192.168.120.0/24
    local network behind R9000 vpn client 192.168.130.0/24

    Please note that the firewall part is not covered here, nor is how to create private/public keys.
    If you are using an Internet provider router you will have to forward UDP traffic on port 10100 to your R9000.
    You will have to adjust the IP addresses/networks provided here to your needs.

    Regards,
     
    Starrbuck and KW. like this.
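
An added example, not part of anhrzg's posts or Voxel's firmware: a pre-flight check for the wg0.conf files shown in the client and server posts above. It covers the 0600 mode the init scripts enforce, leftover "Replacewith..." placeholder keys, and whether some peer's AllowedIPs covers the network the script routes through the tunnel (vpn_wg_net/24). The function names and the wgcheck.sh file name are hypothetical, and only IPv4 entries are checked.

```shell
#!/bin/sh
# Added example: pre-flight check for a wg0.conf before "wg setconf".
# Function names are hypothetical; IPv4 only.

# ip2int A.B.C.D -> the address as one integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_covers ALLOWED NET -> status 0 when NET (a.b.c.d/len) lies wholly inside ALLOWED
cidr_covers() {
    a_len=${1#*/}; n_len=${2#*/}
    [ "$a_len" -le "$n_len" ] || return 1
    bits=$(( 32 - a_len ))
    [ $(( $(ip2int "${1%/*}") >> bits )) -eq $(( $(ip2int "${2%/*}") >> bits )) ]
}

# conf_values KEY FILE -> every value of "KEY = v1, v2", one per line
conf_values() {
    grep -i "^[[:space:]]*$1[[:space:]]*=" "$2" | sed 's/^[^=]*=//' |
        tr ',' '\n' | tr -d ' \t\r'
}

# wg_conf_check FILE ROUTED_CIDR -> prints findings, returns how many (0 = OK)
wg_conf_check() {
    conf=$1; routed=$2; bad=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    # 1. The file holds the private key: owner read/write only.
    mode=$(ls -ld "$conf" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "mode $mode, want -rw-------"; bad=$((bad + 1)); }
    # 2. A key is 32 bytes: 43 base64 characters plus one "=". This also flags
    #    leftover "Replacewith..." placeholders. The value is never printed.
    for k in $(conf_values PrivateKey "$conf") $(conf_values PublicKey "$conf"); do
        echo "$k" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
            { echo "malformed or placeholder key"; bad=$((bad + 1)); }
    done
    # 3. Cryptokey routing: the tunnel only carries traffic for the routed
    #    network if some peer's AllowedIPs covers it.
    covered=no
    for cidr in $(conf_values AllowedIPs "$conf"); do
        case $cidr in *:*) continue ;; */*) ;; *) cidr=$cidr/32 ;; esac
        if cidr_covers "$cidr" "$routed"; then covered=yes; fi
    done
    [ "$covered" = yes ] || { echo "no peer AllowedIPs covers $routed"; bad=$((bad + 1)); }
    return $bad
}

# Usage on the router (assumed file name wgcheck.sh):
#   sh wgcheck.sh /etc/wireguard/wg0.conf "$(/bin/config get vpn_wg_net)/24"
if [ $# -eq 2 ]; then wg_conf_check "$1" "$2"; fi
```

A non-zero exit status is the number of findings, so the check can gate the `wg setconf` step of an init script.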
  18. anhrzg

    anhrzg New Around Here

    Joined:
    Jan 18, 2018
    Messages:
    5
    Hi all!

    Here are the uploaded init.d/wireguard scripts. You will have to rename them.

    Regards,
     

    Starrbuck, KW., Voxel and 1 other person like this.
  19. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    Thanks for your development. WG is still under testing (thanks to @KW. ). Results are promising...

    Voxel.
     
    KW. likes this.
  20. KW.

    KW. Occasional Visitor

    Joined:
    Nov 26, 2019
    Messages:
    14
    After VIP treatment and the most undeserved credit I have ever received, which I am grateful for, I've had the honor of testing Voxel's implementation of Wireguard. And it exceeds all expectations.

    I pay for 200 Mbit/s internet. With OpenVPN, before I installed Wireguard, I had 125 up, 111 down and ping 3.16. With nothing on, just raw internet, 185 down, 220 up, 2.65 ping. With Voxel's Wireguard setup I have 189 down, 230 up and 3.52 ping.

    And yes, I've checked that the VPN is working, if you don't believe your eyes.

    Finally the R9000 is up to date and a topnotch router.

    Thank you Voxel!
     
    spocko, anhrzg, Voxel and 3 others like this.