Wireguard support to Voxel FW?

Voxel

Very Senior Member
That was a good answer. Can you give a few more details on why it's impossible or not coming at all?
WireGuard requires changes in the Linux kernel, and the kernel version should be >= 3.10. My build uses the kernel 3.4.103 from the NG GPL sources to provide workable QCA drivers (hardware acceleration etc.), so I cannot upgrade the kernel version.

3.4.103 < 3.10

Voxel.
 

KW.

Regular Contributor
Hello,
I want to begin by thanking you, Voxel, for a fantastic firmware. I use it on my R9000 and am so happy I found it. I see people like you, who help others with no demands, as an inspiration!
I just wonder, would it be a big task to integrate Wireguard with Voxel? It would be a huge boost if that is possible as it will make a big difference in internet speed. Wireguard will be widely adopted in the near future.
 

Voxel

Very Senior Member
I just wonder, would it be a big task to integrate Wireguard with Voxel? It would be a huge boost if that is possible as it will make a big difference in internet speed. Wireguard will be widely adopted in the near future.
It is practically impossible for R7500/R7800 because of lacking kernel features. I am not sure re: R9000. At first glance its kernel version is 3.10.20, but it is a specific version and I do not see the needed features in this kernel either (in the kernel config menu). The same re: Orbi.

So as I said: the main problem is the kernel. I cannot change the kernel version because I use drivers from QCA (hardware acceleration), and they are in the GPL sources of the stock firmware in binary pre-built form. So if I change the kernel significantly, these drivers will not work (brick).

I am still researching this. FYI: I use WG for my own needs (PC with Debian). So I know all the advantages of WG vs e.g. OpenVPN. Much faster.

Voxel.
 

KW.

Regular Contributor
Thank you for your reply and I am very happy to hear that you are looking into Wireguard. I wish you all luck in your research.

I am impressed that you made a better firmware than a large company does. Already with your firmware my OpenVPN connection went from around 80 Mbit/s to around 120-130 Mbit/s when I use DNS-crypt and your setup for OpenVPN.
 

Voxel

Very Senior Member
Thank you for your reply and I am very happy to hear that you are looking into Wireguard. I wish you all luck in your research.

I am impressed that you made a better firmware than a large company does. Already with your firmware my OpenVPN connection went from around 80 Mbit/s to around 120-130 Mbit/s when I use DNS-crypt and your setup for OpenVPN.
It seems to be working. I mean WireGuard on R9000. I have prepared a beta version with the WG kernel object and the "wg" binary. So I was able to connect my R9000 as a client to my remote PC with a WG server (different place, it is not LAN) manually using ip, iptables, wg commands. Just manually running the proper commands from the console.

But what next? I mean, what do you guys expect from WG? Connection to a WireGuard provider as a client or server, or just leave it all as a "make-yourself kit"?

P.S.

Forgot to say: speed is very good if running e.g. iperf3 with multi threading. Almost the same as w/o WireGuard.

Voxel.
 

KW.

Regular Contributor
Hello! I saw this fantastic news right now. You are a hero. I will try your new build later today.
I guess I would use Wireguard as a client for a paid VPN provider, as I use OpenVPN.

My dream would be... I understand I may come out as a guy who always asks for more but I was so very impressed how you handled OpenVPN. You just plug it in. It is art.

If you could do that with Wireguard it would be very cool; if not, that is okay too of course, but I think I'll need some sort of tutorial on how to install it. But as I said, I've not even installed your new version of the firmware yet so I don't know yet. It will be like Christmas to try out.

Thank you! You have a fan.
 

Voxel

Very Senior Member
You are a hero.
Funnily :) Thanks. It is just fun for me.

WireGuard. It is interesting for me too. I really was able to use it. And speed was very good. But I did not deal with real WG providers. So... I really do not know (yet) what else to do...

Please check this:

https://www.snbforums.com/threads/c...r-r9000-r8900-v-1-0-4-36hf.60635/#post-534558

and this

https://www.snbforums.com/threads/c...0-r8900-v-1-0-4-36hf.60635/page-2#post-535882

I am interested in making something like "product level" from this. If somebody needs help with this, you are free to contact me e.g. in P.M. I stress: it is interesting for me. WG capabilities are really impressive...

Voxel.
 

KW.

Regular Contributor
I now have a config file from my VPN provider made for Wireguard. Is that something that would help you if you see it? I am happy to send it to you. I am starting from the wrong step as I'm a bit too eager now. I can't start to work with my router before the family activities start to calm down. But I'm not really sure what to do with the config file later; is it like the setup with OpenVPN, where you just copy-paste a script into a document file and put it on USB to the router?
 

Voxel

Very Senior Member
I'm not really sure what to do with the config file later; is it like the setup with OpenVPN, where you just copy-paste a script into a document file and put it on USB to the router?
No. Sorry, bit not so easy. WG is at the initial investigation stage.

I now have a config file from my VPN provider made for Wireguard. Is that something that would help you if you see it? I am happy to send it to you.
Let us postpone this a bit. I am a bit busy with my family duties. Kids, girls, friends, beer etc. Holidays.

Let us do the following. I'll contact you a bit later. When I have time. And you have time too. And in P.M. only. But not right now. I can check your WG config. Also please do not worry: I will not share your WG config details and I'll not use your config for my own needs. Well... It is up to you of course. No offence if you keep this as your own secret. I understand and accept this. It is interesting for me, but (for example) I also do not share my own secrets/passwords etc. :) And I'll not do this. Obvious.

Voxel.
 

anhrzg

Occasional Visitor
Happy New Year to all!


Here is an R9000 WireGuard client example (site to site).

Here is the content of the custom /etc/init.d/wireguard script for the R9000 WireGuard client:
#!/bin/sh /etc/rc.common
# @(#)andonl 1.0.0
START=99
STOP=99
PATH=/bin:/sbin:/usr/bin:/usr/sbin
CONFIG=/bin/config
AP_MODE=$($CONFIG get ap_mode)
BRIDGE_MODE=$($CONFIG get bridge_mode)
EXTENDER_MODE=$($CONFIG get extender_mode)
CHECK_HOST=www.microsoft.com
WGDEV=wg0
WGDEVIPADDR=$($CONFIG get vpn_wg_ipaddr)
WGDEVNET=$($CONFIG get vpn_wg_net)
WGDEVGW=$($CONFIG get vpn_wg_gw)
LOG_FILE=/var/log/wirequard.log

start() {
    echo "`date` Wireguard start script has been started!" >>$LOG_FILE
    # Check if not in router mode
    if [ "$AP_MODE" = "1" ] || [ "$BRIDGE_MODE" = "1" ] || [ "$EXTENDER_MODE" = "1" ]; then
        echo "`date` Error, not in router mode!" | tee -a $LOG_FILE
        exit 1
    fi
    # Check if network parameters are configured (an unset nvram value is empty)
    if [ -z "$WGDEVIPADDR" ] || [ -z "$WGDEVNET" ] || [ -z "$WGDEVGW" ]; then
        echo "`date` Error, network parameters are not configured!" | tee -a $LOG_FILE
        exit 3
    fi
    # Check if wireguard is supported and kernel module loaded
    if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
        lsmod | grep -q wireguard
        if [ $? -eq 1 ]; then
            insmod /lib/modules/3.10.20/wireguard.ko
        fi
    else
        echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
        exit 5
    fi
    # Check if config $WGDEV.conf exists
    if [ ! -f /etc/wireguard/$WGDEV.conf ]; then
        echo "`date` Error, there is no config $WGDEV.conf in /etc/wireguard." | tee -a $LOG_FILE
        exit 7
    fi
    # Check if config $WGDEV.conf has correct access rights (it holds the private key)
    ls -l /etc/wireguard/$WGDEV.conf | grep -q "^-rw------- 1 root root"
    if [ $? -eq 1 ]; then
        chmod 0600 /etc/wireguard/$WGDEV.conf
        chown root:root /etc/wireguard/$WGDEV.conf
        echo "`date` Warning, config $WGDEV.conf access rights have been corrected!" | tee -a $LOG_FILE
    fi
    # Check if $WGDEV interface already exists
    ifconfig $WGDEV 1>/dev/null 2>&1
    if [ $? -eq 1 ]; then
        ip link add dev $WGDEV type wireguard
    else
        echo "`date` Info, interface $WGDEV already exists." | tee -a $LOG_FILE
    fi
    wg setconf $WGDEV /etc/wireguard/$WGDEV.conf
    # Check if $WGDEV interface IP ADDR already set up
    ifconfig $WGDEV | grep -q "inet addr:$WGDEVIPADDR"
    if [ $? -eq 1 ]; then
        ip address add $WGDEVIPADDR/24 dev $WGDEV
    else
        echo "`date` Info, $WGDEV IP addr $WGDEVIPADDR already set up." | tee -a $LOG_FILE
    fi
    ip link set mtu 1420 dev $WGDEV
    # Check if DNS is already working
    count=0
    while [ $count -le 20 ]; do
        ping -q -c 3 $CHECK_HOST 2>/dev/null 1>&2
        if [ $? -eq 0 ]; then
            break
        fi
        sleep 10
        count=$(($count+1))
    done
    # Sleep before starting if delay is set in NVRAM (to allow NTP set date/time)
    DELAY=$($CONFIG get vpn_wgclt_delay)
    if [ ! "$DELAY" = "" ]; then
        sleep $DELAY
    fi
    # Check if $WGDEV interface up and running
    ifconfig $WGDEV | grep -q "UP POINTOPOINT RUNNING"
    if [ $? -eq 1 ]; then
        ip link set $WGDEV up
    else
        echo "`date` Info, $WGDEV is already up and running!" | tee -a $LOG_FILE
    fi
    route add -net $WGDEVNET/24 gw $WGDEVGW
    echo "`date` Wireguard start script has been ended!" >>$LOG_FILE
}

stop() {
    echo "`date` Wireguard stop script has been started!" >>$LOG_FILE
    route del -net $WGDEVNET/24 gw $WGDEVGW
    if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
        # Check if $WGDEV interface already exists
        ifconfig $WGDEV 1>/dev/null 2>&1
        if [ $? -eq 0 ]; then
            ip link del dev $WGDEV
        else
            echo "`date` Info, interface $WGDEV does not exist." | tee -a $LOG_FILE
        fi
        lsmod | grep -q wireguard
        if [ $? -eq 0 ]; then
            rmmod /lib/modules/3.10.20/wireguard.ko
        fi
    else
        echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
        exit 9
    fi
    echo "`date` Wireguard stop script has been ended!" >>$LOG_FILE
}

restart() {
    stop
    start
}

reload() {
    exit 11
}

Copy above lines of code to /etc/init.d/wireguard and make it executable.

To create rc.d startup links
cd /etc/init.d
./wireguard enable

Prerequisites:
You need to configure client config file

cat /etc/wireguard/wg0.conf

[Interface]
PrivateKey = ReplacewithClientPrivateKey
[Peer]
PublicKey = ReplacewithServerPublicKeyNetwork
AllowedIPs = 192.168.120.0/24, 192.168.140.0/24
EndPoint = yourserver.ddns.net:10100
PersistentKeepalive = 24

You need to configure some nvram variables used by the server script
nvram show all | grep vpn_wg
vpn_wg_ipaddr=192.168.120.2
vpn_wg_net=192.168.140.0
vpn_wg_gw=192.168.120.1

Networks from examples:
vpn network 192.168.120.0/24
local network behind R9000 vpn server 192.168.140.0/24

Please note that the firewall part and how to create private/public keys are not covered here.
You will have to adjust the IP addresses/networks provided here to your needs.

Thanks,
 

anhrzg

Occasional Visitor
Hi all!
Here is an R9000 WireGuard server example (site to site).
It is mainly designed for the already provided R9000 WireGuard client to connect to.

Here is the content of the custom /etc/init.d/wireguard script for the R9000 WireGuard server:
#!/bin/sh /etc/rc.common
# @(#)andonl 1.0.0
START=98
STOP=98
PATH=/bin:/sbin:/usr/bin:/usr/sbin
CONFIG=/bin/config
AP_MODE=$($CONFIG get ap_mode)
BRIDGE_MODE=$($CONFIG get bridge_mode)
EXTENDER_MODE=$($CONFIG get extender_mode)
WGDEV=wg0
WGDEVIPADDR=$($CONFIG get vpn_wg_ipaddr)
WGDEVNET=$($CONFIG get vpn_wg_net)
WGDEVGW=$($CONFIG get vpn_wg_gw)
LOG_FILE=/var/log/wirequard.log

start() {
    echo "`date` Wireguard start script has been started!" >>$LOG_FILE
    # Check if not in router mode
    if [ "$AP_MODE" = "1" ] || [ "$BRIDGE_MODE" = "1" ] || [ "$EXTENDER_MODE" = "1" ]; then
        echo "`date` Error, not in router mode!" | tee -a $LOG_FILE
        exit 1
    fi
    # Check if network parameters are configured (an unset nvram value is empty)
    if [ -z "$WGDEVIPADDR" ] || [ -z "$WGDEVNET" ] || [ -z "$WGDEVGW" ]; then
        echo "`date` Error, network parameters are not configured!" | tee -a $LOG_FILE
        exit 3
    fi
    # Check if wireguard is supported and kernel module loaded
    if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
        lsmod | grep -q wireguard
        if [ $? -eq 1 ]; then
            insmod /lib/modules/3.10.20/wireguard.ko
        fi
    else
        echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
        exit 5
    fi
    # Check if config $WGDEV.conf exists
    if [ ! -f /etc/wireguard/$WGDEV.conf ]; then
        echo "`date` Error, there is no config $WGDEV.conf in /etc/wireguard." | tee -a $LOG_FILE
        exit 7
    fi
    # Check if config $WGDEV.conf has correct access rights (it holds the private key)
    ls -l /etc/wireguard/$WGDEV.conf | grep -q "^-rw------- 1 root root"
    if [ $? -eq 1 ]; then
        chmod 0600 /etc/wireguard/$WGDEV.conf
        chown root:root /etc/wireguard/$WGDEV.conf
        echo "`date` Warning, config $WGDEV.conf access rights have been corrected!" | tee -a $LOG_FILE
    fi
    # Check if $WGDEV interface already exists
    ifconfig $WGDEV 1>/dev/null 2>&1
    if [ $? -eq 1 ]; then
        ip link add dev $WGDEV type wireguard
    else
        echo "`date` Info, interface $WGDEV already exists." | tee -a $LOG_FILE
    fi
    wg setconf $WGDEV /etc/wireguard/$WGDEV.conf
    # Check if $WGDEV interface IP ADDR already set up
    ifconfig $WGDEV | grep -q "inet addr:$WGDEVIPADDR"
    if [ $? -eq 1 ]; then
        ip address add $WGDEVIPADDR/24 dev $WGDEV
    else
        echo "`date` Info, $WGDEV IP addr $WGDEVIPADDR already set up." | tee -a $LOG_FILE
    fi
    ip link set mtu 1420 dev $WGDEV
    # Check if $WGDEV interface up and running
    ifconfig $WGDEV | grep -q "UP POINTOPOINT RUNNING"
    if [ $? -eq 1 ]; then
        ip link set $WGDEV up
    else
        echo "`date` Info, $WGDEV is already up and running!" | tee -a $LOG_FILE
    fi
    route add -net $WGDEVNET/24 gw $WGDEVGW
    echo "`date` Wireguard start script has been ended!" >>$LOG_FILE
}

stop() {
    echo "`date` Wireguard stop script has been started!" >>$LOG_FILE
    route del -net $WGDEVNET/24 gw $WGDEVGW
    if [ -f /lib/modules/3.10.20/wireguard.ko ]; then
        # Check if $WGDEV interface already exists
        ifconfig $WGDEV 1>/dev/null 2>&1
        if [ $? -eq 0 ]; then
            ip link del dev $WGDEV
        else
            echo "`date` Info, interface $WGDEV does not exist." | tee -a $LOG_FILE
        fi
        lsmod | grep -q wireguard
        if [ $? -eq 0 ]; then
            rmmod /lib/modules/3.10.20/wireguard.ko
        fi
    else
        echo "`date` Error, there is no support for wireguard!" | tee -a $LOG_FILE
        exit 9
    fi
    echo "`date` Wireguard stop script has been ended!" >>$LOG_FILE
}

restart() {
    stop
    start
}

reload() {
    exit 11
}

Copy above lines of code to /etc/init.d/wireguard and make it executable.

To create rc.d startup links
cd /etc/init.d
./wireguard enable

Prerequisites:
You need to configure server config file

cat /etc/wireguard/wg0.conf

[Interface]
PrivateKey = ReplacewithServerPrivateKey
ListenPort = 10100
[Peer]
PublicKey = IfUsedReplacewithClientPublicKeyNetwork
AllowedIPs = 192.168.120.2/32, 192.168.130.0/24
[Peer]
PublicKey = IfUsedReplacewithClientPublicKeySingleIP
AllowedIPs = 192.168.120.121/32

You need to configure some nvram variables used by the server script
nvram show all | grep vpn_wg
vpn_wg_ipaddr=192.168.120.1
vpn_wg_net=192.168.130.0
vpn_wg_gw=192.168.120.2

Networks from examples:
vpn network 192.168.120.0/24
local network behind R9000 vpn client 192.168.130.0/24

Please note that the firewall part and how to create private/public keys are not covered here.
If you are using an Internet provider router you will have to forward UDP traffic using port 10100 to your R9000.
You will have to adjust the IP addresses/networks provided here to your needs.

Regards,
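
Both site-to-site posts above depend on three nvram values and a wg0.conf whose placeholder keys have been replaced; as an added example (not part of anhrzg's posts or Voxel's firmware), this shell function checks those inputs before `wg setconf` and `route add` run. The names wg_preflight and sample_conf and the all-"A" dummy key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. wg_preflight and sample_conf are
# hypothetical names; the all-"A" key is a constructed dummy value.
# wg_preflight CONF IPADDR NET GW: print problems, return 1 if any were found
wg_preflight() {
    awk -v ip="$2" -v net="$3" -v gw="$4" '
    function ip2n(s,  a) {
        if (split(s, a, ".") != 4) return -1
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # true if addr lies inside cidr and the prefix is at most maxbits long
    function covers(cidr, addr, maxbits,  p, bits, size) {
        split(cidr, p, "/")
        bits = (p[2] == "" ? 32 : p[2] + 0)
        if (bits > maxbits) return 0
        size = 2 ^ (32 - bits)
        return int(ip2n(p[1]) / size) == int(ip2n(addr) / size)
    }
    function bad(msg) { print "FAIL: " msg; fails++ }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }    # drop comments and whitespace
    tolower($0) ~ /^(private|public)key=/ {
        key = substr($0, index($0, "=") + 1)
        # a WireGuard key is 32 bytes: 44 base64 characters ending in "="
        if (length(key) != 44 || key !~ "^[A-Za-z0-9+/]+=$")
            bad("line " NR ": placeholder or malformed key")   # value not echoed
    }
    tolower($0) ~ /^allowedips=/ {
        n = split(substr($0, index($0, "=") + 1), list, ",")
        for (i = 1; i <= n; i++) if (covers(list[i], net, 24)) routed = 1
    }
    END {
        # "route add -net NET/24 gw GW" needs GW on-link in IPADDR/24
        if (gw == ip || !covers(ip "/24", gw, 24))
            bad("gateway " gw " is not another host in " ip "/24")
        # cryptokey routing drops traffic for networks no peer is allowed
        if (!routed) bad(net "/24 is not inside any peer AllowedIPs")
        exit (fails > 0)
    }' "$1"
}
# Constructed sample: the client wg0.conf from the post, trimmed to the keys
# and AllowedIPs; $1 overrides the private key
sample_conf() {
    fake=$(awk 'BEGIN { while (i++ < 43) printf "A"; print "=" }')
    cat <<EOF
[Interface]
PrivateKey = ${1:-$fake}
[Peer]
PublicKey = $fake
AllowedIPs = 192.168.120.0/24, 192.168.140.0/24
EOF
}
```

On the router it would be called as `wg_preflight /etc/wireguard/$WGDEV.conf "$WGDEVIPADDR" "$WGDEVNET" "$WGDEVGW"` using the variables from the init scripts above.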
 

Voxel

Very Senior Member
Thanks for your development. WG is still under testing (thanks to @KW. ). Results are promising...

Voxel.
 

KW.

Regular Contributor
After VIP treatment and the most undeserved credding I have ever received, but I am grateful for I've had the honor of testing Voxel's implementation of Wireguard. And it exceeds all expectations.

I pay for 200 Mbit/s internet. With OpenVPN, before I installed Wireguard, I have 125 up, 111 down and ping 3.16. With nothing on, just raw internet, 185 down, 220 up, 2.65 ping. With Voxel's Wireguard setup I have 189 down, 230 up and 3.52 ping.

And yes, I've checked that the VPN is working, if you don't believe your eyes.

Finally the R9000 is up to date and a topnotch router.

Thank you Voxel!
 
