[Experimental] WireGuard for HND platform (4.1.x kernels)

[Shasarak]

Hi, this has been super helpful!
What would the policy be if I wanted to exclude an IP rather than include a specific IP?

Yeah, I would also appreciate a bit more documentation on the syntax of the routing-policy file.

 

[heysoundude]

I believe it's kernel related. Merlin stays with the base ASUS code which is using the 2.6.36.4 linux kernel. Wireguard needs at least 3.10. If you install OpenWRT then you can use wireguard but on the ASUS codebase the kernel version is too old.

It's crazy how WireGuard is making me reconsider EVERYTHING about my network and connection to the interwebs.

It's strange we have desktops with similar processing power running kernel 4.xx, yet the routers we connect thru are back, what, a decade? in the code dep't.

I'm on the cusp of a router upgrade and while the (subjectively) faster/better radios are the attractor, I suspect it would likely be better to set up a RasPi as router with the radio stuff handled by a modern AP. that's sad because I love the add-on scripts amtm, diversion, etc and how bloody easy they are.

 

[Shasarak]

I suspect it would likely be better to set up a RasPi as router

Off topic, but even the Raspberry Pi 3B+ is limited to about 300Mb/s over Ethernet - is that fast enough?

 

[RMerlin]

It's strange we have desktops with similar processing power running kernel 4.xx, yet the routers we connect thru are back, what, a decade? in the code dep't.

Main reason is driver support for your desktop is mainlined in the kernel, while for embedded devices it's done by the hardware manufacturer.

 

[Odkrys]

What would the policy be if I wanted to exclude an IP rather than include a specific IP?

ip rule del prio 11000 2>/dev/null
ip rule del prio 11111 2>/dev/null
ip rule add from 192.168.1.x lookup main prio 11000
ip rule add from 192.168.1.0/24 lookup 117 prio 11111

 

[heysoundude]

Main reason is driver support for your desktop is mainlined in the kernel, while for embedded devices it's done by the hardware manufacturer.

Are you suggesting that informed, aware consumers should share their desires with the manufacturers more often? (I agree)

 

[heysoundude]

Off topic, but even the Raspberry Pi 3B+ is limited to about 300Mb/s over Ethernet - is that fast enough?

For me, yes, and I suspect for most home users as well.
I'm not one to swap technology with each new model (or standard for that matter), preferring to wait until near end of useful life or the absolute need arises.
That doesn't mean that one shouldn't do some comparison shopping between similar machines like the beaglebone or odroid; if the ferrari/lambo is the same price as the corvette/lotus/maserati you can afford/are willing to pay for, you owe it to yourself to compare performance, right?

 

[RMerlin]

Are you suggesting that informed, aware consumers should share their desires with the manufacturers more often? (I agree)

Won't change much. It all comes down to profitability. Constantly upgrading the kernel is an expensive task. You need to re-test your entire software stack every time you do so. You might need to rewrite portions of your code to handle kernel changes. For instance, the Linux kernel went through locking changes with 2.6.39 which requires a fair amount of driver code to be modified. Iptables changes also occured with 3.10, which breaks compatibility with third party modules as well. This is the reason for instance why I can no longer support IPTraffic on the 4.1-based RT-AC86U - that module no longer works with kernels > 3.10, and would require an almost complete rewrite.

It's much more profitable for manufacturers to develop new products, and drop any active development of previous ones.

So, all routers based on the Broadcom 6.37 and 7.x SDK will always be on kernel 2.6.36, those on the Broadcom HND 5.02 SDK will be on kernel 4.1.

It's the norm for the majority of embedded devices out there. Your Nexus 5X kernel version is the same in Android 8.1 as it was in 6.0.

 

[aramisathei]

Thanks for all the help with this. With the routing policies this is amazing.
One thing I've noticed is that with the router running wireguard as a client, it seems like the router OpenVPN server can no longer route any traffic (even locally).

Specifically, cell phone can connect to the router that's behind wireguard, but can't route traffic either locally within the intranet, or through the internet, even when the OpenVPN IP range (10.9.x.x) is included or excluded from the policy.

 

[Odkrys]

Thanks for all the help with this. With the routing policies this is amazing.
One thing I've noticed is that with the router running wireguard as a client, it seems like the router OpenVPN server can no longer route any traffic (even locally).

Specifically, cell phone can connect to the router that's behind wireguard, but can't route traffic either locally within the intranet, or through the internet, even when the OpenVPN IP range (10.9.x.x) is included or excluded from the policy.

Works well here. Did you try reboot?

 

[aramisathei]

I did, and it didn't seem to help.
Maybe there's a problem with my OpenServer config?
https://imgur.com/a/mO8fKxb

 

[Odkrys]

I did, and it didn't seem to help.
Maybe there's a problem with my OpenServer config?
https://imgur.com/a/mO8fKxb

disable compression and try again

 

[aramisathei]

Tried that as well. No joy.
Here's the openvpn.conf and wg-policy if it helps:

ip rule del prio 11000 2>/dev/null
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.71.125 lookup main prio 11000
ip rule add from 192.168.71.0/24 lookup 117 prio 11111
ip rule add from 10.9.0.0/24 lookup 117 prio 11112

 

[Odkrys]

Tried that as well. No joy.
Here's the openvpn.conf and wg-policy if it helps:

ip rule del prio 11000 2>/dev/null
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.71.125 lookup main prio 11000
ip rule add from 192.168.71.0/24 lookup 117 prio 11111
ip rule add from 10.9.0.0/24 lookup 117 prio 11112

sorry, I don't route client to wg server.
try tap mode.

 

[aramisathei]

Tap didn't work either.
Thing is, I'm not sure it's even a wg issue.
Ran into the same problem when I routed the VPN ip range through main, and even when the router was running through an openvpn client through the same provider.
Only time it seems to work is if the router isn't connected to any form of vpn, even though it can always find and connect to the router, just not route traffic if there's another VPN involved

Edit: I'm dumb. Tap was only configured in client; not on the server. Works great now.
Thanks so much for your help!

 

[Islandspapand]

Hello
I was woundering if it was possible
to get a some help on how to setup wireguard as a server on the router so I can connect client to my home net.
Much appreciated.
PS network is unfortunately not my strong point.

 

[Odkrys]

Hello
I was woundering if it was possible
to get a some help on how to setup wireguard as a server on the router so I can connect client to my home net.
Much appreciated.
PS network is unfortunately not my strong point.

updated

 

[Odkrys]

Could it have to do with the DNS settings? Since we don't enter any DNS settings in the WireGuard config, so the routering stopps working after some hours?

Now client default route mode supports DNS configuration.
Set wgdns= value.

 

[Sylphia]

Just FYI, you can easily build your own copy of wireguard with commands below:

# libmnl, maybe a bit wrong cause I lost the record
CFLAGS="-I/home/sylphia/dists/aarch64-linux/include" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 LD=aarch64-buildroot-linux-gnu-ld CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists

CPU_V7=y CFLAGS="-I/home/sylphia/dists/aarch64-linux/include -O3 -mcpu=cortex-a53+crypto -march=armv8-a+crypto+crc+simd" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists clean

CPU_V7=y CFLAGS="-I/home/sylphia/dists/aarch64-linux/include -O3 -mcpu=cortex-a53+crypto -march=armv8-a+crypto+crc+simd" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists module

cd tools/
CC=arm-buildroot-linux-gnueabi-gcc CFLAGS="-I/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/router/libmnl/staged/usr/include" LDFLAGS="-L/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/router/libmnl/staged/usr/lib" make WITH_BASHCOMPLETION=no WITH_SYSTEMDUNITS=no

Just copy 'wireguard.ko' and 'wg' to your router's /jffs, 'insmod /jffs/wireguard.ko' and follow other tutorials.

 

[Odkrys]

I have attached client QRcode generator script.
It will useful when you run WireGuard as server.

Please read 4.5 Generate client QRcode.

P.S The script is not perfect ' -';;