What's new

[Experimental] WireGuard for HND platform (4.1.x kernels)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I believe it's kernel related. Merlin stays with the base ASUS code which is using the 2.6.36.4 linux kernel. Wireguard needs at least 3.10. If you install OpenWRT then you can use wireguard but on the ASUS codebase the kernel version is too old.

It's crazy how WireGuard is making me reconsider EVERYTHING about my network and connection to the interwebs.

It's strange we have desktops with similar processing power running kernel 4.xx, yet the routers we connect thru are back, what, a decade? in the code dep't.

I'm on the cusp of a router upgrade and while the (subjectively) faster/better radios are the attractor, I suspect it would likely be better to set up a RasPi as router with the radio stuff handled by a modern AP. that's sad because I love the add-on scripts amtm, diversion, etc and how bloody easy they are.
 
It's strange we have desktops with similar processing power running kernel 4.xx, yet the routers we connect thru are back, what, a decade? in the code dep't.

Main reason is driver support for your desktop is mainlined in the kernel, while for embedded devices it's done by the hardware manufacturer.
 
Main reason is driver support for your desktop is mainlined in the kernel, while for embedded devices it's done by the hardware manufacturer.
Are you suggesting that informed, aware consumers should share their desires with the manufacturers more often? (I agree)
 
Off topic, but even the Raspberry Pi 3B+ is limited to about 300Mb/s over Ethernet - is that fast enough?
For me, yes, and I suspect for most home users as well.
I'm not one to swap technology with each new model (or standard for that matter), preferring to wait until near end of useful life or the absolute need arises.
That doesn't mean that one shouldn't do some comparison shopping between similar machines like the beaglebone or odroid; if the ferrari/lambo is the same price as the corvette/lotus/maserati you can afford/are willing to pay for, you owe it to yourself to compare performance, right?
 
Are you suggesting that informed, aware consumers should share their desires with the manufacturers more often? (I agree)

Won't change much. It all comes down to profitability. Constantly upgrading the kernel is an expensive task. You need to re-test your entire software stack every time you do so. You might need to rewrite portions of your code to handle kernel changes. For instance, the Linux kernel went through locking changes with 2.6.39 which requires a fair amount of driver code to be modified. Iptables changes also occured with 3.10, which breaks compatibility with third party modules as well. This is the reason for instance why I can no longer support IPTraffic on the 4.1-based RT-AC86U - that module no longer works with kernels > 3.10, and would require an almost complete rewrite.

It's much more profitable for manufacturers to develop new products, and drop any active development of previous ones.

So, all routers based on the Broadcom 6.37 and 7.x SDK will always be on kernel 2.6.36, those on the Broadcom HND 5.02 SDK will be on kernel 4.1.

It's the norm for the majority of embedded devices out there. Your Nexus 5X kernel version is the same in Android 8.1 as it was in 6.0.
 
Thanks for all the help with this. With the routing policies this is amazing.
One thing I've noticed is that with the router running wireguard as a client, it seems like the router OpenVPN server can no longer route any traffic (even locally).

Specifically, cell phone can connect to the router that's behind wireguard, but can't route traffic either locally within the intranet, or through the internet, even when the OpenVPN IP range (10.9.x.x) is included or excluded from the policy.
 
Last edited:
Thanks for all the help with this. With the routing policies this is amazing.
One thing I've noticed is that with the router running wireguard as a client, it seems like the router OpenVPN server can no longer route any traffic (even locally).

Specifically, cell phone can connect to the router that's behind wireguard, but can't route traffic either locally within the intranet, or through the internet, even when the OpenVPN IP range (10.9.x.x) is included or excluded from the policy.

Works well here. Did you try reboot?
 
Tried that as well. No joy.
Here's the openvpn.conf and wg-policy if it helps:

ip rule del prio 11000 2>/dev/null
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.71.125 lookup main prio 11000
ip rule add from 192.168.71.0/24 lookup 117 prio 11111
ip rule add from 10.9.0.0/24 lookup 117 prio 11112
 
Tried that as well. No joy.
Here's the openvpn.conf and wg-policy if it helps:

ip rule del prio 11000 2>/dev/null
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.71.125 lookup main prio 11000
ip rule add from 192.168.71.0/24 lookup 117 prio 11111
ip rule add from 10.9.0.0/24 lookup 117 prio 11112
sorry, I don't route client to wg server.
try tap mode.
 
Tap didn't work either.
Thing is, I'm not sure it's even a wg issue.
Ran into the same problem when I routed the VPN ip range through main, and even when the router was running through an openvpn client through the same provider.
Only time it seems to work is if the router isn't connected to any form of vpn, even though it can always find and connect to the router, just not route traffic if there's another VPN involved

Edit: I'm dumb. Tap was only configured in client; not on the server. Works great now.
Thanks so much for your help!
 
Last edited:
Hello
I was woundering if it was possible
to get a some help on how to setup wireguard as a server on the router so I can connect client to my home net.
Much appreciated.
PS network is unfortunately not my strong point.
 
Could it have to do with the DNS settings? Since we don't enter any DNS settings in the WireGuard config, so the routering stopps working after some hours?
Now client default route mode supports DNS configuration.
Set wgdns= value.
 
Just FYI, you can easily build your own copy of wireguard with commands below:

Code:
# libmnl, maybe a bit wrong cause I lost the record
CFLAGS="-I/home/sylphia/dists/aarch64-linux/include" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 LD=aarch64-buildroot-linux-gnu-ld CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists

CPU_V7=y CFLAGS="-I/home/sylphia/dists/aarch64-linux/include -O3 -mcpu=cortex-a53+crypto -march=armv8-a+crypto+crc+simd" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists clean

CPU_V7=y CFLAGS="-I/home/sylphia/dists/aarch64-linux/include -O3 -mcpu=cortex-a53+crypto -march=armv8-a+crypto+crc+simd" LDFLAGS="-L/home/sylphia/dists/aarch64-linux/lib -lmnl" make ARCH=arm64 CROSS_COMPILE=aarch64-buildroot-linux-gnu- KERNELDIR=/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1 PREFIX=/home/sylphia/dists module

cd tools/
CC=arm-buildroot-linux-gnueabi-gcc CFLAGS="-I/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/router/libmnl/staged/usr/include" LDFLAGS="-L/home/sylphia/asuswrt-merlin.ng/release/src-rt-5.02hnd/router/libmnl/staged/usr/lib" make WITH_BASHCOMPLETION=no WITH_SYSTEMDUNITS=no

Just copy 'wireguard.ko' and 'wg' to your router's /jffs, 'insmod /jffs/wireguard.ko' and follow other tutorials.
 
I have attached client QRcode generator script.
It will useful when you run WireGuard as server.

Please read 4.5 Generate client QRcode.

P.S The script is not perfect ' -';;
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top