Asus Merlin on Asus ZenWIFI Pro XT12 cant install Entware as USB is required but router doesn't have one.

[rayyan]

So today i installed Merlin Fw on my XT12 to get wireguard setup however i need to install entware but it needs to be installed on a usb but the router doesn't have one so what can i do to make this work??

 

[L&LD]

Welcome to the forums @rayyan.

Buy another router?

Or, wait for the 388.xx firmware where WG may be included from Asus.

 

[rayyan]

Welcome to the forums @rayyan.

Buy another router?

Or, wait for the 388.xx firmware where WG may be included from Asus.

just dropped like £700 on this and the version is 386.7_2 and i see no wireguard option in the menu

 

[L&LD]

And where did it state WG would be included, before you bought it?

 

[rayyan]

well it didnt state it anywhere bc i when i do amtm i see wireguard so i tried installing it but it dosnt as it needs a usb

 

[L&LD]

Yes. User error (assumptions) before purchase.

As I said, it may (no guarantee) be included in the 388.xx firmware that is slowly coming out for various models from Asus.

RMerlin may have a version with WG included sometime around the new year.

 

[rayyan]

Yes. User error (assumptions) before purchase.

As I said, it may (no guarantee) be included in the 388.xx firmware that is slowly coming out for various models from Asus.

RMerlin may have a version with WG included sometime around the new year.

ahh i c

 

[Jeffrey Young]

The Wireguard kernel and user space tools are likely already on your router if you have the 386.x Merlin installed. Depending on what you want to do with Wireguard and how comfortable you are in using Wireguard, you can do the scripts yourself in jffs scripts.

The Wireguard utility that Martineau built (that can be installed with AMTM) is a great tool, but it does require Entware because SQLite (among other utilities) are used to manage all the Wireguard configurations. If your setup is simple enough, you can do the work yourself.

I setup a Wireguard Server on my AC86U using just the kernel module and user space tool before the Martineau polished his script.

 

[rayyan]

The Wireguard kernel and user space tools are likely already on your router if you have the 386.x Merlin installed. Depending on what you want to do with Wireguard and how comfortable you are in using Wireguard, you can do the scripts yourself in jffs scripts.

The Wireguard utility that Martineau built (that can be installed with AMTM) is a great tool, but it does require Entware because SQLite (among other utilities) are used to manage all the Wireguard configurations. If your setup is simple enough, you can do the work yourself.

I setup a Wireguard Server on my AC86U using just the kernel module and user space tool before the Martineau polished his script.

and how do i do this btw i know to configure wiregaurd and yea

 

[Jeffrey Young]

OK, so you don't have a USB key, so everything has to go into the /jffs directory. I also start my wireguard server from the Entware startup directory, so we will have to move some commands to your services-start file instead. I've edited my files the best I could to work in your environment, but you may have to do some troubleshooting.

EDIT: For clarity, this setup is for hosting a Wireguard SERVER

First thing into make a wireguard directory in your JFFS partition. I'm assuming /jffs/addons/wireguard

Here is my wireguard.conf file. Yours would be in /jffs/addons/wireguard/wg1.conf

Spoiler: Wireguard conf file

## Set Up WireGuard VPN on Asus/Merlin By Editing/Creating wg1.conf File ##
# Peer script used by non wg-quick method of bringing up wire guard on router

[Interface]
ListenPort = 51006
PrivateKey = ***************

[Peer]
## Client 1 ##
PublicKey = ***********
PresharedKey = *************
AllowedIPs = 10.100.10.10/32

Your wireguard startup script /jffs/addons/wireguard/wg-server

EDIT: Changed a path in the wg-server script to work from jffs

Spoiler: wg-server script

#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24 # Use your WG subnet
WGport=51006 # Use your WG Port

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
ifconfig wg1 mtu 1380 # origional set by setup script
# ifconfig wg1 mtu 1440
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT

You may need to check where the wireguard kernel is stored on your router. In helping another fella get UPS NUT working, we found out that the kernel modules are not in the same spot across all routers.

Since a firewall restart will wipe out iptables rules out, we will need a /jffs/scripts/nat-start file and place the following in it

Spoiler: nat-start

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
           /jffs/addons/wireguard/wg-down
           /jffs/addons/wireguard/wg-server
fi

Now, to start your server when the router starts, add the following code to your /jffs/scripts/services-start

Spoiler: services-start

#!/bin/sh

logger "Starting WireGuard service."
/jffs/addons/wireguard/wg-server

Make sure all the files have the proper execute permissions. Good idea to restrict read permission also to just the root user (your router admin).

Also make sure your have scripts enabled in the router GUI.

Lastly, if the wg-down script is

Spoiler: wg-down

#!/bin/sh

WGaddress=10.100.10.1/24 # Use your WG subnet
WGport=51006 # Use your WG Port

rmmod wireguard 2>/dev/null

#server

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

exit 0

Let me know how things work out. Very much interested. Like I said, I modified these scripts as well as I could for your environment, but I could not test them.

EDIT2: It took me some time to find the author here that helped me set this up, but I finally did. Tons of credit to @Odkrys for his original work on this project.

 

[rayyan]

OK, so you don't have a USB key, so everything has to go into the /jffs directory. I also start my wireguard server from the Entware startup directory, so we will have to move some commands to your services-start file instead. I've edited my files the best I could to work in your environment, but you may have to do some troubleshooting.

First thing into make a wireguard directory in your JFFS partition. I'm assuming /jffs/addons/wireguard

Here is my wireguard.conf file. Yours would be in /jffs/addons/wireguard/wg1.conf

Spoiler: Wireguard conf file

## Set Up WireGuard VPN on Asus/Merlin By Editing/Creating wg1.conf File ##
# Peer script used by non wg-quick method of bringing up wire guard on router

[Interface]
ListenPort = 51006
PrivateKey = ***************

[Peer]
## Client 1 ##
PublicKey = ***********
PresharedKey = *************
AllowedIPs = 10.100.10.10/32

Your wireguard startup script /jffs/addons/wireguard/wg-server

EDIT: Changed a path in the wg-server script to work from jffs

Spoiler: wg-server script

#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24 # Use your WG subnet
WGport=51006 # Use your WG Port

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
ifconfig wg1 mtu 1380 # origional set by setup script
# ifconfig wg1 mtu 1440
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT

You may need to check where the wireguard kernel is stored on your router. In helping another fella get UPS NUT working, we found out that the kernel modules are not in the same spot across all routers.

Since a firewall restart will wipe out iptables rules out, we will need a /jffs/scripts/nat-start file and place the following in it

Spoiler: nat-start

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
           /jffs/addons/wireguard/wg-down
           /jffs/addons/wireguard/wg-server
fi

Now, to start your server when the router starts, add the following code to your /jffs/scripts/services-start

Spoiler: services-start

#!/bin/sh

logger "Starting WireGuard service."
/jffs/addons/wireguard/wg-server

Make sure all the files have the proper execute permissions. Good idea to restrict read permission also to just the root user (your router admin).

Also make sure your have scripts enabled in the router GUI.

Lastly, if the wg-down script is

Spoiler: wg-down

#!/bin/sh

WGaddress=10.100.10.1/24 # Use your WG subnet
WGport=51006 # Use your WG Port

rmmod wireguard 2>/dev/null

#server

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

exit 0

Let me know how things work out. Very much interested. Like I said, I modified these scripts as well as I could for your environment, but I could not test them.

EDIT2: It took me some time to find the author here that helped me set this up, but I finally did. Tons of credit to @Odkrys for his original work on this project.

i cant get it to work i got the dump of the jffs partion is it okay if you can check it out if its okay

backup_jffs (1) – Google Drive

drive.google.com

all im trying to do is set up wireguard as a client to make my network secure with a VPN on

 

[Jeffrey Young]

@rayyan

Some things to check;

1. Verify that the wireguard.ko kernel module actually exists at the path given in the wg-server file. If the module is not there, it may be hiding somewhere else (use find /lib -name wireguard.ko). If the kernel module is not there, then the rest of the exercise is pointless.

2. You have named your wg-server script wg-server.sh in /jffs/addons/wireguard. If you want to keep this file name, you need to edit /jffs/scripts/services-start and change the wg-server name there as well. You will need to change the name in /jffs/scripts/nat-start as well. Otherwise, get rid of the .sh extention.

3. Your nat-start file in /jffs/scripts is misspelled (you have nat-star).

4. The wg-down script should be in /jffs/addons/wireguard (currently you have it in /jffs/scripts).

5. For the wg1.conf file, you have not replaced the preshared key with a properly generated preshared key. If you don't use preshared keys, remove this line from the file.

6. Depending on how you created these files, you may need to use dos2unix utility to change the line feeds characters to unix style (should not be needed if you used nano right in the shell).

7. Make sure you have the execute permission set on the services-start, nat-start, wg-server, and wg-down scripts (chmod u+x <files>)

From the shell prompt, run the wg-server from the command line (./wg-server) and see what errors you get.

 

[rayyan]

@rayyan

Some things to check;

1. Verify that the wireguard.ko kernel module actually exists at the path given in the wg-server file. If the module is not there, it may be hiding somewhere else (use find /lib -name wireguard.ko). If the kernel module is not there, then the rest of the exercise is pointless.

2. You have named your wg-server script wg-server.sh in /jffs/addons/wireguard. If you want to keep this file name, you need to edit /jffs/scripts/services-start and change the wg-server name there as well. You will need to change the name in /jffs/scripts/nat-start as well. Otherwise, get rid of the .sh extention.

3. Your nat-start file in /jffs/scripts is misspelled (you have nat-star).

4. The wg-down script should be in /jffs/addons/wireguard (currently you have it in /jffs/scripts).

5. For the wg1.conf file, you have not replaced the preshared key with a properly generated preshared key. If you don't use preshared keys, remove this line from the file.

6. Depending on how you created these files, you may need to use dos2unix utility to change the line feeds characters to unix style (should not be needed if you used nano right in the shell).

7. Make sure you have the execute permission set on the services-start, nat-start, wg-server, and wg-down scripts (chmod u+x <files>)

From the shell prompt, run the wg-server from the command line (./wg-server) and see what errors you get.

Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard# ./wg-server
insmod: can't insert '/lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko': File exists
Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard# find /lib -name wireguard.ko
/lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko
Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard#

 

[Jeffrey Young]

insmod: can't insert '/lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko': File exists

That just means that the module has already been inserted into the kernel. You can ignore it. The wireguard.ko module either got loaded in your previous troubleshooting efforts, or Asus is now loading it by default. Either way, you got no other errors.

If you run ip addr show | grep wg1, you should see the wg1 interface.

 

[Jeffrey Young]

Something like this;

ClientAdmin@RTAC86U:/tmp/home/root# ip addr show | grep wg1
22: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.100.10.1/24 scope global wg1

If you don't see that, edit the wg-server script and put the line set -x right after the shebang line (#!/bin/sh) and rerun the script. That will print extra verbose info as the script runs so you can see what is going on

 

[rayyan]

Something like this;

ClientAdmin@RTAC86U:/tmp/home/root# ip addr show | grep wg1
22: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.100.10.1/24 scope global wg1

If you don't see that, edit the wg-server script and put the line set -x right after the shebang line (#!/bin/sh) and rerun the script. That will print extra verbose info as the script runs so you can see what is going on

ASUSWRT-Merlin XT12 386.7_2 Sun Jul 24 21:37:08 UTC 2022
Home@ZenWiFi_Pro_XT12-DD10:/tmp/home/root# ip addr show | grep wg1
35: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.100.10.1/24 scope global wg1
Home@ZenWiFi_Pro_XT12-DD10:/tmp/home/root#

yea i got the same thing as you but the main question is how do i connect to a vpn over wg as i have no wg client option on web UI soo how would i connect to a server? aslo i done the set -x thing and the output is below


Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard# ./wg-server
+ uname -r
+ KERNEL=4.19.183
+ WGaddress=10.100.10.1/24
+ WGport=51006
+ modprobe xt_set
+ insmod /lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko
insmod: can't insert '/lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko': File exists
+ ip link del dev wg1
+ ip link add dev wg1 type wireguard
+ wg setconf wg1 /jffs/addons/wireguard/wg1.conf
+ ip address add dev wg1 10.100.10.1/24
+ ip link set up dev wg1
+ ifconfig wg1 mtu 1380
+ ifconfig wg1 txqueuelen 1000
+ iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7
+ iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
+ iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -D INPUT -p udp --dport 51006 -j ACCEPT
+ iptables -D INPUT -i wg1 -j ACCEPT
+ iptables -D FORWARD -i wg1 -j ACCEPT
+ iptables -D FORWARD -o wg1 -j ACCEPT
+ iptables -D OUTPUT -o wg1 -j ACCEPT
+ iptables -t nat -D PREROUTING -p udp --dport 51006 -j ACCEPT
+ iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
+ iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7
+ iptables -I INPUT -p udp --dport 51006 -j ACCEPT
+ iptables -I INPUT -i wg1 -j ACCEPT
+ iptables -I FORWARD -i wg1 -j ACCEPT
+ iptables -I FORWARD -o wg1 -j ACCEPT
+ iptables -I OUTPUT -o wg1 -j ACCEPT
+ iptables -t nat -I PREROUTING -p udp --dport 51006 -j ACCEPT
Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard#

 

[Jeffrey Young]

So, what we have done so far is made your router into a VPN server. You can now VPN into your home network when you are away and access your home resources. You just need to create peer keys for the folks you want to have access. The clients in this case would be wireguard clients on other computers that you want to be able to access your network while away from home.

Now, it sounds like what you really wanted (and maybe I misunderstood your intent in the beginning) is to use Wireguard to actually VPN out from your router to another service right? If this is the case, the basic setup is the same. You just need to set up your peer/server information in wg1.conf to match what your provider has given you. After that, we will have to come up with different firewall and routing rules depending on what exactly you want to do. I would have to do some research myself, but I don't imagine it will be too difficult. It is just a matter of changing the wg-server script to setup the right rules (firewall and routes).

Also, thinking more about this. We may not need the services-start script. As long as the nat-start script gets run on boot up of the router, then the wg-server script is going to get called anyway from nat-start.
EDIT: On review and second thought, the nat-start script checks first if the wg interface is up. So we still need the services-start script to start the wg interface first.

Maybe tell me exactly what you are trying to do with Wireguard and we can see if we can get things set up. I am open to do some learning.

 

[rayyan]

So, what we have done so far is made your router into a VPN server. You can now VPN into your home network when you are away and access your home resources. You just need to create peer keys for the folks you want to have access. The clients in this case would be wireguard clients on other computers that you want to be able to access your network while away from home.

Now, it sounds like what you really wanted (and maybe I misunderstood your intent in the beginning) is to use Wireguard to actually VPN out from your router to another service right? If this is the case, the basic setup is the same. You just need to set up your peer/server information in wg1.conf to match what your provider has given you. After that, we will have to come up with different firewall and routing rules depending on what exactly you want to do. I would have to do some research myself, but I don't imagine it will be too difficult. It is just a matter of changing the wg-server script to setup the right rules (firewall and routes).

Also, thinking more about this. We may not need the services-start script. As long as the nat-start script gets run on boot up of the router, then the wg-server script is going to get called anyway from nat-start.

Maybe tell me exactly what you are trying to do with Wireguard and we can see if we can get things set up. I am open to do some learning.

so what im trying to do is protect every device with a vpn connection for example like i have my pc connected to surfshark so instead of downloading the app on every single device id rather have all trafic going thought the router via a vpn like setting a openvpn client on the router but with wireguard as its faster so i want to add this config file to the router instead u can also use this if u want

 

[Jeffrey Young]

Alright, we can do this. So we are going to have to do some changes. We are going to use this post for some guidance.

[Experimental] WireGuard for HND platform (4.1.x kernels)

1. Install WireGuard You need Entware-aarch64-3.10 to use wireguard without a new firmware build. ㅡ Kernel Module ㅡ RT-AC86U, GT-AC2900 - 4.1.27 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk opkg install...

www.snbforums.com

Give me a bit to wrap my head around what we need to do to get this working (basiclly, we have to rework things to make it work from jffs partition instead of the Entware.

The file you posted has sensitive info. Please delete it asap so that others can not take advantage of you. I got what I need to help create a setup. You may need to give me a day or two.

 

[rayyan]

Alright, we can do this. So we are going to have to do some changes. We are going to use this post for some guidance.

[Experimental] WireGuard for HND platform (4.1.x kernels)

1. Install WireGuard You need Entware-aarch64-3.10 to use wireguard without a new firmware build. ㅡ Kernel Module ㅡ RT-AC86U, GT-AC2900 - 4.1.27 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk opkg install...

www.snbforums.com

Give me a bit to wrap my head around what we need to do to get this working (basiclly, we have to rework things to make it work from jffs partition instead of the Entware.

The file you posted has sensitive info. Please delete it asap so that others can not take advantage of you. I got what I need to help create a setup. You may need to give me a day or two.

yea sure man take your time and im here for testing btw i really appreciate it man thanks bro