Asus Merlin on Asus ZenWIFI Pro XT12 can't install Entware as USB is required but router doesn't have one.


Before we start to troubleshoot, I think I see a problem with the wg-client script that might be affecting things. Basically, the DNS is not being handled right. Can you replace the contents of your wg-client file with the following;

Code:
#!/bin/sh

KERNEL=$(uname -r)

# This is the IP address provided by your VPN provider
LocalIP="10.14.0.2"
wgdns1="162.252.172.57"
wgdns2="149.154.159.92"

# Load the kernel modules the tunnel and firewall rules need
modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

# Recreate the wg0 interface from scratch and apply the WireGuard config
ip link del dev wg0 2>/dev/null
ip link add dev wg0 type wireguard
wg setconf wg0 /jffs/addons/wireguard/wg0.conf
ip address add dev wg0 $LocalIP
ip link set up dev wg0
ifconfig wg0 mtu 1350
ifconfig wg0 txqueuelen 1000

# Keep the route to the VPN endpoint on the existing gateway, so the tunnel's
# own packets are not sent into wg0
host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
ip route add $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null
# Two half-default routes send everything else through wg0 without replacing
# the existing default route
ip route add 0/1 dev wg0
ip route add 128/1 dev wg0

# Delete any copies of the rules left by an earlier run, so re-running the
# script does not stack duplicates
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

# Insert the rules: clamp TCP MSS to the path MTU, mark tunnel traffic, and
# masquerade LAN traffic leaving through wg0
iptables -t mangle -I FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE

# Back up dnsmasq's current upstream list, then point it at the VPN DNS servers
cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
echo "server=$wgdns1" > /tmp/resolv.dnsmasq
echo "server=$wgdns2" >> /tmp/resolv.dnsmasq
service restart_dnsmasq

I also changed the MTU to 1350 to see if that improves things as well.

Note too that I have updated the original post.

Let me know.
(The trouble with not being able to test beforehand.)
Also, doing more testing, you were right: I checked the CPU usage while the script is running and it's all on full load for some reason. If there's another way to make it use less CPU, it would be nice. Also, in the picture below you can see 405.21 MB free space, so another idea would be if we can use atam to install Entware to that area of the router, as well as other packages; it would be amazing. Unless I'm talking about RAM, but there's still free space in the JFFS partition, around 44 MB, so is it possible to install packages there?
 
I did adjust the MTU down to 1350 as was suggested in one post I was reading. Putting the MTU back to 1380 may solve some of the instability. We don't really have anything as a good comparison as the script fault yesterday would mean we were not using the DNS servers SurfShark's config file was pointing to. If the script fix today is making the DNS setting stick, then perhaps SurfShark's DNS servers are also the best.

I just want to make sure that dnsmasq is actually keeping the new DNS server settings, would you be able to post the output of the following command;

Code:
cat /tmp/resolv.dnsmasq

As far as installing Entware to the JFFS partition, the JFFS is way too small. Not to mention it is a real PITA when it is full (as in the router becomes unusable).

The 405MB of free space you are referring to is free RAM. This space is not static. Turn the router off, or reboot the router, this storage disappears. You can't put Entware there.

I'm afraid that I can not do much more in the way of optimizing. Other than getting the tunnel working, I've never worked with the client side of Wireguard in a commercial VPN provider - just setting up client files for the family to reach my network remotely to access my NAS for backing up stuff.

The CPU usage likely will not be pegged all the time. You are not likely saturating the VPN tunnel all the time (i.e., you are pushing/receiving 400Mbits continually all the time). There may be other inner workings of the XT12 that may be in conflict. I just don't know that router.
 
Okay, I'll do some research on it. I heard about someone on Linux disabling IPv6; it might help. But yeah, anyway, @Jeffrey Young, thank you for your help and the command. I set it to be using 1.1.1.1 and 1.0.0.1 instead.
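
An added example, not written by anyone in the thread: a POSIX sh check for the step discussed above, confirming that the file dnsmasq reads (`/tmp/resolv.dnsmasq` on this router) still lists only the resolvers the tunnel is meant to use, so lookups are not going to a resolver you did not choose. The names `check_upstreams` and `demo` and the address 192.0.2.53 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the wg-client script posted in the thread.
# check_upstreams FILE IP...  compares the "server=" lines in FILE with the
# resolvers the tunnel is meant to use.
# Returns 0 = exact match, 1 = unexpected resolver present,
#         2 = expected resolver missing, 3 = FILE unreadable.
check_upstreams() {
    file=$1; shift
    [ -r "$file" ] || return 3
    rc=0; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            server=*) ip=${line#server=} ;;
            *) continue ;;            # comments, blanks, other options
        esac
        ip=${ip##*/}                  # server=/domain/IP -> IP
        ip=${ip%%#*}                  # drop "#port"
        ip=${ip%%@*}                  # drop "@interface"
        seen="$seen$ip "
        case " $* " in
            *" $ip "*) ;;
            *) echo "unexpected upstream: $ip"; rc=1 ;;
        esac
    done < "$file"
    for want in "$@"; do
        case $seen in
            *" $want "*) ;;
            *) echo "missing upstream: $want"
               if [ "$rc" -eq 0 ]; then rc=2; fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample files: one as the script leaves it, one after some
# other process has replaced a resolver (192.0.2.53 is a placeholder).
demo() {
    d=$(mktemp -d) || return 3
    printf 'server=162.252.172.57\nserver=149.154.159.92\n' > "$d/ok"
    printf 'server=162.252.172.57\nserver=192.0.2.53\n' > "$d/changed"
    for f in ok changed; do
        if check_upstreams "$d/$f" 162.252.172.57 149.154.159.92
        then echo "$f: match"; else echo "$f: mismatch (rc=$?)"; fi
    done
    rm -rf "$d"
}
demo
```

On the router the call would be `check_upstreams /tmp/resolv.dnsmasq` followed by the resolver addresses you intend to use.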