YazFi: Can't make YazFi work with WireGuard


Jacky0611

First of all, here is my current spec.

AX86U running on 3004.388.8_4
YazFi v4.4.4

I know that by default YazFi does not work with WireGuard because of its firewall rules.

After an extensive search, I found that I can add custom firewall rules for YazFi to work with WireGuard.

I tried, but it still didn't work.

Since I'm not familiar with Linux commands, can anyone help me check whether there is anything wrong with each command?

Here are the steps I tried to make wgc1 work with Guest Network 1.

1. open a script
Code:
nano /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

2. type the following into the script and save
Code:
#!/bin/sh
# Allow Guest Network 1 (wl1.1) to send traffic out through WireGuard client 1 (wgc1)
iptables -I YazFiFORWARD -i wl1.1 -o wgc1 -j ACCEPT
# Allow replies belonging to those connections back from the tunnel to the guest network
iptables -I YazFiFORWARD -i wgc1 -o wl1.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept traffic from the guest network to the router itself
iptables -I YazFiINPUT -i wl1.1 -j ACCEPT

3. make the script executable
Code:
chmod +x /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

4. execute the script
Code:
/jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

5. Add rule in VPN Director to direct traffic from 192.168.5.0/24 to wgc1 (see the attached pic)
Attachments: 2.jpg, 1.jpg

These are the steps I tried, but I'm still unable to connect to the internet using the SSID of Guest Network 1.
 
As a troubleshooting step, if you haven't done so already, don't use Guest Network #1; try using Guest Network #2 or #3. The Asus firmware treats Guest Network #1 differently than Guest Network #2 or #3.

PS: Looking at the YazFi code quickly, it appears only OpenVPN is supported. A quick search for YazFi and WireGuard seems to show no one has conclusively gotten WireGuard to work with YazFi.

Because Jack Yaz is no longer actively developing YazFi, it would require someone else to actively code for it. And user @Martinski, who has made some minor updates to YazFi recently, indicated the following back in 2023 on the WireGuard/YazFi issue. Don't know if he's indicated anything changing since that post.
Sorry to say, but I cannot help. I don't subscribe to any commercial VPN providers & I don't have any VPN clients set up on my own router. The only VPN Servers I currently use are from the company I work for & the ones on ASUS routers (mine & those from relatives & friends for maintenance purposes) so that I can connect remotely when needed using my work PC or my personal PCs/tablets/phones. The bottom line is that I'm not in a position where I can test & validate any changes made in the YazFi code regarding OpenVPN or Wireguard clients.
 
As @bennor suggests, YazFi is no longer supported by the author, so use it at your own risk. It doesn't surprise me in the least that it is increasingly subject to issues as the code grows stale over time.
 
Post in thread 'Use wireguard for Yazfi'
https://www.snbforums.com/threads/use-wireguard-for-yazfi.82160/post-806768


This is the post and guidance I found saying that it is possible to modify the YazFi firewall to allow traffic to be directed to the WireGuard interface, although it is talking about the third-party wgm plugin instead of the official WireGuard client.

So I'm curious whether these methods still work today, since the guidance is 2 years old. And, if they still work, could someone help me take a look at each step to make sure I didn't do something wrong.
 
In the Yazfi setup, the network you want to send to Wireguard should be set as:
Redirect All to VPN: No

Otherwise YazFi would attempt to route this to OpenVPN, which may clash with VPN Director.

Apart from that, have you checked that wl1.1 corresponds to your guest network?
You could check with
Code:
ifconfig wl1.1
and verify that the IP address is what you set up in YazFi.

As a final note, I'm not sure routes to the GN find their way to the policy tables, which may give DNS issues amongst others.
You could add a VPN Director rule to see if it affects your issue:
Local IP: leave blank
Remote IP: 192.168.5.0/24
Interface: WAN

This would redirect data to the GN to use the main route table, where the routes are found.
 
@Jacky0611, as ZebMcKayhan indicates, don't enable "Redirect all to VPN" in YazFi. If you do, you are telling YazFi to use the OpenVPN client, which may conflict with the WireGuard script and its iptables rules you are trying to create. And as ZebMcKayhan indicates, you may need to set up a new rule (or two) in VPN Director. You may need to do some experimenting with rules to get things to work properly, depending on your router configuration. Not sure if the VPN Director rules will handle the YazFi IP addresses, which reside outside the main LAN IP address scope/range. May work, may not. Haven't yet tried setting up rules for my YazFi clients.
 
After some quick and dirty experimenting using a smartphone connected to YazFi, it seems it is possible to get YazFi clients to route through WireGuard. This is what seems to have worked for me in a very quick test.
Create the file: /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh
In that file put the following, adjusting the WL and WGC to match your settings. In my case I'm using guest network #2 5Ghz (wl1.2). You can get the WL value from the YazFi config file.
Code:
#!/bin/sh
# Allow the guest network (wl1.2) to send traffic out through WireGuard client 1 (wgc1)
iptables -I YazFiFORWARD -i wl1.2 -o wgc1 -j ACCEPT
# Allow replies belonging to those connections back from the tunnel to the guest network
iptables -I YazFiFORWARD -i wgc1 -o wl1.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
Set the wg-yazfi.sh file permissions to 0755.
Trigger YazFi to reload. (Go to YazFi tab and hit the Apply button.)
Set up two VPN Director Rules.
First Rule:
Interface: WAN
Enable: checked
Description: (give it a name)
Local IP: (blank)
Remote IP: 192.168.7.0/24 *
* Use the IP address range for your YazFi guest network
Second Rule:
Interface: WireGuard 1
Enable: checked
Description: (give it a name)
Local IP: 192.168.7.0/24 *
Remote IP: (blank)
* Use the IP address range for your YazFi guest network

Make sure to hit the apply button after creating the rules to save the rules.
Then enable the WireGuard #1 client tunnel and check if YazFi Guest Network client(s) are being routed through the tunnel (check for WAN IP address at sites like: whatismyip.com)

If you do not want to route the YazFi clients through the WireGuard VPN, either don't create rule #2 indicated above, or uncheck its Enable box and hit the Apply button to save the changes.

Notes: You may need to cycle the WiFi connection for the YazFi client when making the rule changes. One may need to do additional experimentation with the VPN Director rules. If one wants to only route a single client they will need to modify the above information. I didn't try doing that so no idea at the moment as to how to configure the above for a single client versus all the YazFi clients on that guest network band. If one has any issues, remove the rules and wg-yazfi.sh file, and cycle YazFi again (or reboot the router) and hopefully the changes will be removed.

Someone more knowledgeable than I can probably come up with a better way (or leaner way) to make this work.
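An added example, not code from the thread or from the YazFi project, that ties together ZebMcKayhan's "check that wl1.x really is your guest network" step and the wg-yazfi.sh procedure above: a parameterised version of the script that refuses to run if the guest interface is missing, warns if its address is outside the expected guest subnet, and inserts each rule only when it is not already present (YazFi re-runs the script on every reload, and a plain iptables -I would add a fresh copy each time unless the chain had been flushed first). The WL, WGC and GN_PREFIX defaults, the hypothetical GN_PREFIX variable and the ifconfig sample are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not from the thread or the YazFi project: a parameterised
# wg-yazfi.sh. It checks the guest interface before touching the firewall and
# inserts each rule only if it is not already present, so re-running it on
# every YazFi reload cannot stack duplicate rules.
# WL, WGC and GN_PREFIX are assumptions: set them to your own interfaces/subnet.

WL="${WL:-wl1.2}"                     # YazFi guest interface (wl1.2 = 5 GHz guest network #2)
WGC="${WGC:-wgc1}"                    # WireGuard client interface
GN_PREFIX="${GN_PREFIX:-192.168.7.}"  # first three octets of the YazFi guest subnet

# Print the two rule specifications, one per line, as the arguments that follow
# "iptables -I YazFiFORWARD" (and "iptables -C YazFiFORWARD" for the existence check).
yazfi_wg_rules() {
    wl="$1"; wgc="$2"
    printf '%s\n' "-i $wl -o $wgc -j ACCEPT"
    printf '%s\n' "-i $wgc -o $wl -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Extract the IPv4 address from busybox "ifconfig <iface>" text (the format the
# router prints), so it can be compared with the subnet configured in YazFi.
ifconfig_inet_addr() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# True when the interface exists on this router (a wrong WL value fails here).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Insert one rule into a chain unless an identical rule already exists
# (-C exits 0 when it is). Fails if iptables or the chain is unavailable,
# which is what happens when the script runs before YazFi has built its chains.
insert_once() {
    chain="$1"; shift
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -nL "$chain" >/dev/null 2>&1 || return 1
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

main() {
    if ! iface_exists "$WL"; then
        echo "interface $WL not found; check the WL value in the YazFi config" >&2
        return 1
    fi
    addr=$(ifconfig_inet_addr "$(ifconfig "$WL" 2>/dev/null)")
    case "$addr" in
        "$GN_PREFIX"*) ;;
        *) echo "warning: $WL has address '$addr', not in ${GN_PREFIX}0/24; is WL right?" >&2 ;;
    esac
    yazfi_wg_rules "$WL" "$WGC" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # splitting the spec into arguments is intended
        insert_once YazFiFORWARD $spec || echo "could not insert: $spec" >&2
    done
}

# Constructed sample of "ifconfig wl1.2" output (not a real capture), used to
# exercise the parser above without a router.
SAMPLE_IFCONFIG='wl1.2     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Run main only when executed as wg-yazfi.sh (YazFi runs the file, which is why
# the thread makes it executable); sourcing the file just defines the functions.
case "$0" in
    *wg-yazfi.sh) main ;;
esac
```

Drop the file in as /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh with mode 0755, exactly as in the post above; the only behavioural difference from the two-line version is that it is safe to run repeatedly and tells you when WL points at the wrong interface.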
 
Thanks for sharing this, I had a similar question and this solution worked for me.
 
Not sure why, but this setup caused my ecobee thermostat to never connect. All other IoT devices worked fine, but never could get this to work.

Reverted back to OpenVPN and it’s working again. Odd.

Thanks again for sharing it though, speeds were a lot better on wireguard.
 
Thank you all for your help!

I finally made it work!

I apologise for another question: how do I make the script start on boot?

I did some basic searching and found 3 possible commands, which are service-start, firewall-start and init-start.

Which one should I use if I want the rules applied every time I reboot the machine?
 
Generally, when YazFi is run at router boot or when YazFi is restarted, it should load the wg-yazfi.sh script automatically and insert the iptables entries, which should remain present until they are somehow removed by some other method. You can test if this is the case by rebooting the router and dumping the iptables rules to see if those wg-yazfi.sh script entries are listed in that dump.
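To make that post-reboot check concrete, here is an added example (not from the thread or from YazFi) that reads the output of iptables -S YazFiFORWARD and reports which of the two wg-yazfi.sh rules is missing. The sample dump is constructed, the wl1.2/wgc1 values are assumptions, and the rule text matches what iptables-legacy prints for "-m state" rules; other iptables builds may print the state match differently.

```shell
#!/bin/sh
# Added example, not from the thread or the YazFi project: verify after a reboot
# that both wg-yazfi.sh rules are present in the YazFiFORWARD chain, working on
# the text of "iptables -S YazFiFORWARD" (live, or saved to a file beforehand).
# The WL/WGC values and the sample dump are assumptions/constructed data.

# True when one line of the dump is exactly the given rule (iptables -S format).
rule_in_dump() {
    dump="$1"; spec="$2"
    printf '%s\n' "$dump" | grep -Fqx -- "$spec"
}

# Check both rules; report each missing one on stderr; exit 0 only if both exist.
# The text must match what iptables-legacy prints for "-m state" rules; other
# iptables builds may print the state match differently (e.g. as conntrack).
yazfi_wg_rules_present() {
    dump="$1"; wl="$2"; wgc="$3"
    missing=0
    for spec in \
        "-A YazFiFORWARD -i $wl -o $wgc -j ACCEPT" \
        "-A YazFiFORWARD -i $wgc -o $wl -m state --state RELATED,ESTABLISHED -j ACCEPT"
    do
        if ! rule_in_dump "$dump" "$spec"; then
            echo "missing: $spec" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Live check on the router: dump the chain and test it.
check_live() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 2; }
    yazfi_wg_rules_present "$(iptables -S YazFiFORWARD 2>/dev/null)" "$1" "$2"
}

# Constructed sample dump (not a real capture): both rules present, plus an
# unrelated YazFi rule, in the order two successive "-I" insertions leave them.
SAMPLE_DUMP='-N YazFiFORWARD
-A YazFiFORWARD -i wgc1 -o wl1.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A YazFiFORWARD -i wl1.2 -o wgc1 -j ACCEPT
-A YazFiFORWARD -i wl1.2 -o eth0 -j ACCEPT'

# Usage on the router: sh check-wg-yazfi.sh wl1.2 wgc1   (exit status 0 = rules present)
if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
fi
```

Run it once right after YazFi has applied its rules and again after a reboot; an exit status of 0 both times confirms the user script is being reloaded, which is the behaviour the post above describes.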
 
Just for future reference, what did you have to change to make it work? Was it the To GN to WAN rule?
 
You are correct. It automatically loads the script when it restarts.

I just followed all the advice: modified the setting "Redirect All to VPN: No" and added the "GN to WAN" rule.

However, I did a factory reset before doing everything in order to make sure I had a clean environment.

After seeing your reply, I tried disabling the "GN to WAN" rule and rebooting the machine. The answer is that everything is still working as usual.

So I cannot conclude that the "GN to WAN" rule is essential to make it work; probably "Redirect All to VPN: No" is the key, but I don't have time to test them one by one.

I hope this post can also help those who have the same problem.

Lastly, thank you everyone for your help!
 
