
[Experimental] WireGuard for HND platform (4.1.x kernels)

As WireGuard will be merged into Linux 5.6, the kernel modules and userspace tools have been split into separate packages. Is this a good or bad thing for us?
 
Has anyone managed to access internal servers when WireGuard is active? I have an FTP server that I would like to be able to access when WireGuard is running on the router.
I have port-forward active in my router, but when WireGuard is running it seems like it denies all incoming connections unless it is from LAN; when I turn it off I am able to connect to my FTP from LAN and WAN.
 
I suspect you need to exclude whatever port you use for FTP from the WireGuard tunnel. Perhaps using iptables.
Poke around on the Merlin forum for help with this. I believe there are tools/scripts that make it easy.


Sent from my iPhone using Tapatalk
 
Thanks for the answer. Did not get this to work; I did however think I got around to the rules that I need. But sadly they did not help me since I still can't access it.

Code:
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT && \
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT && \
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && \
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT && \
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && \
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
The opkg install /path/wireguard-kernel_0.0.20200128-ac_aarch64-3.10.ipk does not seem to be installing correctly; it is not creating a wireguard directory or installing the config files. If I use this older version it works fine: wireguard_0.0.20191012-ac_aarch64-3.10.ipk
 
You need the user space tools; the kernel package only contains WireGuard.
 
Has anyone running WireGuard experienced any issues if they’ve upgraded to the latest Merlin v384.15 ?


Sent from my iPhone using Tapatalk
 
Odd question: has anyone yet created a router which has full WireGuard support, with WireGuard policy routing and a WireGuard kill switch via point-and-click button, newbie-friendly style?
 
Just meant one that's point and click button style, easy to set up and use.

Might be a bit too early, maybe Asus will eventually put it in there officially once WG is more stable and fully released.
 

I rather like that you have to be deliberate in setting it up...but maybe that’s just me.

Asus can’t include it in firmware because not a lot of their hardware is running a modern enough kernel version to support WireGuard. Only 2 do currently as I understand it, the ac86u and the ax88. What would be amazing is if in a few years Merlin and the devs around that fork have more control over factory firmware rather than having to wait to tweak it.
With WireGuard being included in the impending Linux 5.6 kernel, and people becoming much more privacy and security conscious, there could well be an impending confluence of factors bringing wishes/dreams along these lines into fruition. Or not.


Sent from my iPhone using Tapatalk
 
Change Route to Policy and add this to the end of the wg-policy script.
Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.1.10 lookup 117 prio 11111
ip rule add from 192.168.1.20 lookup 117 prio 11112
This may be enough for you.
Don't touch the ##For ipset based Policy Routing part.
These two rules should be added to the wg-down script too.
Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null

Hello Odkyrs, thanks for the explanation. I tested it last night and it’s working. Can you explain the logic in here? If I want to add more ips will it look like:
ip rule del prio 11113 2>/dev/null
ip rule add from 192.168.1.30 lookup 117 prio 11113
OR?

One more question: if I want to do “To Address”, do I just change the “from” to “to”?

thanks
 

First of all, thanks for this awesome package for my router.
I recently changed to policy based since I was locked out from my home network using the regular setup (could not get to allow my ipsec vpn).

But I would like to ask why I should not touch the settings below? Without modifying it nothing will go via the wg tunnel.

This is what my config looks like, and it works.
Code:
#
##For ipset based Policy Routing
#
modprobe ip_set_hash_ip
ipset -N $Nipset hash:ip

ip rule del prio 9997 2>/dev/null
ip rule add fwmark 0x7000 table 117 prio 9997
iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

ip rule del prio 11111 2>/dev/null
ip rule add from 192.168.0.0/24 lookup 117 prio 11111

And also, is there any way to get my IPsec VPN to go via the WireGuard tunnel? Now I get my real ISP IP when I check my IP.
I tried adding
Code:
ip rule del prio 11100 2>/dev/null
ip rule add from 10.10.10.0/24 lookup 117 prio 11100
but that did not work.
Thanks!
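The two policy-routing mechanisms discussed in the thread (Odkyrs' per-source-IP "ip rule ... lookup 117" lines for wg-policy and wg-down, and the ipset/fwmark section shown in the config above) as one added example script. This is not code from the thread or from the wg-policy/wg-down scripts themselves; it generalises the per-host pattern to any number of LAN hosts, each getting its own priority, with a mirrored teardown. Table 117, fwmark 0x7000, priority 9997 and the $Nipset variable name come from the thread; the base priority 11111, the default set name and the sample hosts are constructed values. With DRY_RUN=1 the commands are printed rather than executed, so the resulting rule set can be reviewed without root or a WireGuard interface.

```shell
#!/bin/sh
# Added example, not the thread's wg-policy/wg-down code.
# Emits (or executes) the "ip rule" and ipset/fwmark policy-routing commands
# for WireGuard table 117. DRY_RUN=1 prints commands instead of running them.

WG_TABLE=117                          # routing table used by the thread's scripts
WG_FWMARK=0x7000                      # fwmark from the "##For ipset based Policy Routing" part
IPSET_NAME="${Nipset:-wg_policy_set}" # $Nipset in the thread's config; default is a placeholder
BASE_PRIO=11111                       # first per-host rule priority (constructed value)

# run: execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg_ipset_up: destinations in the ipset are marked in mangle/PREROUTING and
# routed through table 117. Old copies are deleted first so re-running is safe.
wg_ipset_up() {
    run modprobe ip_set_hash_ip
    run ipset -N "$IPSET_NAME" hash:ip
    run ip rule del prio 9997 2>/dev/null
    run ip rule add fwmark "$WG_FWMARK" table "$WG_TABLE" prio 9997
    run iptables -t mangle -D PREROUTING -m set --match-set "$IPSET_NAME" dst \
        -j MARK --set-mark "$WG_FWMARK/$WG_FWMARK" 2>/dev/null
    run iptables -t mangle -A PREROUTING -m set --match-set "$IPSET_NAME" dst \
        -j MARK --set-mark "$WG_FWMARK/$WG_FWMARK"
}

# wg_policy_up BASE_PRIO HOST...: one "from HOST lookup 117" rule per host,
# priorities BASE_PRIO, BASE_PRIO+1, ... Each priority is deleted before it is
# added, so running wg-policy twice does not stack duplicate rules.
wg_policy_up() {
    prio="$1"; shift
    for host in "$@"; do
        run ip rule del prio "$prio" 2>/dev/null
        run ip rule add from "$host" lookup "$WG_TABLE" prio "$prio"
        prio=$((prio + 1))
    done
}

# wg_policy_down BASE_PRIO COUNT: remove COUNT consecutive per-host rules (wg-down).
wg_policy_down() {
    prio="$1"; count="$2"; i=0
    while [ "$i" -lt "$count" ]; do
        run ip rule del prio "$prio" 2>/dev/null
        prio=$((prio + 1)); i=$((i + 1))
    done
}

# Stand-alone use: "sh wg-policy-example.sh up" in wg-policy, "... down" in wg-down.
# Hosts 192.168.1.10 and 192.168.1.20 are the thread's sample LAN addresses.
case "${1:-}" in
    up)   wg_ipset_up; wg_policy_up "$BASE_PRIO" 192.168.1.10 192.168.1.20 ;;
    down) wg_policy_down "$BASE_PRIO" 2 ;;
esac
```

Priorities must be unique and are evaluated lowest first, so the fwmark rule at 9997 is consulted before the per-host rules starting at 11111; adding a third host is just one more argument to wg_policy_up, with the teardown count raised to match.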
 