[Experimental] WireGuard for HND platform (4.1.x kernels)

You have failed to follow the install instructions in post #1 (Step 1) and missed a crucial step for the Entware auto-startup WireGuard request, and for the User Space Tool nat-start script to work...

The problem I am having now is that WireGuard has no internet. It shows data being sent, but that's it.

The RPi is on 193.168.50.3. It has Pi-hole running and the WireGuard server.

My WAN DNS goes through the Pi-hole.

I have set WireGuard to 192.168.51.1.

I get connections and a handshake showing I'm connected, and data being sent and received, but only very small amounts.

I installed the server with PiVPN.

Thanks in advance!
 
Some more info for anyone that can help.


peer: xxxxxx
preshared key: (hidden)
endpoint: 192.168.50.3:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 39 seconds ago
transfer: 26.03 KiB received, 1.55 GiB sent
persistent keepalive: every 25 seconds

It shows that it is sending data but not getting it back.


br0 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
inet addr:192.168.50.1 Bcast:192.168.50.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:6353 errors:0 dropped:73 overruns:0 frame:0
TX packets:7659 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:957363 (934.9 KiB) TX bytes:7351560 (7.0 MiB)

eth0 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
inet addr:xxxxx.174 Bcast:xxx Mask:255.255.0.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:4858942 errors:0 dropped:0 overruns:0 frame:0
TX packets:1202305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6389505926 (5.9 GiB) TX bytes:192535296 (183.6 MiB)

eth1 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth2 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth3 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth4 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth5 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:14861 errors:0 dropped:22 overruns:0 frame:0
TX packets:25835 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1088314 (1.0 MiB) TX bytes:15186503 (14.4 MiB)

eth6 Link encap:Ethernet HWaddr 24:4B:FE:09:97:F8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:21576777 errors:0 dropped:16 overruns:0 frame:0
TX packets:10668484 errors:0 dropped:250298 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9950912245 (9.2 GiB) TX bytes:5542109507 (5.1 GiB)

eth7 Link encap:Ethernet HWaddr 24:4B:FE:09:97:FC
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:1623368 errors:0 dropped:15 overruns:0 frame:0
TX packets:1485469 errors:0 dropped:175049 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:492002234 (469.2 MiB) TX bytes:1016721233 (969.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:275720 errors:0 dropped:0 overruns:0 frame:0
TX packets:275720 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:53911961 (51.4 MiB) TX bytes:53911961 (51.4 MiB)

lo:0 Link encap:Local Loopback
inet addr:127.0.1.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1

ppp0 Link encap:point-to-Point Protocol
inet addr:xxx P-t-P:xxxxxx Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
RX packets:5580 errors:0 dropped:0 overruns:0 frame:0
TX packets:3452 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:5098642 (4.8 MiB) TX bytes:488304 (476.8 KiB)
 
> It shows that it is sending data but not getting it back.

This is usually a sign of masquerading not working properly... Test shifting to /16 according to my previous post. I'm not sure I've understood your system completely, but it sounds like you are using different subnets, which easily runs into problems like this. The standard WG files only masquerade packets with a source address in the same subnet as your local LAN address.

/Zeb
 
Been running the WireGuard client on my AC86U for a month now and it is working great! Running Merlin 386 beta 2.

I have run into some snags that I would like to share for others maybe experiencing the same problems:

My ordinary LAN is on 192.168.1.x on device br0.
Guest wifi is by default on br1 and br2, 192.168.101.x and 192.168.102.x.

Two problems come from this:
A) The router has set up the firewall for br1 and br2 to eth0 (WAN) but not to wg0 (VPN), so when the new default routing table kicks in, guest wifi will be useless (as will any other subnet besides the default one).
B) Masquerading on wg0 is set up to only masquerade the /24 subnet, which will be br0 only.

So to fix this, edit wg-up (or wg-policy, depending on which you use):
A) Add these lines somewhere near the end:
Code:
iptables -t filter -D FORWARD -i br1 -o wg0 -j ACCEPT 2>/dev/null
iptables -t filter -D FORWARD -i br2 -o wg0 -j ACCEPT 2>/dev/null
iptables -t filter -I FORWARD -i br1 -o wg0 -j ACCEPT
iptables -t filter -I FORWARD -i br2 -o wg0 -j ACCEPT
The first 2 (the -D ones) should be added in wg-down as well so the rules are removed when WireGuard is stopped.
B) Change these 2 lines:
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE
to
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/16 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/16 -o wg0 -j MASQUERADE
The same change should be done in wg-down so the rules are properly removed when WireGuard is stopped.

Now br1 and br2 are allowed to be routed to wg0 (VPN) and masquerading will work on the entire 192.168.x.x range.
Please adjust further to your own needs.

/Zeb
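The two fixes above (guest-bridge FORWARD rules and a /16 MASQUERADE) are written out as one reusable function below. This is an added example, not code from the thread or from the WireGuard package: it keeps the post's delete-then-insert pattern so that wg-up, wg-policy, wg-down and a nat-start restart all call the same function and never stack duplicate rules. IPT defaults to echo so the script only prints the rules; on the router run it with IPT=iptables. The bridge names (br1 br2) and the 192.168.x.x addressing are assumptions taken from the poster's setup.

```sh
#!/bin/sh
# Added example (not from the thread): idempotent wg0 FORWARD + MASQUERADE rules.
# IPT=echo prints the rules instead of applying them; use IPT=iptables on the router.

IPT=${IPT:-echo}

# wg_rules up|down LAN_IP WG_IF "BRIDGE ..."
#   Deletes any existing copy of each rule first (-D, errors ignored), then
#   inserts exactly one copy when ACTION is "up". Running it twice, or from
#   nat-start after a firewall restart, therefore never stacks duplicates.
wg_rules() {
    action=$1; lan_ip=$2; wg_if=$3; bridges=$4

    # iptables rewrites 192.168.1.1/16 to 192.168.0.0/16, so one rule covers
    # br0 and the 192.168.101.x / 192.168.102.x guest bridges (assumed names).
    masq_src="$lan_ip/16"

    $IPT -t nat -D POSTROUTING -s "$masq_src" -o "$wg_if" -j MASQUERADE 2>/dev/null || true
    for br in $bridges; do
        $IPT -t filter -D FORWARD -i "$br" -o "$wg_if" -j ACCEPT 2>/dev/null || true
    done

    [ "$action" = up ] || return 0

    $IPT -t nat -I POSTROUTING -s "$masq_src" -o "$wg_if" -j MASQUERADE
    for br in $bridges; do
        $IPT -t filter -I FORWARD -i "$br" -o "$wg_if" -j ACCEPT
    done
}

# Stand-alone demo in dry-run mode: prints the rules for a two-guest setup.
if [ $# -eq 0 ] && [ "$IPT" = echo ]; then
    wg_rules up 192.168.1.1 wg0 "br1 br2"
fi
```

Two caveats when applying this for real: the /16 MASQUERADE matches any source in 192.168.0.0/16 that is routed out wg0, not only the bridges you listed, so narrow it to the exact guest subnets if you do not want that; and the FORWARD ACCEPT is one-directional, so replies to guest clients depend on the firmware's existing ESTABLISHED,RELATED rule, which you can confirm with iptables -L FORWARD -v -n.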
Where would you add these? I have tried my client wg-policy but it doesn't seem to work. What are the full post-up and post-down commands? Thanks!
 
It depends on how you set up your S50wireguard: if you have "Route=default" then you will need to change [wg-up], but if you have "Route=policy" then you need to change [wg-policy]. In any case [wg-down] is executed on stop, so you need to remove any rules you created there.

For simplicity, you could just try running this directly from the terminal:
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE #Remove old masq rule

iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/16 -o wg0 -j MASQUERADE #Add new /16 masq rule

and see if that makes any difference for you. If not, then this is probably not your problem and you need to look elsewhere.
 
Thanks for the fast reply.

No luck =/ Added that to wg-policy and changed S50 to policy mode. It connects and handshakes but nothing else.

Do I need to create a route?

IPv4 Routing table
Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
default         xxx.xxx.xxx      0.0.0.0          UG     0       0    0    WAN
10.9.0.0        *                255.255.255.0    U      0       0    0    wg0
169.254.0.0     *                255.255.0.0      U      0       0    0    MAN
xxx.xxx.xxx     *                255.255.255.255  UH     0       0    0    WAN
192.168.50.0    *                255.255.255.0    U      0       0    0    LAN
192.168.50.3    *                255.255.255.255  UH     0       0    0    LAN
239.0.0.0       *                255.0.0.0        U      0       0    0    LAN

Is this how port forwarding should be done?

System Log - Port Forwarding

Virtual Servers
Source  Proto  Port range  Redirect to   Local Port  Chain
ALL     UDP    51820       192.168.50.3  51820       VSERVER
 
Getting this error in the router logs when I shut down WireGuard.

Feb 4 14:04:41 lldpd[1310]: removal request for address of 10.6.0.2%76, but no knowledge of it

I am set up with 10.6.0.2 as the WireGuard client. 192.168.50.3 is the RPi.

I installed Pi-hole and PiVPN to install WireGuard.

Port forward:

Port Forwarding List (Max Limit : 64)
Service Name  External Port  Internal Port  Internal IP Address  Protocol  Source IP
wireguard     51820                         192.168.50.3         UDP

Routing table. I'm pretty sure this is where I am going wrong.

IPv4 Routing table
Destination    Gateway        Genmask          Flags  Metric  Ref  Use  Iface
default        *              128.0.0.0        U      0       0    0    wg0
default        172.16.16.171  0.0.0.0          UG     0       0    0    WAN
128.0.0.0      *              128.0.0.0        U      0       0    0    wg0
169.254.0.0    *              255.255.0.0      U      0       0    0    MAN
172.16.16.171  *              255.255.255.255  UH     0       0    0    WAN
192.168.50.0   *              255.255.255.0    U      0       0    0    LAN
192.168.50.3   *              255.255.255.255  UH     0       0    0    LAN
239.0.0.0      *              255.0.0.0        U      0       0    0    LAN
 
Can the router be a client while the RPi behind it is the server? That's what I am trying to achieve.
 
1. Install WireGuard

You need Entware-aarch64-3.10 to use WireGuard without a new firmware build.


ㅡ Kernel Module ㅡ

RT-AC86U, GT-AC2900 - 4.1.27
entware-makefile-for-merlin/wireguard-kernel_1.0.20210124-ac_aarch64-3.10.ipk at main · odkrys/entware-makefile-for-merlin · GitHub

Code:
opkg install /path/wireguard-kernel_1.0.20210124-ac_aarch64-3.10.ipk


RT-AX88U - 4.1.51
entware-makefile-for-merlin/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk at main · odkrys/entware-makefile-for-merlin · GitHub

Code:
opkg install /path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk


RT-AX86U - 4.1.52
entware-makefile-for-merlin/wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk at main · odkrys/entware-makefile-for-merlin · GitHub

Code:
opkg install /path/wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk




ㅡ User space tool ㅡ



Code:
opkg install /path/wireguard-tools_1.0.20200827-1_aarch64-3.10.ipk
cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d



2. Client configuration settings.

nano /opt/etc/init.d/S50wireguard
Code:
Mode=client

export LocalIP=
Route=default   #default or policy
export wgdns=
export Nipset=wgvpn

The init file has 5 options.
Mode=client

LocalIP is provided by your VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

Route=default redirects all your internet traffic to the VPN server.
Route=policy works like Policy Rules (strict) on Merlin.

wgdns is the option to change the DNS server.
Nipset is the name of the ipset for ipset-based policy routing.

AzireVPN, Mullvad, IVPN and TorGuard offer WireGuard servers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

nano /opt/etc/wireguard/wg0.conf (AzireVPN example)
Code:
[Interface]
PrivateKey = -------
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = ----------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT

AzireVPN's config file looks like the one above.
Fill in the Address 10.40.12.49 as LocalIP in the init file.
Code:
export LocalIP=10.40.12.49   # without the /19 prefix
export wgdns=192.211.0.2

And comment out Address and DNS in the config file.
Then the config file should look like this. (I highly recommend adding a keepalive.)
Code:
[Interface]
PrivateKey = -------
#Address = 10.40.12.49/19
#DNS = 192.211.0.2

[Peer]
PublicKey = -------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
PersistentKeepalive = 25

Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start


3. Advanced client settings.

For Route=policy, the wg-policy script has some rules.
Adjust them to your situation.
The default table is 117.

nano /opt/etc/wireguard/wg-policy
Code:
#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq


4. Server configuration settings.

Code:
(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey

nano /opt/etc/init.d/S50wireguard (example)
Code:
Mode=server

export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
export wgport=51820

nano /opt/etc/wireguard/wg1.conf (Server uses wg1)
Code:
[Interface]
PrivateKey = ----------
ListenPort = 51820

[Peer]
PublicKey = ----------
AllowedIPs = 10.50.50.2/32

Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start


4.5 Generate a client QR code.

The generator script will generate a QR code image for Android or iOS.
You need to install qrencode first.
Code:
opkg install qrencode

If you want to use your host address (192.168.50.1) as the DNS server,
you have to add the wg interface to the dnsmasq listening interface list.
Code:
sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

The script will ask you for 3 options:
1. client name 2. client address 3. client DNS server



-------------------------------------------------------------------------
WireGuard uses iptables, so when the firewall is restarted the rules will be gone.
Please add this to the nat-start script.

nano /jffs/scripts/nat-start
Code:
#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi


5. Remove WireGuard
Code:
/opt/etc/init.d/S50wireguard stop
opkg remove wireguard-kernel wireguard-tools
rm -r /opt/etc/wireguard
rm /opt/etc/init.d/S50wireguard


The scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicates.
The error messages (e.g. from iptables) are not real errors.
Don't worry.


Edit: iperf benchmark result.

WireGuard server on RT-AC86U. Windows 10 TunSafe client (https://tunsafe.com/download).
The WireGuard author does not vouch for TunSafe's security. I just used it for benchmark purposes.

C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec
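Step 2 above is a mechanical edit of the provider's config (take the Address without its prefix and the DNS server into the init file, comment both out in wg0.conf, add a keepalive). The script below performs that edit; it is an added example and is not Odkrys's generator or any part of the package. It assumes a single-peer provider config with [Peer] as the last section (PersistentKeepalive is appended at the end of the file), takes input and output paths as arguments so you can try it on a copy, and writes the output under umask 077 because the file carries the private key, as the page's own key-generation step does.

```sh
#!/bin/sh
# Added example (not from the thread): prepare a provider wg0.conf for S50wireguard.
# Usage: prepare-wg.sh IN.conf OUT.conf   (prints the export lines, writes OUT.conf)

# conf_value FILE KEY -> value of the first "Key = value" line, whitespace trimmed
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# init_exports FILE -> the two export lines for /opt/etc/init.d/S50wireguard
init_exports() {
    addr=$(conf_value "$1" Address)
    dns=$(conf_value "$1" DNS)
    [ -n "$addr" ] || { echo "no Address line in $1" >&2; return 1; }
    echo "export LocalIP=${addr%%/*}"    # 10.40.12.49/19 -> 10.40.12.49 (no prefix)
    echo "export wgdns=${dns%%,*}"       # first DNS server only, if several are listed
}

# prepare_conf IN OUT -> IN with Address/DNS commented out and a keepalive added.
# Safe to run twice: already-commented lines are left alone and the keepalive
# is only appended when the file does not have one (assumes [Peer] is last).
prepare_conf() {
    (umask 077; sed -e 's/^[[:space:]]*\(Address[[:space:]]*=\)/#\1/' \
                    -e 's/^[[:space:]]*\(DNS[[:space:]]*=\)/#\1/' "$1" > "$2")
    if ! grep -q '^[[:space:]]*PersistentKeepalive' "$2"; then
        printf 'PersistentKeepalive = 25\n' >> "$2"
    fi
}

if [ $# -eq 2 ]; then
    init_exports "$1" && prepare_conf "$1" "$2"
fi
```

Paste the printed export lines into S50wireguard, then copy OUT.conf over /opt/etc/wireguard/wg0.conf and start the service as in the post.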
Hello,
I have an error at installation:

RT-AX86U-B088:/tmp/home/root# opkg install wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk
Collected errors:
* pkg_init_from_file: Malformed package file wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk.

Could you please advise what I'm doing wrong?
 
Corrupted download? Download the files on a computer and put them on USB before the amtm install.
 
Hi, the download is OK. I have tried different ways, also with USB. Something is wrong with file compatibility and the router software. I'm using the latest Asus-Merlin firmware, RT-AX86U 386.1.
 
The kernel module is updated and needs to be downloaded from the first page with the latest version of Asus Merlin.
 
I'm using the latest Asus-Merlin and the latest kernel wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk

Have you been able to download and install WireGuard? If not, try these links for the RT-AX86U.

ssh your_username@your_router_ip

Type "wget", a space, then one of the links (copy and paste one link each time) in your terminal.

https://github.com/odkrys/entware-m...ard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk

https://github.com/odkrys/entware-m...reguard-tools_1.0.20200827-1_aarch64-3.10.ipk

The size of wireguard-kernel should be: (57,387)
The size of wireguard-tools should be: (46,309)

To install:

opkg install wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk

opkg install wireguard-tools_1.0.20200827-1_aarch64-3.10.ipk

Complete the installation following @Odkrys's instructions.

I would like to thank @Odkrys for all the great work; my installation has been rock solid for months on my RT-AX88U.
 
Thank you for the reply.

As I mentioned in my first post, I performed all the installation steps and for some reason the kernel installation is not working.
I have an error:

RT-AX86U-B088:/tmp/home/root# opkg install wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk
Collected errors:
* pkg_init_from_file: Malformed package file wireguard-kernel_1.0.20210124-ax86_aarch64-3.10.ipk.

But no errors for wireguard-tools.

Today I decided to upgrade to the 1.0.20210124 kernel for my RT-AX88U. I downloaded it using "wget" followed by copying and pasting
the link from post number 1. When I tried to install it, it returned the same error you got; when I checked the size and compared it to the one
I had downloaded on my PC it was more than 30k larger. Then I went to: https://github.com/odkrys/entware-makefile-for-merlin, clicked on
the proper file, and on the next page there is a button marked "Download"; I right-clicked on it and chose "Copy Link Location".
I pasted the link after the command "wget", downloaded, checked the size and installed immediately with no problems.
Note that I have been running WireGuard for some time; I stopped it to do the upgrade and started it once the upgrade was done.
That error made me think of your post; I thought the cause of your problem might be the same.
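The "Malformed package file" error above is what opkg reports when the downloaded file is not an .ipk at all, typically the GitHub HTML page that the wrong link returns. The check below is an added example, not something from the thread or from the Entware tooling: it refuses a file whose first bytes are not the gzip magic (an Entware .ipk is a gzip-compressed tar), names an HTML page explicitly, optionally compares a SHA-256 you recorded from a trusted download, and confirms the archive actually unpacks. The SHA-256 used in the demo is a placeholder, not the real hash of odkrys's package; record the real one from a copy you downloaded on your PC and verified the size of, as the poster did.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a downloaded .ipk before opkg install.
# Usage: check-ipk.sh FILE [EXPECTED_SHA256]

# first two bytes of FILE as hex; 1f8b marks gzip, which every Entware .ipk starts with
ipk_magic() {
    od -An -tx1 -N2 "$1" | tr -d ' \n'
}

# check_ipk FILE [SHA256] -> prints one of
#   ok | missing | html-page | not-gzip | sha256-mismatch | bad-archive
# and returns 0 only for ok.
check_ipk() {
    f=$1; want=${2:-}
    [ -f "$f" ] || { echo missing; return 1; }

    case "$(ipk_magic "$f")" in
        1f8b) ;;
        *)
            # A wrong "copy link" on GitHub fetches the page, not the asset.
            if head -c 512 "$f" | grep -qi -e '<html' -e '<!doctype'; then
                echo html-page
            else
                echo not-gzip
            fi
            return 1 ;;
    esac

    if [ -n "$want" ]; then
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo sha256-mismatch; return 1; }
    fi

    # The archive must list cleanly as gzip+tar; skipped where tar is absent.
    if command -v tar >/dev/null 2>&1; then
        tar tzf "$f" >/dev/null 2>&1 || { echo bad-archive; return 1; }
    fi
    echo ok
}

if [ $# -ge 1 ]; then
    check_ipk "$@"
fi
```

On the router, wget the file, run the check with the hash you recorded, and only then opkg install it; a result of html-page means you copied the page URL rather than the asset's "Download" link.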
 
Thank you very much!
WireGuard successfully installed.

Now a harder question.
I want to use it with NordVPN. But there is no step-by-step instruction for configuration.
The only comment from @Odkrys
Do you have more information?
Thank you!
 

This is what I have done:

 