
[Experimental] WireGuard for HND platform (4.1.x kernels)


I am not sure about Mullvad. But on my NordVPN I had the same problem.
I needed to add the PresharedKey. See image.
Hope it helps.

Has anyone been able to implement NordVPN’s version of Wireguard (aka Nordlynx) in Asuswrt-Merlin?

If yes, would be able to list the steps you followed to achieve this?

Thank you in advance!
Not possible as of yet. I have been contacting Nord for over 6 months to get the config files and keep getting the same answer from them that it’s not yet available.
That’s why I still have OpenVPN and Wireguard running at the same time.
 
I asked the same question before and didn’t get an answer. I hope you will be able to figure it out.

Concurrent WireGuard interfaces are indeed possible, although I am using a Beta custom S50wireguard script which calls a single wg-manager.sh script as the three original scripts wg-up, wg-down and wg-policy are not very scalable.

e.g. Three remote Peers - New York, Hong Kong and Melbourne for testing...

In lieu of WireGuard nvram equivalents of the OpenVPN variables vpn_client?_addr= vpn_client?_desc= vpnc_clientlist= etc.

'/jffs/configs/WireguardVPN_map' contains the remote Peer parameters used by my custom S50wireguard (no longer need to physically hack S50wireguard to define/export variables etc.)
Code:
# NOTE: Auto=Y  Command 'S50wireguard start' will auto-start this Peer
#       Auto=P  Command 'S50wireguard start' will auto-start this Peer using its Selective Routing RPDB Policy rules if defined e.g. 'rp13'
#

# VPN      Auto     Local Peer IP       Remote Peer Socket        DNS               Annotation Comment
wg11       Y        1st.xxx.xxx.xxx     peer.USA.xxx.xxx:51820    193.138.218.74    # Mullvad USA New York                                  
wg12       Y        1st.xxx.xxx.xxx     peer.Asia.xxx.xxx:51820   *                 # Mullvad Asia Hong Kong
wg13       P        2nd.xxx.xxx.xxx/32  peer.Oz.xxx.xxx:51820     *                 # Mullvad Oz Melbourne
wg14       N
wg15       N


wg21    Y      10.50.1.1/24                                                         # Router Host Peer 1
wg22    N      10.50.2.1/24                                                         # Router Host Peer 2

# The following default 'wg0'/'wg1' interface retained for backward compatibility! although ambiguous
wg0        N        3rd.xxx.xxx.xxx/32  peer.UK.xxx.xxx:51820     193.138.218.74    # Mullvad UK London
wg1        N

#       RPDB Selection Routing rules same format as 'nvram get vpn_clientX_clientlist'
#       < Description > Source IP/CIDR > [Target IP/CIDR] > WAN_or_VPN[...]
rp11    <>
rp12    <Router>192.168.1.0/24>>VPN<LAN>192.168.1.1>>WAN
rp13    <Dummy VPN 3>172.168.1.3>>VPN<Plex>172.168.1.123>1.1.1.1>VPN<Router>172.168.1.1>>WAN<All LAN>172.168.1.0/24>>VPN
rp14 
rp15

# Custom interfaces
SGS8    Y      1.2.3.4            xxx.xxx.xxx.xxx        dns.xxx.xxx.xxx    # A comment here
wg0-client   N 2.5.6.7


# Optionally define the 'server' Peer 'clients' so they can be identified by name in the enhanced WireGuard Peer status report
# Public Key                                      DHCP IP             Annotation Comment
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.1.124         # A Cell phone
wML+L6hN7D6wx+E1SA0K675x1cMjlpYzeTOPYww2WSM=      10.50.1.88          # Samsung Galaxy S8
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.2.22          # Dummy Device 1
LK5Mfu1iX1puR7+I/njj6Wotr622tDZhuaKppXKM/R4=      10.50.1.89          # Device iPhone12

Initiating the three Peers...
Code:
./S50wireguard start client 1
./S50wireguard start client 2
./S50wireguard start client 3
then provide an annotated summary
Code:
./S50wireguard check




Using cURL, Mullvad allows up to five IP/Key-pairs to be quickly generated per customer, and there is no issue hosting multiple interfaces for a single IP/Key-pair, nor is it an issue using the same remote port with different servers to create a unique IP socket.

I chose to use a similar naming convention for the WireGuard interfaces

e.g. wg1x for the remote Peers and wg2x for hosting a local Peer, and rather than use table 117, arbitrarily chose Selective Routing tables 121 thru' 125.

Manually managing the state of the Peer connections together with the RPDB Selective Routing rules isn't too painful, as long as you are aware that you don't have the convenience of RMerlin's OpenVPN GUI to correctly prioritise the WAN rules over the Peer rules, so be mindful of the order when migrating/replicating OpenVPN RPDB rules.
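As an added illustration of the rp1x rule-string format and the WAN-before-VPN ordering point above (example code written for this thread, not Martineau's wg-manager.sh): a POSIX sh function that splits a rule string into its `<Description>Source>[Target]>WAN_or_VPN` entries and prints the `ip rule` commands they imply. The table numbering (121 for wg11 through 125 for wg15) follows the post; the preference bands, which give WAN entries a lower preference number than VPN entries so they always win, and the use of `table main` for WAN are my assumptions.

```shell
#!/bin/sh
# Added example for this thread (not wg-manager.sh): turn a WireguardVPN_map
# rp1x rule string into 'ip rule' commands.
# Rule string format: <Description>Source IP/CIDR>[Target IP/CIDR]>WAN_or_VPN, repeated.
# Assumptions: wg11..wg15 use tables 121..125 (as in the post); WAN entries get
# preference 99X0+ and VPN entries 100X0+ so WAN rules always win; WAN means
# 'table main'.

# wg_table X -> routing table for Peer wg1X (121..125)
wg_table() {
    echo $((120 + $1))
}

# rpdb_to_iprules X RULESTRING -> one 'ip rule add' line per entry, in input order
rpdb_to_iprules() {
    idx=$1
    table=$(wg_table "$idx")
    # Each entry starts with '<'; turning '<' into newlines gives one entry per
    # line, and '>' separates the four fields of an entry.
    printf '%s\n' "$2" | tr '<' '\n' | awk -F'>' \
        -v tbl="$table" -v wanprio=$((9900 + idx * 10)) -v vpnprio=$((10000 + idx * 10)) '
        NF < 4 { next }                       # blank line before the first entry, or an empty "<>"
        {
            desc = $1; src = $2; dst = $3; tgt = $4
            cmd = "ip rule add"
            if (src != "") cmd = cmd " from " src
            if (dst != "") cmd = cmd " to " dst
            if (tgt == "WAN")      cmd = cmd " table main prio " wanprio++
            else if (tgt == "VPN") cmd = cmd " table " tbl " prio " vpnprio++
            else next                         # unknown target: refuse rather than guess
            print cmd "   # " desc
        }'
}

# Demo on the rp13 example from the post (constructed input, printed only)
rpdb_to_iprules 3 '<Dummy VPN 3>172.168.1.3>>VPN<Plex>172.168.1.123>1.1.1.1>VPN<Router>172.168.1.1>>WAN<All LAN>172.168.1.0/24>>VPN'
```

Because `ip rule` evaluates rules by preference number rather than insertion order, emitting the WAN entries in a lower band means the `<Router>...>>WAN` exception is honoured no matter where it sits in the string, which is the ordering mistake the post warns about when rules are migrated from OpenVPN by hand.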
 
Thank you for the detailed explanation. I would love to test that!
Still very crude..

Beta Wireguard Peer manager

So if you currently only have one WireGuard VPN 'client' Peer defined, then the script probably won't give you any added value.

However, if you have multiple WireGuard VPN 'client/server' Peers that need Policy rules to be defined/available across reboots, then it may be useful despite the bugs etc.

Use at your own risk!
 
Found that my system sometimes fails, despite the added restart entry in nat-start. I have not really been able to pin down which type of event causes this, so I wrote a watchdog script to get the system back. It checks that the firewall entries are still there, that the wg entries are still in the routing table, checks the handshake timer, and a ping test (commented out though)... if any fails, wireguard is restarted, and if it still fails after 1h the system is rebooted.

The script is a bit rough and I guess it mainly makes sense for users like me who use default routing through wireguard.

After I added this watchdog I haven't had a single fail, and according to the logs the script has restarted wireguard several times. For different reasons actually.

Rename the file to wg-watchdog.sh
Put the file in /opt/etc/wireguard/

Start the watchdog by adding this line in wg-up for example:
Code:
cru a wireguard-wd "* * * * * /opt/etc/wireguard/wg-watchdog.sh"

The watchdog also needs to be stopped when wireguard is stopped. Add this in wg-down for example:
Code:
cru d wireguard-wd

This executes the watchdog check every minute, but you can adjust this as you like.

There are probably better ways than this to do this, but this works for me.

//Zeb
 

Attachments

  • wg-watchdog.txt
    2.5 KB · Views: 208
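An added example (mine, not Zeb's attached wg-watchdog.sh) of the checks described in the post above, with the decision logic factored into functions that take command output as text so it can be exercised offline; `run_live` wires the same functions to `ip route show`, `iptables-save` and `wg show <if> latest-handshakes`. The interface name wg11, the /tmp state file, the 180-second handshake limit and the S50wireguard restart path are assumptions.

```shell
#!/bin/sh
# WireGuard watchdog, written for this thread as an added example (not Zeb's
# wg-watchdog.sh). Checks: route present, firewall rule present, handshake
# not stale. On failure: restart WireGuard; if failures persist for
# REBOOT_AFTER seconds, reboot. Assumed: wg11, /tmp state file, S50wireguard.

WG_IF=${WG_IF:-wg11}
STATE=${STATE:-/tmp/wg-watchdog.first_fail}
HANDSHAKE_MAX=${HANDSHAKE_MAX:-180}   # seconds; WireGuard re-handshakes about every 2 min while traffic flows
REBOOT_AFTER=${REBOOT_AFTER:-3600}    # 1h of continuous failure before rebooting, as in the post

# route_present ROUTES IFACE -> 0 if the 'ip route show' text has a route via IFACE
route_present() {
    printf '%s\n' "$1" | grep -qE " dev $2( |$)"
}

# fw_rule_present IPTABLES IFACE -> 0 if the 'iptables-save' text references IFACE
fw_rule_present() {
    printf '%s\n' "$1" | grep -qE -- "-[io] $2( |$)"
}

# handshake_age HANDSHAKES NOW -> seconds since the newest handshake, or -1 if no
# peer has ever completed one. Input is 'wg show IFACE latest-handshakes' text
# (public key, whitespace, epoch seconds; 0 means never).
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $2 > newest { newest = $2 }
        END { if (newest == 0) print -1; else print now - newest }'
}

# handshake_stale HANDSHAKES NOW MAX -> 0 if the newest handshake is missing or older than MAX
handshake_stale() {
    age=$(handshake_age "$1" "$2")
    [ "$age" -lt 0 ] || [ "$age" -gt "$3" ]
}

# decide_action FIRST_FAIL NOW -> "restart" while the failure is younger than
# REBOOT_AFTER (FIRST_FAIL empty means it started just now), else "reboot"
decide_action() {
    first=$1; now=$2
    if [ -z "$first" ] || [ $((now - first)) -lt "$REBOOT_AFTER" ]; then
        echo restart
    else
        echo reboot
    fi
}

# check_all ROUTES IPTABLES HANDSHAKES NOW -> name of the first failed check, or "ok"
check_all() {
    if ! route_present "$1" "$WG_IF"; then echo route; return; fi
    if ! fw_rule_present "$2" "$WG_IF"; then echo firewall; return; fi
    if handshake_stale "$3" "$4" "$HANDSHAKE_MAX"; then echo handshake; return; fi
    echo ok
}

# run_live: what the cru entry calls every minute on the router
run_live() {
    now=$(date +%s)
    result=$(check_all "$(ip route show)" "$(iptables-save)" "$(wg show "$WG_IF" latest-handshakes)" "$now")
    if [ "$result" = ok ]; then
        rm -f "$STATE"
        return 0
    fi
    first=$(cat "$STATE" 2>/dev/null)
    [ -n "$first" ] || echo "$now" > "$STATE"   # remember when the outage began
    action=$(decide_action "$first" "$now")
    logger -t wg-watchdog "check '$result' failed; action: $action"
    if [ "$action" = reboot ]; then
        rm -f "$STATE"; reboot
    else
        /opt/etc/init.d/S50wireguard restart
    fi
}

# Constructed sample data for an offline demo (not real router output)
SAMPLE_ROUTES='default via 192.168.1.254 dev eth0
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
0.0.0.0/1 dev wg11 scope link'
SAMPLE_IPT='-A FORWARD -i br0 -o wg11 -j ACCEPT
-A FORWARD -i wg11 -o br0 -j ACCEPT'
SAMPLE_HS='aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8= 1700000000'
SAMPLE_NOW=1700000100

if [ "${1:-}" = live ]; then
    run_live
else
    echo "demo: $(check_all "$SAMPLE_ROUTES" "$SAMPLE_IPT" "$SAMPLE_HS" "$SAMPLE_NOW")"
fi
```

Schedule it with the cru line from the post, passing `live` as the argument. One caveat on the handshake check: an idle tunnel never initiates a new handshake, so it only makes sense with PersistentKeepalive set on the Peer; without that, the ping test Zeb mentions is the more reliable liveness signal.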
In the OP, there is code you need to put in nat-start so wg rules get reapplied after a firewall restart/start.

I made a few changes to the script:

Code:
#!/bin/sh
# Called from nat-start: if WireGuard routes already exist, the firewall was
# just restarted underneath a live tunnel, so restart WireGuard to re-apply its rules.

WVPNROUTE=$(ip route show | grep -i -a "dev wg")
logger -s -t "($(basename "$0"))" $$ "Checking if WireGuard is UP....""$WVPNROUTE"
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename "$0"))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi
@Martineau Thanks for posting the link. I have been testing off and on the past two days as I've had time. Makes WG more scalable. Before you posted this, I was struggling to get server and client to run together at the same time. I now have that problem fixed with the script you posted. Next step is to configure Android phone as a peer so it can connect to router.
If you download the latest S50wireguard v1.04, you can simply enter
Code:
/opt/etc/init.d/S50wireguard genkeys Nokia6310 tag="Best phone ever!"


    Creating Wireguard Private/Public key pair for device 'Nokia6310'

    Device 'Nokia6310' Public key=aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8=

    Press y to ADD device 'Nokia6310' to 'server' Peer (wg21) or press [Enter] to SKIP.
y

    Adding device Peer 'Nokia6310' to RT-AC86U 'server' (wg21) and WireGuard config

#Nokia6310
[Peer]
PublicKey = aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8=
AllowedIPs = 10.50.1.128/32

aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8=      10.50.1.128     # Nokia6310 Best phone ever!

and voila! ....well the server side is now configured (use command aliases wgstart and wgr to check)

Code:
wgr

    interface: wg21     ('server' # Martineau Host Peer 1)
         public key: j+aNKC0yA7+rryH7cA9gISJ9+Ms05f/q4kYG/JkBwAU=
         private key: (hidden)
         listening port: 1151

       
        peer: aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8=     ('server client' # Nokia6310 Best phone ever!)
         allowed ips: 10.50.1.128/32

So then all you do is copy the relevant bits into your phone.
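To show what a `genkeys`-style add involves on the server side, here is an added example (mine, not the S50wireguard script's own code): the address allocation and stanza building are pure functions that run offline against a constructed map excerpt, and `add_device` wires them to `wg genkey`, `wg pubkey` and `wg set` so the new Peer is live without a restart. Assumed: the host Peer's subnet is 10.50.1.0/24 as in the map excerpt, allocation starts at .128 (the address the post's run handed out), and the server config lives at /opt/etc/wireguard/wg21.conf.

```shell
#!/bin/sh
# Added example for this thread (not S50wireguard genkeys): add a 'server
# client' device to the wg21 host Peer. Assumptions: 10.50.1.0/24 subnet,
# addresses handed out from .128 upwards, server config path below.

MAP=${MAP:-/jffs/configs/WireguardVPN_map}
SERVER_CONF=${SERVER_CONF:-/opt/etc/wireguard/wg21.conf}   # path assumed

# next_free_ip MAP_TEXT PREFIX START -> first PREFIX.N (START <= N <= 254) not
# already listed on a 'public-key  IP  # comment' line of the map; prints
# nothing when the range is exhausted. WireGuard public keys are base64 of
# 32 bytes and therefore always end in '=', which is how those lines are spotted.
next_free_ip() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v start="$3" '
        $1 ~ /=$/ && $2 != "" { split($2, a, "/"); used[a[1]] = 1 }
        END {
            for (n = start + 0; n <= 254; n++) {
                ip = pfx "." n
                if (!(ip in used)) { print ip; exit }
            }
        }'
}

# peer_stanza NAME PUBKEY IP -> the [Peer] block appended to the server config
peer_stanza() {
    printf '#%s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# map_line NAME PUBKEY IP TAG -> the line appended to WireguardVPN_map
map_line() {
    printf '%s      %s     # %s %s\n' "$2" "$3" "$1" "$4"
}

# add_device NAME TAG -> generate a key pair, allocate an address, record the
# device on the server side and add it to the running interface
add_device() {
    name=$1; tag=$2
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    ip=$(next_free_ip "$(cat "$MAP")" 10.50.1 128)
    [ -n "$ip" ] || { echo "no free address in 10.50.1.0/24" >&2; return 1; }
    peer_stanza "$name" "$pub" "$ip" >> "$SERVER_CONF"
    map_line "$name" "$pub" "$ip" "$tag" >> "$MAP"
    wg set wg21 peer "$pub" allowed-ips "$ip/32"
    # The device itself needs its private key and address; that is the part copied into the phone.
    printf 'Device %s: Address = %s/32, PrivateKey = %s\n' "$name" "$ip" "$priv"
}

# Offline demo on a constructed map excerpt (not a real router file)
SAMPLE_MAP='# Public Key                                      DHCP IP             Annotation Comment
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.1.124         # A Cell phone
wML+L6hN7D6wx+E1SA0K675x1cMjlpYzeTOPYww2WSM=      10.50.1.88          # Samsung Galaxy S8'
if [ "${1:-}" = live ]; then
    add_device "$2" "$3"
else
    peer_stanza Nokia6310 'aS/4yHOHY6q2d2VsmvxrQ+8AI6kddPfymThallXwYn8=' "$(next_free_ip "$SAMPLE_MAP" 10.50.1 128)"
fi
```

Run as `sh add-device.sh live Nokia6310 "Best phone ever!"` on the router; without arguments it only prints the stanza it would produce for the sample map. Keeping the map as the single source of truth for allocated addresses is what prevents two devices ending up with the same AllowedIPs, which WireGuard would otherwise resolve by silently moving the /32 to the most recently added peer.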
 
That is great news. That will make it much easier. I was just getting ready to make another attempt.
FYI, for reporting script related issues i.e. bugs or undocumented use of command etc., it may be prudent to post them in the Addons thread.
 
Good afternoon all. This is a great thread and I have been watching now for a few months.

I'm currently using SoftEtherVPN as that platform had an excellent NAT traversal scheme that allowed me to run a VPN server behind a NAT. Now that my ISP has finally agreed to forward a set of ports to my internal CGNAT address, I am thinking of switching to WireGuard.

With SE, I was able to simply add the SE interface to router's br0 bridge using brctl. That allowed my SE clients to connect to my server and get an IP address as though they were on my home net. This is what I want (don't want yet another NAT).

So my question is, would I be able to do the same with the WireGuard interface? E.g., once the wg0 interface comes up, issue a "brctl addif br0 wg0"? Of course the proper nvram variable also has to be adjusted as well.

Thanks all for all the great work.
 
Hi, and thanks for this thread. I have tested the RT-AX86U with WireGuard and the implementation works great. One thing I noticed, for anyone who runs into the same problem:

my router has very slow speeds if QoS is disabled, but when I enable it speeds are really good, so if you run into the same problem try enabling QoS.

Thanks...
 
Thanks for this, it works..
 
@Odkrys
Would you please be so kind and update the kernel and tools to the latest build?
I think, I have some troubles running the current kernel and tools.
Thanks!
 
I don't know what your problem is, but I've updated it.

Thanks @Odkrys for all the hard work in this project. I have given up OpenVPN for WireGuard as my VPN. I am just curious about the request for you to update your install packages. When I issue "opkg list-installed | grep wireguard", I get the following:

Code:
ClientAdmin@RTAC86U:/tmp/home/root# opkg list-installed | grep wireguard

wireguard-kernel - 1.0.20210219-k27
wireguard-tools - 1.0.20210223-1

ClientAdmin@RTAC86U:/tmp/home/root#

Therefore, since the core wireguard components are part of entware, would they not get upgraded anyway when you run a "opkg update/upgrade"?

I understand the router specific scripts that you wrote needing to be upgraded by you.
 
Thank you for your work and effort!
I'm trying to use Cloudflare WARP and was hoping, that the updated modules/kernel will solve my problem.
I cannot resolve most domain names like reddit.com or speedtest.net after starting the WARP client/interface.
Some domains, like snbforums.com, are loading fine...

Edit:
I was so desperate to figure out my problem, so I bought a mobile data sim and LTE stick.
I plugged this stick into my AC86U and now I'm using the mobile LTE data sim as my primary WAN.
Now, WARP is working without problems. So I guess the problem is my ISP or the special setup I use. (Router->LTU Pro->LTU Rocket->ISP)
 
I posted a similar comment a while ago. Only in regards to RT-AX86U (AC86U does not require that work around). Works like a charm when flow cache is disabled. No QoS - I have no need for that.

I added this line
Code:
fc disable
to /jffs/scripts/post-mount script. and 'runner' remains as is - wireless clients will appreciate that.

The system's performance over WireGuard is between 50-100% better than over any other private networking client. Security concerns? Don't do that!
 
thanks for the info,,will try it out soon..
 