[Experimental] WireGuard for HND platform (4.1.x kernels)

[heysoundude]

OMG, that actually works now!

Also: holy hell, that's fast! I'm connecting to the AzireVPN wireguard server in the UK. www.speedtest.net results are a 10ms ping with 368Mb/s downstream speed, and 20.17 upstream. With no VPN connection I can hit 390Mb/s downstream, but that kind of slow-down is essentially invisible. Ping and upstream are unaffected.

By contrast, using OpenVPN over TCP, I get around 150Mb/s downstream, with a 16ms ping. (And for some reason OpenVPN over UDP is even slower, my ISP doesn't seem to like it).

Router CPU core 1 hits 94% during the speed test, core 2 gets to about 75%; so I'm not sure if it's even quite hit the router's limit. Very impressive.

It really would be great if there were a more "official" way of doing this.

Curious how this is working out for you.
Have you tried the script someone over on the Merlin side came up with to further tweak QoS, and if so, has it made any difference for you?

 

[Odkrys]

It looks like TorGuard also started supporting WireGuard.

Now we have 4 providers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

 

[Marin]

And it looks like NordVPN is testing it as well.

https://www.takesontech.com/nordvpn-is-testing-the-adoption-of-the-wireguard-protocol


Sent from my iPhone using Tapatalk

 

[unclebuk]

I have tried it on Macbook and android with Torguard which now experimentally supports it. Check with TG, they have the way forward at the moment.

 

[heysoundude]

I'd be interested to see what %age of their customers are running it...5 VPNs now, and some of the top/best/most popular ones at that, but it's probably still a niche/cool kids thing

 

[Geraner]

Hmm.. well then you have finally got the same problem as I had. I'm wondering whether this problem has to do with a firewall restart? Did you see anything in your router logs whats going on at the time the VPN stopped working? I was thinking about entering the commend written in the first post, as a script so Wireguard is restarted once the firewall is restarted. Don't know whether this helps.

Looks like this problem is gone now. Very stable and fast connection now.



WireGuard Version: 0.0.20181218-79b5151
Firmware Version: Merlin 384.8_2
VPN Provider: Mullvad www.mullvad.net
Uptime of WireGuard VPN connection: 108 hours, 40 minutes (4,5 days)
Data transfer: 82.62 GiB received, 7.91 GiB sent

 

[sfx2000]

This armv7 version achieved 180Mbps in my test. (single thread, RT-AC86U)

Even on old-school - MIPS24K on QCA9531 with OpenWRT - single core here... and definitely not ARM...

# iperf3 -c 10.0.10.1
Connecting to host 10.0.10.1, port 5201
[ 4] local 10.0.10.3 port 50784 connected to 10.0.10.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 6.43 MBytes 53.9 Mbits/sec 0 123 KBytes
[ 4] 1.00-2.00 sec 6.50 MBytes 54.5 Mbits/sec 0 158 KBytes
[ 4] 2.00-3.00 sec 6.56 MBytes 55.0 Mbits/sec 0 176 KBytes
[ 4] 3.00-4.00 sec 6.44 MBytes 54.1 Mbits/sec 0 186 KBytes
[ 4] 4.00-5.00 sec 6.50 MBytes 54.5 Mbits/sec 0 195 KBytes
[ 4] 5.00-6.00 sec 6.50 MBytes 54.5 Mbits/sec 0 206 KBytes
[ 4] 6.00-7.00 sec 6.62 MBytes 55.5 Mbits/sec 0 206 KBytes
[ 4] 7.00-8.00 sec 6.50 MBytes 54.5 Mbits/sec 0 206 KBytes
[ 4] 8.00-9.00 sec 6.81 MBytes 57.1 Mbits/sec 0 291 KBytes
[ 4] 9.00-10.00 sec 6.44 MBytes 54.0 Mbits/sec 0 291 KBytes

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 65.3 MBytes 54.8 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 64.5 MBytes 54.1 Mbits/sec receiver

iperf Done.
# iperf3 -c 10.0.10.1 -R
Connecting to host 10.0.10.1, port 5201
Reverse mode, remote host 10.0.10.1 is sending
[ 4] local 10.0.10.3 port 50788 connected to 10.0.10.1 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 7.79 MBytes 65.2 Mbits/sec
[ 4] 1.00-2.01 sec 8.71 MBytes 72.4 Mbits/sec
[ 4] 2.01-3.00 sec 8.31 MBytes 70.5 Mbits/sec
[ 4] 3.00-4.00 sec 8.69 MBytes 72.9 Mbits/sec
[ 4] 4.00-5.01 sec 8.68 MBytes 72.5 Mbits/sec
[ 4] 5.01-6.01 sec 8.44 MBytes 70.6 Mbits/sec
[ 4] 6.01-7.02 sec 8.78 MBytes 72.7 Mbits/sec
[ 4] 7.02-8.00 sec 8.34 MBytes 71.3 Mbits/sec
[ 4] 8.00-9.00 sec 8.60 MBytes 72.0 Mbits/sec
[ 4] 9.00-10.01 sec 8.44 MBytes 70.2 Mbits/sec

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.01 sec 86.3 MBytes 72.3 Mbits/sec 0 sender
[ 4] 0.00-10.01 sec 85.3 MBytes 71.4 Mbits/sec receiver

iperf Done.

Wireguard is pretty nifty...

 

[sfx2000]

I'd be interested to see what %age of their customers are running it...5 VPNs now, and some of the top/best/most popular ones at that, but it's probably still a niche/cool kids thing

1) OpenVPN is probably the most in use by a long shot - mostly due to heavy advertising by the VPN Service Providers and the portable nature of the OVPN stack... and even OVPN seems to be working to commercialize/monetize the stack there..

Just too bad that performance is a bit of a challenge with OVPN, but it is damn secure, no doubt, properly configured and all..

2) Shadowsocks - probably number 2 - because of the Great Firewall - size matters, and the mainland is what it is...

3) Wireguard - creeping up, as we get more client platforms now...

4) ZeroTier - this might be the one to keep an eye on - concept wise it's a bit different, as it's an SD-WAN approach - which is a different step, and takes a mind readjustment perhaps to understand what their doing...

Obviously we have legacy and proprietary approaches as well - legacy like PPTP (should just go away, except that's it fast, and private enough for some uses (not everyone in a coffee shop is a blackhat)), and then the business oriented stuff like AnyConnect from Cisco (and similar from Juniper, etc...)

Standalone stuff like L2TP/IPSec - which is supported by many OS's on the client side, is still relevant...

Most interesting stuff to me these days is Wireguard and ZeroTier...

 

[Geraner]

Looks like this problem is gone now. Very stable and fast connection now.



WireGuard Version: 0.0.20181218-79b5151
Firmware Version: Merlin 384.8_2
VPN Provider: Mullvad www.mullvad.net
Uptime of WireGuard VPN connection: 108 hours, 40 minutes (4,5 days)
Data transfer: 82.62 GiB received, 7.91 GiB sent

Just did a new speedtest with iperf3 three.

Connecting to host bouygues.iperf.fr, port 5201
[  5] local 10.99.xx.xxx port 37880 connected to 89.84.1.222 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  37.8 MBytes   315 Mbits/sec    1   6.00 MBytes
[  5]   1.01-2.03   sec  57.5 MBytes   472 Mbits/sec    0   6.00 MBytes
[  5]   2.03-3.00   sec  56.0 MBytes   481 Mbits/sec    0   6.00 MBytes
[  5]   3.00-4.00   sec  57.2 MBytes   480 Mbits/sec    0   6.00 MBytes
[  5]   4.00-5.02   sec  58.6 MBytes   483 Mbits/sec    0   6.00 MBytes
[  5]   5.02-6.02   sec  57.5 MBytes   483 Mbits/sec    0   6.00 MBytes
[  5]   6.02-7.01   sec  56.1 MBytes   475 Mbits/sec    0   6.00 MBytes
[  5]   7.01-8.00   sec  57.5 MBytes   487 Mbits/sec    0   6.00 MBytes
[  5]   8.00-9.01   sec  58.8 MBytes   488 Mbits/sec    0   6.00 MBytes
[  5]   9.01-10.00  sec  57.5 MBytes   487 Mbits/sec    0   6.00 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   554 MBytes   465 Mbits/sec    1             sender
[  5]   0.00-10.00  sec   554 MBytes   465 Mbits/sec                  receiver

iperf Done.

Looks like 488 Mbit/s is about the maximum you can get when usinge WireGuard of the RT-AC86U.

 

[Geraner]

New tests done, updated WireGuard software version 0.0.20190123, and using Merlin 384_9_Beta1. Getting partly over 600 Mbit/s transfer speed.

Connecting to host speedtest.serverius.net, port 5002
[  5] local 10.99.xx.xxx port 57217 connected to 178.21.16.76 port 5002
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  54.4 MBytes   451 Mbits/sec    0   2.71 MBytes
[  5]   1.01-2.00   sec  73.6 MBytes   623 Mbits/sec    0   2.72 MBytes
[  5]   2.00-3.01   sec  77.5 MBytes   649 Mbits/sec    0   2.72 MBytes
[  5]   3.01-4.00   sec  76.2 MBytes   643 Mbits/sec    0   2.72 MBytes
[  5]   4.00-5.00   sec  76.2 MBytes   637 Mbits/sec    0   2.72 MBytes
[  5]   5.00-6.00   sec  69.5 MBytes   584 Mbits/sec    3   2.00 MBytes
[  5]   6.00-7.00   sec  63.8 MBytes   534 Mbits/sec    5   1.52 MBytes
[  5]   7.00-8.01   sec  47.6 MBytes   396 Mbits/sec    1   1.14 MBytes
[  5]   8.01-9.01   sec  41.0 MBytes   343 Mbits/sec    0   1.21 MBytes
[  5]   9.01-10.01  sec  44.8 MBytes   376 Mbits/sec    0   1.26 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   625 MBytes   523 Mbits/sec    9             sender
[  5]   0.00-10.01  sec   623 MBytes   522 Mbits/sec                  receiver

iperf Done.

 

[heysoundude]

You almost hit 650 Mbps, but Merlin 384_9 is now the most current stable version...please update and refresh your results.

 

[Geraner]

You almost hit 650 Mbps, but Merlin 384_9 is now the most current stable version...please update and refresh your results.

Shouldn't really make any differences. There are no big changes between Merlin's BETA and Stable firmware versions, mainly just small bugfixes.
Will try to update during the next days and make some new tests then.

 

[Geraner]

You almost hit 650 Mbps, but Merlin 384_9 is now the most current stable version...please update and refresh your results.

I made the upgrade to Merlin 384_9 stable this morning and was then playing with iperf3 once again.

Interestingly, below there are the results of a test while just using my native internet connection. No VPN or any WireGuard connection enabled.

Connecting to host speedtest.serverius.net, port 5002
[  5] local 92.XX.XX.XX port 51546 connected to 178.21.16.76 port 5002
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  54.4 MBytes   452 Mbits/sec    7   1.78 MBytes
[  5]   1.01-2.01   sec  70.0 MBytes   585 Mbits/sec    0   1.78 MBytes
[  5]   2.01-3.00   sec  68.7 MBytes   581 Mbits/sec    0   1.79 MBytes
[  5]   3.00-4.00   sec  67.1 MBytes   564 Mbits/sec    0   1.79 MBytes
[  5]   4.00-5.01   sec  70.4 MBytes   584 Mbits/sec    0   1.79 MBytes
[  5]   5.01-6.01   sec  69.0 MBytes   578 Mbits/sec    0   1.87 MBytes
[  5]   6.01-7.01   sec  64.0 MBytes   537 Mbits/sec    2   1.91 MBytes
[  5]   7.01-8.00   sec  66.6 MBytes   565 Mbits/sec    0   1.91 MBytes
[  5]   8.00-9.00   sec  66.3 MBytes   556 Mbits/sec    0   1.91 MBytes
[  5]   9.00-10.01  sec  66.2 MBytes   553 Mbits/sec    0   1.91 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   663 MBytes   556 Mbits/sec    9             sender
[  5]   0.00-10.01  sec   663 MBytes   556 Mbits/sec                  receiver

iperf Done.

Then I activated WireGuard again, and was running the same test. - You see the speed is even faster then without VPN/WireGuard. Also it is hitting again over 600 Mbit/s several times.

Connecting to host speedtest.serverius.net, port 5002
[  5] local 10.XX.XX.XX port 50267 connected to 178.21.16.76 port 5002
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  51.4 MBytes   428 Mbits/sec    9   2.60 MBytes
[  5]   1.01-2.01   sec  73.3 MBytes   611 Mbits/sec    0   2.61 MBytes
[  5]   2.01-3.00   sec  75.0 MBytes   635 Mbits/sec    0   2.62 MBytes
[  5]   3.00-4.01   sec  76.2 MBytes   633 Mbits/sec    0   2.62 MBytes
[  5]   4.01-5.01   sec  76.2 MBytes   644 Mbits/sec    0   2.63 MBytes
[  5]   5.01-6.01   sec  76.2 MBytes   636 Mbits/sec    0   2.67 MBytes
[  5]   6.01-7.01   sec  76.2 MBytes   640 Mbits/sec    0   2.68 MBytes
[  5]   7.01-8.00   sec  75.0 MBytes   636 Mbits/sec    3   2.68 MBytes
[  5]   8.00-9.01   sec  76.2 MBytes   636 Mbits/sec    0   2.68 MBytes
[  5]   9.01-10.01  sec  77.5 MBytes   645 Mbits/sec    0   2.68 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   733 MBytes   614 Mbits/sec   12             sender
[  5]   0.00-10.01  sec   733 MBytes   614 Mbits/sec                  receiver

iperf Done.

The transfer speed is even faster while having WireGuard activated than while running with just my native internet connection without VPN/WireGuard.
So I think the results are very much related to the performance of the iperf3 servers as well.

 

[Shasarak]

The transfer speed is even faster while having WireGuard activated than while running with just my native internet connection without VPN/WireGuard.

What sort of numbers do you get using www.speedtest.net ?

 

[helio58]

Tha

WireGuard still work in progress, therefore, using it at your own risk.


1. Install WireGuard

https://drive.google.com/open?id=1F1bs0Hx-CMaCdILV1ybDZIw7Jr_uEwHs

You need Entware-aarch64-3.10 to use wireguard without a new firmware build.

opkg install /path/wireguard_0.0.20190123-40eaf20_aarch64-3.10.ipk

2. as Client configuration setting.

nano /opt/etc/init.d/S50wireguard

Mode=client

export LocalIP=
Route=default   #default or policy
export wgdns=
export Nipset=wgvpn

Init file has 5 options.
Mode=client

LocalIP is provided by VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

default route will redirect your all internet traffic to VPN server.
policy work like Policy Rules (strict) on Merlin.

wgdns is option to change dns server.
Nipset is the name of ipset for ipset based policy routing.

AzireVPN, Mullvad, IVPN, TorGuard support WireGuard servers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)

[Interface]
PrivateKey = -------
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = ----------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT

AzireVPN's config file looks like above one.
Fill the Address 10.40.12.49 at LocalIP of init file.

export LocalIP=10.40.12.49 (without prefix)
export wgdns=192.211.0.2

And comment out Address and DNS in the config file.
Then config file should looks like this. (I highly recommend you add keepalive.)

[Interface]
PrivateKey = -------
#Address = 10.40.12.49/19
#DNS = 192.211.0.2

[Peer]
PublicKey = -------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
PersistentKeepalive = 25

Done. Start WireGuard.

/opt/etc/init.d/S50wireguard start

3. Advanced client settings.

For using Route=policy, wg-policy script has some rules.
Adjust to your situation.
Default table is 117.

nano /opt/etc/wireguard/wg-policy

#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq

4. as Server configuration setting.

(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey

nano /opt/etc/init.d/S50wireguard (example)

Mode=server

export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
export wgport=51820

nano /opt/etc/wireguard/wg1.conf (Server uses wg1)

[Interface]
PrivateKey = ----------
ListenPort = 51820

[Peer]
PublicKey = ----------
AllowedIPs = 10.50.50.2/32

Done. Start WireGuard.

/opt/etc/init.d/S50wireguard start

4.5 Generate client QRcode.

Generator script will generate QRcode image for Android or iOS.
You need to install qrencode first.

opkg install qrencode

If you want to use your host address (192.168.50.1) as DNS server,
you have to add wg interface to Dnsmasq listening interface list.

sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

This script will ask you 3 options.
1. client name 2. client address 3. client DNS server



-------------------------------------------------------------------------
WireGuard use iptables so when the firewall is restarted, the rules will gone.
Please add this in nat-start script.

nano /jffs/scripts/nat-start

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if Wireguard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename $0))" $$ "**Warning Wireguard is UP.... restarting Wireguard"
        /opt/etc/init.d/S50wireguard restart
fi

5. Remove WireGuard

/opt/etc/init.d/S50wireguard stop
opkg remove wireguard
rm -r /opt/etc/wireguard

Scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicate.
The error messages (e.g. iptables) are not real error.
Don't worry.


Edit: iperf benchmark result.

WireGuard server on RT-AC86U. Windows 10 Tunsafe client. (https://tunsafe.com/download)
WireGuard author does not assure Tunsafe security. I just used it for benchmark purpose.

Spoiler

C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec

Tanks for the guide.
I will like to use Wireguard as a server.
Could you please point out how to on Asus_merlin?
Thanks

 

[Marin]

Tha


Tanks for the guide.
I will like to use Wireguard as a server.
Could you please point out how to on Asus_merlin?
Thanks

See # 4 of the post you quoted.


Sent from my iPhone using Tapatalk

 

[helio58]

Thanks Marin , I was blind. thanks

 

[Xentrk]

I'm a TorGuard subscriber. They currently support four WireGuard servers in NYC. They have instructions on how to install on the gl-inet travel router. I currently own the AR-300M model.

Had issues with their instructions as I was on the current production 2.27 firmware and their instructions use the Beta firmware. I did some searching and found the beta link here https://docs.gl-inet.com/en/3/release_notes/gl-ar300m/. I had to install the tar file on this page http://download.gl-inet.com/firmware/ar300m/nand/testing/

Once, I upgraded the firmware, the configuration was a snap.

Unfortunately, I can't report great speeds when compared to the AC86U. The travel router is probably constrained by the Qualcomm QCA9531 SoC, 650MHz CPU along with the location of the servers in NYC, which is half way across the globe from my location. However, notable difference when compared to OpenVPN.

            WireGuard  OVPN aes-128-gcm
Down        32.97               5.96
Up          18.59               8.27
Latency    316.00             305.00

Still, good to see some progress being made and it will be interesting to see how things progress.

 

[sfx2000]

Unfortunately, I can't report great speeds when compared to the AC86U. The travel router is probably constrained by the Qualcomm QCA9531 SoC, 650MHz CPU along with the location of the servers in NYC, which is half way across the globe from my location. However, notable difference when compared to OpenVPN

Your numbers seem low for the AR300M - are you using WiFi as the WAN connection? The numbers you're seeing are similar to what I see with USB150 (review soon) using WiFi as the WAN side...

I host WG internally on a NUC7i5 (Kaby Lake NUC running Ubuntu 18.06) as the host, and AR300M cabled up...

 

[Xentrk]

Your numbers seem low for the AR300M - are you using WiFi as the WAN connection? The numbers you're seeing are similar to what I see with USB150 (review soon) using WiFi as the WAN side...

I host WG internally on a NUC7i5 (Kaby Lake NUC running Ubuntu 18.06) as the host, and AR300M cabled up...

I did the test using a CAT 5e cable Ethernet connection. I will do another test using a CAT 7 cable. The CAT 5e may have been the issue. Also, I am a very long way from the servers in New York.