@Odkrys Just wanted to say thank you! I got wireguard set up as a server on my AC86U and tested with iOS client and it worked flawlessly.
I'm still a noob when it comes to network routing.. thinking about trying out Mozilla's wireguard service. I don't want the whole internet traffic to be routed to Mozilla, just select devices. This is where I need to read up more on iptables and such.
Does anyone know how to cross compile the wg-tool userspace binary (I have Ubuntu 18.04, I can code but I'm not good with tools and setups)? I would like to build the binary from source myself. Any tip will be tremendously appreciated!
Figured out the ipk build for wireguard. I downloaded Entware repo and rebuilt from source... took hours but now I can build the ipk from source which is good, however, the default source didn't have all the associated scripts from @Odkrys . Is there a fork somewhere I can clone for the wireguard IPK build so it has the same scripts as OP's?
It's been a few days, but I can confirm that wireguard works on asus gt-ax11000. It works extremely well! Now if only someone could point me to the script for restoring it when it drops out.
For using Route=policy, wg-policy script has some rules.
Adjust to your situation.
Default table is 117.
nano /opt/etc/wireguard/wg-policy
Code:
#
##For ipset based Policy Routing
#
#ipset -N $Nipset hash:ip
#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000
#service restart_dnsmasq
4. as Server configuration setting.
Code:
(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey
Generator script will generate QRcode image for Android or iOS.
You need to install qrencode first.
Code:
opkg install qrencode
If you want to use your host address (192.168.50.1) as DNS server,
you have to add wg interface to Dnsmasq listening interface list.
Code:
sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
This script will ask you for 3 options.
1. client name 2. client address 3. client DNS server
-------------------------------------------------------------------------
WireGuard uses iptables, so when the firewall is restarted, the rules will be gone.
Please add this in nat-start script.
nano /jffs/scripts/nat-start
Code:
#!/bin/sh
# Restart WireGuard after a firewall restart so its iptables rules are re-added.
WVPNROUTE=$(ip route show | grep -i -a "dev wg")
logger -s -t "($(basename "$0"))" $$ "Checking if WireGuard is UP....$WVPNROUTE"
if [ -n "$WVPNROUTE" ]; then
    logger -s -t "($(basename "$0"))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
    /opt/etc/init.d/S50wireguard restart
fi
Scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicates.
The error messages (e.g. iptables) are not real errors.
Don't worry.
Edit: iperf benchmark result.
WireGuard server on RT-AC86U. Windows 10 Tunsafe client. (https://tunsafe.com/download)
WireGuard author does not assure Tunsafe security. I just used it for benchmark purpose.
C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec
Did someone get Wireguard working on the AX88U? Seems to be still in the works. I have no clue what forks are or how to get a command line on the router. Am I supposed to SSH into the router? Sorry for the noob questions.
Yes. Please ssh into the router as admin and your password. And follow the instructions on page 1. It works well! I have even managed to get it working with the ax11000 using the ax88u software.
Weird situation... any help would be much appreciated.
Totally clean install - build from scratch.
1) RT AX-88U, v384.19, JFFS enabled, 2GB Swap
2) Entware installed; SpeedMerlin installed, NO other amtm components or scripts
Steps undertaken:
Installed Wireguard
Running it as a server
Configured exactly as per instructions in Post 1 (wg1.conf, S50wireguard, dnsmasq.conf.add, nat-start)
Operates as expected; able to connect from clients.
Reboot the router, everything works as expected.
Wireguard server operates as expected; able to connect from clients. No issues.
Repeated Step 5 multiple times, no problems.
Problem starts now:
- Installed Diversion Lite (Medium list, fairly standard configuration - email notifications, etc, - nothing very complicated)
- WireGuard client can still connect, no issues.
- Reboot Router
- Diversion still works as expected
- Wireguard clients can no longer connect.
- Checked SysLog. Wireguard service started (but with time shown as May 5 06:05:xx)
Working Resolution:
- Manually execute command to restart WireGuard /opt/etc/init.d/S50wireguard restart
- Wireguard clients can connect again !!!
It seems that WireGuard server does not start properly after reboot (but only if Diversion installed !)
Any clues; or any script/ method to force WireGuard server to restart on reboot?
Or any other configuration setting that needs to be changed due to Diversion.
Reinstalled everything again from scratch and it all works fine now.
The only thing I guess is that the nat-start script (jffs/scripts/nat-start) had somehow lost its 'executable' (chmod +x) attribute and was probably not being executed at startup.
Really don't know... but WireGuard works fine as a server now and survives a reboot. Happy again.
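The failure suspected in the post above (a nat-start that lost its executable bit) can be checked for before a reboot, together with the permissions on the file holding the server private key. The script below is an added example, not part of the original posts or of Odkrys's package; the function names `check_wg_setup` and `make_sample_tree` are hypothetical, the paths are the ones used in this thread, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of Odkrys's package. Paths are the ones used in this thread.

# check_wg_setup [ROOT]: print one line per finding, return the number of findings.
# ROOT is empty on the router; a scratch directory can be passed for a dry run.
check_wg_setup() {
    natstart="$1/jffs/scripts/nat-start"
    conf="$1/opt/etc/wireguard/wg1.conf"
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    if [ ! -f "$natstart" ]; then
        note "$natstart is missing"
    else
        # Lost executable bit: the cause suspected in the post above.
        [ -x "$natstart" ] || note "$natstart is not executable (chmod +x)"
        first=""
        IFS= read -r first < "$natstart" || true
        case $first in '#!'*) ;; *) note "$natstart does not start with #!" ;; esac
        grep -q 'S50wireguard' "$natstart" || note "$natstart never calls S50wireguard"
    fi

    if [ ! -f "$conf" ]; then
        note "$conf is missing"
    else
        # wg1.conf holds the server private key: group/other bits must all be clear.
        [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] \
            || note "$conf is accessible beyond its owner (chmod 600)"
        # A failed 'wg genkey' leaves "PrivateKey = " with nothing after it.
        grep -q '^PrivateKey[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf" \
            || note "$conf has no PrivateKey value"
    fi
    return "$findings"
}

# Constructed sample tree reproducing the failure from the thread (for a dry run).
make_sample_tree() {
    mkdir -p "$1/jffs/scripts" "$1/opt/etc/wireguard"
    printf '#!/bin/sh\n/opt/etc/init.d/S50wireguard restart\n' > "$1/jffs/scripts/nat-start"
    chmod 644 "$1/jffs/scripts/nat-start"
    printf '[Interface]\nPrivateKey = \n' > "$1/opt/etc/wireguard/wg1.conf"
    chmod 644 "$1/opt/etc/wireguard/wg1.conf"
}
```

On the router, source the file and run `check_wg_setup` with no argument; a return status of 0 means no findings.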
Hello all,
I have just finished following the instructions on page 1 for my Asus RT-AX88U router with the latest firmware and wireguard is up and running.
I have selected 10.10.10.1 for the WG interface.
I have two clients configured: my phone (10.10.10.2) and a dd-wrt router (10.10.10.3).
When I connect my phone, all is well, I can ssh to a lan ip and get a connection without a problem, and the phone public ip becomes the public ip of the ASUS router (as I was expecting).
The dd-wrt router is connected to the internet with a usb 3g modem (because I want to simulate a remote connection) and I have a laptop connected to that router. The router lan range is 192.168.10.xx. While the ASUS lan range is 192.168.1.xxx
The router gets a connection but I cannot reach anything in the ASUS lan. I cannot even ping the wireguard server ip (100.100.10.1). I can however ping the wireguard dd-wrt router IP (100.100.10.3) ONLY from the ASUS router. Not from ASUS lan.
What I would like to happen is to be able to access the dd-wrt lan from the ASUS lan and vice-versa.
Hi Everyone I'm really interested in getting wire guard going on my 86U. I've seen the instructions on page 1. But, I'm a little gun shy in trying to get this going without screwing up my router. Does anyone have any easy step by step guide tutorial for a complete noob with scripting?
This tutorial is written to help people understand some of the basics of shell script programming (aka shell scripting), and hopefully to introduce some of the possibilities of simple but powerful programming available under the Bourne shell. As such, it has been written as a basis for...
www.shellscript.sh
asuswrt-merlin has a built in editor called nano. Get a good SSH client. Web search for "top ssh clients" if you want to use an alternate editor. Some are happy with WinSCP as a starting point.
You need to have a USB formatted in linux format with entware installed. Use the amtm utility to format the USB and install entware.