[Experimental] WireGuard for HND platform (4.1.x kernels)

Is it possible to run the WireGuard client with policy routing for certain devices at the same time as OpenVPN "client 1", for example, with policy routing for other devices?
If so, can both start automatically at boot without crashing each other?
thx
 
@Odkrys, is there an easy way to check which version of the kernel or tools is currently installed on my router? I see that you recently updated the kernel to v.20201221 but I wasn't sure if I was already running that version or not.

Some googling suggested running this command:
Code:
sudo modprobe wireguard

Unfortunately that command didn't work for me.

Hi all, just an update to report back that I found an easy way to check the currently installed wireguard kernel or tools versions.

Code:
opkg list-installed
 
Hi, been googling and tried the guide so many times. I had it working once but I can't remember what I did. WireGuard is running and receiving very small amounts of data but that's it. I get no download or internet at all. As soon as I stop WireGuard I get internet again. I can see in my routing table wg0 has been created but there's no gateway?

I think it's something to do with my iptables but it's going beyond my knowledge now.

i am using an asus ax88u with diversion installed. the local ip for router is 192.168.50.1 and ips for devices start from 5.

any help appreciated! thanks
 
Missing a lot of information - like which VPN provider, for a start
 
Hi thanks for fast reply!

I am trying on mullvad on asus ax88u following instructions from page 1.

what i have been trying to do is below

cd /mnt/USB_STICK/


opkg install wireguard-kernel_1.0.20201221-ax_aarch64-3.10.ipk
opkg install wireguard-tools_1.0.20200827-1_aarch64-3.10.ipk


wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
cat privatekey

pub: xx

priv: xxx

curl https://api.mullvad.net/wg/ -d account=xxxxxxx --data-urlencode pubkey=xxxxxx

nano /opt/etc/wireguard/wg0.conf

[Interface]
PrivateKey = xxxx
#Address = xxx
#Port = 51820
#DNS = 9.9.9.9, 192.168.50.1, 192.168.50.2

[Peer]
Endpoint = gb15-wg.socks5.mullvad.net:1080
PublicKey = MVqe9e9aDwfFuvEhEn4Wd/zWV3cmiCX9fZMWetz+23A=
AllowedIPs = 0.0.0.0/0,::0/0,192.168.50.0/24
Endpoint = gb15-wg.socks5.mullvad.net:1080
PersistentKeepalive = 25

nano /opt/etc/wireguard/S50wireguard

Mode=client
export LocalIP=xxxx
Route=default #default or policy
export wgdns=
export Nipset=wgvpn

nano /jffs/scripts/nat-start

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
/opt/etc/wireguard/S50wireguard restart
fi


chmod +x /jffs/scripts/nat-start

nano /opt/etc/wireguard/wg-policy

#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq


/opt/etc/wireguard/S50wireguard start
/opt/etc/wireguard/S50wireguard stop

It creates the wg0 network but nothing is going through it.
I suspect I need more in iptables?
 
The steps on the first page are working well with the AX88U.

Which server are you using for Mullvad?
gb15-wg.socks5.mullvad.net:1080

Everything I have done including any routing is in the previous post. Are there additional steps? Forwarding?

Thanks for your help so far! I've been at it for a couple of days. It was working at one point but I must have messed my notes up! I'm pretty sure it's an iptables rule or a forward in the router but I don't have a clue what to do
 
For those using WireGuard with PIA, did you simply use the instructions on the 1st page? I'm trying to set it up but an earlier post stated only a few locations work. I only use the east coast DNS servers. Can you provide any additional steps you did to get this working with PIA? Appreciated.
 
Have you generated the config from the Mullvad web site? It is an easy step to do that. And have you respected the correct syntax from the first page?

I have been using the first page instructions with PIA too. Actually, using WireGuard with PIA is unsupported, but some locations are working well, like USA East. I have tried Montreal and it is not working. So just be patient until PIA confirms it is supported, I think, or use USA East...
 
Well, I feel like an idiot. Just tried again, this time using the generator. I had to block the DNS and Address and it connects up fine. I've been trying for a stupid amount of hours :( I was following the guide


Maybe it was because I was using gb15-wg.socks5.mullvad.net:1080 instead of Endpoint = 185.195.232.70:51820?
 
It doesn't survive a reboot on the router tho?
Good news :) have fun ;)
Cheers! Now the problem is rebooting router messes everything up and it doesn't restart! I have set NAT start script up but doesn't seem to be starting it on boot
 
Just starting WireGuard with /opt/etc/wireguard/S50wireguard start solves the problem but the start script from page 1 doesn't work
 
Still struggling to get it started and to check it's running. Are there any changes I need to make for the nat-start script? Or is it just copy and paste?
 
Try the following commands and post the output
Code:
dos2unix /jffs/scripts/nat-start

ls -lah /jffs/scripts/nat*

/jffs/scripts/nat-start

ls -lah /opt/etc/init.d/

ls -lah /opt/etc/wireguard/
 
bb@RT-AX88U-97F8:/tmp/home/root# dos2unix /jffs/scripts/nat-start
jamesborrisfern@RT-AX88U-97F8:/tmp/home/root# ls -lah /jffs/scripts/nat*
-rwxr-xr-x 1 bb root 313 Jan 29 11:53 /jffs/scripts/nat-start
bb@RT-AX88U-97F8:/tmp/home/root# /jffs/scripts/nat-start
(nat-start): 2980 Checking if WireGuard is UP....0.0.0.0/1 dev wg0 scope link 128.0.0.0/1 dev wg0 scope link
(nat-start): 2980 **Warning WireGuard is UP.... restarting WireGuard

Done.
bb@RT-AX88U-97F8:/tmp/home/root# ls -lah /opt/etc/init.d/
drwxr-xr-x 2 bb root 4.0K Jul 19 2020 .
drwxr-xr-x 6 bb root 4.0K Jan 28 12:22 ..
-rwxr-xr-x 1 bb root 1.5K Jan 28 12:18 S80pixelserv-tls
-rw-r--r-- 1 bb root 2.8K Oct 26 17:59 rc.func
-rw-r--r-- 1 bb root 2.5K Jan 28 12:18 rc.func.div
-rwxr-xr-x 1 bb root 966 Oct 26 17:59 rc.unslung
bb@RT-AX88U-97F8:/tmp/home/root# ls -lah /opt/etc/wireguard/
drwxr-xr-x 2 bb root 4.0K Jan 28 12:22 .
drwxr-xr-x 6 bb root 4.0K Jan 28 12:22 ..
-rwxr-xr-x 1 bb root 1.0K Jan 28 12:34 S50wireguard
-rwxr-xr-x 1 bb root 1.8K Jul 19 2020 wg-down
-rwxr-xr-x 1 bb root 2.3K Jul 19 2020 wg-policy
-rwxr-xr-x 1 bb root 1.6K Jul 19 2020 wg-server
-rwxr-xr-x 1 bb root 1.7K Jul 19 2020 wg-up
-rw-rw-rw- 1 bb root 303 Jan 28 12:33 wg0.conf
bb@RT-AX88U-97F8:/tmp/home/root#

thanks for your help!
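
Two details from this exchange can be checked before the tunnel is started: the `Address`/`DNS` lines that had to be commented out (and the repeated `Endpoint` line in the posted config), and the `-rw-rw-rw-` mode shown for `wg0.conf`, the file that holds `PrivateKey`. The script below is an added example, not part of the thread or of the project's scripts; `lint_wg_conf`, `write_sample` and the sample config are constructed, and it assumes the start script loads the file with `wg setconf`, which rejects wg-quick-only keys.

```shell
#!/bin/sh
# Added example: lint a WireGuard config before it is loaded.
# Assumption: the start script loads the file with `wg setconf`, which
# rejects wg-quick-only keys such as Address and DNS.

# Print one finding per line; return status = number of findings.
lint_wg_conf() {
    conf=$1
    [ -r "$conf" ] || return 255
    report=$(
        awk -F'[ \t]*=[ \t]*' '
            /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
            /^[ \t]*\[/ { section = $1; split("", seen); next }
            {
                key = $1; sub(/^[ \t]+/, "", key)
                if (key ~ /^(Address|DNS|MTU|Table|SaveConfig|(Pre|Post)(Up|Down))$/)
                    print "WGQUICK: " key " is not accepted by wg setconf"
                if (seen[key]++)
                    print "DUPLICATE: " key " repeated in " section
            }' "$conf"
        # The file holds PrivateKey: group and other must have no access.
        bits=$(ls -l "$conf" | cut -c5-10)
        [ "$bits" = "------" ] || echo "PERMS: group/other bits '$bits', want chmod 600"
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return $(( $(printf '%s\n' "$report" | wc -l) ))
}

# Constructed sample with the same shape as the config posted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
Address = 10.0.0.2/32
#DNS = 9.9.9.9

[Peer]
Endpoint = vpn.example.net:51820
PublicKey = CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 666 "$sample"
lint_wg_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```
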
 
You have failed to follow the install instructions in post #1 (Step 1) and missed a crucial step for the Entware auto-startup WireGuard request, and the User Space Tool nat-start script to work...

 
Been running the WireGuard client on my AC86U now for a month and it is working great! Running Merlin 386 beta 2.

I have been running into some snags that I would like to share for others maybe experiencing the same problems:

My ordinary LAN is on 192.168.1.x on device br0.
Guest wifi is per default on br1 and br2, 192.168.101.x and 192.168.102.x.

2 problems come from this:
A) - The router has set up the firewall for br1, br2 to eth0 (WAN) but not to wg0 (VPN), so when the new default routing table kicks in, guest wifi will be useless (or any other subnet from the default one).
B) - Masquerading on wg0 is set up to only masquerade the /24 subnet, which will be br0 only.

So to fix this, edit wg-up (or wg-policy, depending on which you use):
A) - Add these lines somewhere in the end:
Code:
iptables -t filter -D FORWARD -i br1 -o wg0 -j ACCEPT 2>/dev/null
iptables -t filter -D FORWARD -i br2 -o wg0 -j ACCEPT 2>/dev/null
iptables -t filter -I FORWARD -i br1 -o wg0 -j ACCEPT
iptables -t filter -I FORWARD -i br2 -o wg0 -j ACCEPT
The first 2 (the -D ones) should be added in wg-down as well so the rules are removed when WireGuard is stopped.
B) change these 2 lines:
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE
to
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/16 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/16 -o wg0 -j MASQUERADE
The same change should be done in wg-down so the rules are properly removed when WireGuard is stopped.

Now br1 and br2 are allowed to be routed to wg0 (VPN) and masquerading will work on the entire 192.168.x.x.
Please adjust further to your own needs.

/Zeb
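
A narrower variant of the change described above, as an added example that is not part of the original post or of the project's scripts: it emits the same FORWARD and MASQUERADE rules once per guest bridge, scoped to that bridge's own subnet rather than a whole /16, together with the matching deletes for wg-down. The `guest_rules` name and the sample `ip -o -4 addr show` lines (including the wg0 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-bridge rules for wg-up / wg-down, scoped to each guest
# bridge's own subnet instead of one MASQUERADE rule for a whole /16.

# Constructed `ip -o -4 addr show` lines using the subnets named in the post.
SAMPLE_ADDRS='6: br0    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
7: br1    inet 192.168.101.1/24 brd 192.168.101.255 scope global br1
8: br2    inet 192.168.102.1/24 brd 192.168.102.255 scope global br2
9: wg0    inet 10.0.0.2/32 scope global wg0'

# guest_rules MODE [WG_IF]: read `ip -o -4 addr show` text on stdin.
#   MODE=up   delete-then-insert pairs, so re-running never stacks duplicates
#   MODE=down the deletes only, for wg-down
# br0 is skipped: the stock /24 rule already covers the main LAN.
guest_rules() {
    awk -v mode="$1" -v wg="${2:-wg0}" '
        $2 ~ /^br[1-9][0-9]*$/ && $3 == "inet" {
            fwd = "FORWARD -i " $2 " -o " wg " -j ACCEPT"
            nat = "POSTROUTING -s " $4 " -o " wg " -j MASQUERADE"
            print "iptables -t filter -D " fwd " 2>/dev/null"
            print "iptables -t nat -D " nat " 2>/dev/null"
            if (mode == "up") {
                print "iptables -t filter -I " fwd
                print "iptables -t nat -I " nat
            }
        }'
}

# Review the generated commands before running them on the router.
printf '%s\n' "$SAMPLE_ADDRS" | guest_rules up
```

On a router whose `ip` supports `-o`, the input would come from `ip -o -4 addr show`, with the `up` output placed in wg-up (or wg-policy) and the `down` output in wg-down.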
 