Is wireguard available on RT-AC86U ?

[Jherb]

Can openvpn server run simultaneously in case wireguard goes down?

 

[Tech9]

Use OpenVPN. It can give you about 160-180Mbps on AC86U with 386 firmware. Not enough?

 

[Jherb]

Use OpenVPN. It can give you about 160-180Mbps on AC86U with 386 firmware. Not enough?

It usually is. But sometimes i have very large files to transfer and they take a long time, so I was curious if wireguard would be faster. I have fast connections on both end >500.
I’m not sure if it would help, but there were some reports of much faster speeds.

 

[Tech9]

WireGuard on this router with current firmware is incompatible with NAT acceleration. It will slow down your entire network.

 

[Jherb]

WireGuard on this router with current firmware is incompatible with NAT acceleration. It will slow down your entire network.

Interesting. Is that the same with the ax86u? I was considering upgrading in the near future.

 

[Tech9]

AX86U has built-in WireGuard support in 388 firmware, it doesn't require USB drive nor Entware, plus performance issues were fixed recently.

If you want AX86U now better go with the newer hardware model AX86U Pro. It has faster hardware, updated radios and will get Pro firmware.

 

[Jherb]

Thanks so much. Very helpful.

 

[Jherb]

AX86U has built-in WireGuard support in 388 firmware, it doesn't require USB drive nor Entware, plus performance issues were fixed recently.

If you want AX86U now better go with the newer hardware model AX86U Pro. It has faster hardware, updated radios and will get Pro firmware.

Thanks. Do you know what “pro” firmware advantages are?

 

[Tech9]

Beta is available showing the new features:

Beta - RT-AX86U_Pro Beta firmware 9.0.0.6.102_3506

This seems to have gone under the radar... https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro ASUS RT-AX86U Pro Firmware version 9.0.0.6.102.3506 Version 9.0.0.6.102.3506 Beta Version 54.47 MB Be noted: This is an...

www.snbforums.com

The final release is not coming any time soon though, months form now.

 

[Jherb]

Beta is available showing the new features:

Beta - RT-AX86U_Pro Beta firmware 9.0.0.6.102_3506

This seems to have gone under the radar... https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro ASUS RT-AX86U Pro Firmware version 9.0.0.6.102.3506 Version 9.0.0.6.102.3506 Beta Version 54.47 MB Be noted: This is an...

www.snbforums.com

The final release is not coming any time soon though, months form now.

Thanks again. Very helpful.

 

[Jeffrey Young]

Hello. I am using an AC86u with OpenVPN without issue, on the latest Merlin 386.9.
I would like to try wireguard without having to use a USB stick for entware, amtm, etc. An earlier post stated it could be done manually. Are there any instructions somewhere for how to do this? Or alternatively, can it be setup with amtm and then used without a USB attached?

Thank you in advance.

The scripts that I posted in post #5 (server config) and #8 (client config) can be both run without entware or a USB stick installed. The AC86U has all the wireguard workspace tools and kernel modules as part of the firmware. I run both a WG server and a WG client outside of entware using just the jffs partition.

You will need to modify your script to meet your needs.

Put the script (and the accompanying config file) into a a file on the /jffs partition. Give it execute permission. Then call your script from the /jffs/scripts/services-start script. You will also have to place a test in the /jffs/nat-start script as well to test for the wireguard interface and restart your wireguard interface should the router restart the firewall or network (both of which will kill your wireguard service. This is what I have in my /jffs/scripts/nat-start script.

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg1"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /jffs/addons/wireguard/start_wg1.sh
fi

WVPNROUTE=`ip route show | grep -i -a "dev wg0"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /jffs/addons/wireguard/start_wg0.sh
fi

Of course, as @Tech9 pointed out, the 388 code base already has wireguard built into the GUI. Let me know if you run into troubles and I'll see what I can do to help you.

As an FYI, here what my wg1.conf (my server) config looks like;

# Set Up WireGuard VPN on Asus/Merlin By Editing/Creating wg1.conf File ##
# Peer script used by non wg-quick method of bringing up wire guard on router

[Interface]
ListenPort = 51006
PrivateKey = <private key>

[Peer]
## JAYoung Laptop ##
PublicKey = <public key>
PresharedKey = <preshared key - if used>
AllowedIPs = 10.100.10.10/32

 

[Jherb]

The scripts that I posted in post #5 (server config) and #8 (client config) can be both run without entware or a USB stick installed. The AC86U has all the wireguard workspace tools and kernel modules as part of the firmware. I run both a WG server and a WG client outside of entware using just the jffs partition.

You will need to modify your script to meet your needs.

Put the script (and the accompanying config file) into a a file on the /jffs partition. Give it execute permission. Then call your script from the /jffs/scripts/services-start script. You will also have to place a test in the /jffs/nat-start script as well to test for the wireguard interface and restart your wireguard interface should the router restart the firewall or network (both of which will kill your wireguard service. This is what I have in my /jffs/scripts/nat-start script.

WVPNROUTE=`ip route show | grep -i -a "dev wg1"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /jffs/addons/wireguard/start_wg1.sh
fi

WVPNROUTE=`ip route show | grep -i -a "dev wg0"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
           logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /jffs/addons/wireguard/start_wg0.sh
fi

Of course, as @Tech9 pointed out, the 388 code base already has wireguard built into the GUI. Let me know if you run into troubles and I'll see what I can do to help you.

As an FYI, here what my wg1.conf (my server) config looks like;

# Set Up WireGuard VPN on Asus/Merlin By Editing/Creating wg1.conf File ##
# Peer script used by non wg-quick method of bringing up wire guard on router

[Interface]
ListenPort = 51006
PrivateKey = <private key>

[Peer]
## JAYoung Laptop ##
PublicKey = <public key>
PresharedKey = <preshared key - if used>
AllowedIPs = 10.100.10.10/32

Thank you. I’ll give it a try

 

[Jherb]

Thank you. I’ll give it a try

Hello and thanks so much for your help. I was able to get it working and now have a few questions as I'm still learning the ins/outs of wireguard.

I am able to successfully connect my phone and my laptop through the wireguard server and can get to the internet, and LAN.

I would like to create a config where the internet traffic goes through the current locations internet, but traffic intended for the LAN goes to the wireguard server.

As an example, if I am away from home, I want internet to go through whatever place I'm at, but I still want to be able to access my LAN without routing internet traffic through it.

I tried changing the Client Allowed IPs to on the windows machine to the home lan addresses, But that didn't work. As I don't fully understand wireguard yet, I need some conceptual help and a how to for this use case.

Thanks for entertaining my learning process.

 

[ZebMcKayhan]

I tried changing the Client Allowed IPs to on the windows machine to the home lan addresses, But that didn't work.

This is the way to do it though. On your Windows client or phone, replace AllowedIPs = 0.0.0.0/0 with
AllowedIPs = <lan ip>/24, <wg server ip>/32

You likely need to restart the Wireguard peer though.

 

[Jeffrey Young]

@ZebMcKayhan beat me to the punch just as I was signing into a real windows computer to respond

Only comment I have is that if you want the various wg clients to also be able to talk with each other, then change <wg server ip/32> to <wg server ip/24> or what ever other CIDR you are using.

 

[Jherb]

@ZebMcKayhan beat me to the punch just as I was signing into a real windows computer to respond

Only comment I have is that if you want the various wg clients to also be able to talk with each other, then change <wg server ip/32> to <wg server ip/24> or what ever other CIDR you are using.

Thank you Both. Another question, I want to have 2 profiles on the same phone: One for full LAN and Internet access through Wireguard and profile 2 would be home Lan access only, and internet through whatever the device is on. Do I need to have new keys for every profile? Or can I use the same keys since its the same device?

 

[ZebMcKayhan]

Thank you Both. Another question, I want to have 2 profiles on the same phone: One for full LAN and Internet access through Wireguard and profile 2 would be home Lan access only, and internet through whatever the device is on. Do I need to have new keys for every profile? Or can I use the same keys since its the same device?

You should be able to use the same server and same keys. But dont know if client sw somehow prevents import of client with same keys but wouldnt think so.

You just cannot connect with both at the same time.

 

[Jherb]

Thank you.
Another question, I noticed that wireguard is not starting when I reboot the router. I have to manually start nat-start.sh which is in jffs.

I do have "/jffs/addons/wireguard/start_wg1.sh" in the services-start located in jffs/scripts. I thought those were the instructions, but is there something else I'm supposed to do?

 

[Jeffrey Young]

Thank you.
Another question, I noticed that wireguard is not starting when I reboot the router. I have to manually start nat-start.sh which is in jffs.

I do have "/jffs/addons/wireguard/start_wg1.sh" in the services-start located in jffs/scripts. I thought those were the instructions, but is there something else I'm supposed to do?

Can you post your services-start script? Also does services-start have execute permission? Does your start_wg1.sh script work when called directly?

 

[Jherb]

Can you post your services-start script? Also does services-start have execute permission? Does your start_wg1.sh script work when called directly?

Hello,
The service-start script is simple as below. I only added the wireguard line and I tried with and without the "sh".

When I call the start_wg1.sh script directly, it does run but give the following warning:
insmod: can't insert '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko': File exists

However, it does make the Wireguard start working and all clients able to connect, etc.

The service start script has the following permissions:

-rwxr-xr-x 1 admin root 148 Feb 27 16:07 services-start

The start_wg1.sh has the following permissions
-rwxrwxrwx 1 admin root 1759 Feb 27 12:42 start_wg1.sh


I'm not sure what is happening. Is there a way to see what happens when the router starts. I'm not sure where the log is.

thank you

Contents of service-start script are below

#!/bin/sh

sh /jffs/addons/cake-qos/cake-qos mountui # CakeQOS-Merlin
/jffs/scripts/YazFi startup & # YazFi
sh /jffs/addons/wireguard/start_wg1.sh