Is wireguard available on RT-AC86U ?

[theinfinityjoe]

Ive seen some posts about wireguard around the forums but just wondered if it's usable on RT-AC86U. i'm currently running asus merlin on firmware
386.4

 

[Jeffrey Young]

EDIT: I just checked the changelog - the wireguard kernel module and workspace tool was added to the 386.4 firmware, so you are good.

I forget when the wireguard kernel module was added to the AC86U, but I am pretty sure it was after v386.4, so you will need to update your firmware a bit. But, yes, the newer firmware has the wireguard kernel module and the workspace tool (wg).

Depending on your knowledge of wireguard and what you want to do with it, you can set up yourself or use AMTM and install the wireguard-manager addon that will allow to to setup pretty well any setup configuration you want. I went with the DYI route as I did not want a lot of bloat taking up room on the jffs partition. My server and client needs were pretty simple.

Just a note, wireguard and NAT acceleration do not get along, so you must disbale that. You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.

 

[bennor]

Ive seen some posts about wireguard around the forums but just wondered if it's usable on RT-AC86U. i'm currently running asus merlin on firmware
386.4

You will need to use something like the Wireguard Manager add-on. See the Add-On subforum and use the filter option to find more discussion on using Wireguard on the AC series routers. Note: You may need to update your firmware however since 386.4 is almost a year old. Latest version is 386.7_2.

Wireguard - Session Manager (4th) thread

Another 6 months are up (thanks to SNB forum member @greenspanner for the heads-up); details of WireGuard® Manager can be found @the following: https://github.com/MartineauUK/wireguard and @ZebMcKayhan's invaluable Hint's and Tips Guide...

www.snbforums.com

The AC series routers will not be getting the 388.x firmware which includes Wireguard. The 388.x firmware is for the AX series of routers only. RMerlin has several posts about the AC routers not getting the 388.x firmware.

[Dev] Asuswrt-Merlin 388.1 development

That's unfortunate You already have everything included in 388 in Asuswrt-Merlin 386 plus extras.

www.snbforums.com

Beta - Asuswrt-Merlin 388.1 Beta is available for select models

Asuswrt-Merlin 388.1 Beta is now available for all Wifi 6 (AX) models. This release marks the merge with the new 388 code base from Asus. I don't want to list every 388-specific changes made by Asus, so I recommend checking Asus' own changelogs for more details. I will highlight the most...

www.snbforums.com

 

[archiel]

You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.

How did you setup the iptable 'trick' - are there notes on this? Thanks Archiel

 

[Jeffrey Young]

How did you setup the iptable 'trick' - are there notes on this? Thanks Archiel

It is the mark directives in my server script below.

#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24
WGport=51006

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
#ifconfig wg1 mtu 1380 # origional set by setup script
ifconfig wg1 mtu 1380
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT

 

[theinfinityjoe]

Thank you all for the info, i may upgrade to the AX series to avail of the 388.x firmware

 

[archiel]

It is the mark directives in my server script below.

#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24
WGport=51006

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
#ifconfig wg1 mtu 1380 # origional set by setup script
ifconfig wg1 mtu 1380
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT

Thanks for this, but it is way above my level of understanding. I am using Wireguard Manager for both 'server' and 'client' (AzireVPN) so ideally I would like to have NAT acceleration engaged, but excluding traffic on wg1 and wg2 - I think I may have a lot a reading up to do in 2023

 

[Jeffrey Young]

Thanks for this, but it is way above my level of understanding. I am using Wireguard Manager for both 'server' and 'client' (AzireVPN) so ideally I would like to have NAT acceleration engaged, but excluding traffic on wg1 and wg2 - I think I may have a lot a reading up to do in 2023

The client side is not much different. Just need to add the routing information. Here is my client script below (I have two Oracle Free Tier servers that I extend my local network too). The added routes in my script just send local lan data to my Oracle network. I start this script from the wan-event script on a "connected" event where as the serv er can get started from services-start.

You also need to add a check in nat-start as the iptable rules get zapped each time the fire wall service gets restarted by Asus.

#!/bin/sh
set -x

KERNEL=$(uname -r)

LocalIP="10.100.20.1" 

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg0 2>/dev/null
ip link add dev wg0 type wireguard
wg setconf wg0 /jffs/addons/wireguard/wg0.conf
ip address add dev wg0 $LocalIP
ip link set up dev wg0
ifconfig wg0 mtu 1380
ifconfig wg0 txqueuelen 1000

ip route add 10.100.20.0/24 dev wg0
ip route add 10.0.0.0/24 dev wg0

iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -D INPUT -i wg0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg0 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg0 -j ACCEPT 2>/dev/null

iptables -I FORWARD -i wg0 -j ACCEPT
iptables -I FORWARD -o wg0 -j ACCEPT
iptables -I OUTPUT -o wg0 -j ACCEPT
iptables -I INPUT -i wg0 -j ACCEPT
iptables -t mangle -I FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7

And the corresponding wg0.conf file is

#
# Use this configuration with WireGuard client
#
[Interface]
PrivateKey = {Private Key}

[Peer]
PublicKey = {Peer (server) Public Key}
PresharedKey = {preshare key, if used}
AllowedIPs = 10.100.20.2/32, 10.0.0.0/24
Endpoint = {End Point IP}:{Port}
PersistentKeepalive = 25

 

[doczenith1]

Just a note, wireguard and NAT acceleration do not get along, so you must disbale that. You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.

Not 100 percent accurate. The AC86U is one of the few models where WireGuard is compatible with NAT acceleration. I am currently running my AC86U this way. No need for doing anything with iptables.

 

[theinfinityjoe]

Coming back to this i just bought an AX router and flashed the 388.1 merlin firmware. openvpn works as normal but when I setup wireguard, it says connected but my ip doesn't change at all , any idea what i've done wrong ?

 

[RMerlin]

Coming back to this i just bought an AX router and flashed the 388.1 merlin firmware. openvpn works as normal but when I setup wireguard, it says connected but my ip doesn't change at all , any idea what i've done wrong ?

You need to select which client to redirect, through VPN Director. This is similar to stock firmware which requires you to configure clients through VPN Fusion.

 

[theinfinityjoe]

Thanks that fixed things,really appreciate it! Was just wondering if there are plans to implement Automatic start at boot time and the killswitch for wireguard? also seemed to be getting dns leaks until i enabled dns director, is there any way of setting DNS Configuration to strict for wireguard? again really appreciate the help and thanks so much !

 

[RMerlin]

implement Automatic start at boot time

That`s what the Enable switch already does.

nd the killswitch for wireguard

Makes little sense with WireGuard because WireGuard is not based on a traditional client/server setup, it's more like a tunnel/route setup. If the route doesn't work, then traffic will be dropped by default.

is there any way of setting DNS Configuration to strict for wireguard

"Strict" does not prevent leaks, you need "Exclusive" mode for that, and that's already what the WG implementation does.

 

[theinfinityjoe]

Thanks for the explanation i'm new to this and appreciate the help!

 

[Jherb]

Hello. I am using an AC86u with OpenVPN without issue, on the latest Merlin 386.9.
I would like to try wireguard without having to use a USB stick for entware, amtm, etc. An earlier post stated it could be done manually. Are there any instructions somewhere for how to do this? Or alternatively, can it be setup with amtm and then used without a USB attached?

Thank you in advance.

 

[Tech9]

I would like to try wireguard without having to use a USB stick for entware, amtm, etc.

USB drive with Entware is required:

GitHub - MartineauUK/wireguard: Manage/Install WireGuard on applicable ASUS routers

Manage/Install WireGuard on applicable ASUS routers - MartineauUK/wireguard

github.com

 

[Jherb]

Thanks, I will look at that.

Do you know what the statement below refers to (taken from post #2 above) where its stated you can set it up yourself, DIY way without amtm?

"Depending on your knowledge of wireguard and what you want to do with it, you can set up yourself or use AMTM and install the wireguard-manager addon that will allow to to setup pretty well any setup configuration you want. I went with the DYI route as I did not want a lot of bloat taking up room on the jffs partition. My server and client needs were pretty simple"

 

[Tech9]

One is automated installation via AMTM, the other manual in CLI. Both require Entware though.

 

[Jherb]

Thank you. I understand now.

Just another related question. If the usb drive with entware is removed, does the router crash, or does the vpn just stop working?

also, can openvpn run simultaneously?

I Appreciate your help.

 

[Tech9]

I never tested this scenario, but I guess on reboot you'll have no more WireGuard.