Wireguard Standalone wg-quick alternative (no Entware/USB Drive required)

[ZebMcKayhan]

@Jeffrey Young I had a look through your script and was really glad to se you using the suppress_prefixlength 0 routing rule, I think thats a really great way to do this. But you didnt use this for default route (all) option, how come?

I looked through the ipv6 rules and they look ok for the most part. But I cant seem to find any ipv6 masquarade rule. Without that a ipv6 communication wont work. Or maybe I just dont find it?

 

[Jeffrey Young]

But you didnt use this for default route (all) option, how come?

I choose to use the improved default route option as explained on the wireguard website (https://www.wireguard.com/netns/).

In testing, I found that the classic handling of the default route would get wiped when Asus decided to reset the network or WAN interface. Using the policy based default routing seemed to survive Asus meddling. I figured there was less chance of a leak this way.

EDIT: On second look, the suppress_prefixlength 0 should have been used in the way the default route should have been implamented. I will have to look at that again. I have been tied up with building a website for the parish as of late, but I will try to make some time to look at this.

But I cant seem to find any ipv6 masquarade rule

You did not find it, as there is not one there. Feel free to add it, or give me an idea of where it needs to be added. I have done zero testing with the ipv6 stuff as I don't have any means of testing ipv6.

 

[Jeffrey Young]

But you didnt use this for default route (all) option, how come?

Had a second look, it is there..... Line 377

There are two functions for the default route. Add_Default(), which is not called by anything. I originally did the the default rule this way as it seemed to be the "normal" way. The default policy rule that I chose to use is the function Add_Default_Policy() located at line 357.

 

[ZebMcKayhan]

You did not find it, as there is not one there. Feel free to add it, or give me an idea of where it needs to be added. I have done zero testing with the ipv6 stuff as I don't have any means of testing ipv6.

Right around line 566, but only if peer have ipv6 ip:

cmd ipt6ables -t nat -I POSTROUTING -s "${LAN_SUBNET}" -o "$WGIF" -j MASQUERADE

ofcource $LAN_SUBNET would be br0 ipv6 prefix /64.

using -s "${LAN_SUBNET}" have given me some headache during the years, Asus and merlin both uses "! -s wg_peer_ip" same as for wan for ipv4. This is also convenient in a script as wg peer ip never changes. It will also work if a wg server want to use wg client for internet data which the current rule does not.

It was probably made this way to keep one more level of control, but it also means having to manage more rules from the user.

 

[Jeffrey Young]

Thanks @ZebMcKayhan

I'll keep that info handy for when I can get back at that project. The idea to incorporate the iptables rules was one I had to think about long and hard. The official wg-quick script leaves all the firewall handling up to the user via the post up/down scripts. I should have followed suit (I think). I may yet add a new directive to the conf file to tell the script not to bother with any iptables and leave it to the user to add their own via the post up/down scripts.

 

[ZebMcKayhan]

I may yet add a new directive to the conf file to tell the script not to bother with any iptables and leave it to the user to add their own via the post up/down scripts.

That would probably cut-off a part of the users from this script, especially since it appeal to users which dont want/can/know/bother with installing Entware and WireguardManager. Users today want more integrated solutions with the subsequent less flexible. Its a balancing act indeed. Perhaps with a tutorial on the github Readme with the common setup rules, like I did for wgm?

BTW, I manage to set up a 3 core A1 instance (Ampera arm64) and it behaves much, much better with Wireguard. Running iperf between the vps and my nas on my lan I'm getting constantly 233Mbit/s (I have 250/250 subscription). Trying on my phone which is a wg client to the vps I get 170 Mbit/s but the bottleneck is not the vps or Wireguard, its my lousy phone that won't run faster over 5Ghz wifi (Its a Galaxy S9). When running these tests, I can see small bumps on the load graps, like 20-30% and cores share the load much better. This is a keeper!

 

[NickolauBr]

As I said, @Jeffrey Young, trying to run your tool and got stuck. Newbie here! I will try to explain my steps from where I was:

1. ssh to the router
2. uninstalled Wg manager (remove interfaces and got it uninstalled)
3. Created /jffs/addon/wireguard folder
4. ran the installation code "curl --retry 3 https://raw.githubusercontent.com/Bandsaw12/Asus-Merlin-Wireguard/mai
   n/wg-tool.sh" but nothing happened.
5. created a wg-tool.sh file and copied your scritpt to it.
6. created an interface.conf file with my data into it.

What else should I do to make it work?

 

[Jeffrey Young]

Did you set execute permission on the tool? Also since you did a copy paste, run a dos2unix command on the tool as well

 

[NickolauBr]

Did you set execute permission on the tool? Also since you did a copy paste, run a dos2unix command on the tool as well

Did I do it right?
Well, after running :

./wg-tool.sh start br-sao

I've gotten the:
Wireguard interface br-sao successfully added
Adding firewall rules
Adding NAT Rules


And it works!
Do I need to do something to come back after rebooting?

 

[Jeffrey Young]

You will need to add some scripts as detailed in the instructions that are on the first post of the tool. In all, you will need to put a line into the services-start, firewall-start, and nat-start scripts.

 

[NickolauBr]

yeap, i read that, but where are those scripts located?

 

[visortgw]

yeap, i read that, but where are those scripts located?

/jffs/scripts

 

[Jeffrey Young]

more info here

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[NickolauBr]

I have no nat-start and services-start files, should I create them? I found only firewall-start file

 

[Jeffrey Young]

I have no nat-start and services-start files, should I create them? I found only firewall-start file

Yes, normally these files do not exist. You only create them when you need them.

 

[NickolauBr]

Thanks for the help guys! Appreciate it!

So what I have done:

1. cd /jffs/scripts/
2. Edited the firewall-start and added

   #!/bin/sh
   /jffs/addon/wireguard/wg-tool.sh firewall show

3. added with 'nano' the file nat-start with

   #!/bin/sh
   /jffs.../wg-tool.sh nat show

4. added with 'nano' the file services-start with

   #!/bin/sh
   /jffs/.../wg-tool.sh start br-sao show

5. Executed the "chmod a+rx /jffs/scripts/*" to change permissions
6. rebooted.

Not working. No access to internet. I have this error:

Nickolau@RT-AC86U-7210:/tmp# /jffs/addons/wireguard/wg-tool.sh start br-sao show
Wireguard interface br-sao appears to be already up! To restart use the RESTART command
Error reported parsing config file, not adding firewall entries
Nickolau@RT-AC86U-7210:/tmp# /jffs/addons/wireguard/wg-tool.sh restart br-sao show
[#] ip -4 rule delete table 51820
[#] ip rule delete table main suppress_prefixlength 0
[#] ip link del dev br-sao
Wireguard interface br-sao successfully deleted
Deleting firewall rules
Deleting NAT Rules
[#] ip link add dev br-sao type wireguard
[#] ip -4 address add dev br-sao 10.14.0.2/16
[#] ip link set up dev br-sao
[#] ip link set mtu 1420 up dev br-sao
[#] ip -4 route add 0.0.0.0/0 dev br-sao table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Wireguard interface br-sao successfully added
Adding firewall rules
[#] iptables -I INPUT -i br-sao -j ACCEPT
[#] iptables -I FORWARD -i br-sao -j ACCEPT
[#] iptables -I FORWARD -o br-sao -j ACCEPT
[#] iptables -I OUTPUT -o br-sao -j ACCEPT
Adding NAT Rules
[#] iptables -t mangle -I FORWARD -o br-sao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -i br-sao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -o br-sao -j MARK --set-xmark 0x01/0x7
[#] iptables -t mangle -I PREROUTING -i br-sao -j MARK --set-xmark 0x01/0x7
[#] iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o br-sao -j MASQUERADE
[#] iptables -t nat -N DNSbr-sao
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I OUTPUT -o br-sao -p tcp -m tcp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I OUTPUT -o br-sao -p udp -m udp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I DNSbr-sao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbr-sao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbr-sao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t nat -I DNSbr-sao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t mangle -A PREROUTING -p udp -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t mangle -A POSTROUTING -p udp -m mark --mark 0xca6c -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t raw -A PREROUTING -d 10.14.0.2/16 ! -i br-sao -m addrtype ! --src-type LOCAL -j DROP
Nickolau@RT-AC86U-7210:/tmp#


What have I done wrong?

Edit: When I run it manually (commenting the scripts and running it by command line with the ./wg-tool.sh start... ), it works fine.

 

[Jeffrey Young]

Take the word "show" out of the firewall and nat scripts and reboot.

 

[NickolauBr]

Take the word "show" out of the firewall and nat scripts and reboot.

Did it, still the same.
And also ran some tests. I commented each file and rebooted. No luck.

#!/bin/sh
/jffs/addons/wireguard/wg-tool.sh firewall

  GNU nano 5.7                                                 nat-start                                                          
#!/bin/sh
/jffs/addons/wireguard/wg-tool.sh nat

 

[Jeffrey Young]

Did you apply execute permission to each of the scripts?

 

[NickolauBr]

Did you apply execute permission to each of the scripts?

I did... I guess!