Wireguard Standalone wg-quick alternative (no Entware/USB Drive required)

@Jeffrey Young I had a look through your script and was really glad to see you using the suppress_prefixlength 0 routing rule, I think that's a really great way to do this. But you didn't use this for the default route (all) option, how come?

I looked through the ipv6 rules and they look ok for the most part. But I can't seem to find any IPv6 masquerade rule. Without that, IPv6 communication won't work. Or maybe I just don't find it?
 
But you didn't use this for the default route (all) option, how come?

I choose to use the improved default route option as explained on the wireguard website (https://www.wireguard.com/netns/).

In testing, I found that the classic handling of the default route would get wiped when Asus decided to reset the network or WAN interface. Using the policy based default routing seemed to survive Asus meddling. I figured there was less chance of a leak this way.

EDIT: On second look, the suppress_prefixlength 0 should have been used in the way the default route should have been implemented. I will have to look at that again. I have been tied up with building a website for the parish as of late, but I will try to make some time to look at this.

But I can't seem to find any IPv6 masquerade rule

You did not find it, as there is not one there. Feel free to add it, or give me an idea of where it needs to be added. I have done zero testing with the ipv6 stuff as I don't have any means of testing ipv6.
 
But you didn't use this for the default route (all) option, how come?

Had a second look, it is there..... Line 377

There are two functions for the default route. Add_Default(), which is not called by anything. I originally did the default rule this way as it seemed to be the "normal" way. The default policy rule that I chose to use is the function Add_Default_Policy() located at line 357.
 
You did not find it, as there is not one there. Feel free to add it, or give me an idea of where it needs to be added. I have done zero testing with the ipv6 stuff as I don't have any means of testing ipv6.
Right around line 566, but only if the peer has an IPv6 IP:

Code:
cmd ip6tables -t nat -I POSTROUTING -s "${LAN_SUBNET}" -o "$WGIF" -j MASQUERADE
Of course $LAN_SUBNET would be the br0 IPv6 prefix /64.

Using -s "${LAN_SUBNET}" has given me some headaches over the years; Asus and Merlin both use "! -s wg_peer_ip", same as for WAN for IPv4. This is also convenient in a script as the wg peer IP never changes. It will also work if a wg server wants to use a wg client for internet data, which the current rule does not.

It was probably made this way to keep one more level of control, but it also means more rules for the user to manage.
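The rule-based default route and the "! -s peer_ip" NAT variant discussed in the posts above, written out as an added example (not code from wg-tool.sh). Interface name, table id and peer addresses are placeholders; with DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of wg-tool.sh: wg-quick style policy routing plus the
# "! -s <peer ip>" MASQUERADE form suggested in the thread, for IPv4 and IPv6.
# Interface, table/fwmark and peer addresses are assumed placeholders.
# DRY_RUN=1 echoes the commands; otherwise they are executed (needs root).

wg_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rule-based default route (https://www.wireguard.com/netns/): packets that do
# not carry WireGuard's own fwmark are looked up in table $2, which holds only a
# default route via the tunnel. "suppress_prefixlength 0" consults the main
# table first for every route except its default, so LAN routes and the route
# to the WAN endpoint still win, and the real default route is never replaced.
wg_policy_route() {            # $1 = wg interface, $2 = table id (= fwmark)
    wg_run ip -4 route add 0.0.0.0/0 dev "$1" table "$2"
    wg_run ip -4 rule add not fwmark "$2" table "$2"
    wg_run ip -4 rule add table main suppress_prefixlength 0
}

# NAT for traffic leaving through the tunnel. Excluding only the tunnel's own
# address ("! -s") instead of matching the LAN subnet also covers a wg server
# instance that forwards its clients through this tunnel.
wg_nat() {                     # $1 = ip|ip6, $2 = wg interface, $3 = this peer's tunnel address
    case "$1" in
        ip)  wg_run iptables  -t nat -I POSTROUTING ! -s "$3" -o "$2" -j MASQUERADE ;;
        ip6) wg_run ip6tables -t nat -I POSTROUTING ! -s "$3" -o "$2" -j MASQUERADE ;;
        *)   echo "wg_nat: unknown family $1" >&2; return 1 ;;
    esac
}

# Check after a WAN reset that both policy rules survived (0 = ok).
wg_rules_ok() {                # $1 = table id
    ip -4 rule show | grep -q "lookup $1" &&
    ip -4 rule show | grep -q "suppress_prefixlength 0"
}
```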
 
Thanks @ZebMcKayhan

I'll keep that info handy for when I can get back at that project. The idea to incorporate the iptables rules was one I had to think about long and hard. The official wg-quick script leaves all the firewall handling up to the user via the post up/down scripts. I should have followed suit (I think). I may yet add a new directive to the conf file to tell the script not to bother with any iptables and leave it to the user to add their own via the post up/down scripts.
 
I may yet add a new directive to the conf file to tell the script not to bother with any iptables and leave it to the user to add their own via the post up/down scripts.
That would probably cut off a part of the users from this script, especially since it appeals to users who don't want to / can't / don't know how to / don't bother installing Entware and WireguardManager. Users today want more integrated solutions, with the subsequent loss of flexibility. It's a balancing act indeed. Perhaps with a tutorial in the GitHub Readme with the common setup rules, like I did for wgm?

BTW, I managed to set up a 3-core A1 instance (Ampere arm64) and it behaves much, much better with WireGuard. Running iperf between the VPS and my NAS on my LAN I'm constantly getting 233Mbit/s (I have a 250/250 subscription). Trying on my phone, which is a wg client to the VPS, I get 170 Mbit/s, but the bottleneck is not the VPS or WireGuard, it's my lousy phone that won't run faster over 5 GHz wifi (it's a Galaxy S9). When running these tests, I can see small bumps on the load graphs, like 20-30%, and the cores share the load much better. This is a keeper!
 
As I said, @Jeffrey Young, I tried to run your tool and got stuck. Newbie here! I will try to explain my steps from where I was:
  1. ssh to the router
  2. uninstalled Wg manager (remove interfaces and got it uninstalled)
  3. Created /jffs/addon/wireguard folder
  4. ran the installation code "curl --retry 3 https://raw.githubusercontent.com/Bandsaw12/Asus-Merlin-Wireguard/main/wg-tool.sh" but nothing happened.
  5. created a wg-tool.sh file and copied your script into it.
  6. created an interface.conf file with my data into it.
What else should I do to make it work?
 
Did you set execute permission on the tool? Also, since you did a copy-paste, run a dos2unix command on the tool as well.
 
Did you set execute permission on the tool? Also, since you did a copy-paste, run a dos2unix command on the tool as well.
Did I do it right?
Well, after running:
Code:
./wg-tool.sh start br-sao

I've gotten the:
Wireguard interface br-sao successfully added
Adding firewall rules
Adding NAT Rules


And it works!
Do I need to do something to come back after rebooting?
 

You will need to add some scripts as detailed in the instructions that are on the first post of the tool. In all, you will need to put a line into the services-start, firewall-start, and nat-start scripts.
 
more info here

 
I have no nat-start and services-start files, should I create them? I found only firewall-start file
Yes, normally these files do not exist. You only create them when you need them.
 
Thanks for the help guys! Appreciate it!

So what I have done:

  1. cd /jffs/scripts/
  2. Edited the firewall-start and added
    Code:
    #!/bin/sh
    /jffs/addon/wireguard/wg-tool.sh firewall show
  3. added with 'nano' the file nat-start with
    Code:
    #!/bin/sh
    /jffs.../wg-tool.sh nat show
  4. added with 'nano' the file services-start with
    Code:
    #!/bin/sh
    /jffs/.../wg-tool.sh start br-sao show
  5. Executed the "chmod a+rx /jffs/scripts/*" to change permissions
  6. rebooted.
Not working. No access to the internet. I have this error:

Nickolau@RT-AC86U-7210:/tmp# /jffs/addons/wireguard/wg-tool.sh start br-sao show
Wireguard interface br-sao appears to be already up! To restart use the RESTART command
Error reported parsing config file, not adding firewall entries
Nickolau@RT-AC86U-7210:/tmp# /jffs/addons/wireguard/wg-tool.sh restart br-sao show
[#] ip -4 rule delete table 51820
[#] ip rule delete table main suppress_prefixlength 0
[#] ip link del dev br-sao
Wireguard interface br-sao successfully deleted
Deleting firewall rules
Deleting NAT Rules
[#] ip link add dev br-sao type wireguard
[#] ip -4 address add dev br-sao 10.14.0.2/16
[#] ip link set up dev br-sao
[#] ip link set mtu 1420 up dev br-sao
[#] ip -4 route add 0.0.0.0/0 dev br-sao table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Wireguard interface br-sao successfully added
Adding firewall rules
[#] iptables -I INPUT -i br-sao -j ACCEPT
[#] iptables -I FORWARD -i br-sao -j ACCEPT
[#] iptables -I FORWARD -o br-sao -j ACCEPT
[#] iptables -I OUTPUT -o br-sao -j ACCEPT
Adding NAT Rules
[#] iptables -t mangle -I FORWARD -o br-sao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -i br-sao -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t mangle -I FORWARD -o br-sao -j MARK --set-xmark 0x01/0x7
[#] iptables -t mangle -I PREROUTING -i br-sao -j MARK --set-xmark 0x01/0x7
[#] iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o br-sao -j MASQUERADE
[#] iptables -t nat -N DNSbr-sao
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I OUTPUT -o br-sao -p tcp -m tcp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I OUTPUT -o br-sao -p udp -m udp --dport 53 -j DNSbr-sao
[#] iptables -t nat -I DNSbr-sao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbr-sao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 162.252.172.57:53
[#] iptables -t nat -I DNSbr-sao -p tcp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t nat -I DNSbr-sao -p udp -s 10.0.0.0/24 -j DNAT --to-destination 149.154.159.92:53
[#] iptables -t mangle -A PREROUTING -p udp -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t mangle -A POSTROUTING -p udp -m mark --mark 0xca6c -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
[#] iptables -t raw -A PREROUTING -d 10.14.0.2/16 ! -i br-sao -m addrtype ! --src-type LOCAL -j DROP
Nickolau@RT-AC86U-7210:/tmp#


What have I done wrong?

Edit: When I run it manually (commenting the scripts and running it by command line with the ./wg-tool.sh start... ), it works fine.
 
Take the word "show" out of the firewall and nat scripts and reboot.
 
Take the word "show" out of the firewall and nat scripts and reboot.
Did it, still the same.
And also ran some tests. I commented each file and rebooted. No luck.
Code:
#!/bin/sh
/jffs/addons/wireguard/wg-tool.sh firewall

Code (nat-start):
#!/bin/sh
/jffs/addons/wireguard/wg-tool.sh nat
 
Did you apply execute permission to each of the scripts?
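An added troubleshooting helper (not part of wg-tool.sh) that checks the three Merlin user scripts for the problems raised in this thread: missing execute bit, CRLF line endings from a copy-paste, a missing shebang, and a stray "show" argument. The scripts directory is assumed to be /jffs/scripts unless SCRIPT_DIR is set.

```shell
#!/bin/sh
# Added example, not code from wg-tool.sh: report the setup mistakes discussed
# in this thread for services-start, firewall-start and nat-start.
# SCRIPT_DIR defaults to /jffs/scripts (assumption, override as needed).

check_user_script() {          # $1 = path to a user script; 0 = no problems found
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: missing (only create it if you need it)"; return 1; }
    # 1. The router will not run a script without the execute bit.
    [ -x "$f" ] || { echo "$f: not executable (chmod a+rx)"; rc=1; }
    # 2. Must start with a shebang so the shell interprets it.
    [ "$(head -c 2 "$f")" = "#!" ] || { echo "$f: first line is not a #! shebang"; rc=1; }
    # 3. Windows line endings from a copy-paste break the shebang and arguments.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings (run dos2unix)"; rc=1
    fi
    # 4. The thread advises dropping the "show" argument in the boot scripts.
    if grep -q 'wg-tool\.sh .*[[:space:]]show' "$f"; then
        echo "$f: remove the trailing 'show' argument"; rc=1
    fi
    return $rc
}

check_all() {                  # checks all three scripts; 0 = all clean
    all=0
    for s in services-start firewall-start nat-start; do
        check_user_script "${SCRIPT_DIR:-/jffs/scripts}/$s" || all=1
    done
    return $all
}
```

Run `check_all` on the router after editing the scripts; every reported line is one of the fixes given in the replies above.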
 
