
Jeffrey Young

WG-TOOL.SH

wg-tool.sh is a wg-quick(8) replacement tool for Asus-Merlin firmware based routers that support the Wireguard user space tool. The script does not require Entware to be installed or a USB drive to be used.

I built this script - in part - as over the last couple of years I have helped a couple of folks get Wireguard working on their routers who either did not have a USB drive (XT12) or did not want to install Entware. For more advanced Wireguard use, including policy routing, @Martineau's Wireguard Manager script is still the best route to go. However, that script requires Entware.

The script can be placed in the /jffs drive in a convenient location. I recommend placing the script in /jffs/addons/wireguard.

Installation

Code:
mkdir -p /jffs/addons/wireguard
curl --retry 3 -o /jffs/addons/wireguard/wg-tool.sh https://raw.githubusercontent.com/Bandsaw12/Asus-Merlin-Wireguard/main/wg-tool.sh && chmod +x /jffs/addons/wireguard/wg-tool.sh

Script Overview

The script has all the functionality of the official wg-quick script written in bash, with a couple of exceptions. The script does not support the SaveConfig directive. The directive is read and processed in order to remain compatible with existing Wireguard config files, but the directive is not acted on. Secondly, the script goes one step further and adds appropriate firewall rules depending on whether the config file is a server configuration or a client configuration.

The script looks for a config file in the same directory in which the script is located. If the script cannot find a config file there, it will look in the directory “/jffs/addons/wireguard”.

To use the script

Code:
wg-tool.sh start|stop|restart <interface_name> [show]

Where a configuration file named “{interface_name}.conf” exists either in the same directory as wg-tool.sh or in /jffs/addons/wireguard. The interface name is required; show is optional.

The optional argument show can be added which will have the script print out key commands that are being carried out by the script.

Firewall-start and nat-start scripts

Since firewall and NAT restarts will clear any custom firewall rules, wg-tool.sh can be placed in both the firewall-start and nat-start scripts with the following options, which will loop through all running Wireguard interfaces and re-add the appropriate rules:

Code:
wg-tool.sh firewall [show]

Placed in the firewall-start script

Code:
wg-tool.sh nat [show]

Placed in the nat-start script

IPv6 handling

I have done my best to code in the required commands and firewall rules for systems running IPv6. However, I do not have IPv6 at home and as I am behind a CGNAT, I cannot get any kind of IPv6 tunnel broker to work. Therefore, I fully expect that there will be problems with IPv6 installations. I apologize in advance.

Notes

  • The script uses the same default route methodology as is described in the official Wireguard documentation (https://www.wireguard.com/netns/) under the “Improved Rule-based Routing” section. In my tests, I found that the traditional overwriting of the default route would get wiped out any time the WAN interface went down or reset, whereas the default route method used by the script seemed to stay in place even when the WAN was reset or dropped. This may be advantageous if your aim is not to leak any data over the WAN. For more information, see also: https://www.procustodibus.com/blog/2022/01/wg-quick-firewall-rules/
  • The “Table” directive in a config file is handled the same as in wg-quick. If set to Off, no routing rules are added at all. If set to a number, an IPSET table is added by the number provided, but any other IPSET, routing or policy rules will have to be set up via the Pre/Post Up/Down directives, just as in the official wg-quick script. My intentions with this script were to keep things simple and convenient for those who do not have a USB port or do not want Entware and who are primarily still using an AC router. If you want rule based routing, check out SNBForum user @Martineau's fantastic script “Wireguard Session Manager”. More info here: https://www.snbforums.com/threads/session-manager-4th-thread.81187/post-793726
  • If the DNS directive is used in the config file, DNS redirection is handled through iptables rules and not by altering dnsmasq. Only port 53 is redirected at the moment.
  • I don’t expect that there will be much demand for this script, but if anyone wants to improve or make fixes where IPv6 is concerned, I will create a develop branch in GitHub where pull requests can be made.
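The rule-based default route and the port-53 redirect described in the notes above, as an added example that is not code from wg-tool.sh or the Wireguard project. It follows the “Improved Rule-based Routing” recipe from the wireguard.com netns page (fwmark on the tunnel, a dedicated routing table, `suppress_prefixlength 0` on the main table) and adds the iptables rules a client-side tunnel needs, guarded so that re-running them from firewall-start/nat-start never stacks duplicates. The interface name wg0, the mark/table number 51820, the LAN bridge br0 and the tunnel resolver 10.6.0.1 are assumed values for illustration; the block is IPv4 only. Setting WG_SHOW=1 prints the commands instead of executing them, in the spirit of the script's optional show argument.

```shell
#!/bin/sh
# Added example, not part of wg-tool.sh: rule-based default routing plus the
# client firewall/DNS rules. Assumed values: interface wg0, fwmark/table 51820,
# LAN bridge br0 (Asus-Merlin's LAN bridge), tunnel DNS 10.6.0.1 (constructed).

# WG_SHOW=1 prints each command instead of running it (review before touching
# a router's routing table; also what the test below relies on).
WG_SHOW="${WG_SHOW:-0}"

run() {
    if [ "$WG_SHOW" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append an iptables rule only if an identical rule is not already present
# (-C checks, -A appends). Re-running from firewall-start or nat-start is then
# idempotent: no duplicate rules pile up across restarts.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$WG_SHOW" = "1" ]; then
        printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# Remove a rule; ignore failure if it is already gone.
delete_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$WG_SHOW" = "1" ]; then
        printf 'iptables -t %s -D %s %s\n' "$table" "$chain" "$*"
        return 0
    fi
    iptables -t "$table" -D "$chain" "$@" 2>/dev/null
}

# $1 interface, $2 fwmark (also used as the table number), $3 tunnel DNS address
wg_client_up() {
    ifname="$1"; mark="$2"; dns="$3"
    # Let replies to marked packets pass reverse-path filtering (as wg-quick does).
    run sysctl -w net.ipv4.conf.all.src_valid_mark=1
    # Mark the tunnel's own encrypted UDP packets so they never get routed back
    # into the tunnel.
    run wg set "$ifname" fwmark "$mark"
    # A table whose only route is the tunnel; everything NOT marked uses it.
    run ip route add default dev "$ifname" table "$mark"
    run ip rule add not fwmark "$mark" table "$mark"
    # Consult the main table first, but ignore its default route (prefix length
    # 0), so LAN/WAN-local routes still win while the default stays in the tunnel.
    # This rule survives a WAN reset, unlike a replaced default route.
    run ip rule add table main suppress_prefixlength 0
    # Plain DNS from the LAN is redirected to the tunnel resolver (port 53 only).
    ensure_rule nat PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination "$dns"
    ensure_rule nat PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to-destination "$dns"
    # Forward LAN traffic into the tunnel, allow replies back, masquerade on egress.
    ensure_rule filter FORWARD -i br0 -o "$ifname" -j ACCEPT
    ensure_rule filter FORWARD -i "$ifname" -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule nat POSTROUTING -o "$ifname" -j MASQUERADE
}

# Tear down in reverse order.
wg_client_down() {
    ifname="$1"; mark="$2"; dns="$3"
    delete_rule nat POSTROUTING -o "$ifname" -j MASQUERADE
    delete_rule filter FORWARD -i "$ifname" -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    delete_rule filter FORWARD -i br0 -o "$ifname" -j ACCEPT
    delete_rule nat PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to-destination "$dns"
    delete_rule nat PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination "$dns"
    run ip rule del table main suppress_prefixlength 0
    run ip rule del not fwmark "$mark" table "$mark"
    run ip route flush table "$mark"
}

# Usage: WG_SHOW=1 sh wg-rules-example.sh up wg0 51820 10.6.0.1
case "${1:-}" in
    up)   shift; wg_client_up "$@" ;;
    down) shift; wg_client_down "$@" ;;
esac
```

Because the `-C` check precedes every `-A`, the same `up` function can be called from firewall-start and again from nat-start (Merlin runs both on a firewall restart) without producing duplicate iptables rules; the `ip rule` lines are not guarded the same way, so `down` should be run before a second `up`.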

Contributors

  • Original script ideas from @Odkrys
  • Some utility code snippets from the work of @Jack Yaz
  • Most of the IPv6 iptables code was inspired by @Martineau's Wireguard Manager script
 
Reserved
 
as I'm considering turning an Oracle VPS into a router/wireguard server (serving two locations/nodes across 3 time zones to bust the Netflix password sharing crackdown) and moving unbound there as well, this will likely come very much in handy...thank you! (there's IPv6 at both locations, so I should be able to confirm/assuage your worries there)
 
as I'm considering turning an Oracle VPS into a router/wireguard server (serving two locations/nodes across 3 time zones to bust the Netflix password sharing crackdown) and moving unbound there as well, this will likely come very much in handy...thank you! (there's IPv6 at both locations, so I should be able to confirm/assuage your worries there)

Lol, I actually have a simple wg script set up for a site to site wg connection to an Oracle free tier server that I am using as an NGINX reverse proxy into my network. I am behind a CGNAT, so this was the best I could come up with to get a public IP address. Those simple scripts are here (server) and here (client).
 
I figured I wouldn't be trying to emulate Capt Kirk and going where no-one has gone before...I appreciate and thank you, kind sir!
 
@Jeffrey Young & @heysoundude I recently set up an Oracle free tier account and started setting up Wireguard as:
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server
However, I seem to max out at roughly 50Mbit/s. Seems like the processor is stuck at 50%. I'm using the E2.1 Micro shape and something seems up with the Wireguard install. The instance has 2 cores but Wireguard only seems to use 1 of them, hence the speed limit despite 50% usage.

I'm thinking of switching to an A1 flexible instance to see if I get better throughput.

Which type of instance are you guys using? And what speeds are you getting?
 
I am running two ARMs, 2 cores each. One as backup DC and WG. The second as my NGINX reverse proxy into my network. Took a little Oracle learning to get the two to see each other and the Oracle subnet to see my network and vice versa via the WG. That said, my ISP is only 80/40, so I can't really put anything through its paces. Oracle free tier is supposed to be 400 Mbit/s.

Maybe some CPU throttling going on? Try installing top and see what is going on.

I had to switch to pay as you go as my reverse proxy was not busy enough to meet Oracle's 10% load. Without pay as you go, they were going to stop the instances. As long as I stay within the free tier limits, it is not a biggie.
 
@Jeffrey Young & @heysoundude I recently set up an Oracle free tier account and started setting up Wireguard as:
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server
However, I seem to max out at roughly 50Mbit/s. Seems like the processor is stuck at 50%. I'm using the E2.1 Micro shape and something seems up with the Wireguard install. The instance has 2 cores but Wireguard only seems to use 1 of them, hence the speed limit despite 50% usage.

I'm thinking of switching to an A1 flexible instance to see if I get better throughput.

Which type of instance are you guys using? And what speeds are you getting?
I suspect it's a config mishap - I have Oracle's instructional link stored somewhere; when I find it, I'll post here.
That sort of "speed limit" isn't an issue for me - the Package speed from my ISP plan is 50Mbps down and 10Mbps up.

I am running two ARMs, 2 cores each. One as backup DC and WG. The second as my NGINX reverse proxy into my network. Took a little Oracle learning to get the two to see each other and the Oracle subnet to see my network and vice versa via the WG. That said, my ISP is only 80/40, so I can't really put anything through its paces. Oracle free tier is supposed to be 400 Mbit/s.

Maybe some CPU throttling going on? Try installing top and see what is going on.

I had to switch to pay as you go as my reverse proxy was not busy enough to meet Oracle's 10% load. Without pay as you go, they were going to stop the instances. As long as I stay within the free tier limits, it is not a biggie.
I hadn't considered that setup...what if you run everything on one quad core server? Will that make for enough traffic to avoid paying?
 
Maybe some CPU throttling going on? Try installing top and see what is going on.
Yea, I tried and it looks like both cores are used but never at the same time... Right, maybe some throttling.

I had to switch to pay as you go as my reverse proxy was not busy enough to meet Oracle's 10% load.
I thought it was 5% load? I better read up. Anyhow, I solved it differently. I put:
Code:
cat /dev/random > /dev/null
in a script and cronned it to run during 2am-5am. It keeps the load up. But good to know there are other options...

Edit: just checked and the instance is reclaimed if the following are true:
CPU utilization for the 95th percentile is less than 15%
I interpret that as: if I keep the load >15% for 1h and 15m each day, I would be good. I just have to wait and see. When my command is active I get 50% load and it's toggling on/off every 10min for 3h, effectively 1.5h, which is something like 6.25%.
 
I hadn't considered that setup...what if you run everything on one quad core server? Will that make for enough traffic to avoid paying?

You only pay if you exceed the always free tier limits. So far, have not paid a penny. The only benefit is that you don't need to fool around with Oracle's games.

I went with two VMs for isolation. The DC/WG only has ports open for WG and SSH (not on port 22). The NGINX server is a little more exposed, with ports 80 and 443 open.
 
I thought it was 5% load? I better read up. Anyhow, I solved it differently. I put:

I'd have to look at the email again. They say 10%, but you need to read the link they send with it. It is not just CPU workload they look at. You also need to use at least 10% of total bandwidth allowed, and something else which does not come to mind at the moment.
 
I'd have to look at the email again. They say 10%, but you need to read the link they send with it. It is not just CPU workload they look at. You also need to use at least 10% of total bandwidth allowed, and something else which does not come to mind at the moment.
https://docs.oracle.com/en-us/iaas/...ier_topic-Always_Free_Resources.htm#resources
Reclamation of Idle Compute Instances

Idle Always Free compute instances may be reclaimed by Oracle. Oracle will deem virtual machine and bare metal compute instances as idle if, during a 7-day period, the following are true:

CPU utilization for the 95th percentile is less than 15%
Network utilization is less than 15%
Memory utilization is less than 15% (applies to A1 shapes only)

My interpretation is that all need to be true for it to be revoked. But I could be wrong. I'm in my 3rd week now.
 
https://docs.oracle.com/en-us/iaas/...ier_topic-Always_Free_Resources.htm#resources


My interpretation is that all need to be true for it to be revoked. But I could be wrong. I'm in my 3rd week now.

I had used the free tier for about six months before I got the email saying both of my instances were not exceeding the threshold and both would be shut down if I did not upgrade or the usage did not exceed the threshold. They also went on to say that I could restart both instances only if the resource capacity was still available. All games, if you ask me. As long as I don't exceed the free tier limits, I'm good.

Ma Bell is busy installing fibre in town. Once that project is done, I plan on switching to Bell as they offer a public IP. I am only using free tier as my current ISP (and only option) is CGNAT. I keep working on them to turn on IPv6. It is available to him from the ISP that he sources from; he just needs to turn it on at his equipment.
 
I hadn't considered that setup...what if you run everything on one quad core server? Will that make for enough traffic to avoid paying?
Memory and bandwidth scale with OCPUs and far more than we need. I think 4 cores gets you 24GB memory. But outbound data is not scaled:
Outbound Data Transfer

As part of your Always Free resources, you get 10 TB per month of outbound data.
10TB per month is, by far, enough for me. I don't even think my LAN traffic from my family approaches this number in a month.
 
10TB per month is, by far, enough for me. I don't even think my LAN traffic from my family approaches this number in a month.
Four of us in the house all streaming plus my projects - have never gone over a TB. Come close, but not over.

Ten TB is extremely generous. It does not even come close to any other free tier offerings, let alone the other paid services.
 
Edit: just checked and the instance is reclaimed if the following are true:
CPU utilization for the 95th percentile is less than 15%
I interpret that as: if I keep the load >15% for 1h and 15m each day, I would be good. I just have to wait and see. When my command is active I get 50% load and it's toggling on/off every 10min for 3h, effectively 1.5h, which is something like 6.25%.
One hour & 15 minutes is >5% of 24 hours, but that's a standard percentage measurement and not directly related to a percentile which is essentially a ranking system based on the normal distribution of a given sample data set.

Granted, I don't know the formulas, sample sizes, and sampling frequencies that Oracle is using to eventually calculate the 95th percentile, but my current understanding & interpretation of what Oracle may be doing to arrive at the conclusion that a system is "idle" in order to reclaim it is that, at certain intervals, they're collecting snapshots (i.e. data samples) of each OCI free tier system's network, RAM & CPU utilization (*not* CPU load) for every 7-day period to gather a pretty good sample size and build a normal distribution curve. It's this collection of data points (perhaps aggregated with other users with similar system configurations) that's being used to calculate the 95th percentile for your CPU utilization. IOW, this means that if your system CPU utilization is less than 15% for 95% of the data samples, then your CPU may be considered "idle."

Just my 2 cents.
 
One hour & 15 minutes is >5% of 24 hours, but that's a standard percentage measurement and not directly related to a percentile which is essentially a ranking system based on the normal distribution of a given sample data set.
Right, so they could pretty much do as they want. Guess @Jeffrey Young is right, it's a game.

In a 3 core instance I could run this constantly to soak 1 core and end up at 33% utilization continuously. That would show them... but it seems to affect ssh, which becomes really sluggish...
Or maybe the best would be to switch to pay-as-you-go.
 
10TB per month is, by far, enough for me. I don't even think my LAN traffic from my family approaches this number in a month.
Four of us in the house all streaming plus my projects - have never gone over a TB. Come close, but not over.

Ten TB is extremely generous. It does not even come close to any other free tier offerings, let alone the other paid services.
Easy enough to check, gents:
General > Traffic Analyzer > Traffic Monitor > Monthly
a TB or a bit more is about average, I'd say:
I figure with two locations using one server similarly, the low-end limits of traffic will be easily surpassed to stay in the free tier.
 