Wireguard implementation?

The tunnel setup time is so fast you don't realise it's being done.

(I know I'm new & you may choose to disregard my comments. As a long time lurker I've joined up to comment. As a past donator of a somewhat trivial amount, I thought OK to add my 5 cents worth.)

Please remember: WireGuard has not yet subjected itself to nor passed an independent security audit. Until such time as that has occurred, I doubt Asus will consider implementation; they’re wisely choosing to proceed with developing and building equipment that is capable of doing what people buy it (and need it) to do, with an eye to future capabilities. Hey, it’s apparently a big deal that the newest stuff is on k4.x...

Like you, I’m running a version (flavour?) of Ubuntu 20.04 with k5.4 on a similar Atom machine - with an SSD and swap, it’s remarkably agile for such an “old machine”, so I can see your confusion/disappointment. But Asus has shareholders to consider.


 
If you pop over to the master topic/thread quoted above, I have seen speeds >600Mbps posted there. That’s the best I can recall.
It’s light and fast...but is it secure?



Thanks. I considered upgrading my package from Comcast again to gig for a month so I could do some tests. No issue with paying the $20 extra for a month but then when I canceled I could not go back to the current package I have at my locked in price.
 
Please remember: WireGuard has not yet subjected itself to nor passed an independent security audit. Until such time as that has occurred, I doubt Asus will consider implementation; they’re wisely choosing to proceed with developing and building equipment that is capable of doing what people buy it (and need it) to do, with an eye to future capabilities ...
...
...
But Asus has shareholders to consider.

Old <> Better
New <> Better either

I suspect a few people with rudimentary security skills may have looked over the Wireguard code before entering it into the mainline Linux kernel tree.

You aren't getting any real anonymity with a VPN. Any of these VPNs (OpenVPN or Wireguard or IPSec) you are running yourself are a better solution compared to paying for a VPN service. Why not use something that is fast, functional and works?

With a VPN connection that you trust at best you are guarding against:
- public snoops (wired or wifi or cell data when connecting to external networks).
- reducing identity profiling (ad tracking).
- maybe (most likely not) minimizing exposure to government surveillance depending on where you are.

Wireguard Source Code Repositories - available for review.
https://www.wireguard.com/repositories/

- Cloudflare Warp uses Wireguard. Cloudflare may have a little idea about networking / security / etc.

- OpenVPN and IPsec are complex, disconnect easily, reconnections take substantial time, may use outdated ciphers, have a codebase that is much larger, thus making it harder to find bugs.

- Linus Torvalds described it, compared to OpenVPN and IPsec, as a "work of art". On 28 January 2020, WireGuard entered the mainline Linux kernel tree.

CVE
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openvpn
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireguard

Some Security info:
- https://www.wireguard.com/formal-verification/
- https://courses.csail.mit.edu/6.857/2018/project/He-Xu-Xu-WireGuard.pdf
 
All excellent points/arguments; my purpose in adding that post was more to encourage “look before you leap,” or “trust but verify”

HTH.


 
NordVPN now offers Wireguard with their new "NordLynx" system.

https://support.nordvpn.com/General-info/1438624372/What-is-NordLynx.htm

NordLynx is the technology that we built around the WireGuard® VPN protocol. It lets you experience WireGuard’s speed benefits without compromising your privacy.

I run NordLynx on my Android phones and Win10 desktop via their app; it is very fast and the connection is made instantly, no delay waiting for the server.
 
disconnect easily

OpenVPN is quite resilient, especially when using TCP. I've seen plenty of occasions where an OpenVPN tunnel stayed connected for hours, even days.

may use outdated ciphers

There's nothing outdated in AES GCM ciphers...
 
NordVPN now offers Wireguard with their new "NordLynx" system.

https://support.nordvpn.com/General-info/1438624372/What-is-NordLynx.htm



I run NordLynx on my Android phones and Win10 desktop via their app; it is very fast and the connection is made instantly, no delay waiting for the server.

This is from NordVPN's site
Screenshot_20200604-142705193.jpg

The biggest problem with wireguard implementation is the ever evolving and ever changing kernel. I can't count the numerous times I had to reseat or reinstall wireguard because of a kernel change or an update (referring to my personal experiences with it on Linux devices).
 
Let's put it simply: Wireguard won't sell more routers for Asus

Well it might - bringing VPN to the mainstream.

Setup on my GL-AR750S consisted of https://docs.gl-inet.com/en/3/app/wireguard/
  1. Start server (accepting default ports & IP)
  2. Add new user name
  3. Capturing QR code on end device Wireguard app
It works! Simplicity!
It wasn't that smooth setting up OpenVPN on the ASUS. I did have to check several guides to get it going with my client side. Is my setup optimised? I don't know.

When it comes around to router upgrade time, I'll be looking for a Wireguard compatible solution.
(I omitted setting up port forwarding on the RT-AC86U as that wouldn't be required if native to it.)
 
It wasn't that smooth setting up OpenVPN on the ASUS. I did have to check several guides to get it going with my client side.

Click on Import button, and upload your ovpn config file.
Enter username and password.
You're done.

Not sure how much easier it could be...
 
Click on Import button, and upload your ovpn config file.
Enter username and password.
You're done.

Not sure how much easier it could be...

It took several iterations to get a configuration that worked across ALL Windows, Android & iOS clients. Not all clients had all options, etc. It's years back on a rt-ac68 & I don't remember the detail. Clearly the clients not up to it! The VPN capabilities were one of the key reasons I bought ASUS.
 
It took several iterations to get a configuration that worked across ALL Windows, Android & iOS clients. Not all clients had all options, etc. It's years back on a rt-ac68 & I don't remember the detail. Clearly the clients not up to it! The VPN capabilities were one of the key reasons I bought ASUS.

I get what you are saying. Some providers have a "universal" config setup. I have experienced this with several VPN providers, where they may include "windows-only" parameters within their .conf and tell the user to delete the line after uploading it to Asuswrt-Merlin. Settings like register-dns. They may also require you to configure additional settings on the GUI for optimal support such as kill-switch or level of compression, or cipher negotiation.
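
An added example, not part of any post in this thread: a small pre-upload check for a provider's "universal" .ovpn file that drops Windows-only directives and lists the compression and cipher lines that have to match the router GUI. The directive lists (beyond register-dns, which the post names) and the sample config are assumptions constructed for illustration.

```python
import re

# Directives the OpenVPN manual marks as Windows-only. register-dns is the one
# named in the post; block-outside-dns is an assumed addition.
WINDOWS_ONLY = {"register-dns", "block-outside-dns"}
# Settings that must agree with what is selected in the router GUI.
REVIEW = {"comp-lzo": "compression", "compress": "compression",
          "cipher": "cipher", "ncp-ciphers": "cipher", "data-ciphers": "cipher"}
INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

# Constructed sample config (hostname and contents are placeholders).
SAMPLE = """\
client
remote vpn.example.net 1194
cipher AES-256-GCM
comp-lzo no
register-dns
block-outside-dns
<ca>
register-dns  # constructed filler inside an inline block, must be kept
</ca>
"""

def audit_ovpn(text):
    """Return (cleaned_config, removed, review) for the text of an .ovpn file."""
    cleaned, removed, review = [], [], []
    inline = None  # name of the inline block (<ca>, <cert>, ...) we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:  # never interpret key/cert material as directives
            cleaned.append(raw)
            if line == f"</{inline}>":
                inline = None
            continue
        m = INLINE_OPEN.match(line)
        if m:
            inline = m.group(1)
        if m or not line or line[0] in "#;":  # block opener, blank, comment
            cleaned.append(raw)
            continue
        directive = line.split()[0].lower()
        if directive in WINDOWS_ONLY:
            removed.append((lineno, line))
            continue
        if directive in REVIEW:
            review.append((lineno, REVIEW[directive], line))
        cleaned.append(raw)
    return "\n".join(cleaned) + "\n", removed, review
```
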
 
Well it might - bringing VPN to the mainstream.

Setup on my GL-AR750S consisted of https://docs.gl-inet.com/en/3/app/wireguard/
  1. Start server (accepting default ports & IP)
  2. Add new user name
  3. Capturing QR code on end device Wireguard app
It works! Simplicity!
It wasn't that smooth setting up OpenVPN on the ASUS. I did have to check several guides to get it going with my client side. Is my setup optimised? I don't know.

When it comes around to router upgrade time, I'll be looking for a Wireguard compatible solution.
(I omitted setting up port forwarding on the RT-AC86U as that wouldn't be required if native to it.)

Telling @RMerlin here isn’t the right place; you have to tell Asus. These discussions should be initiated over on the official firmware forum, where Asus people visit, hang out and answer questions. Until they understand that there is a demand, and that demand will involve selling more/newer hardware (in the future), this is all just proving to consume @RMerlin’s limited daily processing cycles that I would prefer were focused on doing what he does best.


 
When using Merlin firmware on an ASUS router.

Astrill - Select OVPN file and upload - Then Apply done
PIA - Select OVPN file you created using their online configurator and upload - Then add user name and password - Then apply done
Strong - Same steps as PIA

None of them require any modifications or added statements.

Back in the old days it was sometimes more complicated but with Merlin's firmware it is simple.
 
Strongly recommend folks not to rely on VPN solutions where you don't have control over the server instance itself (in other words don't use freeware or commercial VPN Service providers).

It's better if you implement your own VPN server solution on one of the following:
- your own router
- another device in your home network (like a raspberry pi or some other device that is always on)
- a virtual private server instance(s) (linode, Amazon AWS, DigitalOcean, Vultr etc..) from a reputable hosting provider. Also the ability to easily turn up or down VPN server instances in different regional data centers around the world for various purposes.

In any of the above cases, VPN server will be cheaper, provide more control over privacy (you decide which DNS provider gets to see your name resolution traffic, you decide what and how much ad blocking etc. etc. etc.)

For some more info re: VPN Services paid / free - type in kenn white vpn into a search engine.
 
Just to add to the noise level. While I was eagerly waiting for wireguard to be supported on merlin, I just found out that wireguard only works on UDP and offers no workaround for TCP. There are a few hacky solutions out there tunneling UDP over TCP but I wonder if common clients (e.g. android WG client) would support that type of configuration (apparently, not on android at least).

Ideally, I would have preferred to run WG on UDP (e.g. UDP 53 that is sometimes open in public wifi) for full performance, and at the same time on TCP/443 as a fallback alternative in case I'm on public or work wifi that only allows tcp/443. That would maximize chances of being able to connect to my home router from wherever.

So now I'm a little less eager WRT wireguard :). Long live OpenVPN on TCP/443
 
Just to add to the noise level. While I was eagerly waiting for wireguard to be supported on merlin, I just found out that wireguard only works on UDP and offers no workaround for TCP. There are a few hacky solutions out there tunneling UDP over TCP but I wonder if common clients (e.g. android WG client) would support that type of configuration (apparently, not on android at least).

Ideally, I would have preferred to run WG on UDP (e.g. UDP 53 that is sometimes open in public wifi) for full performance, and at the same time on TCP/443 as a fallback alternative in case I'm on public or work wifi that only allows tcp/443. That would maximize chances of being able to connect to my home router from wherever.

So now I'm a little less eager WRT wireguard :). Long live OpenVPN on TCP/443

All true.

Though I’d mention to all that BYOD poses a genuine risk to businesses. If they locked down their network so far to only permit 443 then using any VPN protocol to bypass probably breaks some terms of use. Best to respect them and bring a personal hotspot for such things.

OpenVPN is more effective than WG at bypassing firewalls. On low powered roaming devices like phones OpenVPN app has problems with battery use and maintaining connection. WireGuard has proved better for those.
 
FYI, wireguard now works well on ac86u with 384.18, iperf3 shows ~550Mbps throughput with single connection on 1Gbps LAN.
 
FYI, wireguard now works well on ac86u with 384.18, iperf3 shows ~550Mbps throughput with single connection on 1Gbps LAN.

Yes agreed, it was simple enough to set up and performs well on AC86U even on 384.17
 
How did you set up wireguard? Is there a guide somewhere? Thanks
 
