ZebMcKayhan
Very Senior Member
My old RT-AC86U recently gave up, the 2.4GHz radio died, so I replaced it with RT-AX86U Pro so I figured I'd try out the firmware wireguard server and see if I could tweak it to my needs. My primary problem is that I'm behind a CGNAT and using a VPS (cloud server) to relay wireguard from clients to my router. But I need my router to connect out, not the other way. Wireguard supports this (remember, the concepts of server and client are constructs of the firmware, not wireguard). If anyone is interested in how my setup was:
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server
So, my first obstacle was to replicate my old server. Much could be done in the gui, except for the crypto keys used.
After looking at the firmware code it is clear that the firmware is not using config files at all. The only config files that exist are the server client files (/etc/wg).
Instead the gui uses nvram variables for everything. You could check how these are by
Code:
nvram show | grep wgs1
So, after creating a server in the gui with my custom ip pool, I ssh into the router and update the crypto keys:
Code:
#server peer:
nvram set wgs1_priv=PasteInServerPeerPrivateKey
nvram set wgs1_pub=PasteInServerPeerPublicKey
#client1 peer:
nvram set wgs1_c1_priv=PasteInClient1PrivateKey
nvram set wgs1_c1_pub=PasteInClient1PublicKey
nvram set wgs1_c1_psk=PasteInClient1PSKIfUsed
#client2 peer:
nvram set wgs1_c2_priv=PasteInClient2PrivateKey
nvram set wgs1_c2_pub=PasteInClient2PublicKey
nvram set wgs1_c2_psk=PasteInClient2PSKIfUsed
#a.s.o
nvram commit
And just to be sure I rebooted the router.
Just a note, any server config only includes the server private key and the clients' public keys and PSK of course, which should be enough to change for it to work. The rest are only used when generating client configs (qrcode).
Ok, so the next challenge was to add the Endpoint directive to my peer so it connects out to my cloud server. This is not at all part of the firmware, but userspace wg tools have the option to set peer parameters directly, like:
Code:
wg set wgs1 peer <peer pub key> endpoint xx.yyy.zzz.xyz:nnnnn
And in my case it's also a good idea to add the persistent-keepalive option to keep the tunnel open.
But this needs to be added to the server each time it starts, so we make use of the firmware hook:
Code:
nano /jffs/scripts/wgserver-start
And I have made a simple script that snatches the pub key directly from nvram and populates the endpoint in the peer you want:
Code:
#!/bin/sh
# Client number whose peer gets the endpoint (matches wgs1_c<N>_pub in nvram)
ClientNr=1
# Cloud server host:port (placeholder)
EndPoint=xx.yyy.zzz.xyz:nnnnn
# Set the endpoint and keepalive on that peer; its pub key is read from nvram
wg set wgs1 peer $(nvram get wgs1_c"$ClientNr"_pub) endpoint $EndPoint persistent-keepalive 25
And if we want to change the server interface mtu, we could also add:
Code:
ip link set dev wgs1 mtu 1412
Save & exit.
Make it executable:
Code:
chmod +x /jffs/scripts/wgserver-start
Hopefully this helps the next person wanting to tweak wg server parameters.
//Zeb
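A hardened version of the wgserver-start hook, added here as an example and not the post's own script: it checks that the public key read from nvram is a well-formed WireGuard key before calling wg set, so a mistyped ClientNr or an unset client never produces a broken peer update, and it only touches the router when nvram and wg are present. The nvram name wgs1_cN_pub, the hook path and the 25-second keepalive are from the post; the endpoint and MTU values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Intended for /jffs/scripts/wgserver-start.
# Assumes the firmware's nvram naming wgs1_c<N>_pub shown in the post.

ClientNr=1
EndPoint="xx.yyy.zzz.xyz:nnnnn"   # placeholder: cloud server host:port
Keepalive=25
Mtu=1412                           # placeholder: interface MTU

# A WireGuard key is 32 bytes base64-encoded: 43 key chars followed by '='.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Build the `wg set` argument list for one peer so it can be checked
# (or logged) before being executed. Fails if the key is not well-formed.
peer_set_args() {
    # $1 = interface, $2 = peer public key, $3 = endpoint, $4 = keepalive seconds
    valid_wg_key "$2" || return 1
    printf '%s peer %s endpoint %s persistent-keepalive %s\n' "$1" "$2" "$3" "$4"
}

# Only touch the router when the firmware tools exist, so the helpers above
# can be exercised elsewhere without side effects.
if command -v nvram >/dev/null 2>&1 && command -v wg >/dev/null 2>&1; then
    PubKey="$(nvram get "wgs1_c${ClientNr}_pub")"
    if args="$(peer_set_args wgs1 "$PubKey" "$EndPoint" "$Keepalive")"; then
        # shellcheck disable=SC2086  # word-splitting of $args is intended
        wg set $args
        ip link set dev wgs1 mtu "$Mtu"
        logger -t wgserver-start "peer c${ClientNr} endpoint set to $EndPoint"
    else
        logger -t wgserver-start "no valid public key in nvram for client $ClientNr, skipping"
    fi
fi
```

The logger lines end up in the router's syslog, which is where you look when the tunnel does not come up after a reboot.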
Update:
If you ever wish to export your server config to, i.e., move your server to a different router or to a VPS without wanting to change your clients, this could be done by letting wg create a config file with the current configuration:
Code:
wg showconf wgs1 > /tmp/wgs1.conf
You could find your config file here: /tmp/wgs1.conf. However it will miss an important directive that wg doesn't use, that is the interface address, normally 10.6.0.1/24. So under [Interface] section you could add this line:
Code:
Address = 10.6.0.1/24
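The export step above as a small script, added here as an example and not part of the original post: it inserts the Address line that wg showconf leaves out directly after the [Interface] header, and writes the file with owner-only permissions because it contains the server private key. The interface name, address and /tmp path are the post's; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# Insert "Address = <addr>" directly after the [Interface] header.
# Reads a wg config on stdin, writes the completed config to stdout.
add_address_line() {
    awk -v addr="$1" '{ print } /^\[Interface\]$/ { print "Address = " addr }'
}

# Export the running config of interface $1 with address $2 to file $3.
# The file holds the server private key, so it is created mode 0600.
export_server_conf() {
    ( umask 077; wg showconf "$1" | add_address_line "$2" > "$3" )
}

# Constructed sample of what `wg showconf wgs1` prints (keys are placeholders),
# used to exercise add_address_line away from the router.
SAMPLE_CONF='[Interface]
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/32'

# Only run the real export where wg exists (the router).
if command -v wg >/dev/null 2>&1; then
    export_server_conf wgs1 10.6.0.1/24 /tmp/wgs1.conf
fi
```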