Tutorial Wireguard server tweaks

[ZebMcKayhan]

My old RT-AC86U recently gave up, the 2.4GHz radio died, so I replaced it with RT-AX86U Pro so I figured Id try out the firmware wireguard server and see if I could tweak it to my needs. My primarily problem is that Im behind a cgnat and using a vps (cloud server) to relay wireguard from clients to my router. But I need my router to connect out, not the other way. Wireguard supports this (remember, the concept of server, client are constructs of the firmware, not wireguard). If anyone is interested on how my setup were:
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server

So, my first obstacle was to replicate my old server. Much could be done in the gui, except for the crypto keys used.
After looking at the firmware code it is clear that the firmware is not using config files at all. The only config files that exists are the server client files (/etc/wg).
Instead the gui uses nvram variables for everything. You could check how these are by

nvram show | grep wgs1

So, after creating a server in the gui with my custom ip pool, I ssh into the router and update the crypto keys:

#server peer:
nvram set wgs1_priv=PasteInServerPeerPrivateKey
nvram set wgs1_pub=PasteInServerPeerPublicKey
#client1 peer:
nvram set wgs1_c1_priv=PasteInClient1PrivateKey
nvram set wgs1_c1_pub=PasteInClient1PublicKey
nvram set wgs1_c1_psk=PasteInClient1PSKIfUsed
#client2 peer:
nvram set wgs1_c2_priv=PasteInClient2PrivateKey
nvram set wgs1_c2_pub=PasteInClient2PublicKey
nvram set wgs1_c2_psk=PasteInClient2PSKIfUsed
#a.s.o
nvram commit

And just to be sure I rebooted the router.

Just a note, any server config only includes server private key and clients public keys and psk ofcource. which should be enough to change for it to work. The rest are only used when generating client configs (qrcode).

Ok, so the next challange was to add the Endpoint directive to my peer so it connect out to my cloud server. This is not at all part of the firmware, but userspace wg tools have the option to set peer parameters directly, like:

wg set wgs1 peer <peer pub key> endpoint xx:yyy:zz:xyz:nnnnn

And in my case its also a good idea to add the persistant-keepalive option to keep the tunnel open.

But this need to be added to the server each time it starts, so we make use of the firmware hook:

nano /jffs/scripts/wgserver-start

And I have made a simple code that snatches the pub key directly from nvram and populate the endpoint in the peer you want:

#!/bin/sh 

ClientNr=1
EndPoint=xx.yyy.zzz.xyz:nnnnn

wg set wgs1 peer $(nvram get wgs1_c"$ClientNr"_pub) endpoint $EndPoint persistent-keepalive 25

And if we want to change the server interface mtu, we could also add:

ip link set dev wgs1 mtu 1412

Save & exit.

Make it executable:

chmod +x /jffs/scripts/wgserver-start

Hopefully this helps the next person wanting to tweak wg server parameters.

//Zeb

Update:
If you ever wish to export you server config to, i.e, move your server to a different router or to a vps whitout wanting to change your clients, this could be done by letting wg create a config file with the current configuration:

wg showconf wgs1 > /tmp/wgs1.conf

You could find your config file here: /tmp/wgs1.conf. however it will miss an important directive that wg doesnt use, that is the interface address, normally 10.6.0.1/24. So under [Interface] section you could add this line:

Address = 10.6.0.1/24

 

[DocUmibozu]

Interesting post.
I'll soon have to migrate my Asus wireguard server config to a vps.
Thaks for the info

 

[ZebMcKayhan]

Interesting post.
I'll soon have to migrate my Asus wireguard server config to a vps.
Thaks for the info

Please share your experience so others could benefit! And let me know if you hit a snag and need another set of eyes.

 

[ZebMcKayhan]

I just realized this methode would also allow one to create a site-2-site or site-2-multisite (mesh) network with only server peers on each site.

On the upside, you would get rid of any policy routes as the server routes would go into the main routing table. However current policy routing table does not include server routes (which is alittle wierd). So if Wireguard internet clients are used vpn director rules for wgs1 destinations may still be needed.
There may be benefits with nat hw accelleration using servers instead as there are no nat involved (and should not be).

The method for populating the keys in nvram is alittle tedious, perhaps some scriptwriter could make an import script that parses a config file and populates the nvram variables accordingly. Could even be a script for aiding the creation of complex mesh networks where multple lan is setup to connect together as these setup fast grows really complex:
https://github.com/ZebMcKayhan/WireguardManager#site-2-multisite--mesh

 

[heysoundude]

Interesting post.
I'll soon have to migrate my Asus wireguard server config to a vps.
Thaks for the info

The people at Oracle sent me the instructions on how to install it on one of their Free Tier servers...just ask them.

 

[Jeffrey Young]

Interesting post.
I'll soon have to migrate my Asus wireguard server config to a vps.
Thaks for the info

Just do a google search on setting up wireguard on Ubuntu (if that is the distro you choose for your VPS). There is a ton of tutorials out there.

I've used Oracle Free Tier myself for a while as a proxy server into my network that is behind a CGNAT. I use wireguard as the VPN tunnel. Started out using a AC86U, now using AX88U. I done everything though with my own scripts.

 

[DocUmibozu]

Yes, the interesting part is how to retrieve Asus wireguard config.
Cause I'd like to not reconfigure all the keys

 

[ZebMcKayhan]

Yes, the interesting part is how to retrieve Asus wireguard config.
Cause I'd like to not reconfigure all the keys

you dont have to reconfigure the keys, that is only if you like to copy an old server without needing to remake all the client configs... if you are setting up a new server you dont have to worry.

setup a server in the gui and make a client to it. say the server is 10.60.0.1/32 and the VPS client gets 10.60.0.2/32. if you will never have any other direct connections, then all other clients will be connecting over VPS, you simply set AllowedIPs (server) to be the entire network: 10.60.0.0/24. Then you add the endpoint to your VPS according to my first post.

the gui allows you to retrieve the VPS config file if I remember correctly, otherwise you will find it in /etc/wg.
but the config file only includes Router public key and VPS private key. you need to retrieve VPS public key for using for your clients connecting to the VPS:

nvram get wgs1_c1_pub

for the rest of the VPS you could setup according my guide, just scroll past the WGM part in the beginning until you get to the "Setup Cloud Server" part.
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server

 

[DocUmibozu]

you dont have to reconfigure the keys, that is only if you like to copy an old server without needing to remake all the client configs... if you are setting up a new server you dont have to worry.

setup a server in the gui and make a client to it. say the server is 10.60.0.1/32 and the VPS client gets 10.60.0.2/32. if you will never have any other direct connections, then all other clients will be connecting over VPS, you simply set AllowedIPs (server) to be the entire network: 10.60.0.0/24. Then you add the endpoint to your VPS according to my first post.

the gui allows you to retrieve the VPS config file if I remember correctly, otherwise you will find it in /etc/wg.
but the config file only includes Router public key and VPS private key. you need to retrieve VPS public key for using for your clients connecting to the VPS:

nvram get wgs1_c1_pub

for the rest of the VPS you could setup according my guide, just scroll past the WGM part in the beginning until you get to the "Setup Cloud Server" part.
https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server

I'd like to preserve the old keys... I've about 5 clients and rekeying all of them is a pain in the butt.
For now I'm experimenting a migration to an old openwrt router, just to see which key goes where.

 

[ZebMcKayhan]

I'd like to preserve the old keys... I've about 5 clients and rekeying all of them is a pain in the butt.
For now I'm experimenting a migration to an old openwrt router, just to see which key goes where.

Sure, you can move all client pub keys to the vps, and your old server priv key. But you will still need to update the clients endpoint to be pointing to your vps ip instead of your router. Or perhaps you have some ddns which you could point to your vps instead.

Then you need to add your new peer between your router and the vps, but this could be generated on the router and copy-paste the config peer part into your vps conf.

Good idea to practice move to another router. Let me know if you need some assistance.

 

[DocUmibozu]

Well, the transfer of the key from asus router to openwrt was long and tedious... why thet put them in the nvram variables and not in a .conf file?
Ranting apart, the openwrt router was configured with a 192.168.0.0/32 subnet and 51819 port for wireguard. The rest mimics perfectly the asus router (which is 192.168.1.0/32 subnet and 51820 port for wireguard).
I tried to establish connection modifying one client config and it's all ok.
So configured the openwrt router to 192.168.1.0/32 and 51820 port and switched off the asus router.... BAM... no connection...
Seems that when you change the server config, the peers have to be restarted to establish the connection. And one peer is 150km away from my home
So now I have put online the asus again, set a reboot timer in the peers, switch the asus with the openwrt router and wait the reboot timer to trigger... and hope that everything goes well

 

[ZebMcKayhan]

Seems that when you change the server config, the peers have to be restarted to establish the connection. And one peer is 150km away from my home

Normally no, Wireguard is connection-less, and thus somehow state-less. Are you running both routers off the same wan?

 

[DocUmibozu]

Sorry, but no. Wireguard is connection-less, and thus somehow state-less. Are you running both routers off the same wan?

Same wan.
Asus router connection established.
Openwrt router no connection until I restart client wireguard or reboot the client router.
Don't know what to say.

 

[ZebMcKayhan]

Same wan.
Asus router connection established.
Openwrt router no connection until I restart client wireguard or reboot the client router.
Don't know what to say.

Alright, must be the client app that somehow notice the difference. But the good thing is that you got it working!

 

[DocUmibozu]

Alright, must be the client app that somehow notice the difference. But the good thing is that you got it working!

Yes, everything works.
Don't know why but the clients all need a restart, otherwise they don't sense the new server. Very strange behaviour....

 

[jksmurf]

|SNIP| My primarily problem is that Im behind a cgnat and using a vps (cloud server) to relay wireguard from clients to my router. But I need my router to connect out, not the other way.

Interesting. My remote Router is also behind a CGNAT but I paid for a Static IP to get past that and to be able to use WG (hopefully no security issues there). It is really slow though, probably the limited upload speed, I thought it might be because of the ONT (modem) not being bridged, but apparently that has nothing to do with it. Thanks for the instructions - quite a handful!

 

[ZebMcKayhan]

Well, the transfer of the key from asus router to openwrt was long and tedious... why thet put them in the nvram variables and not in a .conf file?

You could retrieve the config from userspace wg with:

wg showconf wgs1 > /tmp/wgs1.conf

It will be missing directives that wg dont use but other parts are setting up, such as
DNS
ADDRESS

But the rest will be there.

 

[DocUmibozu]

Interesting. My remote Router is also behind a CGNAT but I paid for a Static IP to get past that and to be able to use WG (hopefully no security issues there). It is really slow though, probably the limited upload speed, I thought it might be because of the ONT (modem) not being bridged, but apparently that has nothing to do with it. Thanks for the instructions - quite a handful!

Check the MTU of the wireguard connection and try to optimize that parameter.
If it fails contact your ISP to know if they throttle wireguard via DPI.

 

[jksmurf]

Check the MTU of the wireguard connection and try to optimize that parameter.
If it fails contact your ISP to know if they throttle wireguard via DPI.

Sorry but how do I do this please?

 

[DocUmibozu]

Sorry but how do I do this please?

Wireguard MTU?

I'm using a Wireguard config from my VPN provider. I notice doing ping tests that it sets the MTU at 1420 for the WG connection. Is there any advantage to setting the MTU on the modem and/or the router WAN to 1392? RT-AX86U

www.snbforums.com