Wireguard on ROOter?

tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

LTE_boi wrote: Thu Sep 16, 2021 12:08 pm Right, but I've noticed that each time I change it, I am only able to buy myself a few hours of unthrottled speeds. Are you familiar with how to schedule a task so that the TTL value will change for example every hour? Or perhaps you've had better luck with some particular settings where you don't run into this issue? Any input is really appreciated
I don't really have any particular wisdom on this, sorry. All I can say is that I can tether from my Moto G Power phone on Visible to the Raspberry Pi running WireGuard and TTL 65 and have never seen the 5 Mbps throttle except when I had the TTL at something other than 65. I haven't used it for hours at a time recently although I was doing that a few months ago.

After reading of people's trouble with this yesterday I ran it for maybe two hours and it was still good. That's not to say it's always fast. It's usually about 20 but sometimes it's less than 5. It's obvious when the throttle happens because after a few seconds it averages to almost exactly 5. I'm in a pretty good signal area for Visible. Often it's really good. I've seen 90 Mbps while using WireGuard.

Now that I have my nice new router I probably won't be tethering the phone much but I'm thinking of getting a Visible SIM for the router. I'm currently testing Net10 on AT&T. It's for my RV and I don't need it all the time but $25 per month is maybe low enough to keep permanently so it's ready to go at a moment's notice. I guess I'll see how it works out. Net10 is going great. It's $50 and I've heard that it unofficially maxes out at 200 GB in the month. I'm getting about 40 Mbps on the router with WireGuard.
LTE_boi
Posts: 15
Joined: Wed Aug 18, 2021 1:23 pm
Has thanked: 2 times
Been thanked: 0

Re: Wireguard on ROOter?

Post by LTE_boi »

What WireGuard settings are you using?
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

LTE_boi wrote: Thu Sep 16, 2021 1:38 pm What WireGuard settings are you using?
There are almost no settings to set. I just use the config file I download from Windscribe. It's basically just the keys and endpoint IP address etc.
Adm1jtg
Posts: 395
Joined: Sat Aug 08, 2020 7:19 pm
Has thanked: 8 times
Been thanked: 116 times

Re: Wireguard on ROOter?

Post by Adm1jtg »

Didneywhorl wrote: Thu Sep 16, 2021 12:57 pm Many times when updating to a higher, or lower, linux kernel it won't take unless you use the firmware recovery method / bootloader. I do it all the time, it's no harm or hassle in my experience.
Oh, I know. I probably did it a dozen times a year or two ago when I was first setting things up, but I noticed this file is "upgrade"; typically when changing versions don't you need the non-upgrade version?

Example the feb version filename is:
openwrt-WiFiX-WG3526-GO2021-02-20-19076.bin
no upgrade in its name

The one you linked is named:
WiFiX-NEXP1GO-GO2021-09-11-upgrade.bin

I don't believe you can load an upgrade version clean/factory style and I can't load it on top of my old version. I am betting I would need to load the Feb 2021 version then do the upgrade version on top of it.

That is unless you have a link to the non upgrade version of the latest version firmware.

I am posting this mostly to try and help others avoid issues, more than as an issue that I personally need resolved. In all the LEDE and OpenWrt I have done in the past there are always 2 versions: an upgrade version for updating a client and a "full" or non-upgrade version for clean or first-time installs.

Is this the same for GoldenOrb? As the above naming of files implies, there should be a non-upgrade version somewhere used for "clean installs".
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

Here's an update on using WireGuard in a WG3526 / NEXP1GO with an EM7565 and the latest firmware.

It's generally working great for me. I have it set to start on boot but the one issue I have is that it doesn't survive an ungraceful shutdown. If I simply cycle the power off and then on again, everything seems to restart but I have no internet connection on the LAN until I go into Network / Interfaces and restart WG0. That seems to work consistently but it's a bit of a pain since this is installed in my RV, often running on the house batteries where I really need a convenient way to switch it off when I don't need it.

The only recycle that seems to work reliably is doing a graceful System Stop from the menu and then a power cycle. Reboot from the menu doesn't usually work without manually restarting WG0.

I'm looking for suggestions on how to avoid or at least minimize this. A band-aid would be a script that restarts WG0 a few minutes after boot. Another would be some sort of UPS which connects via SSH and does a graceful shutdown.

Could someone please tell me what the recommended CLI command is to do the same as restart WG0 from the menu.

EDIT next day: The last few power cycles and reboots have worked well so maybe this is not as bad as it seemed at first.
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

This seems like a good place to continue with another update.

Restarts are not working well. It took me a while to figure it out but I finally know what's happening. It's a common problem with WireGuard on routers with no battery backed real time clock.

You can set WireGuard to start on boot but if you power the router off and on again, WireGuard will fail to reconnect. This is because WireGuard requires timestamps to be monotonic which means time always has to move forward. It's a security measure to prevent replay attacks.

I think we need it configured so that NTP time syncs go direct to the WAN, not via WireGuard. That would fix the problem. Another way would be to delay starting WireGuard until we have a good NTP sync. I'm researching this but unfortunately I'm not yet really skilled enough with iptables and/or OpenWRT / Rooter / WiFix configuration to figure out how to fix this.

This was getting quite frustrating but I feel better now that I know what's causing it. It is a significant problem, especially in a situation like an RV where it's quite common to simply switch things off to save battery power so I hope we can find a solution.
LoveMeSomeCALTE
Posts: 249
Joined: Sun Jul 05, 2020 2:29 pm
Has thanked: 239 times
Been thanked: 30 times

Re: Wireguard on ROOter?

Post by LoveMeSomeCALTE »

Using systemd you can set up dependencies so that the NTP daemon is started before WireGuard, or you can be even more careful and insert your own shell-script-based daemon as a dependency before WireGuard that checks the timestamp for monotonicity.
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

Yeah I'm trying to find my way around the internals of OpenWRT / Busybox which is easier said than done when I'm no expert on this stuff. You mention systemd but doesn't it use procd?

Something I did which I think gets me one step closer is I installed an NTP server on my WireGuard server. That was very easy using chrony. That's always available regardless of whether or not WireGuard has connected. I can now do this any time to fix the problem where x.x.x.x is my WireGuard server endpoint.

ntpd -q -p x.x.x.x

I'm still not quite there because I need to figure out where to run that. I might be wrong but I'm not sure it's quite as simple as getting the dependencies right. I'm looking at the hotplug framework that procd provides to respond to events but I don't really see an appropriate event. Running it before WireGuard starts is probably not useful because that's probably before we have an LTE connection. I think it really needs to happen when, or shortly after, the modem connects regardless of whether or not WireGuard has started.

I think a good test to detect this is to try pinging my WireGuard server internal address, 192.168.100.1 in my case. If I can't ping that but I can ping its public address then it means that the LTE is connected but WireGuard is not working so I need to sync time using the NTP server at that public address. I've tested that manually a few times and it seems to be reliable and doesn't involve any service that I don't control. I'm going to try to write a script to do that and run it on cron but only run while up time is less than about 5 minutes.

I'm obviously not the first to face this issue but I haven't found an easy to follow "canned" solution yet.
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

I think I have a reasonable solution to this:

Here's my script. I'm no expert at (b)ash so I'm sure this is not perfect but it seems to work. It assumes that the WireGuard server remote endpoint is also an NTP server. This is very simple to do (at least on Ubuntu) by installing something like chrony.

Code:

#!/bin/ash

# ntp-sync-for-wg.sh: when the WAN is up but the tunnel is not, force an NTP
# sync against the WireGuard server's public address so the handshake
# timestamp moves forward again after a power cycle.

if [ $# -ne 2 ]; then
  cat <<EOF
Usage: ntp-sync-for-wg <private-ip> <public-ip>

private-ip is the internal private IP address of the WireGuard server.
public-ip is the public endpoint IP address of the WireGuard server.
It is assumed that a NTP server is also available at the public address.

EOF
  exit 1
fi

# Get up time as an integer number of seconds: first field of /proc/uptime
# with the fractional part dropped.
uptime=$(cut -d ' ' -f 1 /proc/uptime)
uptime=${uptime%.*}

if [ "$uptime" -gt 600 ]; then
  # After 10 minutes we've either successfully reconnected or failed. Let's not ping needlessly forever.
  exit 0
fi

pingtest () {
  ping -c 1 -W 5 "$1" > /dev/null 2>&1
}

# Ping the WireGuard server's private internal address.
if pingtest "$1"; then
  # Success so nothing to do.
  exit 0
fi

# Ping the WireGuard server's public endpoint address.
if ! pingtest "$2"; then
  # Failed so nothing we can do. We probably don't have an internet connection.
  exit 0
fi

# A time sync will probably fix it. Busybox ntpd -q sets the clock once and exits.
ntpd -q -p "$2"

I have this saved in a file ntp-sync-for-wg.sh in /root/scripts and run it once per minute by adding this to crontab.

Code:

* * * * * /root/scripts/ntp-sync-for-wg.sh 192.168.100.1 x.x.x.x

192.168.100.1 is the WireGuard server's internal address.
x.x.x.x is the WireGuard server's public endpoint address.

After 10 minutes, it does nothing except check the up time so hopefully it's not a burden running every minute. In practice the date is set almost the instant the modem connects so it probably doesn't need anything like 10 minutes / 600 seconds.
LoveMeSomeCALTE
Posts: 249
Joined: Sun Jul 05, 2020 2:29 pm
Has thanked: 239 times
Been thanked: 30 times

Re: Wireguard on ROOter?

Post by LoveMeSomeCALTE »

tetranz wrote: Thu Sep 16, 2021 1:13 pm I'm currently testing Net10 on AT&T. It's for my RV and I don't need it all the time but $25 per month is maybe low enough to keep permanently so it's ready to go at a moment's notice. I guess I'll see how it works out. Net10 is going great. It's $50 and I've heard that it unofficially maxes out at 200 GB in the month. I'm getting about 40 Mbps on the router with WireGuard.
That's impressive.

Is the Net10/AT&T plan $25 per month or $50 per month?
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

LoveMeSomeCALTE wrote: Mon Oct 11, 2021 9:49 pm That's impressive.

Is the Net10/AT&T plan $25 per month or $50 per month?
It's $50 https://www.net10wireless.com/serviceplan. Sorry, I might have been a bit ambiguous there. I've been testing the new router / modem / WireGuard setup with Net10. I only need it when I'm in the RV so I don't want to pay $50 every month but, as an alternative at $25, Visible is low enough that I might keep it all the time.

Net10 is still working well. The month ends this week. I'm going to try Page Plus on Verizon next as a comparison. I think that's also $50 and unofficially 200 GB. They're both Tracfone. I guess I could have tried the Verizon version of Net10 because I think that and Page Plus are effectively the same thing. I also have the $20 AT&T postpaid tablet plan actually in a tablet which I guess I could put in the router but it's quite convenient to keep in the tablet. I run that with WireGuard too via a Raspberry Pi https://databurst.medium.com/adventures ... fd7bd92bf9. I think I'll keep that in the RV as a backup in case something happens to the router/modem.
LoveMeSomeCALTE
Posts: 249
Joined: Sun Jul 05, 2020 2:29 pm
Has thanked: 239 times
Been thanked: 30 times

Re: Wireguard on ROOter?

Post by LoveMeSomeCALTE »

tetranz wrote: Mon Oct 11, 2021 10:23 pm It's $50 https://www.net10wireless.com/serviceplan. Sorry, I might have been a bit ambiguous there. I've been testing the new router / modem / WireGuard setup with Net10. I only need it when I'm in the RV so I don't want to pay $50 every month but, as an alternative $25, Visible is low enough I might keep it all the time.

Net10 is still working well. The month ends this week. I'm going to try Page Plus on Verizon next as a comparison
Have you tried SimpleMobile? Don't use it in the modem but you can use in the phone:

https://wirelessjoint.com/viewtopic.php?f=32 ... =10#p10737

or CricketWireless

https://wirelessjoint.com/viewtopic.php?f=32&t=1556
tetranz wrote: Mon Oct 11, 2021 10:23 pm I also have the $20 AT&T postpaid tablet plan actually in a tablet which I guess I could put in the router but it's quite convenient to keep in the tablet
Nice, I would be interested in your feedback for this postpaid tablet plan at https://wirelessjoint.com/viewtopic.php?f=32&t=2955
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

I haven't tried Simple Mobile. I think they're T-Mobile. The Poynting antenna on my RV doesn't do band 71 so I've been sticking with AT&T and Verizon. I haven't tried it but I guess Cricket is certainly an option.
mtl26637
Posts: 324
Joined: Mon Jul 29, 2019 12:35 pm
Has thanked: 3 times
Been thanked: 102 times

Re: Wireguard on ROOter?

Post by mtl26637 »

Simple Mobile is T-Mobile. They also work in other devices than phones. Think their unlimited plan is around the $50 mark. Not sure exact devices they work in but I've moved mine around quite a few times. They use their own APN portal "simple" but I don't care for the extra MVNO hops or any of 'tracfone' APNs for that matter so just use the real carrier's APN instead, ;).
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

Another update in case this is useful for anyone. I'm still messing around trying to get the perfect startup script. It's a frustratingly simple but somewhat tricky to solve problem.

The script I published at https://wirelessjoint.com/viewtopic.php?f=8& ... =50#p22004 has been working well but it depends on running my own WireGuard server which also runs a NTP server. That part is easy and inexpensive if you know how but maybe not ideal. I have my server on a $5/month host at DigitalOcean and, probably to be expected, I've run into quite a few roadblocks while general web browsing with the IP address blocked. I think it's mostly CloudFlare's CDN which blocks these cheap cloud servers, probably because they think I might be a bad 'bot.

So ... I've gone back to Windscribe but I still need to deal with WireGuard's monotonic time requirement on a router without a battery backed RTC. An easy trick that I read elsewhere is to simply set the time at boot to something way in the future. That generally works but I've found that sometimes I still need to restart wg0 and sometimes it connects but the time stays wrong. I want the logs to have the right time.

Here's another attempt at a script for this. So far this hasn't failed once on Windscribe rebooting with the three different methods I know how to reboot. i.e., reboot from the menu, shutdown from the menu and power on/off and simply power on/off while it's running.

The following is a file /root/scripts/wg0-test-restart.sh

Code:

#!/bin/ash

# wg0-test-restart.sh: a few minutes after boot, check whether traffic is
# flowing through the tunnel; if not, restart wg0 and sync the clock.
#
# Add the following to /etc/rc.local so the first handshake timestamp after a
# power cycle is never older than the last one the server saw:
# date --set=2030-01-01

TAG=wg0-test-restart.sh

# Get up time as an integer number of seconds.
uptime=$(cut -d ' ' -f 1 /proc/uptime)
uptime=${uptime%.*}

if [ "$uptime" -lt 240 ]; then
  # Wait a few minutes for the normal boot and connect process to run.
  exit 0
fi

if [ "$uptime" -gt 600 ]; then
  # After 10 minutes we've either successfully reconnected or failed. Avoid unnecessary pinging.
  exit 0
fi

pingtest () {
  logger -p notice -t "$TAG" "ping test $1."
  ping -c 1 -W 5 "$1" > /dev/null 2>&1
}

timesync () {
  logger -p notice -t "$TAG" "Time sync."
  ntpd -q -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.openwrt.pool.ntp.org
}

restart_interface () {
  logger -p notice -t "$TAG" "Restarting $1."
  ifdown "$1" && sleep 3 && ifup "$1"
}

if pingtest 1.1.1.1; then
  # Ping was successful, so the tunnel is passing traffic.

  if [ "$(date +%Y)" -eq 2030 ]; then
    # Time is still the placeholder set in rc.local.
    timesync
  fi

  exit 0
fi

# Ping failed: bring the tunnel down and up, then fix the clock.
restart_interface wg0
timesync

Scheduled tasks has the following so it runs once per minute.

Code:

* * * * * /root/scripts/wg0-test-restart.sh

Make sure to add the following to /etc/rc.local

Code:

date --set=2030-01-01
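The timestamp rule described earlier in this thread (handshake timestamps have to keep moving forward, as a replay defence) and the "set the clock to 2030 at boot" workaround above, modelled as an added example. This is not code from the thread, from WireGuard or from the GoldenOrb firmware; it is a small Python simulation of the responder-side check as the WireGuard protocol defines it: every handshake initiation carries a 12-byte TAI64N timestamp (big-endian seconds offset by 2^62 + 10, then nanoseconds), the responder remembers the greatest timestamp it has accepted from each peer, and it drops any initiation whose timestamp is not strictly greater than that. The peer label and all dates in the scenario are constructed. The scenario also shows the caveat a practitioner would want with the 2030 trick: once the server has accepted a 2030-dated handshake, a later initiation stamped with the real time is "older" and is dropped until the server's per-peer state is reset (peer removed and re-added, or the server restarted). Whether that bites with a given provider depends on how it manages peer state; the simulation shows only the rule.

```python
"""Added example: simulate the responder side of WireGuard's handshake
timestamp check. Not code from this thread, from WireGuard or from the
GoldenOrb firmware; the peer label and the dates are constructed."""
import struct
from datetime import datetime, timezone

# TAI64 label of the Unix epoch: 2^62, plus the 10 seconds TAI was ahead of
# UTC in 1970. WireGuard adds this to Unix seconds when stamping an initiation.
TAI64N_EPOCH_OFFSET = (1 << 62) + 10


def tai64n(unix_seconds, nanoseconds=0):
    """12-byte TAI64N: big-endian 64-bit seconds, then 32-bit nanoseconds."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    return struct.pack(">QI", TAI64N_EPOCH_OFFSET + unix_seconds, nanoseconds)


def unix(when):
    """Constructed helper: 'YYYY-MM-DD HH:MM' (UTC) -> Unix seconds."""
    dt = datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


class Responder:
    """Server side: the greatest timestamp accepted so far, per peer."""

    def __init__(self):
        self._latest = {}

    def accept_initiation(self, peer, timestamp):
        # Python compares bytes lexicographically, which for big-endian
        # fields is the same ordering as memcmp() on the raw TAI64N value.
        latest = self._latest.get(peer, bytes(12))
        if timestamp <= latest:
            return False  # equal = replay, smaller = clock went backwards
        self._latest[peer] = timestamp
        return True

    def forget_peer(self, peer):
        """Removing and re-adding the peer on the server discards its state."""
        self._latest.pop(peer, None)


def router_scenario():
    """Power-cycle sequence from the thread, as (label, accepted) pairs."""
    server = Responder()
    peer = "rv-router"  # constructed label standing in for the peer's public key
    log = []

    def attempt(label, timestamp):
        log.append((label, server.accept_initiation(peer, timestamp)))

    first = tai64n(unix("2021-10-11 20:00"))
    attempt("first handshake, clock correct", first)
    attempt("same initiation replayed by an attacker", first)
    # Router power-cycled with no RTC: clock restarts at a default in the past.
    attempt("after power cycle, clock at default", tai64n(unix("2000-01-01 00:00")))
    # NTP corrected the clock before the next initiation went out.
    attempt("after NTP sync", tai64n(unix("2021-10-12 08:00")))
    # The rc.local trick: a clock forced to 2030 at boot gets through once ...
    attempt("after power cycle, clock forced to 2030", tai64n(unix("2030-01-01 00:00")))
    # ... but a later initiation stamped with the real time is now "older".
    attempt("rekey after clock corrected to real time", tai64n(unix("2021-10-12 08:05")))
    # Only discarding the server's per-peer state (or a server restart)
    # lets correctly dated handshakes through again.
    server.forget_peer(peer)
    attempt("after peer re-created on server", tai64n(unix("2021-10-12 08:10")))
    return log


if __name__ == "__main__":
    for label, accepted in router_scenario():
        print("ACCEPT" if accepted else "DROP  ", label)
```

Running the file prints one ACCEPT or DROP line per step. The practical reading for a router without an RTC is the ordering tetranz was after: get a trustworthy clock before the first handshake goes out, rather than correcting it afterwards.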
chuyeu123
Posts: 4
Joined: Tue Aug 24, 2021 1:17 pm
Has thanked: 0
Been thanked: 1 time

Re: Wireguard on ROOter?

Post by chuyeu123 »

Hello,

May I ask how you guys configured your firewall or routes so that traffic goes through WireGuard? In the firewall setting I said forward wan port to wireguard then wireless/lan but all my traffic is still unfiltered. I hope someone would please be kind enough to point me in the right direction.

Thank you all so much
tetranz
Posts: 139
Joined: Thu Aug 13, 2020 11:53 am
Has thanked: 3 times
Been thanked: 41 times

Re: Wireguard on ROOter?

Post by tetranz »

I didn't need to do anything on my firewall. I think I'm basically using default settings and WireGuard just works.

The only things I needed to change were:

* Set a custom DNS in the LAN interface. I use Cloudflare's 1.1.1.1.
* Set the modem to only do IPv4. See https://wirelessjoint.com/viewtopic.php ... ard#p22631
* Use the script I published above to help WireGuard reconnect after a reboot.

I run permanently through Windscribe.
Dude4Linux
Posts: 5
Joined: Tue Jun 01, 2021 8:29 am
Has thanked: 0
Been thanked: 2 times

Re: Wireguard on ROOter?

Post by Dude4Linux »

After upgrading my router to the latest version of WiFiX I found that WireGuard was available as a VPN option.
Hostname WiFiX
Model WiFiX NEXP1GO
Architecture MediaTek MT7621 ver:1 eco:3
Firmware Version GoldenOrb_2021-09-11
Kernel Version 5.4.124

Changes I made:
* Enabled NTP time sync using the default servers
* Enabled Connection monitoring with restart LTE modem if the connection is lost
* Imported client config file generated by my wireguard server running on Home Assistant

My use case is different in that I only start the wireguard connection when I need access to my home network. I don't use this full time because the network speeds are greatly reduced. I don't have the connection set to restart on boot so I haven't experienced any problems with reboots.

Now I'm trying to setup WireGuard as a server so I can remotely connect to my RV's network. Home Assistant has a nifty way to generate a client config file along with a QR encoded version for smartphones. The WiFiX gui allows you to create a server configuration and associated clients. Save and Apply modifies the Luci config file in /etc/config/wireguard, but the GENERATE CONF FILES button doesn't seem to do anything. Is this a feature still under development?
Didneywhorl
Posts: 3616
Joined: Fri Mar 23, 2018 5:37 pm
Location: USA
Has thanked: 1363 times
Been thanked: 756 times

Re: Wireguard on ROOter?

Post by Didneywhorl »

Dude4Linux wrote: Thu Jan 27, 2022 1:36 pm ... but the GENERATE CONF FILES button doesn't seem to do anything. Is this a feature still under development?
I need to spend more time on the VPN stuff myself. I don't know the answer to that. I'll have to ask the Goldenorb guys.
Dude4Linux
Posts: 5
Joined: Tue Jun 01, 2021 8:29 am
Has thanked: 0
Been thanked: 2 times

Re: Wireguard on ROOter?

Post by Dude4Linux »

After analyzing the code in /usr/lib/wirequard, I found the desired config file in /www/package/wg.conf and wgconf.tar.gz which are created by conf.sh.
I had to edit the wg.conf file to get my android phone to accept it (lines beginning with '---' need to be commented). Although the phone attempts to connect to the wireguard server there is no response. I have to check to see if the firewall settings are correct.