Running WireGuard on an ASUS router

Prerequisites

  • ASUS RT-AC86U router
  • Merlin Firmware for ASUS installed
  • USB storage device connected to the router
  • Download PuTTY (if running Windows) to connect to your router
  • Subscription at a VPN provider that supports the WireGuard protocol
  • Use a public DNS service, for example Quad9, in your router config, or combine it with a Pi-hole.

Install Entware on the USB storage connected to the router with the command:

entware-setup.sh

Link to Merlin Instructions about this.

Installation of WireGuard

(Instruction and links collected from SmallNetBuilder forum thread combined with my own experiences.)

Download the WireGuard ipk install package and copy it to the USB storage connected to the router.
The file can be found in the first post of the thread linked above. I link to the thread because the link to the file itself is updated regularly when new WireGuard versions are released, so check from time to time for an updated version.

Install WireGuard with the command (the file name depends on the downloaded version):

opkg install wireguard_0.0.20181218-79b5151_aarch64-3.10.ipk

Download your WireGuard config file from your VPN provider.
If you are using Mullvad, download your config file from here.

Create the WireGuard config file with the command below. (Name it as you wish; I used mullvad as the name.)

nano /opt/etc/wireguard/mullvad.conf

Save the information from your VPN provider in this file, but change the layout of the config file a bit:

[Interface]
PrivateKey = **********
#Address = xx.xx.xx.xx
#DNS = xx.xx.xx.xx

[Peer]
Endpoint = xxx.xxx.xxx.xxx:xxxxx
PublicKey = **********
AllowedIPs = 0.0.0.0/0,::0/0
PersistentKeepalive = 25

Remove “Address” and “DNS”, or write # in front of them, to disable those two lines. WireGuard will not start while they are still active.
Add the PersistentKeepalive line at the end.

Another adjustment needed is that the Endpoint IP must be written in the config file before the PublicKey line.
Otherwise you will get the following error message when trying to connect:

Line unrecognized: `PublicKey=*********’
Configuration parsing error
need at least a destination address
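
The three edits described above (disable Address and DNS, put Endpoint ahead of PublicKey, append PersistentKeepalive) can be scripted instead of done by hand in nano. The following is an added example, not part of the original post: the function names are hypothetical, the sample config is constructed, and the output file is created owner-only because it contains the private key.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the sample config is constructed and its keys and addresses are placeholders.

sample_provider_conf() {            # wg-quick style file as a provider ships it
cat <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.99.0.2/32
DNS = 192.0.2.53

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 192.0.2.10:51820
EOF
}

convert_wg_conf() {                 # usage: convert_wg_conf <provider.conf> <output.conf>
    src=$1 dst=$2
    old_umask=$(umask)
    umask 077                       # a newly created output file gets mode 600
    awk '
    function flush_peer(   i) {     # emit the buffered [Peer] section, Endpoint first
        if (!in_peer) return
        print "[Peer]"
        if (endpoint != "") print endpoint
        for (i = 1; i <= n; i++) print buf[i]
        if (!have_ka) print "PersistentKeepalive = 25"
        in_peer = 0; n = 0; endpoint = ""; have_ka = 0
    }
    /^[ \t]*\[/ {                   # any section header closes a pending [Peer]
        flush_peer()
        if ($0 ~ /^[ \t]*\[Peer\]/) { in_peer = 1; next }
        print; next
    }
    /^[ \t]*(Address|DNS)[ \t]*=/ { print "#" $0; next }   # keys wg setconf rejects
    in_peer && /^[ \t]*Endpoint[ \t]*=/ { endpoint = $0; next }
    in_peer && /^[ \t]*PersistentKeepalive[ \t]*=/ { have_ka = 1 }
    in_peer { if ($0 != "") buf[++n] = $0; next }
    { print }
    END { flush_peer() }
    ' "$src" > "$dst"
    rc=$?
    umask "$old_umask"
    return $rc
}
```

If the output file already exists, the redirect keeps its old permissions, so check it with ls -l and chmod 600 it if needed.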

Continue the installation by editing the WireGuard client config file:

nano /opt/etc/init.d/S50wireguard

Add the local IP address given in the config file from your VPN provider after “export LocalIP=” (no space after the equals sign):

#client
export LocalIP=xxx.xxx.xxx.xxx

Now edit the wg-up config file:

nano /opt/etc/wireguard/wg-up

and replace:

wg setconf wg0 /opt/etc/wireguard/wg0.conf
with (use whatever name you gave your config file above):
wg setconf wg0 /opt/etc/wireguard/mullvad.conf

Additional DNS config settings

Because the DNS configuration from the WireGuard config file cannot be used in this setup, it is important that you use an alternative DNS server in your router settings.
As mentioned under Prerequisites, you can use Quad9 or a Pi-hole setup for this. That way your DNS queries do not leak to the DNS servers of your ISP.

Installation and configuration finished

Now you can start the WireGuard connection with the following command:

/opt/etc/init.d/S50wireguard start

If you have everything configured correctly, you should not get any error message. 🙂
All your devices on your home network are now routed through your WireGuard VPN connection to the internet.

To check your active WireGuard connection, just type “wg” as a command.

This should bring up information similar to what is shown below.

interface: wg0
public key: **********
private key: (hidden)
listening port: xxxxx

peer: **********
endpoint: xxx.xxx.xxx.xxx:xxxxx
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 second ago
transfer: 794.16 MiB received, 436.97 MiB sent
persistent keepalive: every 25 seconds
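
Because every device on the home network depends on this tunnel, the “latest handshake” value is worth checking automatically as well as by eye. The following is an added example, not part of the original post: it reads the output of `wg show wg0 latest-handshakes` and lists peers whose last handshake is missing or too old. The function name, the 180-second default and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. stale_peers is a hypothetical
# helper; the 180-second default threshold is an assumption.
# Input on stdin: output of `wg show wg0 latest-handshakes`, one line per peer:
#   <peer public key><TAB><unix time of last handshake>
# The time is 0 when no handshake has completed yet.

stale_peers() {   # usage: wg show wg0 latest-handshakes | stale_peers [max_age] [now]
    max_age=${1:-180}
    now=${2:-$(date +%s)}
    awk -v max="$max_age" -v now="$now" '
        NF == 2 {
            if ($2 == 0)             { print $1 "\tnever";             bad = 1 }
            else if (now - $2 > max) { print $1 "\t" (now - $2) "s";   bad = 1 }
        }
        END { exit bad + 0 }         # non-zero exit: at least one stale peer
    '
}

# Constructed sample with placeholder keys, meant to be read at now=1553430000:
# peer A shook hands 10 s ago, peer B 10000 s ago, peer C never.
sample_handshakes() {
    printf 'PLACEHOLDER_PEER_A\t1553429990\n'
    printf 'PLACEHOLDER_PEER_B\t1553420000\n'
    printf 'PLACEHOLDER_PEER_C\t0\n'
}
```

Run from a scheduled job on the router, a non-zero exit status can trigger a log entry or a restart of the tunnel.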

Double check your external IP address and DNS info by visiting:

To shut down your WireGuard connection, log in to the router and type:

/opt/etc/init.d/S50wireguard stop

Speed achievements

After finishing the installation, I’m getting at times over 600 Mbit/s transfer speed with the setup described above, using Mullvad’s WireGuard servers in Stockholm/Sweden. WireGuard version 0.0.20190123.

Connecting to host speedtest.serverius.net, port 5002
[  5] local 10.99.xx.xx port 57217 connected to 178.21.16.76 port 5002
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec  54.4 MBytes   451 Mbits/sec    0   2.71 MBytes
[  5]   1.01-2.00   sec  73.6 MBytes   623 Mbits/sec    0   2.72 MBytes
[  5]   2.00-3.01   sec  77.5 MBytes   649 Mbits/sec    0   2.72 MBytes
[  5]   3.01-4.00   sec  76.2 MBytes   643 Mbits/sec    0   2.72 MBytes
[  5]   4.00-5.00   sec  76.2 MBytes   637 Mbits/sec    0   2.72 MBytes
[  5]   5.00-6.00   sec  69.5 MBytes   584 Mbits/sec    3   2.00 MBytes
[  5]   6.00-7.00   sec  63.8 MBytes   534 Mbits/sec    5   1.52 MBytes
[  5]   7.00-8.01   sec  47.6 MBytes   396 Mbits/sec    1   1.14 MBytes
[  5]   8.01-9.01   sec  41.0 MBytes   343 Mbits/sec    0   1.21 MBytes
[  5]   9.01-10.01  sec  44.8 MBytes   376 Mbits/sec    0   1.26 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   625 MBytes   523 Mbits/sec    9             sender
[  5]   0.00-10.01  sec   623 MBytes   522 Mbits/sec                  receiver

iperf Done.

Latest update of this article: 2019-03-24

5 responses to “Running WireGuard on an ASUS router”

  1. Thanks for the tutorial. When trying to list the most recent wireguard package using the following command “opkg list wireguard*” I get no hits.

    Could you please tell me if there is a different way to obtain the latest wireguard ipk file?

    For the record, I first installed Entware using as mentioned in step 1.

    Thanks,
    Marc

    1. Link to the Google Drive (on SNB Forums) is working and has the latest WireGuard ipk file.
      Thanks.

  2. Can I simply say what a relief to find someone who actually knows what they’re discussing over the internet. You certainly understand how to bring a problem to light and make it important. More people really need to look at this and understand this side of your story. I can’t believe you’re not more popular given that you certainly have the gift.

  3. Many thanks as well.
    Would you share with us the throughput of the connection? I mean for a 1Gbps line 600Mbps is still about ~40% short, right? Plus, it would not match IPSECs throughput, from what I read elsewhere.
    Thanks.

    1. Yes my internet line at that point was 1 Gbps from my ISP. In reality my internet speed was about 860 to 950 Mbps up or down, depending on the time at the date.
      You see some of the results also in one of the other VPN tests I did in the past.
