[Feature request] Replace Wireguard with AmneziaWG

This is my setup of AmneziaWG on GL.iNet MT-3000 router, based on this and this instructinos

Prerequisites:

• A GL.iNet MT-3000 router.
• AmneziaVPN server with configuration.
• Internet access for your router during the setup process.

Summary of Steps:

1. Update GL.iNet MT-3000 Firmware.
2. Install AmneziaWG Packages.
3. Get/generate AmneziaWG Client Configuration.
4. Configure AmneziaWG Interface in LuCI.
5. Create Firewall Rule.
6. Enable "Route Allowed IPs".
7. Verify Connection.

Step 1: Update GL.iNet MT-3000 Firmware

1. Download Firmware: Go to the official GL.iNet download page and download the 4.6.6-op24 firmware for your MT-3000.

2. Install Firmware:

• Access your GL.iNet router's web interface (usually http://192.168.8.1).
• Navigate to System -> Upgrade.
• Upload the downloaded firmware file.
• Important, when prompted, choose to install without saving the old configuration. This ensures a clean slate and avoids potential conflicts.
• Wait for the router to complete the firmware upgrade and reboot.

Step 2: Install AmneziaWG Packages

1. Access LuCI: Once the router has rebooted, log in to the LuCI web interface. (e.g., http://192.168.8.1/cgi-bin/luci).
2. Download AmneziaWG Packages: On your computer, download the following AmneziaWG packages from the Amnezia GL.iNet MT-3000 releases page for firmware version 4.6.6:

• kmod-amneziawg_4.6.6.ipk
• amneziawg-tools_4.6.6.ipk
• luci-proto-amneziawg_4.6.6.ipk

3. Install Packages:

• In LuCI, navigate to System -> Software.
• Click on the Upload Package... button.
• Upload and install each of the three downloaded .ipk files one by one (in order as mentioned above).

Step 3: Get/Generate AmneziaWG Client Configuration

1. Open AmneziaVPN App on your phone:
2. Select "Share" option within the existing connection .
3. Change "Connection format: AmneziaWG native format"
4. Copy Configuration Details, in a text format similar to the example below.

[Interface]
Address = 10.2.2.2/32
DNS = 1.1.1.1, 1.0.0.1
PrivateKey = +a/XXXxXXXXXXXX=
Jc = 1
Jmin = 10
Jmax = 10
S1 = 111
S2 = 111
H1 = 2233232
H2 = 2233232
H3 = 2233232
H4 = 2233232

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXX=
PresharedKey = XXXXXXXXXXXXXXXXXXX2=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = yourAmneziaServer:port
PersistentKeepalive = 25

Step 4: Configure AmneziaWG Interface in LuCI

1. Create New Interface:

• In LuCI, navigate to Network -> Interfaces.
• Click on the Add new interface... button.
• Enter AWG as the Name of the new interface.
• From the Protocol dropdown, select AmneziaWG.
• Click Create interface.

2. Import AmneziaWG Configuration:

• On the next screen, you will be on the Interface: AWG settings page.
• Look for an option to "Import configuration"
• You may need manually define some params

Step 5: Create Firewall Rule

Configure Firewall Zone:

• While still on the Interface: AWG settings page, go to the Firewall Settings tab.
• Create a new firewall zone for the AWG interface. You can name it awg_zone.
• Set the Input, Output, and Forward policies to accept.
• Under Covered networks, ensure that AWG is selected.
• Under Allow forward to destination zones, select wan.
• Under Allow forward from source zones, select lan.
• Click Save.

Step 6: Enable "Route Allowed IPs"

This is a crucial step that was not explicitly clear in the original instructions but was necessary for your setup.

1. Go to Interface Settings: Navigate back to Network -> Interfaces.
2. Edit AWG Interface: Click on Edit next to your AWG interface.
3. Go to Peer Settings: Navigate to the Peers tab within the AWG interface configuration.
4. Check "Route Allowed IPs": Locate the specific peer configuration (the one corresponding to your AmneziaWG server). Check the box next to "Route Allowed IPs."
5. Save & Apply: Click Save at the bottom of the page, and then click Save & Apply to apply all changes.

Step 7: Verify Connection

1. Interface Status: Go to Network -> Interfaces. Your AWG interface should now show as "Up" or "Connected" if the configuration is correct.
2. Test Connectivity:

• Connect a device (e.g., your computer or phone) to your GL.iNet MT-3000's Wi-Fi or LAN.
• Verify your public IP address using a website like whatismyip.com. It should now reflect the IP address of your AmneziaWG server.

Hello,

Nice document!
Welcome to GL.iNet Forum!

Is the link to the "official GL.iNet download page" incorrect?
It should be GL.iNet download center

Thank you!
I bought this model solely for native openwrt firmware to support AmneziaWG.

But does anyone know how to set this up on a GL-AXT1800? I have 2 of these.

Worked, but config import from file not worked! Nice job!!!

Thanks for greeting.

Yes you are right it should be GL.iNet download center

Looks like I can't edit the post

Hello, Bruce!!!
Will this instruction work on the new router state 7?! I want to buy

OK, I edited the correct link.

It seems that these packages only support MT3000 with op24 firmware.

I would get a device that supports native openwrt firmware. But it may be possible to install the package if the Target Platform is supported. You can attempt to compile your own packages using the github action.

In my case for AXT1800 is running on openwrt 21.02 and I believe the minimum openwrt version required is 23.05

AXT1800 v4.8.0, the op version is 23.05.

Any ETA for version 4.9.0?

This version is a bit unstable. I had issues staying connected to wifi. But I may try it on my spare to test to see if I can setup awg

May I know what WiFi issue did you encounter in Slate AX v4.8.0?

Are 2.4GHz and 5GHz WiFi the same SSID? If yes, please change to different.

If no luck, please PM me the WiFi issue syslog.

We are currently working hard for v4.8.0 firmware.

The v4.9.0 is under pre-research, but the expected time is not sure.
It is after all functions are completed to pre-research, and move to develop, then we may estimate the approximate release time.

After installing the packages in step 2, I had to reboot the MT-3000 (Beryl). This step is not mentioned/missing in the guide. Otherwise, the protocol "AmneziaWG VPN" was not selectable / did not appear in the dropdown list for Step 4.1 "Create new interface".

In step 5, I was able to manually enter a firewall zone name like "awg_zone". The web interface did mention "(create)" next to it, but did not offer to configure the zone as mentioned (e.g. for setting Input/Output/Forward to accept). So I had to manually change to Network/Firewall later and modify the corresponding entry.

Then my problem was:
The AWG connection to the peer seems to be OK and working. Checking Status/AmneziaWG I see traffic received and transmitted on the interface including last handshake timestamp. However, I couldn't manage to establish a connection from the laptop (connected via wifi to the MT-3000) to the internet via the AmneziaWG interface. I could not get it working with firmware version 4.6.6 and also not with version 4.7.5, which I tried in addition.

I want to have all LAN/wifi traffic of the MT-3000 exclusively routed via the AmneziaWG interface, without having any traffic bypassing the VPN (for usage in a restricted country).

So -- while I prepared this for a post to ask how to set it up, I managed to configure it (hopefully properly). Please find here some screenshots of the required firewall configuration (based on version 4.7.5):

AND BY THE WAY -- with 4.7.5, LuCI is on port 8080 --> http://192.168.8.1:8080/cgi-bin/luci

image476×499 30.4 KB

HTH somebody else running into the same issue.

Have fun!

Hello, I buy be3600 (state 7 router)!!! How to install amnesiawg on this?!

IMG_23181290×2796 238 KB

Thats work for me

image1084×384 31.2 KB

How did you compile packages for the custom OpenWRT version from official firmware?

@bruce Please, use specifically the latest AmneziaWG 1.5 version, as there were vulnerabilities in the 1.0 which made it susceptible to blocking. This is extremely important, as 1.0 is going to be useless very soon and is already being blocked in a lot of places.

Thanks for the suggestions.
Will forward to PM team.