This guide details configuring WireGuard on an Asuswrt-Merlin router to tunnel all traffic through Norton Secure VPN. It focuses on a setup achieving full tunnel functionality.
Prerequisites:
Asuswrt-Merlin router (with SSH access enabled).
Norton Secure VPN subscription.
Basic understanding of SSH and the command-line interface.
Norton Secure VPN does not officially support WireGuard. This guide outlines a workaround by leveraging third-party services that provide WireGuard configurations based on Norton's VPN server network.
Research and select a reliable third-party service that generates WireGuard configurations compatible with Norton Secure VPN servers. Exercise extreme caution when choosing a provider and ensure they have a strong privacy policy.
Download the generated WireGuard configuration file (.conf).
Install WireGuard: Access your router via SSH and install WireGuard using the following command:
opkg update && opkg install wireguard-tools
Create the WireGuard Interface: Use a text editor (e.g., vi or nano) to create a new WireGuard configuration file:
vi /etc/wireguard/wg0.conf
Paste and Modify Configuration: Open the downloaded .conf file and paste its contents into /etc/wireguard/wg0.conf. Modify the following settings as needed:
PrivateKey: Keep the generated private key.
Address: The IP address assigned to your WireGuard interface.
DNS: Set to a public DNS server (e.g., 1.1.1.1, 8.8.8.8).
Endpoint: The VPN server's IP address and port.
AllowedIPs: Typically set to 0.0.0.0/0 to route all traffic.
Bring Up the Interface: Activate the WireGuard interface:
wg-quick up wg0
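Configure Routing: Add the following PostUp and PostDown commands to the [Interface] section of /etc/wireguard/wg0.conf to manipulate the routing table. wg-quick runs the PostUp commands after bringing the interface up and the PostDown commands after taking it down.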
PostUp = ip route add default dev wg0 table 51823
PostUp = ip rule add fwmark 51823 table 51823
PostUp = ip rule add iif lo table 51823
PostDown = ip route del default dev wg0 table 51823
PostDown = ip rule del fwmark 51823 table 51823
PostDown = ip rule del iif lo table 51823
Configure Firewall (nftables): Create a new file /jffs/scripts/firewall.post with the following content:
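#!/bin/sh
# Create the table and an output-hook chain. The braces are quoted so the shell
# passes them to nft instead of treating ";" as a command separator.
nft add table filter
nft add chain filter wan_out '{ type filter hook output priority 0; policy accept; }'
# Set conntrack mark 51823 on traffic leaving via eth0, then count those packets.
nft add rule filter wan_out oifname "eth0" ct mark set 51823
nft add rule filter wan_out oifname "eth0" counter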
Make it executable:
chmod +x /jffs/scripts/firewall.post
Enable JFFS partition: If not already enabled, enable the JFFS partition under Administration -> System -> Enable JFFS custom scripts and configs. Reboot the router.
Check Interface Status: Verify the WireGuard interface is active:
wg show wg0
IP Address: Confirm your public IP address has changed using a website like ipinfo.io.
DNS Leak Test: Perform a DNS leak test to ensure your DNS queries are routed through the VPN.
Third-Party Dependency: Relying on third-party services introduces a security risk. Thoroughly vet the provider.
Performance: WireGuard performance may vary based on server location and network conditions.
Router Reboot: Ensure WireGuard automatically starts after a router reboot by adding the wg-quick up wg0 command to a suitable startup script (e.g., /jffs/scripts/init-start).
Policy changes: Norton Secure VPN may actively block third-party configurations.
Privacy: Understand the logging policies of the third-party WireGuard configuration provider.
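Vetting the provider does not cover the file it hands you: wg-quick runs any PreUp, PostUp, PreDown or PostDown value in a .conf as a shell command with root privileges. The following added example (not part of the original guide) audits a downloaded file for such hooks, for loose permissions and for missing full-tunnel settings; the function names, finding labels and sample config are constructed for illustration.

```shell
# Added example, not from the original guide: prints one finding per line,
# returns 0 when the file is clean and 1 when something needs review.
audit_wg_conf() {
    findings=$( {
        # The file holds PrivateKey, so only its owner should be able to read it.
        case $(ls -ln "$1") in
            (-???------*) ;; (*) echo "PERMS not a regular file private to its owner" ;;
        esac
        awk '
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }  # drop comments, trim
            $0 == "" { next }
            /^\[/ { section = tolower($0); next }
            {
                eq = index($0, "="); if (!eq) next
                key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
                val = substr($0, eq + 1); sub(/^[ \t]+/, "", val)
            }
            # wg-quick executes these values as shell commands, as root.
            key ~ /^(preup|postup|predown|postdown)$/ { print "HOOK line " NR ": " val; next }
            section == "[interface]" && key == "privatekey" { have_key = 1 }
            section == "[peer]" && key == "endpoint" { have_ep = 1 }
            section == "[peer]" && key == "allowedips" {
                n = split(val, nets, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) if (nets[i] == "0.0.0.0/0") full = 1
            }
            END {
                if (!have_key) print "MISSING PrivateKey in [Interface]"
                if (!have_ep)  print "MISSING Endpoint in [Peer]"
                if (!full)     print "NOT-FULL-TUNNEL AllowedIPs lacks 0.0.0.0/0"
            }' "$1"
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

# Constructed sample: placeholder keys, documentation-range endpoint, one hook.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.0.2/32
PostUp = sh /tmp/setup.sh
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
EOF
}
if [ $# -gt 0 ]; then audit_wg_conf "$1"; fi
```

Run it with the path of the downloaded .conf as its argument before pasting the contents into /etc/wireguard/wg0.conf. The PostUp and PostDown lines from the routing step will also be listed as HOOK findings if you run it again afterwards, which is expected.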
Checklist:
Installed WireGuard on Asuswrt-Merlin.
Obtained WireGuard configuration from a trusted source.
Configured the WireGuard interface (wg0.conf).
Verified the WireGuard connection and IP address.
Tested for DNS leaks.
Implemented auto-start on boot.
Configured routing and firewall rules.