WireGuard

Shinzu
DD-WRT Novice


Joined: 29 Jul 2018
Posts: 4

Posted: Fri Aug 03, 2018 12:47
ok, thanks

I tried a bit and got it also working on a Kong build, though it is a bit hacky and you cannot edit the settings via the web UI, but that is not so important for me.

Would be nice if Kong would consider also including this in his builds, but this is up to Kong :)

Besides a lib and the wireguard module/binary, the Kong build already has all needed libs/modules/scripts. I extracted them from one of Brainslayer's builds and added them via scp.

If someone is interested I can write a short howto.
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

Posted: Thu Aug 09, 2018 15:11
Shinzu wrote:
If someone is interested I can write a short howto.


Sure, can be handy for someone :)

_________________
TP-Link TL-WDR3600 v1 [EU]: r36330 (07/16/18 )
D-Link DIR-615 D2 [EU]: r36330 (07/16/18 )
Mikrotik RB750r2 (OpenWrt 17.01.4)
EE BrightBox 1 aka A4001N (OpenWrt 17.01.4)
Sagemcom FAST@5364 (VDSL2,FTTC (Fibre to the Cabinet) Synced 65/17

Twitter: @francisuk1989
---------------------------------
Found a bug? Report it http://svn.dd-wrt.com
DD-WRT Official FB Group: https://www.facebook.com/groups/493762527744455
VTecheira
DD-WRT User


Joined: 17 Sep 2014
Posts: 56

Posted: Tue Aug 21, 2018 13:18
I've been trying to get this working but I'm stuck. Please offer some insight if you can. I've been running Kong 36000M for some time and it seems that the wg binaries simply aren't there and I don't see them in opkg.

I did try the latest BS build (36596) which at least did have the wg binary but I also ran into issues there.

First I tried to follow the wireguard instructions verbatim with
Code:
 ip link add dev wg0 type wireguard
but got a response of
Code:
ip: RTNETLINK answers: Not supported
with the BusyBox ip command and the full one from Kong's opkg.

Assuming that the oet1 tunnel I set on the Tunnels tab of networking was what I needed, I then tried to do the config.
Code:
wg setconf wg0 myconfig.conf


I got an error parsing configuration, even though this is the same config file that I used on my android device that worked fine.
Code:
[Interface]
PrivateKey = MYPRIVATEKEY=
Address = 10.XX.XX.XX/32
DNS =  172.XX.XX.XX

[Peer]
PublicKey = MYPUBLICKEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XX.XX.XX.XX:51820


I also tried manually setting the configuration with setconf but also failed. The command is below with the personal info masked.
Code:
wg set oet1 listen-port 51820 private-key MYPRIVATEKEY= peer MYPUBLICKEY= allowed-ips 0.0.0.0/0, ::/0 endpoint XX.XX.XX.XX:51820


Please advise, I'd really like to get this working.

As an aside, Kong, does anyone do Mega builds anymore? I know I usually use yours, but even for BS I've only seen one version of the FW lately. I reverted back to 36000M since I seemed to be having wireless drops with the latest BS build. I'm going to try Kong's 36440 to see if I have better luck there.
quarkysg
DD-WRT User


Joined: 03 May 2015
Posts: 323

Posted: Tue Aug 21, 2018 14:30
VTecheira wrote:
I've been trying to get this working but I'm stuck. Please offer some insight if you can. I've been running Kong 36000M for some time and it seems that the wg binaries simply aren't there and I don't see them in opkg.

I did try the latest BS build (36596) which at least did have the wg binary but I also ran into issues there.

First I tried to follow the wireguard instructions verbatim with
Code:
 ip link add dev wg0 type wireguard
but got a response of
Code:
ip: RTNETLINK answers: Not supported
with the BusyBox ip command and the full one from Kong's opkg.


Type this command before you run any other wireguard related commands:

Code:
modprobe wireguard


The wireguard kernel module has to be loaded before you can create a wireguard interface. You can also use the GUI to add a wireguard tunnel interface, and it'll automatically load the kernel module.

HTH.
VTecheira
DD-WRT User


Joined: 17 Sep 2014
Posts: 56

Posted: Wed Aug 22, 2018 15:57
Thanks for the assist quarky, that helped me progress and learn a lot, but I feel like I'm missing a key point, i.e. how do I install wireguard on the Kong builds?

I tried pulling the openwrt sources found in the distfeeds.conf, and was able to get the modules in opkg. I had to install them (kmod-wireguard, wireguard, wireguard-tools) with '--force-depends' but no luck. For whatever reason I couldn't get the module loaded, though I have tried several variations.

Code:
root@nile:/opt/lib/modules/4.4.14# modprobe kmod-wireguard
modprobe: module kmod-wireguard not found
modprobe: failed to load module kmod-wireguard: No such file or directory
root@nile:/opt/lib/modules/4.4.14# ls
wireguard.ko
root@nile:/opt/lib/modules/4.4.14# modprobe wireguard
modprobe: module wireguard not found
modprobe: failed to load module wireguard: No such file or directory

Code:
root@nile:/opt/lib/modules# insmod -v /opt/lib/modules/4.4.14/wireguard.ko
Using /opt/lib/modules/4.4.14/wireguard.ko
insmod: cannot insert '/opt/lib/modules/4.4.14/wireguard.ko': unknown symbol in module

Code:
root@nile:/opt/lib/modules/4.4.14# modprobe /opt/lib/modules/4.4.14/wireguard
modprobe: module /opt/lib/modules/4.4.14/wireguard not found
modprobe: failed to load module /opt/lib/modules/4.4.14/wireguard: No such file or directory

Code:
root@nile:/opt/lib/modules/4.4.14# modprobe /opt/lib/modules/4.4.14/wireguard.ko
modprobe: module /opt/lib/modules/4.4.14/wireguard.ko not found
modprobe: failed to load module /opt/lib/modules/4.4.14/wireguard.ko: No such file or directory


Later tonight, I'll try the latest BS build again after the kiddos go to bed. Although I'm hesitant to do it, since for the brief time I ran it I had quite a few wireless disconnects, but I didn't really investigate that.
VTecheira
DD-WRT User


Joined: 17 Sep 2014
Posts: 56

Posted: Thu Aug 23, 2018 10:58
I think I'm getting there, but now my main challenge is I'm getting hung/confused on how to set my routes.

Here's my conf
Code:
[Interface]
PrivateKey = PRIVATEKEY=
ListenPort = 51820

[Peer]
PublicKey = PUBLICKEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 66.XX.XX.194:51820


And here are my commands
Code:
ip link add dev wg0 type wireguard
ip address add dev wg0 10.19.49.101/24
wg setconf wg0 myconfig.conf
ip link set up dev wg0

iptables -I INPUT -i wg0 -j ACCEPT
iptables -I OUTPUT -o wg0 -j ACCEPT
iptables -I FORWARD -i wg0 -j ACCEPT
iptables -I FORWARD -o wg0 -j ACCEPT   

route add -net 10.19.49.101/24 gw 66.XX.XX.194

Results
Code:
root@nile:/opt/wireguard# route add -net 10.19.49.0/24 gw 66.XX.XX.194
route: ioctl 0x890b failed: Network unreachable


I'm sure I'm missing something simple (networking is my weak point); any last bit of guidance to get me over the hurdle?

I'm also going to have to deal with the fact that I'm doing iPhone tethering (so I'm essentially double NATed), but I'll deal with that afterwards.
quarkysg
DD-WRT User


Joined: 03 May 2015
Posts: 323

Posted: Thu Aug 23, 2018 12:14
VTecheira wrote:

route add -net 10.19.49.101/24 gw 66.XX.XX.194


This is incorrect. Replace with:

Code:
ip route add 10.19.49.0/24 dev wg0


Also, iptables rule for the OUTPUT chain is not needed, unless you added a drop all rule there.

HTH.
Shinzu
DD-WRT Novice


Joined: 29 Jul 2018
Posts: 4

Posted: Thu Aug 23, 2018 19:02    Post subject: Mini Howto Wireguard on Kong build
hi,

here is a small howto to get wireguard working on a Kong build; this is a bit hacky but works well so far for me:

1. Extract some files out of a brainslayer build:

I'm using firmware-mod-kit from https://github.com/rampageX/firmware-mod-kit here

Code:
git clone https://github.com/rampageX/firmware-mod-kit.git



get the DD-WRT build from BS (choose a build with a similar kernel)
Code:

 wget ftp://ftp.dd-wrt.com/betas/2018/<version>/netgear-r7000/netgear-r7000-webflash.bin


extract fw
Code:

./extract-firmware.sh netgear-r7000-webflash.bin netgear-r7000/


get the following files out of the extracted fw:

Code:

-rw-r--r-- 1 shinz 197609  12459 Aug  1 22:31 libmnl.so
-rw-r--r-- 1 shinz 197609  12459 Aug  1 22:31 libmnl.so.0
-rw-r--r-- 1 shinz 197609  12459 Aug  1 22:31 libmnl.so.0.2.0
-rw-r--r-- 1 shinz 197609  46591 Aug  1 22:31 wg
-rw-r--r-- 1 shinz 197609 106500 Aug  1 22:32 wireguard.ko



they are in the following dirs:

netgear-r7000/rootfs/usr/lib/
netgear-r7000/rootfs/usr/bin/
netgear-r7000/rootfs/lib/modules/<kernel version>/wireguard.ko

2. place the files in the corresponding paths on your device:

since I have JFFS with opkg active, I place them in the following dirs so that they are in PATH and LD_LIBRARY_PATH:

the wg binary I placed in /opt/bin
libmnl.so* I placed in /opt/lib
wireguard.ko you can place wherever you want; I chose /jffs/lib/modules/4.4.144/wireguard.ko

3. edit /etc/config/eop-tunnel.startup (/etc/ is also on JFFS):

https://svn.dd-wrt.com/browser/src/router/eop-tunnel/eop-tunnel.startup#L27 replace here "wireguard" with the location where you put the .ko file, in my case:

insmod /jffs/lib/modules/4.4.144/wireguard.ko

4. create the nvram config; I use a small script here (I tried to add some comments to make clear what is set)

Code:

root@dd-wrt ~ # cat wireguard.sh
#!/bin/sh
#
echo "Write variables"

# number of tunnels, in my case only 1
nvram set oet_tunnels="1"
# if you want to use a preshared key set 1
nvram set oet1_usepsk0="0"
nvram set oet1_txq="1"
nvram set oet1_shaper="0"
nvram set oet1_rem0="0.0.0.0"
nvram set oet1_rem="192.168.90.1"
# pub key of local endpoint
nvram set oet1_public="<pub key>"
nvram set oet1_pt="0"
# set here the pre shared key if you want to use one
nvram set oet1_psk0=""
# proto 2 is wireguard
nvram set oet1_proto="2"
# private key of local endpoint
nvram set oet1_private="<priv key>"
# public port where wireguard tunnel is reachable
nvram set oet1_port="51821"
# number of peers
nvram set oet1_peers="1"
nvram set oet1_peerport0="51280"
nvram set oet1_peerkey0="<pub key of the 1st peer>"
# netmask of the wireguard network
nvram set oet1_netmask="255.255.255.0"
nvram set oet1_nat="1"
nvram set oet1_multicast="0"
nvram set oet1_mtu="1500"
nvram set oet1_mssfix="0"
nvram set oet1_local="0.0.0.0"
nvram set oet1_ka0="0"
nvram set oet1_isolation="0"
# ipaddress of the endpoint on the dd-wrt device
nvram set oet1_ipaddr="10.200.100.1"
nvram set oet1_id="1"
nvram set oet1_hwaddr="00:00:00:00:00:00"
nvram set oet1_fragment="0"
nvram set oet1_endpoint0="0"
# for now leave the tunnel disabled
nvram set oet1_en="0"
nvram set oet1_dns_redirect="0"
nvram set oet1_dns_ipaddr="0.0.0.0"
nvram set oet1_comp="0"
# set bridge to 0 otherwise the iptables rules are not added
nvram set oet1_bridged="0"
# ipaddress of the peer
nvram set oet1_aip0="10.200.100.2/32"

# Commit variables
echo "Save variables to nvram"
nvram commit



execute the script to set the values

5. enable the tunnel and execute /etc/config/eop-tunnel.startup and /etc/config/eop-tunnel.firewall

Code:

nvram set oet1_en="1"
/etc/config/eop-tunnel.startup
/etc/config/eop-tunnel.firewall


6. confirm tunnel is up and firewall rules are added

Code:

root@dd-wrt ~ # wg show
interface: oet1
  public key: < pub key >
  private key: (hidden)
  listening port: 51821

peer: < peer pub key >
  endpoint:
  allowed ips: 10.200.100.2/32


Code:

root@dd-wrt ~ # iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1206 93307 ACCEPT     0    --  oet1   *       0.0.0.0/0            0.0.0.0/0
58730 7387K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51821
....

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12562 6258K ACCEPT     0    --  *      oet1    0.0.0.0/0            0.0.0.0/0
53946 3442K ACCEPT     0    --  oet1   *       0.0.0.0/0            0.0.0.0/0
....


Code:

root@dd-wrt ~ # ip r
...
10.200.100.0/24 dev oet1 scope link  src 10.200.100.1
...


7. disable the tunnel in the nvram, so it does not get started on a reboot

I do this so that on a reboot the scripts are not executed in case something is wrong

the tunnel is still up until the next reboot

Code:

nvram set oet1_en="0"


I hope that this guide is helpful

greetings
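As an added example (not Shinzu's script and not DD-WRT's own code), this Python takes a client-style WireGuard config like the one posted earlier in the thread and produces the `nvram set` lines the howto uses, refusing a peer address that lies outside the tunnel subnet (the same-subnet requirement ak00 reports later in the thread). The oetN_* variable names are the ones in the script above; that oetN_rem<i>/oetN_peerport<i> carry peer i's Endpoint host and port is my assumption, and the sample config is constructed with placeholder keys.

```python
import ipaddress

# Constructed sample client config: placeholder keys, documentation-range endpoint.
SAMPLE_CONF = """[Interface]
PrivateKey = PRIVATEKEY_PLACEHOLDER=
ListenPort = 51820
[Peer]
PublicKey = PEERKEY_PLACEHOLDER=
AllowedIPs = 10.200.100.2/32
Endpoint = 203.0.113.10:51820
"""

def parse_wg_conf(text):
    """Parse [Interface]/[Peer] text; values stay verbatim (base64 keys end in '=')."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = conf["Interface"]
        elif line == "[Peer]":
            current = {}
            conf["Peer"].append(current)
        elif line and current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            current[key.strip()] = value.strip()
        elif line:
            raise ValueError("malformed line: " + raw)
    return conf

def to_nvram(conf, tunnel_ip, netmask, tunnel=1):
    """Emit the nvram set lines for one tunnel, using the oetN_* names from the howto."""
    iface, peers, p = conf["Interface"], conf["Peer"], f"oet{tunnel}_"
    net = ipaddress.ip_network(f"{tunnel_ip}/{netmask}", strict=False)
    lines = [f'nvram set oet_tunnels="{tunnel}"',
             f'nvram set {p}proto="2"',    # proto 2 is WireGuard
             f'nvram set {p}bridged="0"',  # with bridged=1 the firewall rules are not added
             f'nvram set {p}private="{iface["PrivateKey"]}"',
             f'nvram set {p}port="{iface.get("ListenPort", "51820")}"',
             f'nvram set {p}ipaddr="{tunnel_ip}"',
             f'nvram set {p}netmask="{netmask}"',
             f'nvram set {p}peers="{len(peers)}"']
    for i, peer in enumerate(peers):
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        aips = [a.strip() for a in peer["AllowedIPs"].split(",")]
        for a in aips:  # a single-host allowed-ip must lie inside the tunnel subnet
            n = ipaddress.ip_network(a, strict=False)
            if n.prefixlen == n.max_prefixlen and n.network_address not in net:
                raise ValueError(f"peer {i}: {a} is outside the tunnel subnet {net}")
        # Assumption: oetN_rem<i>/peerport<i> hold peer i's Endpoint host and port.
        lines += [f'nvram set {p}peerkey{i}="{peer["PublicKey"]}"',
                  f'nvram set {p}rem{i}="{host or "0.0.0.0"}"',
                  f'nvram set {p}peerport{i}="{port or "51820"}"',
                  f'nvram set {p}aip{i}="{",".join(aips)}"']
    return lines + [f'nvram set {p}en="0"', "nvram commit"]  # stay disabled until wg show checks out
```

The tunnel stays disabled (oet1_en=0) on purpose, matching step 7: enable it by hand only after `wg show` and `iptables -L -nv` look right.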
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

Posted: Mon Sep 17, 2018 5:13
You don't need to set this via commands, as you can set it in the GUI at 192.168.1.1 under Setup > Tunnels.

This is a typical screenshot showing how to connect for VPN/VPS/dedicated usage, using 185.84.6.1 as an example, but if I open SSH on my home router I can traceroute and ping OK, whereas the clients on 192.168.1.1-192.168.1.254 aren't sending traffic to the VPN and only send traffic to the WAN.

DD-WRT v3.0-r36808M (36808M build)

root@HomeRouter:~# wg
interface: oet1
public key: XXXXXXXXXXXXXXXXXXXX
private key: (hidden)
listening port: 51840

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
endpoint: 185.84.6.1:51841
allowed ips: 0.0.0.0/0
latest handshake: 6 seconds ago
transfer: 184 B received, 668 B sent
persistent keepalive: every 25 seconds



Last edited by liverpoolatnight on Thu Sep 20, 2018 5:21; edited 3 times in total
ak00
DD-WRT Novice


Joined: 12 Nov 2017
Posts: 7

Posted: Mon Sep 17, 2018 21:59
Holy crap it works!!

So in all fairness - my first attempt borked my router and it went offline (because I thought I had to manually edit the firewall iptables). So simply hard reset and loaded the config before I started this process.

The only thing I had to do differently than your example was that the router and peer needed to be on the same subnet. So a /30 worked perfectly.

Next question: Anyone know how to add a manual route table to an android device?

Thanks so much - that screenshot needs to be on the Wiki.


Last edited by ak00 on Wed Sep 19, 2018 1:10; edited 2 times in total
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

Posted: Wed Sep 19, 2018 0:46
ak00 wrote:
So no need to modify the firewall iptables?


That's the issue: now I can't send my traffic over the office VPN, but I can traceroute, ping etc. via SSH commands to the office VPN and office VPN > Home

Shinzu wrote:
I set it via nvram set oet1_bridged=0 and the rules are added


Open PuTTY SSH and execute:

Quote:
nvram set oet1_bridged="0"
nvram commit
reboot


but this didn't work for me, as it is still sending the traffic over to the WAN and not the WG office VPN; however it may work on some other devices.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1135225

ak00
DD-WRT Novice


Joined: 12 Nov 2017
Posts: 7

Posted: Wed Sep 19, 2018 17:42
Looks like new build - 09/19/2018 - r36995 - included some wireguard updates....
Shinzu
DD-WRT Novice


Joined: 29 Jul 2018
Posts: 4

Posted: Tue Sep 25, 2018 12:12
liverpoolatnight wrote:
You don't need to set this via commands, as you can set it in the GUI at 192.168.1.1 under Setup > Tunnels.

...


to be clear: my mini howto is about enabling wireguard on Kong builds; in this build wireguard is not included
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

Posted: Tue Sep 25, 2018 20:09
Shinzu wrote:
to be clear: my mini howto is about enabling wireguard on Kong builds; in this build wireguard is not included


Yeah, that's correct, some builds don't have this GUI, but I asked BS to include this on the TP-Link TL-WDR3600 v1 model (builds after 36154); however he WON'T enable it on 4MB flash chips though.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Tue Sep 25, 2018 21:01
liverpoolatnight wrote:
Shinzu wrote:
to be clear: my mini howto is about enabling wireguard on Kong builds; in this build wireguard is not included


Yeah, that's correct, some builds don't have this GUI, but I asked BS to include this on the TP-Link TL-WDR3600 v1 model (builds after 36154); however he WON'T enable it on 4MB flash chips though.


There's so much crap missing or broken on builds for older devices and it just seems that it's either never dealt with or you might get lucky and it gets fixed within a (few) month(s). Can't really test features that aren't in the build....