WireGuard VPN client running on DDWRT

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
ersterhernd
DD-WRT Novice


Joined: 30 Dec 2018
Posts: 5

PostPosted: Sat Jan 05, 2019 17:50    Post subject: WireGuard VPN client running on DDWRT Reply with quote
Hello,

I have posted this information as an additional resource to the two following threads:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318016&sid=532d73d9879b44d65b74ca35deecca61

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&start=30&sid=52d6e075fb31df770da602e0ee487bcc

Special thanks to @Shinzu and @Pandora-Box for their posts.

I have WireGuard server running on a VPS in the USA, and 2 DDWRT routers, ASUS RT-AC68U and Netgear R7000 running as WireGuard clients on the latest Kong firmware (Sept 23/18). Many devices are using the VPN, including Chromecast, Roku, Google Home Mini, several MacOS machines, Samsung Tablets and Samsung Phones. The setup has been rock stable for several days now. The WG client routers are each on their own separate LAN subnet. My main router is also an R7000 running a recent Kong firmware, but minus the WG client software. I previously used Algo VPN client software, which was terrific and first introduced me to WireGuard last summer when TrailofBits included it in their Algo install scripts.

Server Setup

I run the minimum IPV4 instance available at Vultr. Its 20gb/1vcpu/512mb/500GB combo @ 3.50 per month is a winner. We're on 50mbit DSL about 150km from the server, we get no speed loss or packet loss whatsoever running through the WG server at such a close distance. There is zero speed/ping difference between the VPN connection and our regular ISP connection. I keep a WG base install (with all security settings in place) backup up as a snapshot, so destroying and redeploying a WG server instance is literally a 5 minute operation. At home, a couple of IP changes in the router NVRAM and everything is back up really quickly. I like that.

Just like @Pandora-Box, my WireGuard server setup was done by following the guide on the following site:

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/



DDWRT WG Client Setup

I've been running DDWRT for over a decade, and am partial to the Kong builds. I purchase my routers based on compatibility with his releases. After reading Shinzu's post about modding the Kong firmware via the commandline to run WireGuard, I went out and purchased two compatible routers on a Boxing Day sale. I didn't want to risk compromising my main R7000, as I knew this could be a challenging and time consuming venture before all was running to plan. Besides that, I wanted WireGuard on separate deeper subnets anyway, not directly facing the internet.

The fresh out-of-the-box Netgear R7000 was chosen first for the operating table. I saw the @liverpoolatnight post on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&postdays=0&postorder=asc&start=30 (Thanks!) and noticed the 'WireGuard' option in a pulldown menu portion of the graphic that he included in the post. I decided (like @Pandora-Box) that installing the BS firmware would allow me to grab the required WG files and nvram settings directly off the router before reinstalling DDWRT with a Kong build. I kept a list of steps as I went through the process. This list may seem redundant for experienced users, but I wrote is so as even a newcomer to DDWRT may find this useful.


Netgear R7000 Wireguard Client Installation

1. Install BrainSlayer r37860 first
2. Mount /JFFS to USB storage and share it via Samba
3. Moved all required files (as per Shinzu's post) to /JFFS and grab with MacOS
4. Copiy all oet1 settings from nvram to a text file in MacOS
5. Save all files in a secure location for later use

Install Kong DDWRT on R7000

1. Flash dd-wrt.K3_R7000.chk from http://www.desipro.de/ddwrt/K3-AC-Arm/
2. Enable SSH and set RSA Authorized Key
3. SSH into root@192.168.1.1 and 'erase nvram' / Reboot
4. Flash dd-wrt.v24-K3_AC_ARM_STD.bin from http://www.desipro.de/ddwrt/K3-AC-Arm/
5. Reboot / Enable SSH / Set RSA Authorized Key
6. SSH into root@192.168.1.1 and 'erase nvram' / Reboot
7. Set up WiFi / Enable SSH / Set RSA Authorized Key

Create Linux USB Stick for external storage

1. Use a small USB stick <= 8GB
2. Follow instructions at:
https://wiki.dd-wrt.com/wiki/index.php/How_to_-_Format_and_Partition_External_Storage_Device
(Make sure to include the JFFS partition on the USB)
3. Plug USB into R7000
4. Services/USB -
enable Core USB Support / enable USB Storage Support / enable Automatic Drive Mount
5. Disk Info - /opt and swap should now both be mounted
6. Administration/JFFS2 Support - enable Internal Flash Storage / enable Clean Internal Flash Storage
7. Reboot R7000

Required Software Installation

1. SSH into R7000
2. Install Entware -
cd /opt
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh
sh generic.sh
3. Install Nano - opkg install nano
4. Install SFTP - opkg install openssh-sftp-server
5. Test SFTP - sftp root@192.168.1.1 (SSH Authorized Key must be properly configured)

Install Wireguard Binaries & Scripts
(Please note that all Supporting Code for scripts/firewall is at the end of this post)

1. Use SSH connected to ddwrt
cd /opt/etc
mkdir wireguard
cd /jffs/etc
mkdir config
mkdir wireguard
2. Use sftp connected to ddwrt as in (5) above (using binaries stored on local filesystem)
put <local binaries folder>/wg /opt/bin/wg
put <local binaries folder>/libmnl.so /opt/lib/libmnl.so
put <local binaries folder>/libmnl.so.0 /opt/lib/libmnl.so.0
put <local binaries folder>/libmnl.so.0.2.0 /opt/lib/libmnl.so.0.2.0
put <local binaries folder>/wireguard.ko /opt/etc/wireguard/wireguard.ko
put <local binaries folder>/eop-tunnel.firewall
put <local binaries folder>/eop-tunnel.startup /jffs/etc/config/eop-tunnel.startup
put <local binaries folder>/wireguard-init.sh /jffs/etc/wireguard/wireguard-init.sh
put <local binaries folder>/wireguard-nvram.sh /jffs/etc/wireguard/wireguard-nvram.sh
put <local binaries folder>/wireguard-firewall.txt /jffs/etc/wireguard/wireguard-firewall.txt
3. SSH into ddwrt and use Nano to edit eop-tunnel.startup
cd /jffs/etc/config
nano eop-tunnel.startup
Change line 27 that says 'insmod wireguard' to 'insmod /opt/etc/wireguard/wireguard.ko'
CTRL-X and Save file
4. SSH into ddwrt and use Nano to edit wireguard-nvram.sh
cd /jffs/etc/wireguard
nano wireguard-nvram.sh
Change all variables to match the current WireGuard configuration
CTRL-X and Save file
5. Copy the content of wireguard-firewall.txt to the clipboard
6. Paste the clipboard into the DDWRT GUI Administration Commands box and Save Firewall
7. Execute the nvram script in /jffs/etc/wireguard
sh wireguard-nvram.sh
reboot
8. Execute init and route fix scripts in /jffs/etc/wireguard
sh wireguard-init.sh
wg
(Cross fingers and verify that WireGuard is running and handshake with server has occurred)


Supporting Code for Scripts and Firewall


wireguard-init.sh

Code:

#!/bin/sh
echo "Configuring WireGuard tunnel..."
nvram set oet1_en="1"
sleep 2
/jffs/etc/config/eop-tunnel.startup
sleep 2
echo "Configuring Firewall..."
/jffs/etc/config/eop-tunnel.firewall
sleep 2
echo "Modifying Route tables..."
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
WANGWY=$(/usr/sbin/nvram get wan_gateway)
/sbin/route add -host $WGSERVER gw $WANGWY dev vlan2
/sbin/route del default
/sbin/route add default dev oet1
echo "Completed WireGuard Setup."



firewall.txt (paste this into DDWRT GUI Firewall)

Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT
iptables -I FORWARD -s 'nvram get lan_ipaddr'/16 -j ACCEPT



wireguard-nvram.sh

Code:

#!/bin/sh

echo "Write variables"

# number of tunnel my case only 1
nvram set oet_tunnels="1"
# if you want to use a preshared key set 1
nvram set oet1_usepsk0="0"
nvram set oet1_txq="1"
nvram set oet1_shaper="0"
nvram set oet1_rem0="*** SERVER PUBLIC IP GOES HERE ***"
nvram set oet1_rem="192.168.90.1"
# pub key of local endpoint
nvram set oet1_public="***   CLIENT PUBLICKEY GOES HERE   ***"
nvram set oet1_pt="0"
# set here the pre shared key if you want to use one
nvram set oet1_psk0=""
# proto 2 is wireguard
nvram set oet1_proto="2"
# private key of local endpoint
nvram set oet1_private="***   CLIENT PRIVATEKEY GOES HERE   ***"
# public port where wireguard tunnel is reachable
nvram set oet1_port="51821"
# number of peers
nvram set oet1_peers="1"
nvram set oet1_peerport0="51820"
nvram set oet1_peerkey0="***   SERVER PUBLICKEY GOES HERE   ***"
# netmask of the wireguard network
nvram set oet1_netmask="255.255.255.0"
nvram set oet1_nat="1"
nvram set oet1_multicast="0"
nvram set oet1_mtu="1500"
nvram set oet1_mssfix="0"
nvram set oet1_local="0.0.0.0"
nvram set oet1_ka0="25"
nvram set oet1_isolation="0"
# ipaddress of the endpoint on the dd-wrt device
nvram set oet1_ipaddr="10.19.51.3 *** CHANGE THIS IP TO SUIT ***"
nvram set oet1_id="1"
nvram set oet1_hwaddr="00:00:00:00:00:00"
nvram set oet1_fragment="0"
nvram set oet1_endpoint0="1"
# for now leave the tunnel disabled
nvram set oet1_en="0"
nvram set oet1_dns_redirect="0"
nvram set oet1_dns_ipaddr="0.0.0.0"
nvram set oet1_comp="0"
# set bridge to 0 otherwise the iptables rules are not added
nvram set oet1_bridged="0"
# ipaddress of the peer
nvram set oet1_aip0="0.0.0.0/0"
# Commit variables
echo "Save variables to nvram"
nvram commit



This is the complete WG setup onto Kong DDWRT that worked for me. Hopefully others will find this information helpful. The WireGuard VPN has worked flawlessly for several days already connected through both routers, no additional software or settings on any client devices required. WG shows a ton of promise for DDWRT users running the hardware to support it.


Cheers!
Ersterhernd
Sponsor
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

PostPosted: Thu Feb 07, 2019 6:14    Post subject: Reply with quote
You dont need to go though all this as the DD-WRT GUI now dos the job and heres how to.

1st) Setup the WG info (see attachments, May need to login to see this)

2nd) traceroute to make sure the pockets is working correctly
Quote:
traceroute -i oet1 www.google.nl

if you see something like this

root@ddwrt:~# traceroute -i oet1 www.google.nl
traceroute to www.google.nl (216.58.206.67), 30 hops max, 38 byte packets
1 ** *** ***

something wrong with configuration

if you see something like this

root@ddwrt:~# traceroute -i oet1 www.google.nl
traceroute to www.google.nl (216.58.206.67), 30 hops max, 38 byte packets
1 172.16.0.1 12ms 14ms 11ms 13ms 13ms 12ms
2 1.1.1.1 12ms 14ms 11ms 13ms 13ms 12ms

etc, then you can add the following into the DD-WRT GUI

Go to administration > commands

Save Startup

Quote:
sleep 30
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
WANGWY=$(/usr/sbin/nvram get wan_gateway)
route add -host $WGSERVER gw $WANGWY dev vlan2
route del default
route add default dev oet1


I put in a 30 second sleep so the WAN interface has time to come up before the command executes

Save Firewall

Quote:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT


Reboot, then test http://zx2c4.com/ip to see if your routed to your VPS/VPN IP

also note the following

Quote:
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -j MASQUERADE


Double check the CIDR subnets are correct, Im using an /20 subnet https://www.aelius.com/njh/subnet_sheet.html

using build r38581



WGClient.png
 Description:
 Filesize:  32.6 KB
 Viewed:  2494 Time(s)

WGClient.png



_________________
TP-Link TL-WDR3600 v1 [EU]: r36330 (07/16/18 )
D-Link DIR-615 D2 [EU]: r36330 (07/16/18 )
Mikrotik RB750r2 (OpenWrt 17.01.4)
EE BrightBox 1 aka A4001N (OpenWrt 17.01.4)
Sagemcom FAST@5364 (VDSL2,FTTC (Fibre to the Cabinet) Synced 65/17

Twitter: @francisuk1989
---------------------------------
Found a bug? Report it http://svn.dd-wrt.com
DD-WRT Official FB Group: https://www.facebook.com/groups/493762527744455
rainin
DD-WRT Novice


Joined: 04 Dec 2016
Posts: 8

PostPosted: Sat Feb 16, 2019 8:39    Post subject: Reply with quote
Thanks for your detailed explanation on how to get Wireguard running on DD-WRT.

Personally, for me, the wg interface handshakes correctly, traceroute also working perfectly, the only issue is that the Internet is routed through WAN IP Address instead of OET1, despite saving and implementing the required Firewall settings.

What seems to be the issue? How can I redirect all the Internet traffic to OET1 tunnel?
audia3
DD-WRT Novice


Joined: 10 Mar 2018
Posts: 21

PostPosted: Thu Mar 28, 2019 21:14    Post subject: Reply with quote
Brilliant instructions, liverpoolatnight! I finally have Wireguard working on my Asus RT-N66U! Thanks so much!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7909

PostPosted: Sun Mar 31, 2019 3:36    Post subject: Reply with quote
First off, thanks for your efforts here. The comments that follow are only intended to improve everyone's understanding of how the firewall works, and thus the proper use of firewall rules wrt Wireguard, or just about any other service you might wish to access via its own network interface (e.g., Algo).

Code:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT


While I'm not a current Wireguard user (although I am going to look into it given the increasing interest by others), I have to say that those firewall rules are well..., not fully coherent.

For example, consider the following rule.

Code:
iptables -t nat -A POSTROUTING -j MASQUERADE


The above says to NAT *all* network interfaces. It's as broad and sweeping a NAT rule as you can make. And for that reason I generally don't recommend it because it makes no sense to, for example, NAT inbound traffic for any port forwards over the LAN (br0). That would mask the public IP of the remote client from the service being offered (e.g., web server). Every remote access would appear to be originating from the router itself. And that can mess up ip-based filtering and logs.

But let's assume you keep that rule anyway. Then there's no need for the following more specific NAT rules.

Code:
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/20 -j MASQUERADE


Once you're NATin'g everything w/ the first rule, having more specific rules is superflous. It's not going to harm anything, but it just adds confusion.

There's a similar issue w/ the following rule.

Code:
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/20 -j ACCEPT


Once you decide to broadly accept *any* traffic between oet1 and br0 (the last two rules), the above more specific rule is also superfluous.

In fact, last time I checked, the default firewall rules do NOT prevent any traffic on br0 from accessing any other network interfaces. And the replies are always ACCEPT'd thanks to the ESTABLISHED,RELATED rule. The need for FORWARDing rules only comes into play when connections are initiated from the remote network and into the router. That's why the WAN requires port forwarding for remote access purposes. That creates rules that allow specific traffic from the WAN (usually vlan2) and a port, to a specific device and port on the LAN (br0).

So if we assume this is NOT a site-to-site configuration (i.e., clients do NOT require remote access into the router over oet1), then the only rule that seems necessary is to NAT any local traffic (br0, br1, etc.) over the oet1 network interface.

Code:
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE


IOW, anytime something is sent over the oet network interface, replace its source IP w/ that of the IP assigned to that network interface. Now that traffic can be routed back to the dd-wrt router by the Wireguard server. It's no different than what happens when local traffic is NAT'd over the WAN. That traffic has to have the local IP replaced w/ the public IP on the WAN before being dropped on the internet.

But even THAT can be avoided if you add a static route on the system hosting the VPN server that tells it to route that traffic (e.g., 192.168.1.x) back to the Wireguard network interface on that side of the tunnel. The only time that's not going to work is if you don't have control of the VPN server (e.g., you're using a commercial Wireguard service provider, if such a thing even exists at this point). Obviously you have no means to add static routes to their network.

Finally, I would assume if Wireguard is configurable via the GUI on some Kong build, that he has already created the necessary firewall rules. At least he *should* have. Everything I've described above still applies, and should be reflected in his rules. OTOH, if you're supporting Wireguard on dd-wrt via scripting (no GUI), then you'll obviously be responsible for also creating the firewall rules.

In summary, I know the firewall rules as indicated are allegedly "working", but I'm not a fan of creating rules that make no sense, or are unnecessary, because pretty soon no one understands why they were created in the first place, and everyone just blindly adds them. It's my guess that these rules were bastardized from similar OpenVPN rules, that have likewise long ago been proven unnecessary. That's why when configuring the OpenVPN client GUI, no additional firewall rules are required by the user.

Anyway, in the meantime, I'm going to setup Wireguard for myself and confirm the above.
audia3
DD-WRT Novice


Joined: 10 Mar 2018
Posts: 21

PostPosted: Sun Mar 31, 2019 12:09    Post subject: Reply with quote
Thanks, eibgrad, for a very educational post. I am a complete novice when it comes to firewall rules and the ones that I used from this thread did have me scratching my head for the reasons that you have detailed.

One issue that I have been dealing with is although these settings "work" for my router when the internet is coming in through the ethernet WAN port, they do not work when I use an iPhone USB tether for internet access (iph0). I can connect to the internet when tethering, but not through the WireGuard tunnel. Your post has provided a direction for me to follow to try and sort this out.

Update -- I think the iPhone tether is not working because the startup script is running before the iPhone connection is established.


Last edited by audia3 on Mon Apr 01, 2019 13:02; edited 1 time in total
Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 16
Location: Gamma Quadrant

PostPosted: Mon Apr 01, 2019 5:46    Post subject: Reply with quote
@eibgrad This is interesting insight. I'll be honest though, I don't fully grasp all the details of the concepts you're describing because I am new to advanced networking. I will be educating myself more about iptables/firewall rules and NAT. But your logic about the port forwarding does make sense, as I have no interest in accessing my network remotely through the tunnel. Thus, that rule should not apply to setting up a Wireguard client. However, forwarding would apply for a Wireguard server setup, correct?

I went ahead and tested your rule and it worked just fine. The results were identical to the previous block of firewall rules suggested in liverpoolatnight's guide, for my purposes at least. So not only is this simpler, but cutting out any redundancy is always a plus. And of course, none of my comments are meant to throw liverpoolatnight under the bus and undermine his efforts. I love seeing the progress being made here and this community acts in the interest to help one another. It's not like you said "you dummy, THIS is the right way" or something. Laughing

With your logic in mind, I would like your input on the firewall rules that are suggested in the DD-WRT Wireguard wiki here. Are these rules also superfluous and/or redundant?

Looking forward to your findings when you setup Wireguard yourself.

Oh, and as a final note, you mentioned that Kong builds should have the Wireguard GUI available. I can't speak for other hardware, but when I downloaded the latest K3-AC-Arm build for my EA6900 (which was about 2 weeks ago), the Wireguard GUI was NOT present. It *might* be implemented via the command line, but I personally didn't check. I switched to a Brainslayer build specifically for the Wireguard GUI natively being available.
rainin
DD-WRT Novice


Joined: 04 Dec 2016
Posts: 8

PostPosted: Mon Apr 01, 2019 20:45    Post subject: Reply with quote
audia3 wrote:
Brilliant instructions, liverpoolatnight! I finally have Wireguard working on my Asus RT-N66U! Thanks so much!


Hi Audia3, hope you're doing well. Could you please help me out in how you got the Wireguard client working? I did try liverpoolatnight's instructions above but still can't redirect all my Internet traffic to the Wireguard tunnel.

Can you please help out, possibly with screenshots of your Wireguard config? I'm using Brainslayer's build on my Netgear R7000.
Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 16
Location: Gamma Quadrant

PostPosted: Fri Apr 05, 2019 9:11    Post subject: Reply with quote
rainin wrote:
audia3 wrote:
Brilliant instructions, liverpoolatnight! I finally have Wireguard working on my Asus RT-N66U! Thanks so much!


Hi Audia3, hope you're doing well. Could you please help me out in how you got the Wireguard client working? I did try liverpoolatnight's instructions above but still can't redirect all my Internet traffic to the Wireguard tunnel.

Can you please help out, possibly with screenshots of your Wireguard config? I'm using Brainslayer's build on my Netgear R7000.


See if audia3's post here may help you:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1160842#1160842

It helped me with what you're specifically trying to accomplish.
inevcr
DD-WRT Novice


Joined: 15 Sep 2016
Posts: 2

PostPosted: Fri May 03, 2019 10:42    Post subject: Reply with quote
I'm attempting to get DDWRT Wireguard working via Mullvad and I'm in the same boat as rainin it seems.

traceroute -i seems to show that traffic can be routed via the WG tunnel, however I can't figure out how to route all traffic through said tunnel.

Running the start up script manually via SSH shows that the
Code:
route add -host $WGSERVER gw $WANGWY dev vlan2

command returns the following error:
Code:
route: ioctl 0x890b failed: Network unreachable

(both WGSERVER and WANGWY are set appropriately it seems).

Any ideas what I could be doing wrong?
Cheers
inevcr
DD-WRT Novice


Joined: 15 Sep 2016
Posts: 2

PostPosted: Fri May 03, 2019 11:02    Post subject: Reply with quote
I've only now encountered Hellakenut's superb post here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319319&highlight=mullvad

Works perfectly! Thanks a lot Hellakenut!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum