Idiot's Guide to Configuring Wireguard - Client Tunnel

Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Thu May 09, 2019 2:51
kooper2013 wrote:

I'm getting always
sh: eval: line 6: syntax error: unexpected "(" (expecting "do")
when I try to run your script. What's the problem? All () seem to be correct...

~~

I'm trying to get wireguard as client running since days (Mullvad, Asus AC87U, bs r39654 currently). I know all this is kind of beta, but I always end up seeing my DSL-providers IP, never Mullvad's. I tried a lot of permutations, of various firewall-seetings, start/custom scripts, with and without.

The pain starts with syslog: Even if the 'Peer Public key' is forcedly wrong, I get
Jan 1 00:00:17 main kern.info kernel: wireguard: WireGuard 0.0.20190406 loaded. See www.wireguard.com for information.
Jan 1 00:00:17 main kern.info kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld . All Rights Reserved.
Jan 1 00:00:17 main kern.info kernel: wireguard: packed headroom 128, message minimum length 32
Jan 1 00:00:17 main user.info root: Enable WireGuard interface oet1 on port 51820
Jan 1 00:00:18 main user.info root: Establish WireGuard tunnel with peer endpoint 31.7.59.xxx:51820
Jan 1 00:00:18 main kern.info kernel: device oet1 entered promiscuous mode

~~
Also,
ip route get 8.8.8.8
will only show
8.8.8.8 via 192.168.2.1 dev br0 src 192.168.2.100
which seems to be wrong, as it should state vlan2 or eth... (.1 is my DSL modem, .100 is the DD-WRT AP with wireguard).

What could possible be wrong? Something left over from OpenVPN settings? I really don't get it. And I don't like to set up my router from scratch.

All this is a big PITA, far from the 'easiest tunnel ever'...


When you run nvram get wan_iface OR nvram get wan_ifname in the terminal, what do you get? That should show you what your default WAN interface is according to your build and regardless of your current setup. You can then plug that information in the portion of the script that asks for your WAN interface (the variable $WANIF). So assuming your result is vlan2, your variable should be corrected to WANIF="vlan2" (keep the quotations).

I realize now that using ip route get is not particularly reliable if people are starting this guide with a preexisting setup that's not utilizing DD-WRT's default settings. Which is why I made the looping script that would attempt to grab that information automatically. Clearly I gotta get back to the drawing board!

Also, I second what MesMurized said. I spent a few hours just dinking around with my script's format alone because BusyBox is really wishy-washy with the supported Bash syntax, so thanks for spotting if I need to add spaces anywhere or tweak some things.

And I also agree that this process comes off as a giant PITA. I was on that boat before I got any of this crap working, haha.

Audia3, thanks for this! As a heads up. I was looking into your issue and tethered my Android phone to my router. Main difference is my interface was called usb0 instead of iph0, and when I call nvram get wan_proto in the terminal, my result is always "dhcp" when I'm tethered. So there is definitely some discrepancy with phone tethering that I need to account for. I'll make sure to mention all of this and append the guide with more information for people using this sort of setup. In any case, glad you came up with something that fixed your scenario. I'm still trying to find a well rounded way that checks what interface DD-WRT is receiving internet from, but there is no easy, reliable way to do that (at least from what I've found). So for now, I'll make sure to account for possible changes needed to the script.

Thank you all for the feedback!!
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 60
Location: DE

Posted: Thu May 09, 2019 19:42
Hellakenut wrote:


When you run nvram get wan_iface OR nvram get wan_ifname in the terminal, what do you get? That should show you what your default WAN interface is according to your build and regardless of your current setup. You can then plug that information in the portion of the script that asks for your WAN interface (the variable $WANIF). So assuming your result is vlan2, your variable should be corrected to WANIF="vlan2" (keep the quotations).

I realize now that using ip route get is not particularly reliable if people are starting this guide with a preexisting setup that's not utilizing DD-WRT's default settings. Which is why I made the looping script that would attempt to grab that information automatically. Clearly I gotta get back to the drawing board!

Also, I second what MesMurized said. I spent a few hours just dinking around with my script's format alone because BusyBox is really wishy-washy with the supported Bash syntax, so thanks for spotting if I need to add spaces anywhere or tweak some things.

And I also agree that this process comes off as a giant PITA. I was on that boat before I got any of this crap working, haha.

Audia3, thanks for this! As a heads up. I was looking into your issue and tethered my Android phone to my router. Main difference is my interface was called usb0 instead of iph0, and when I call nvram get wan_proto in the terminal, my result is always "dhcp" when I'm tethered. So there is definitely some discrepancy with phone tethering that I need to account for. I'll make sure to mention all of this and append the guide with more information for people using this sort of setup. In any case, glad you came up with something that fixed your scenario. I'm still trying to find a well rounded way that checks what interface DD-WRT is receiving internet from, but there is no easy, reliable way to do that (at least from what I've found). So for now, I'll make sure to account for possible changes needed to the script.

Thank you all for the feedback!!


Thanks for your replies, @hellakenut and @MesMurized!

I'm not any step forward, unfortunately.

Neither /usr/sbin/nvram get wan_iface nor nvram get wan_ifname returns anything. But
wan_ifname2=vlan2
is defined. No idea why.

Maybe this is some culprit:
nvram get wan_proto=disabled

Other vars oet1_:
oet1_peerport0=51820
oet1_mcast=1
oet1_rem0=[correct IP assigned to me by Mullvad]
oet1_endpoint0=1
oet1_rem=192.168.90.1 [no idea why that is set, my private net is 192.168.2.x, active DHCP-server on this router]
oet1_private=[private key]
oet1_peers=1
oet1_multicast=0
oet1_bridged=1
oet1_ka0=25
oet1_mtu=1500
oet1_netmask=255.255.255.255
oet1_en=1
oet1_mtik=0
oet1_dns_ipaddr=0.0.0.0
oet1_psk0=[don't know what key that is]
oet1_isolation=0
oet1_port=51820
oet1_dns_redirect=0
oet1_ip0=0.0.0.0
oet1_dns0=8.8.8.8 [should work]
oet1_hwaddr=00:00:00:00:00:00
oet1_peerkey0=[peer public key]
oet1_pt=0
oet1_proto=2
oet1_id=1
oet1_label=
oet1_mssfix=0
oet1_aip0=0.0.0.0/0
oet1_usepsk0=0
oet1_ipaddr=10.99.66.44 [correct]
oet1_shaper=0
oet1_public=[local public key]
oet1_local=0.0.0.0
oet1_txq=1
oet1_comp=0
bat_oet1_bridge=br0

For the script, also whitespaces between ( and command, eg.
WGPROC=$( wg )
don't help. Also
while true
instead of
while :
doesn't help, same message. This is on BusyBox v1.30.1 (2019-05-03 08:44:26 CEST) built-in shell (ash) of now DD-WRT r39715 std using kernel 4.4.179 (bs, not kong). Router is my ASUS AC87U, configured as AP. Also from other sources I know that *sh commands are difficult to handle from version/version, router/router and what not. Another mess.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xASUS RT-AC87U
1xTP710
Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Sat May 11, 2019 5:37
Your router being setup as an access point is maybe why you have "wan_proto=disabled" showing up. Correct me if I'm wrong, but you have to set WAN Connection Type (under Setup > Basic Setup) to Disabled in order to configure an AP right? If so, that would explain why that variable comes up like that. When your AP is working the way it normally should, what comes up when you type "nvram get wanup"? You should get either a 1 or a 0. Better yet, what comes up when you type nvram show | grep wan in the terminal? Just trying to find clues.

Let me know the results. Also, since you don't get anything from running nvram get wan_iface or nvram get wan_ifname, try this altered script below. For troubleshooting purposes, I'd recommend keeping the sh /tmp/custom.sh line out of startup until we know you have the script working.

Code:
#!/bin/sh
# DD-WRT's shell is BusyBox ash, not bash; run this as "sh /tmp/custom.sh".
while :
do
    # wg prints nothing when no WireGuard interface is up
    WGPROC=$(wg)
    # "default" lists the default route(s); is oet1 carrying one?
    WGIF=$(ip route show default | grep -io oet1)
    WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
    WANGWY=$(/usr/sbin/nvram get wan_gateway)
    # fixed-string match (-F): with -E the dots in an IP act as wildcards
    HOST=$(ip route | grep -F "$WGSERVER via $WANGWY")
    if [ "$WGPROC" ]
    then
        echo "Wireguard is running. Checking routes..."
        if [ ! "$WGIF" ] || [ ! "$HOST" ]
        then
            echo "Routes missing. Correcting..."
            # host route so the encrypted packets still reach the VPN server via the real gateway
            route add -host "$WGSERVER" gw "$WANGWY" dev vlan2
            # then send everything else into the tunnel
            route del default
            route add default dev oet1
            ip route flush cache
            echo "Done"
        else
            echo "Routes are correct"
        fi
    else
        echo "Wireguard is not running"
    fi
    sleep 60
done


For the line "route add -host $WGSERVER gw $WANGWY dev vlan2" try replacing vlan2 with br0 just to see if that helps. Otherwise, the script may be getting caught up on WANGWY variable.

Last thing, you mentioned OpenVPN in your first post. I take it running OpenVPN works fine on your AP? If so, I'm curious what the routing tables look like for it as Wireguard shouldn't deviate too far from the format. Enable it, confirm it's working, and in a terminal run ip route && route and paste the results you get.
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 60
Location: DE

Posted: Sat May 11, 2019 7:56
Thanks a lot, Hellakenut!

Could not yet try the script, but results with OpenVPN are below. I'll report later what your script gives.


Right, WAN connection type is disabled.

nvram get wanup of course is 1 with OpenVPN.

nvram show | grep wan with OpenVPN:

size: 39268 bytes (26268 left)
wan_unit=0
wan_get_dns=
telnet_wanport=23
wan_lease=0
http_wanport=8080
wan_gateway=0.0.0.0
wan_hwname=
wan_domain=WZ
wan_netmask=0.0.0.0
wan_hwaddr_x=
wan_ifname2=vlan2
block_wan=0
dr_wan_rx=0
wan_dns=(2 DNS by NordVPN)
dhcp_wins=wan
wan_proto=disabled
wanup=1
lighttpd_wan=0
wan_hwaddr=9C:5C:8E:xx:xx:xx
clone_wan_mac=0
wan_default=vlan2
wan_ifnames=
dr_wan_tx=0
l2tp_wan_gateway=0.0.0.0
proftpd_wan=0
wan_primary=1
openvpn_onwan=1
wandevs=et1
dhcp_domain=wan
wan_dial=0
wan_gateway_buf=0.0.0.0
wan_vdsl=0
wan_iface=
upnp_wan_proto=
wan_ipaddr=0.0.0.0
wan_wins=0.0.0.0
wan_priority=0
wan0_hwaddr_x=
wan1_hwaddr_x=
wan_mtu=1500
pptp_wan_gateway=0.0.0.0
sshd_wanport=22
wan_get_domain=
wan_ifname=
wan0_hwaddr=9C:5C:8E:xx:xx:xx (same as wan_hwaddr...)
wan_hostname=main
ddns_wan_ip=1
wan_dualaccess=0
wan1_hwaddr=


ip route && route with OpenVPN:
0.0.0.0/1 via 10.8.8.1 dev tun1
default via 192.168.2.1 dev br0
10.8.8.0/24 dev tun1 scope link src 10.8.8.66
.... via 192.168.2.1 dev br0
.... via 192.168.2.1 dev br0
(my public VPN-IP) via 192.168.2.1 dev br0
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.8.8.1 dev tun1
169.254.39.0/24 dev br0 scope link src 169.254.39.65
.... via 192.168.2.1 dev br0
.... via 192.168.2.1 dev br0
.... via 192.168.2.1 dev br0
192.168.2.0/24 dev br0 scope link src 192.168.2.100
.... via 192.168.2.1 dev br0
.... via 192.168.2.1 dev br0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.8.8.1 128.0.0.0 UG 0 0 0 tun1
default 192.168.2.1 0.0.0.0 UG 0 0 0 br0
10.8.8.0 * 255.255.255.0 U 0 0 0 tun1
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
(my public VPN-IP) 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
128.0.0.0 10.8.8.1 128.0.0.0 UG 0 0 0 tun1
169.254.39.0 * 255.255.255.0 U 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
.... 192.168.2.1 255.255.255.255 UGH 0 0 0 br0

External IPs replaced by ....
192.168.2.1 is my DSL router, 192.168.2.100 is the AP with DD-WRT.

Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Sun May 12, 2019 3:57
Hopefully made some progress here. Is your router configured in client bridge mode? If so, I set that up on my second router to try and recreate your scenario and this script got Wireguard working for me:

Code:
#!/bin/sh
# DD-WRT's shell is BusyBox ash, not bash; run this as "sh /tmp/custom.sh".
while :
do
    # wg prints nothing when no WireGuard interface is up
    WGPROC=$(wg)
    # "default" lists the default route(s); is oet1 carrying one?
    WGIF=$(ip route show default | grep -io oet1)
    WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
    # AP / client-bridge setup: the upstream gateway sits on the LAN side
    WANGWY=$(/usr/sbin/nvram get lan_gateway)
    # fixed-string match (-F): with -E the dots in an IP act as wildcards
    HOST=$(ip route | grep -F "$WGSERVER via $WANGWY")
    if [ "$WGPROC" ]
    then
        echo "Wireguard is running. Checking routes..."
        if [ ! "$WGIF" ] || [ ! "$HOST" ]
        then
            echo "Routes missing. Correcting..."
            # host route so the encrypted packets still reach the VPN server via br0
            route add -host "$WGSERVER" gw "$WANGWY" dev br0
            # then send everything else into the tunnel
            route del default
            route add default dev oet1
            ip route flush cache
            echo "Done"
        else
            echo "Routes are correct"
        fi
    else
        echo "Wireguard is not running"
    fi
    sleep 60
done


The key here being we need the gateway you assigned to your router to get internet from, which is on your LAN instead of your WAN port. In your case, the WANGWY variable should end up being set to 192.168.2.1 (your DSL router). Worst case, if running /usr/sbin/nvram get lan_gateway doesn't return your DSL router IP for some reason, we can just manually assign it to the variable. Replace the line in the script with this and try running it again:

Code:
WANGWY="192.168.2.1"
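The route check that the loop above performs, written as a POSIX sh function over the text of ip route so it can be exercised against a captured table instead of the live router. This is an added example, not Hellakenut's script; the sample tables and the 203.0.113.10 endpoint are constructed, and the nvram keys (oet1_rem0, lan_gateway, lan_ifname) are the ones used in this thread.

```shell
#!/bin/sh
# Added example (not the script posted in this thread). Assumed names: tunnel
# interface oet1; nvram keys oet1_rem0, lan_gateway and lan_ifname as used here.

# wg_routes_ok ROUTES WGSERVER WANGWY WGIF
#   Returns 0 when ROUTES (the text of "ip route") contains both routes the
#   loop needs: a host route "WGSERVER via WANGWY" (encrypted packets to the
#   VPN server still leave through the real gateway) and "default dev WGIF"
#   (everything else enters the tunnel), and no leftover "default via ..." that
#   would let traffic bypass the tunnel. Fields are compared whole, so the dots
#   in an IP are not wildcards the way they are in grep -E "($WGSERVER.*$WANGWY)".
wg_routes_ok() {
    printf '%s\n' "$1" | awk -v srv="$2" -v gw="$3" -v wgif="$4" '
        $1 == srv && $2 == "via" && $3 == gw         { host = 1 }
        $1 == "default" && $2 == "dev" && $3 == wgif { tun = 1 }
        $1 == "default" && $2 == "via"               { leak = 1 }
        END { status = (host && tun && !leak) ? 0 : 1; exit status }'
}

# wg_route_loop: the posted loop rebuilt around the check. Only meaningful on
# the router; it is defined here but not called.
wg_route_loop() {
    wgif=oet1
    srv=$(/usr/sbin/nvram get oet1_rem0)
    gw=$(/usr/sbin/nvram get lan_gateway)    # wan_gateway when the WAN port is in use
    wanif=$(/usr/sbin/nvram get lan_ifname)  # br0 on an AP, vlan2 with a normal WAN
    while :; do
        if [ -z "$(wg)" ]; then
            echo "Wireguard is not running"
        elif wg_routes_ok "$(ip route)" "$srv" "$gw" "$wgif"; then
            echo "Routes are correct"
        else
            echo "Routes missing. Correcting..."
            route add -host "$srv" gw "$gw" dev "$wanif"
            route del default
            route add default dev "$wgif"
            ip route flush cache
        fi
        sleep 60
    done
}

# Constructed sample tables: 203.0.113.10 stands in for the VPN server's
# endpoint; 192.168.2.1 is the DSL router and 192.168.2.100 the AP, as in
# kooper2013's posts.
BEFORE_FIX='default via 192.168.2.1 dev br0
127.0.0.0/8 dev lo scope link
192.168.2.0/24 dev br0 scope link src 192.168.2.100'

AFTER_FIX='default dev oet1 scope link
127.0.0.0/8 dev lo scope link
203.0.113.10 via 192.168.2.1 dev br0
192.168.2.0/24 dev br0 scope link src 192.168.2.100'

# Two default routes: "route del default" removed only one of them, so traffic
# can still leave via br0 instead of the tunnel.
TWO_DEFAULTS="$AFTER_FIX
default via 192.168.2.1 dev br0 metric 1"

# A host route for a different address that merely starts with the same
# digits; a regex with unescaped dots would wrongly accept this one.
LOOKALIKE='default dev oet1 scope link
203.0.113.105 via 192.168.2.1 dev br0'

report() {
    if wg_routes_ok "$2" 203.0.113.10 192.168.2.1 oet1; then
        echo "$1: routes are correct"
    else
        echo "$1: routes missing or default not in tunnel"
    fi
}
report before-fix "$BEFORE_FIX"
report after-fix "$AFTER_FIX"
report two-defaults "$TWO_DEFAULTS"
report lookalike "$LOOKALIKE"
```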
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 60
Location: DE

Posted: Sun May 12, 2019 17:36
Hellakenut wrote:
Hopefully made some progress here. Is your router configured in client bridge mode? If so, I set that up on my second router to try and recreate your scenario and this script got Wireguard working for me:


This router is in AP mode.

AWESOME.


This is 95% of linespeed down, and 100% of upload (DSL 50/10MBit/s) using wg! Far better than OpenVPN, reaching only approx. 20% of linespeed up (NordVPN, which also never reached grade A+).

What I know so far:
Took the time and configured the router from scratch. Don't know if that helped at all.
I knew the keys were correct (using tunsafe on my iPhone and used the QR-code of Mullvad to get the config).
Currently using the 1-line firewall on page 1 of this thread (firewall with killswitch doesn't seem to work).
Learnt that 'Run command' just doesn't work for the custom-script in the GUI. I had to run it from the shell!
I added the following to see what's going on after the first else:

Code:

...
else
echo "Routes are correct"
echo $WANGWY
echo $WGPROC
echo $WGIF
echo $WGSERVER
...


I could then see that some kB's of traffic were flowing. So the script was always working, but not from the GUI. Then I set Mullvad's DNS on Setup/Basic and there I am (8.8.8.8 is disappointing).

BTW, Mullvad allows to download configs for all servers in 1 ZIP.

BIG THANKS for your time!

Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Mon May 13, 2019 23:17
Ay, glad to hear you found the solution!

I should have clarified if you were running commands through the DD-WRT UI or a Linux/Putty terminal. Yeah, definitely try and run commands solely through a terminal, especially for troubleshooting issues. I've gotten weird results or errors using the UI command box. I'll amend the guide to ensure people use a terminal over the UI.

As for the killswitch not working, I'll take a look into that and see what might be going on (iptables is a foreign beast to me that I have yet to scratch the surface on).

Happy Wireguarding!
marbius
DD-WRT Novice


Joined: 22 May 2019
Posts: 3

Posted: Wed May 22, 2019 8:59
Hi mate,

I've spent a couple of hours to get this working on a TP-link archer c8 V1 router, but it worked out eventually.

This DD-WRT version (Firmware: DD-WRT v3.0-r37305 std ( 10/10/18 ) does not support curl ssh commands, so for the putty commands I just had to put the command line in the windows command prompt and it gave me the IP.

All other steps worked like a charm. I went from a 30 mbit openvpn to a 120 (!) mbit (wireguard) connection (!).

Thanks for the guide!
marbius
DD-WRT Novice


Joined: 22 May 2019
Posts: 3

Posted: Wed Jun 19, 2019 13:15
Ok so a problem with the tunnel got to me while trying to install Steam to play some games on a PC (wired connection). It downloaded with a speed of 25 kb/s somehow. Somehow it slows down a lot on particular downloads from the interwebs. I'm on a working Mullvad wireguard server.

I had some time to play around to exclude some things:

-250mbit connection without the tunnel, so no firewall or card faulty settings
-tried different WG servers; problem persists
-WIFI connection has no problems with the tunnel! (on my laptop everything works), only the wired connection it seems to get selectively to 0.25 mbps on some downloads and speedtests. It looks like it prioritizes wifi over wired connection somehow, and there might be an additional firewall setting required in the router to allow this.
-Torrents have absolutely no problems in download/upload (max).
-some speed tests end up with socket error, some speed tests give me max result (150 mbps)
Hope someone could figure this out!

Best regards!

ps. as for the command settings, these ones I got from another website to try out if this would fix my problem, but it still persists.
=======================================================

The solution!: (20Jun2019)

-enabling QoS on port LAN/WLAN with default settings
Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Thu Jun 20, 2019 23:52
marbius wrote:
The solution!: (20Jun2019)

-enabling QoS on port LAN/WLAN with default settings


Great! Here's hoping your performance lasts this time, haha. That's odd how your wifi had priority over lan. I wonder why that may have been the case. Maybe the DD-WRT build? Hmm.

As for the commands, you got me curious where they were from (eibgrad mentioned making a .wanup script a while ago, so I thought he maybe had something on pastebin) and I noticed IVPN now has a guide for Wireguard on DD-WRT routers and they actually adapted the code in this guide for theirs. Even the variables have the same names!

If this guide can get more VPN providers to look into Wireguard for DD-WRT and make their own tailored guides, then that's a win in my book. Mullvad, I'm looking at you now...
marbius
DD-WRT Novice


Joined: 22 May 2019
Posts: 3

Posted: Fri Jun 21, 2019 5:46
The command list I got from the IVPN website indeed, as I got some problems with some of the returns of some local nvram commands. As for mullvad, I informed them about the guide and my problems, so they are certainly aware of this and it is on their list to add to their guides. Great stuff indeed, seems to be stable at my end, thanks a lot!
Opinawa
DD-WRT Novice


Joined: 16 Jul 2019
Posts: 1

Posted: Tue Jul 16, 2019 15:38
Thank you all for delivering this great guide! With it, I managed to set up my dd-wrt router as a VPN gateway for Mullvad.

However, I would also like to use the same router as a "Wireguard-Server" to reach my home network via a private-VPN. Before setting up the second tunnel for Mullvad, this was already working, but I assume the default route for the Mullvad tunnel broke it. Or maybe I am missing some firewall setting?

How would I have to change the setup to have both tunnels working properly on the same router?

A few facts about my setup that might help debugging (I'll gladly add more info upon request):

- Netgear R7000 running DD-WRT v3.0-r40276 std (07/12/19)
- WAN disabled, Router is just a client in my network, IP: 192.168.178.2
- Home-Network-IPs: 192.168.178.0 (main router IP: 192.168.178.1)
- Private-VPN-IPs: 192.168.179.0


Startup Script:
Code:

sleep 30
echo "Update route table on startup..."
WGSERVER=$(/usr/sbin/nvram get oet2_rem0)
WANGW=$(/usr/sbin/nvram get lan_gateway)
WANIF=$(/usr/sbin/nvram get lan_ifname)
route add -host $WGSERVER gw $WANGW dev $WANIF
route del default
route add default dev oet2
ip route flush cache
mkdir -p /tmp/etc/config
ln -s /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
echo "... Done route table update."

Firewall:
Code:

WANIF=$(/usr/sbin/nvram get lan_ifname)
iptables -t nat -I POSTROUTING -o oet2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
#iptables -I FORWARD -i br0 -o $WANIF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
#iptables -I FORWARD -i br0 -p tcp -o $WANIF -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i oet1 -j ACCEPT
iptables -I FORWARD -o oet1 -j ACCEPT

Custom Script:
Code:

#!/bin/sh
sleep 5
echo "Update route table on wanup ..."
WGSERVER=$(/usr/sbin/nvram get oet2_rem0)
WANGW=$(/usr/sbin/nvram get lan_gateway)
WANIF=$(/usr/sbin/nvram get lan_ifname)
route add -host $WGSERVER gw $WANGW dev $WANIF
route del default
route add default dev oet2
ip route flush cache
echo "... Done route table update."

Output of "ip route":
Code:

default dev oet2 scope link
127.0.0.0/8 dev lo scope link
141.98.103.58 via 192.168.178.1 dev br0
192.168.178.0/24 dev br0 scope link  src 192.168.178.2
192.168.179.0/24 dev oet1 scope link  src 192.168.179.1

Output of "wg show":
Code:

interface: oet1
  public key: (hidden)
  private key: (hidden)
  listening port: 51823

peer: (hidden)
  endpoint: (hidden):51823
  allowed ips: 192.168.179.2/32
  transfer: 296 B received, 184 B sent

interface: oet2
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: 141.98.103.58:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 3 seconds ago
  transfer: 124 B received, 468 B sent
Hellakenut
DD-WRT Novice


Joined: 22 Mar 2019
Posts: 22
Location: Gamma Quadrant

Posted: Mon Jul 29, 2019 15:53
My apologies for the late check in. I'm taking summer classes and that's been my top priority of late.

Unfortunately, I'm personally not familiar enough with the server setup to know how to get that functioning. This guide was meant for a client setup, so I sadly don't have a process to create a Wireguard server, let alone have the server tunnel run in conjunction with a client tunnel.

I know this wasn't the response you were hoping for, but I wanted to at least respond so that you know I saw your message. Plus, bumping this might catch the attention of someone else who has better knowledge than myself in this territory (which I'd argue is most of the forum, lol).
davood.1983
DD-WRT Novice


Joined: 17 Aug 2019
Posts: 8

Posted: Sat Aug 17, 2019 4:12    Post subject: Wireguard
Hi there
When I want to use this command
curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY

and put in my account number and public key, I get a message like this:

-sh: curl: not found

What am I supposed to do?!
I appreciate that.
davood.1983
DD-WRT Novice


Joined: 17 Aug 2019
Posts: 8

Posted: Sat Aug 17, 2019 4:57    Post subject: Re: Idiot's Guide to Configuring Wireguard - Client Tunnel
Hellakenut wrote:
Welcome to my idiot’s guide to setting up a Wireguard client tunnel!

I wanted to make a beginner-friendly tutorial for setting up Wireguard on DD-WRT. Most of the information currently given on this site is for already experienced users who know how to navigate the DD-WRT GUI, use commands to alter startup parameters/firewall rules, and perform tasks in Telnet/SSH terminals. For people who are flashing DD-WRT for the first time, this is going to sound overwhelming and come off confusing to inexperienced eyes, so I wanted to make a palatable guide that would help new users configure a Wireguard tunnel/client for the first time. Doing so will allow you to route ALL traffic from your LAN devices through the Wireguard tunnel on your router.

THE INFORMATION PROVIDED HERE IS EXPERIMENTAL

Let me preface that Wireguard is still in beta as of writing this guide. Things I mention here can and/or will change in the future as Wireguard develops. I will try to keep this up to date if things change in the Wireguard GUI, but in off chance I go dark forever or have an affair with the OpenWRT community, a moderator can happily adapt this guide and repost it. Or it can fade into obscurity, idc, lol. This is the internet after all.

Also, this guide is going to be for a very basic setup. I unfortunately can’t help you if you are looking to do more than what I describe here. But if you are reading this and can give some more info on how to set up a more advanced task involving Wireguard, feel free to post your knowledge!

I must give credit to the following users for making this information available in a way I can digest:


audia3
liverpoolatnight
eibgrad



Without them I’d never have gotten this to work, so they deserve full credit for the majority of the information I provide in this tutorial!

Also, the pictures I post are resized by the forum. So if you can't read anything, make sure to click the images to view the full size!

Table of Contents:

    ○ Wireguard Intro/Benchmark Comparisons
    ○ Wireguard Setup Tutorial
    ○ Optional Settings
    ○ Troubleshooting/Issues

- Wireguard Intro/Benchmark Comparisons

So... why Wireguard instead of OpenVPN?

The biggest struggle with running a VPN client on your router is the need for a powerful CPU to handle the necessary encryption processes. Unfortunately, OpenVPN is built to utilize only a single core, therefore it cannot take advantage of any additional power in your router. So unless you have a really high clock rate for a single core, you are going to see a serious bottleneck on your internet speeds when using OpenVPN on your router.

This is where Wireguard has turned heads. It DOES take advantage of all CPU cores and the overall footprint of the VPN is much more lean and efficient. With that in mind, how much of a speed improvement does Wireguard have over OpenVPN?

See these tests below. I compared the down/up speeds of my 100/100 fiber internet using my standard ISP connection, Wireguard, and OpenVPN. The results are pretty staggering:



My router is currently a Linksys EA6900, with an 800MHz dual-core processor. 800MHz for OpenVPN is, shall we say, not exactly optimal for running a VPN. However, Wireguard gives me nearly the full down/up speeds that my ISP provides, which is a pretty wild improvement.

Nevertheless, don’t take my results as an objective benchmark. Wireguard is still very young and not a finalized protocol, so there will be varied performance depending on your hardware, build, location, etc. I sadly can’t guarantee ANYTHING to you in terms of expectations and reliability.

But now that you have a picture of what Wireguard can bring to the table, let’s move on to the tutorial!

- Wireguard Setup Tutorial

To get started, you must have the following:

    • A VPN provider that supports the Wireguard protocol (e.g. Mullvad, IVPN, AzireVPN, etc.).
    • A router that is currently running a Brainslayer build w/ the Wireguard GUI. [1]
    • An SSH program to log into the router. I highly suggest PuTTY for this. PuTTY Download Page
    • Patience and a willingness to troubleshoot!

[1] If you are using a Kong build, Wireguard may or may not be natively supported in the GUI. If not, you must install it separately using the methods described here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1152435

Word of caution: As kooper2013 experienced in this thread, I do NOT recommend running the mentioned commands/scripts in this guide using the DD-WRT GUI commands box. Unexpected results or errors may occur, so make sure you execute them through a Linux/Putty terminal! Use the GUI commands box primarily to make changes to your startup, firewall, and custom script fields.

For this tutorial, I will be using Mullvad as my VPN provider to work off of. Please keep in mind that VPN providers may have their own tutorials for configuring Wireguard on custom router firmware (if so, try and reference their guides prior to reading this!). However, in my case, Mullvad only explains the process for OpenWRT, which does not translate clearly to DD-WRT. So for those that don’t have documentation specifically for DD-WRT, this guide should help push you in the right direction for getting a basic connection set up.

1. Enable Wireguard in DD-WRT

First off, we need to enable Wireguard in the GUI to get the ball rolling. To do so, log into your router and under the Setup tab, navigate to the Tunnels tab. You should see the following:



Select the “Enable” radio button and you should see some settings appear, one that’s a drop-down menu. Click the drop-down menu and select the option “Wireguard.” After that, hit the "Add Peer" button and you should now see the following items:



From here, you should see the text box titled “Local Public Key.” Hit “Generate Key” to create a custom public key that we’ll use with our VPN provider.

2-A. Use Local Public Key to get IP for Wireguard Tunnel

This is where PuTTY comes in. First, make sure SSH is enabled in DD-WRT by going to the Services tab. Scroll down until you see the section named “Secure Shell.” Make sure the option “SSHd” is set to enable (you may need to reboot your router for it to take effect). Once that’s done, launch PuTTY and select the radio button that says “SSH.” Enter your router’s address (e.g. 192.168.1.1) in the Host Name field and hit “Open.” You should see the terminal box below:



For the login, you will type “root” and press enter (this is the master username). The next output should ask for your password, which is the same password you set to log into your router. If you entered the information correctly, you should see the DD-WRT welcome screen below:



Congrats! You’re in. Now from here, we are going to fetch some information to plug into the Wireguard interface in DD-WRT. Note, this step may vary WIDELY depending on your VPN provider. For Mullvad, you are required to run this command to get an IP address to use with your router:

Code:
curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY


As the placeholders suggest, plug your Mullvad account number where it says “YOURMULLVADACCOUNTNUMBER” and the Local Public Key you generated back in the Wireguard GUI where it says “YOURPUBLICKEY” in the command.

FYI, in my case this code failed due to a (60) SSL certificate problem. If this happens to you, append your code to the following to skip SSL verification:

Code:
curl -k https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY


The “-k” is what bypasses the verification. You can also try “--insecure” as an alternative.

You should now receive an IP address from your VPN provider. The output will be something like this:



For the purpose of this tutorial, I used a randomly generated public key to produce an IP address. So we’ll be using 10.99.5.54/32,fc00:bbbb:bbbb:bb01::536/128 from here on out as a placeholder. Also, ignore the IPv6 portion of the address as we won’t be using it in this tutorial (just focus on 10.99.5.54/32).

This returned address is what we’ll use to put into the Wireguard GUI in DD-WRT. Head back to your browser and return to the Setup > Tunnels tab in DD-WRT. From here, we’ll insert the IP address we received from our VPN provider in the space below:



So we received the IP address, but what goes in the Subnet Mask field? As of writing this tutorial, the only provider-supported guides to set up Wireguard are for OpenWrt, not DD-WRT. Because of this, there are a fair amount of discrepancies between the two firmwares, one of which is that OpenWrt does not need a subnet mask to be defined. DD-WRT, on the other hand, wants this information. For those who are unfamiliar with networking, the subnet can be calculated from this number:

10.99.5.54/32

The highlighted part (the /32) tells us the subnet. This shorthand version is known as CIDR notation. Without going into the gory details on how it works, I’m providing a cheat sheet that you can reference to translate the notation. The IP you receive from your VPN may have a different CIDR number, so use this to determine your subnet mask:



2-B. Use Private Key to get IP for Wireguard Tunnel

*You can skip to step 3 if step 2-A worked for you*

If all else fails and you can't obtain an IP address using the methods described above, you can use your private key instead if your VPN provider allows you to generate a Wireguard config file from a preexisting private key. In Mullvad's case, we can. Unlike OpenWrt, DD-WRT does not display the private key in the GUI. In order to get it, open up an SSH terminal using the process described in step 2-A, and in the terminal type the following command:

Code:
wg showconf oet1


You should get an output like this:



The "PrivateKey" portion is what we want. Highlight the generated key and it will automatically be copied to your clipboard. Now navigate to your VPN provider's webpage that allows you to generate a Wireguard config file. For Mullvad, the page looks like this:



Make sure "Custom key pair" is selected and paste the private key you got from the terminal into the box that says "Enter private key..."

From here, refer to step 3 to determine your server information. Once you've selected the appropriate Wireguard server you want, download the file and open it. You should see something like this:



The line that says "Address = 10.99.5.54/32,fc00:bbbb:bbbb:bb01::536/128" is what we need for the IP address/Subnet Mask area in the Wireguard GUI (again, ignore the IPv6 portion). We will also be ignoring the DNS line in this config file. Once you have this, jump to the end of step 3 (where the picture of the config file is) and follow the remaining steps normally.

3. Get Wireguard Server Information

Next, you are going to need to get the information of the specific Wireguard server you are trying to connect to from your VPN provider. Note that these servers are separate from the OpenVPN ones, so make sure you go to your provider’s website and find a list that specifically labels the Wireguard ones.

This is where DD-WRT might make you take a detour. If you’re lucky, your VPN provider will show the IP address along with the domain name of the server you want to connect to. If that’s the case, great! Skip to the next step. But if you use Mullvad like I do, only the domain names are listed. DD-WRT doesn’t play nice with this because there is a character limit in the field we need to put this information, so only the plain IP address will work. In order to get this, we need to generate a config file from our VPN provider. Your VPN should provide a webpage where you can create a Wireguard config file for a specific operating system. Mullvad’s looks like this:



For the operating system, I just chose Linux and had it generate a new key pair (we won’t be using these keys). For the server, select the one you wanted to use and get the IP from. After that, hit Download and open the config file you get in Notepad or any other text editor. You should see something like this:



The [Peer] portion is what we need. The Endpoint is the IP address of the server you picked. Also take note of the port number, which is 51820. We now have all the information we need to finally get connected!

4. Plug All the Information in the Wireguard GUI

Back in the Wireguard GUI, put all your settings in as follows:



The MTU box will fill automatically. Once this is done, hit apply and Wireguard should now be configured correctly. Next, we need to make changes to the startup script, firewall, and add a custom script to get the tunnel working. Navigate to the Administration > Commands tab and paste the following into the Commands box: [2]

Code:
#!/bin/sh
# Runs under DD-WRT's busybox sh (it is started as "sh /tmp/custom.sh"); the router has no bash.
while :
do
    # Wait until DD-WRT reports the WAN as up before touching the routing table
    until /usr/sbin/nvram get wanup | grep -q 1
    do
        echo "Waiting for WAN to initialize..."
        sleep 10
    done

    WGPROC=$(wg)                                # non-empty while the WireGuard interface is up
    WGSERVER=$(/usr/sbin/nvram get oet1_rem0)   # peer endpoint IP entered in the GUI
    WANGWY=$(/usr/sbin/nvram get wan_gateway)   # upstream gateway
    WANIF=$(/usr/sbin/nvram get wan_iface)      # WAN interface (set by hand for tethering, see below)

    # Is the default route already on the tunnel? "default" is a valid selector for
    # "ip route show"; the original "ip route show gateway" is not and always returned nothing.
    WGIF=$(ip route show default | grep -o oet1)
    # Is the peer endpoint pinned to the WAN gateway, so tunnel packets do not get routed into the tunnel?
    HOST=$(ip route | grep "^$WGSERVER " | grep "via $WANGWY ")

    if [ -n "$WGPROC" ]
    then
        echo "Wireguard is running. Checking routes..."
        if [ -z "$WGIF" ] || [ -z "$HOST" ]
        then
            echo "Routes missing. Correcting..."
            route add -host "$WGSERVER" gw "$WANGWY" dev "$WANIF"
            route del default
            route add default dev oet1
            ip route flush cache
            echo "Done"
        else
            echo "Routes are correct"
        fi
    else
        echo "Wireguard is not running"
    fi
    sleep 60
done


Note the line that says WANIF=$(/usr/sbin/nvram get wan_iface) in the script. Due to the variety of setups people may have (e.g. iPhone/Android tethering, bridging, etc.), you may need to configure this variable manually if you are running a setup that doesn't automatically use the default WAN interface on your router. In the case of phone tethering, your WAN interface is the device you set to receive internet from, so this could be iph0, usb0, or whatever naming scheme your device requires. If your WAN interface is NOT the default assigned in the nvram, then set your WANIF variable like so (keep the quotation marks around the interface name):

Code:
WANIF="your interface name here"


Again, this interface can be iph0, usb0, etc. For a specific startup script altered to detect iphone tethering, see audia3's post here.

Once you've entered the script, scroll to the bottom of the page and hit “Save Custom Script.” When the page reloads, paste sh /tmp/custom.sh in the Commands box and hit "Save Startup" at the bottom of the page. This will execute the custom script on startup and route your LAN devices to go through the Wireguard tunnel (oet1) once your router boots up. Finally, the tunnel needs to get past the firewall. Paste this into the Commands box:

Code:
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE


Hit “Save Firewall” to add the rule.

Reboot the router and, if you did everything correctly, you should be connected through Wireguard! Check your IP online to make sure it’s displaying the endpoint address you entered. If you don't have a connection, remove the startup entry for the custom script, reboot the router, and run the custom script manually in a terminal session to see if any errors come up. The command to execute the script is the same as the startup command, so paste sh /tmp/custom.sh and hit enter to run it. To stop the script at any time, hit Ctrl+C.

- Optional Settings

DNS Leaks:

You can also set your router’s DNS to that of your VPN’s if you are worried about DNS leaks. I’d at least recommend setting it to something that isn’t the router’s default (e.g. Comodo, Cloudflare, OpenDNS, etc.). You can easily find these online. Put the DNS server address under Setup > Basic Setup in the box that’s titled “Static DNS 1.” Preferably, fill all 3 Static DNS fields with alternate addresses.

Network Killswitch:

To add a kill switch in case you lose connection over your VPN, add the following commands to your firewall in Administration > Commands:

Code:
# Take the WAN interface from nvram (the same value the custom script uses) instead of
# reading it off the current default route: once the custom script has moved the default
# route onto oet1, "ip route | awk '/^default/{print $NF}'" no longer names the WAN
# interface, and the kill switch silently stops matching anything.
WAN_IF="$(/usr/sbin/nvram get wan_iface)"
# Reject new LAN connections that try to leave via the WAN instead of the tunnel. The
# tunnel's own UDP packets originate from the router (OUTPUT chain), so they are not affected.
iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -o "$WAN_IF" -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset


With this, if the Wireguard server you are using goes down, or if your Wireguard interface gets disabled, your traffic will be blocked from accessing the internet and potentially leaking information.

- Troubleshooting/Issues

With anything that’s new, this setup is not without some problems. For one, if you make any general changes to your DD-WRT settings (e.g. enable something in Services), your routing table gets reset and you have to configure it again (this is what the looping custom script helps correct when it's run on startup). The Wireguard feature in DD-WRT should be able to account for this problem on its own, but sadly it does not at this point in time. Hence, the custom script provided runs quietly in the background on startup to make sure the routes are correct should something get altered. Since it is an infinite looping script, this avoids relying on the cron service which, in my experience, did not run reliably upon a router reboot. You also save nvram space by not enabling the cron service.

If you find that Wireguard isn't connecting upon router reboot, remove the custom script line from startup, reboot again, log into the router through an SSH terminal, and run sh /tmp/custom.sh to view the output and determine where the script is getting hung up.

[2] ADVANCED DD-WRT USERS: PLEASE inform me of any better ways to go about doing this. I’ve only been using DD-WRT for a couple months, so if there’s a simpler solution out there to accomplish this then I’d be happy to amend it into the guide.

Thanks for sticking through all the way to the end. Hopefully your setup is working. If you have any corrections and/or better suggestions to include in this guide, please let me know and I’ll make the necessary changes as soon as possible. Thank you!






I tried to configure Mullvad and enabled SSH on the router, then connected to the router with PuTTY, but when I try to use that command to get the IP:

Code:
curl -k https://api.mullvad.net/wg/ -d account=xxxxxxxxxxxxx --data-urlencode pubkey=lRqGzRVEfFxtAM1KsNCidR0UdEs0qMA6Pzx8122Slz8=

or other commands, I get this error:

-sh: curl: not found

I don't know what to do.
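The key-registration step of the quoted guide, and the "curl: not found" error in the reply above, as an added example that is not part of the guide or of Mullvad's own tooling. The API request carries only the public key and the account number, so it does not have to run on the router at all: run it from a PC that has curl and a CA bundle, and leave out -k, because with -k anyone on the path can read the account number and tamper with the reply. The same script turns the returned address into the IP/Subnet Mask pair the DD-WRT GUI asks for, which is what the CIDR cheat-sheet image did. The API URL and parameters are the guide's; the sample response is constructed, and the public-key check (32 bytes, base64) is mine.

```sh
#!/bin/sh
# Added example (not from the guide): register a WireGuard public key with Mullvad from any
# machine with a working CA store, then turn the returned address into the IP/netmask pair
# the DD-WRT GUI asks for. The API URL and parameters are the ones used in the guide above;
# the sample response below is constructed, not captured from the API.

# A WireGuard public key is 32 bytes, base64-encoded: 44 characters ending in "=".
valid_wg_pubkey() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    bytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$bytes" -eq 32 ]
}

# "10.99.5.54/32,fc00:bbbb:bbbb:bb01::536/128" -> "10.99.5.54/32" (IPv6 part dropped, as in the guide)
ipv4_cidr()    { printf '%s\n' "${1%%,*}"; }
cidr_address() { printf '%s\n' "${1%/*}"; }
cidr_prefix()  { printf '%s\n' "${1##*/}"; }

# Prefix length -> dotted netmask, the calculation behind the cheat sheet (/32 -> 255.255.255.255)
cidr_to_netmask() {
    bits=$1 mask="" i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then oct=255; bits=$((bits - 8))
        elif [ "$bits" -le 0 ]; then oct=0
        else oct=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="$mask${mask:+.}$oct"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# The request carries only the account number and the public key, so run it anywhere that
# has CA certificates (a PC rather than the router) and let curl verify TLS. No -k: with -k
# a man-in-the-middle could read the account number and alter the returned address.
register_mullvad_key() {
    account=$1 pubkey=$2
    valid_wg_pubkey "$pubkey" || { echo "refusing: '$pubkey' is not a WireGuard public key" >&2; return 2; }
    curl --fail --silent --show-error https://api.mullvad.net/wg/ \
        -d "account=$account" --data-urlencode "pubkey=$pubkey"
}

# Constructed sample response, shaped like the one shown in the guide
SAMPLE_RESPONSE='10.99.5.54/32,fc00:bbbb:bbbb:bb01::536/128'

if [ "${1:-}" = "register" ] && [ $# -eq 3 ]; then
    register_mullvad_key "$2" "$3"          # sh thisfile.sh register ACCOUNT PUBKEY
else
    v4=$(ipv4_cidr "$SAMPLE_RESPONSE")
    echo "IP Address:  $(cidr_address "$v4")"
    echo "Subnet Mask: $(cidr_to_netmask "$(cidr_prefix "$v4")")"
fi
```

Run it with no arguments to see the sample address converted (10.99.5.54 and 255.255.255.255); run it as sh thisfile.sh register ACCOUNT PUBKEY on a PC to do the real registration. The key check refuses the "YOURPUBLICKEY" placeholder, a typo, or a private key pasted by mistake into the wrong field only if its length or encoding is off; it cannot tell a public key from a private one, so still double-check which key you are pasting.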
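A dry run of the custom script's route check and of the kill switch from the quoted guide, as an added example (not code from the guide). It works on routing-table text instead of calling ip and route, so it can be run on any machine: the two tables below are constructed, the endpoint 203.0.113.10 is a documentation address standing in for the real peer, and oet1, vlan2 and br0 are the names the guide uses. It also shows why the kill switch should take the WAN interface from nvram rather than from the default route: in the "after" table the tunnel is the default route, written as "default dev oet1 scope link" as a gateway-less route appears, and awk's $NF then returns "link" rather than the WAN interface.

```sh
#!/bin/sh
# Added example (not from the guide): the route check from the custom script and the
# kill-switch interface choice, written against routing-table text so it can be exercised
# off the router. Interface names (oet1, vlan2, br0) are the guide's; the endpoint
# 203.0.113.10 and both routing tables below are constructed, not captured from a router.

ROUTES_BEFORE='default via 192.168.2.1 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.100'

ROUTES_AFTER='default dev oet1 scope link
203.0.113.10 via 192.168.2.1 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.100'

# True when the default route is on the tunnel (what the script's WGIF check asks)
default_via_wg() { printf '%s\n' "$1" | grep -q '^default .*dev oet1'; }

# True when the peer endpoint has a host route via the WAN gateway (the script's HOST check).
# Dots in the endpoint are escaped so "10.1.1.1" cannot match "10x1y1z1".
endpoint_pinned() {
    ep=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "^$ep via $3 "
}

# Emit the commands the custom script would run, one per line; nothing when routes are right
plan_route_fix() {
    routes=$1 server=$2 gw=$3 wanif=$4
    if default_via_wg "$routes" && endpoint_pinned "$routes" "$server" "$gw"; then
        return 0
    fi
    printf 'route add -host %s gw %s dev %s\n' "$server" "$gw" "$wanif"
    printf 'route del default\n'
    printf 'route add default dev oet1\n'
    printf 'ip route flush cache\n'
}

# The guide's kill switch derives WAN_IF from the default route with awk '{print $NF}'.
# Applied to each table it is right before the tunnel takes over and wrong afterwards.
wan_if_from_routes() { printf '%s\n' "$1" | awk '/^default/{print $NF}'; }

# Kill-switch rules for a given WAN interface (the value "nvram get wan_iface" would give)
kill_switch_rules() {
    printf 'iptables -I FORWARD -i br0 -o %s -m state --state NEW -j REJECT --reject-with icmp-host-prohibited\n' "$1"
    printf 'iptables -I FORWARD -i br0 -o %s -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset\n' "$1"
}

echo "== before tunnel: commands the script would run =="
plan_route_fix "$ROUTES_BEFORE" 203.0.113.10 192.168.2.1 vlan2
echo "== after tunnel: commands the script would run (none expected) =="
plan_route_fix "$ROUTES_AFTER" 203.0.113.10 192.168.2.1 vlan2
echo "== WAN_IF taken from the default route: before=$(wan_if_from_routes "$ROUTES_BEFORE") after=$(wan_if_from_routes "$ROUTES_AFTER") =="
echo "== kill-switch rules for vlan2 =="
kill_switch_rules vlan2
```

To check a real router with the same logic, feed it the live table: plan_route_fix "$(ip route)" "$(nvram get oet1_rem0)" "$(nvram get wan_gateway)" "$(nvram get wan_iface)" prints exactly what the looping script is about to do, which is a safer first step than letting it run every 60 seconds while you are still debugging.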