Wireguard Setup guide

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4703
Location: Netherlands

PostPosted: Mon Nov 25, 2019 16:55    Post subject: Wireguard Setup guide
Wireguard setup guide

You can only see and download the guide below if you are logged in!

WireGuard is a BETA/WIP open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or L2TP.
It can be seen as a replacement for OpenVPN, although it does not have the versatility, possibilities and track record of OpenVPN.
However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 90 Mb/s on OpenVPN to 240 Mb/s with Wireguard), and it is easy to set up if you know how.

Some key points about Wireguard:
• Layer 3 only, no bridging
• UDP only, punches through firewalls
• Authenticated keys, like SSH
• Executes in the Linux kernel
• Static routing

What makes it so much faster than OpenVPN is not the cryptography, which is more or less the same (use of PKI to calculate/exchange a key with PFS for symmetric encryption). It is the fact that everything is done in kernel space, while OpenVPN has to constantly switch between user and kernel space.
Inherently, executing in kernel space is less secure: if security is broken then you are compromised big time.
Another disadvantage is that it only supports static routing, so if you use Wireguard to connect to a commercial VPN provider (Mullvad is one of them) they keep track of your IP address. Mullvad implements some NATting and is not tracking your IP address, but still it is more insecure than OpenVPN.
Bottom line: if you are a high-level government target, do not use Wireguard yet.

This guide walks you through the setup of Wireguard on DDWRT and covers both the setup as a Wireguard server and the setup of Android and Windows clients and of DDWRT as a client.
Just like Wireguard itself, both the DDWRT implementation and this guide are a work in progress, so not without mistakes.

I will try to keep the guide updated, but your help, remarks and recommendations are crucial in getting this done so please notify me of any errors or inconsistencies (there shall be many in the beginning).

You can post in the thread or send me a PM (personal mail) : https://forum.dd-wrt.com/phpBB2/privmsg.php?mode=post&u=342338

This is not the first setup guide; there is already a wiki page which is very informative: https://wiki.dd-wrt.com/wiki/index.php/The_Easiest_Tunnel_Ever

v0.04 first draft
v0.08, added DDWRT as client, Killswitch, Troubleshooting, Pre-shared key, using DNS server and how to use on a WAP
v10 tidying up
v14 CVE-14899 vulnerability and workarounds
v16 added information to set private key
v17 instructions for builds past build number 42067

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Thu Jan 23, 2020 9:25; edited 9 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4703
Location: Netherlands

PostPosted: Mon Nov 25, 2019 16:56    Post subject:
Scripts for setup DDWRT router as a Wireguard client


You can download the attached script, unzip it and put it in /jffs or in another place of your liking for permanent storage, and execute the script from Firewall.
In the script you will find instructions.

You can also copy and paste the script below and place in Administration/Commands and Save as Firewall.

The script will run once at startup or if you change anything because the firewall is then re-initialized and thus the script will run.
As Wireguard uses static routing it normally is not necessary to run the script periodically, this is only necessary if you are using an endpoint with a DDNS/URL which changes frequently. In that case set SLEEP=90 and save the script as Startup. The script will run every 90 seconds.


#!/bin/sh
# * name: ddwrt-wireguard-client-script.sh
# * version: 1.0, 27-12-2019 by egc
# * modify parameters in script if necessary, make sure not to include Windows style line endings <CR>
# * Copy and paste text between BEGIN and END to Administration/Commands and Save as Firewall
# * You can run the script every x seconds from Startup but the smart way is to run it only once from the Firewall, if something changes it will rerun
# * After changing anything REBOOT the router


#=======BEGIN ddwrt-wireguard-client-script.sh=========
SCRIPT="/tmp/ddwrt-wireguard-client-script.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#DEBUG= # uncomment/comment to enable/disable debug mode
SLEEP=0 # runs continuously executing every [SLEEP] seconds, if SLEEP=0 it runs only once
WGNAT= # uncomment/comment to enable/disable SNAT over the oet interface
WGPEER=0 # do not change
WGDELRT="/tmp/wg-delete-routes" # undo list: every route/NAT rule added below gets its delete command written here
[ ${DEBUG+x} ] && set -x
while :; do
#checks if interface is enabled, if not continue
if [ "$(nvram get oet_tunnels)" -eq 1 ] && [ "$(nvram get oet1_en)" -eq 0 ]; then
logger "$(basename $0)[$$] No tunnel interface enabled, going to sleep"
#remove the routes and NAT rule added by an earlier run
(while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
#WGIF= #this will recreate routes when Disabled/Enabled
else
#wait for interface
SLEEPCT=0
#this will recreate all routes every time the script runs
WGIF=
while [ -z "$WGIF" ]; do
sleep 10
#tunnel interface name as reported by wg, e.g. oet1
WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
SLEEPCT=$((SLEEPCT+10))
if [ $SLEEPCT -gt 60 ]; then
logger "$(basename $0)[$$] Could not detect Wireguard interface after $SLEEPCT seconds, going to sleep"
break
elif [ ! -z "$WGIF" ]; then
#remove the routes and NAT rule added by an earlier run before adding them again
(while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
logger "$(basename $0)[$$] it took $SLEEPCT seconds to get the Wireguard interface up, now executing"
#egc: MASQUERADE over the wireguard interface
echo "iptables -t nat -D POSTROUTING -o $WGIF -j MASQUERADE" > $WGDELRT
[ ${WGNAT+x} ] && iptables -t nat -I POSTROUTING -o $WGIF -j MASQUERADE
#egc: provide way out if set to client and everything is routed via the oet interface
# use route add -host because the endpoint can be a host name
echo "route del -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)" >> $WGDELRT
route add -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)
#egc: add routes based on allowed IPs
for aip in $(nvram get ${WGIF}_aip${WGPEER} | sed "s/,/ /g"); do
#echo $aip #debug
echo "ip route del $aip dev $WGIF" >> $WGDELRT
ip route add $aip dev $WGIF
done
#end add routes
ip route flush cache
fi
done
fi
#stop running if sleep=0
[ $SLEEP -gt 0 ] && sleep $SLEEP || break
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END ddwrt-wireguard-client-script.sh=========

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Sat Dec 28, 2019 17:29; edited 17 times in total
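As an added illustration (my own example, not egc's script or DD-WRT code), the following dry-run reproduces what the client script computes from `wg` and the `oetN_aipX` nvram value before it touches the routing table: the interface name is taken with the same awk, the comma-separated Allowed IPs are turned into the `ip route add` commands and the matching undo lines for /tmp/wg-delete-routes, and a list containing whitespace is rejected, which is the error case the guide warns about for builds below 41643. The `wg` output and the Allowed IPs value are constructed samples and the keys are placeholders; nothing here runs ip, route or iptables, so it can be tried on any machine with sh and awk.

```shell
#!/bin/sh
# Added example, not egc's script: dry-run of the route logic in
# ddwrt-wireguard-client-script.sh. Nothing here calls ip/route/iptables.

# Constructed sample of what `wg` prints on a DD-WRT client with one peer.
WG_SAMPLE='interface: oet1
  public key: CLIENTPUBKEYPLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: SERVERPUBKEYPLACEHOLDER=
  endpoint: vpn.example.net:51820
  allowed ips: 10.4.0.1/32, 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 12 seconds ago
  transfer: 1.20 MiB received, 356.41 KiB sent'

# Interface name is the 2nd field of the "interface:" line (wg output on stdin).
wg_interface() {
    awk '/^interface:/ {print $2; exit}'
}

# Reject an empty list or one with whitespace: the script splits the nvram
# value on commas only, so "10.4.0.1/32, 0.0.0.0/1" would yield a bad entry.
check_aip_list() {
    if [ -z "$1" ]; then
        echo "allowed IPs list is empty" >&2; return 1
    fi
    if printf '%s' "$1" | grep -q '[[:space:]]'; then
        echo "allowed IPs contain whitespace: '$1'" >&2; return 1
    fi
    return 0
}

# Emit "ip route add <aip> dev <wgif>" per entry, as the script's for-loop runs them.
route_add_cmds() {
    wgif="$1"; aips="$2"
    check_aip_list "$aips" || return 1
    for aip in $(printf '%s' "$aips" | sed 's/,/ /g'); do
        echo "ip route add $aip dev $wgif"
    done
}

# Emit the matching undo lines in the format the script appends to /tmp/wg-delete-routes.
route_del_cmds() {
    route_add_cmds "$1" "$2" | sed 's/^ip route add/ip route del/'
}

WGIF=$(printf '%s\n' "$WG_SAMPLE" | wg_interface)
AIPS="10.4.0.1/32,0.0.0.0/1,128.0.0.0/1"   # constructed: what `nvram get oet1_aip0` would return
echo "tunnel interface: $WGIF"
route_add_cmds "$WGIF" "$AIPS"
echo "--- undo file ---"
route_del_cmds "$WGIF" "$AIPS"
```

On the router the same functions would be fed with `wg | wg_interface` and `nvram get oet1_aip0`. The reason the undo lines are printed alongside the adds is that the script replays them with `while read route; do $route; done` on its next run, so every add needs a matching delete line or a stale route survives a tunnel change.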
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4703
Location: Netherlands

PostPosted: Mon Nov 25, 2019 16:57    Post subject:
Policy Based Routing for Wireguard

This script is the only script needed when using Wireguard with PBR; it takes care of the NAT rule and all other necessary routing rules, also for your normal Wireguard routing.

If you do not alter anything in the script, the default route is via the WAN. This is useful if you have incoming connections like SSH or port forwards or OpenVPN which need the WAN to be default.
In this case the IP addresses entered in the add_rules section use the Wireguard route.
You can add addresses and interfaces in the section between ==BEGIN RULES== and ===END RULES===.
I already gave a few possibilities as an example.

You can reverse the working of the script (everything via Wireguard route except the addresses entered in the add_rules section) by commenting the line:
Code:
WANGW_DEFAULT= # when uncommented the main table will use the WAN as default and the Alternate table will use Wireguard route


Version 0.9 can work together with the automatic kill switch script in the next post.
This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN.
If you want to have this kill switch, uncomment the following line and set the path to the kill switch script and copy the script from the next post to that path:
Code:
#KS="/jffs/ddwrt-wireguard-kill-script.sh" # uncomment/comment to enable/disable automatic Kill Script, set path for kill-script



Important settings
In the Allowed IPs setting for your Server/Peer, add the WG address of the server, e.g. 10.4.0.1/32, and allow all other traffic: 0.0.0.0/1, 128.0.0.0/1

So in the end the Allowed IPs will look like:
Code:
10.4.0.1/32,0.0.0.0/1,128.0.0.0/1

(Important: do not use any whitespace in the Allowed IPs field in builds below 41643!)

Setup Instructions
# * name: ddwrt-wireguard-pbr-script.sh
# * version: 0.4, 5-12-2019 by egc
# instructions:
# 0. unzip the downloaded file
# 1. add your rules in the add_rules section and modify parameters in script if necessary, make sure not to include Windows style line endings <CR>
# 2. copy modified script to /jffs (or external storage, e.g., usb)
# 3. make script executable:
# chmod +x /jffs/ddwrt-wireguard-pbr-script.sh
# 4. call this script from the startup: Administration/Commands Save as Firewall after making sure it works:
# sh /jffs/ddwrt-wireguard-pbr-script.sh &
# you can run the script continuously from Startup by setting SLEEP=120, but to run it once from Firewall (SLEEP=0) is the smart way as it will rerun on changes
# 5. after changing anything REBOOT the router


Troubleshooting
In the script, enable DEBUG by uncommenting the line:
Code:
#DEBUG= # uncomment/comment to enable/disable debug mode

Reboot

Via CLI (telnet/PuTTY)
Code:

grep -i wireguard /var/log/messages
ifconfig
wg showconf oet1
wg (look for traffic Rx/Tx)
ip route show
ip route show table 15
ip rule show
iptables -vnL -t nat



_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Mon Dec 09, 2019 9:30; edited 14 times in total
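For the troubleshooting step "wg (look for traffic Rx/Tx)", here is an added helper (mine, not part of egc's scripts) that reads `wg` output and classifies each peer: OK when a handshake has happened and bytes were received, NO-HANDSHAKE when there is no "latest handshake" line at all (typically a wrong endpoint, key or pre-shared key, or the UDP port not getting through), and NO-RX when the handshake line is present but nothing has come back yet. The two `wg` outputs are constructed samples; the peer keys and the endpoint address are placeholders.

```shell
#!/bin/sh
# Added example, not egc's script: parse `wg` output the way the
# troubleshooting step "wg (look for traffic Rx/Tx)" does by eye.

# Constructed samples. WG_UP shows a working peer; WG_STALE shows a peer
# that sends but never completes a handshake.
WG_UP='interface: oet1
  public key: CLIENTPUBKEYPLACEHOLDER=
  listening port: 51820

peer: SERVERPUBKEYPLACEHOLDER=
  endpoint: 203.0.113.10:51820
  allowed ips: 10.4.0.1/32, 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 12 seconds ago
  transfer: 1.20 MiB received, 356.41 KiB sent'

WG_STALE='interface: oet1
  public key: CLIENTPUBKEYPLACEHOLDER=
  listening port: 51820

peer: SERVERPUBKEYPLACEHOLDER=
  endpoint: 203.0.113.10:51820
  allowed ips: 10.4.0.1/32, 0.0.0.0/1, 128.0.0.0/1
  transfer: 0 B received, 1.48 KiB sent'

# Reads wg output on stdin and prints one line per peer:
#   <peerkey> OK            handshake seen and bytes received
#   <peerkey> NO-HANDSHAKE  no "latest handshake" line for this peer
#   <peerkey> NO-RX         handshake seen but nothing received yet
peer_status() {
    awk '
        function report() {
            if (peer == "") return
            if (!hs)          print peer, "NO-HANDSHAKE"
            else if (rx == 0) print peer, "NO-RX"
            else              print peer, "OK"
        }
        /^peer:/            { report(); peer = $2; hs = 0; rx = 0 }
        /latest handshake:/ { hs = 1 }
        /transfer:/         { rx = ($2 + 0) }   # "0 B received" -> 0
        END                 { report() }
    '
}

# Exit-status form for use in a script: 0 only if every peer is OK.
all_peers_ok() {
    out=$(peer_status)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | grep -qv ' OK$' && return 1
    return 0
}

printf '%s\n' "$WG_UP" | peer_status
printf '%s\n' "$WG_STALE" | peer_status
```

On the router this is `wg | peer_status`, or `wg | all_peers_ok || logger "wireguard peer down"` if you want the check in a cron or Startup script. A peer stuck at NO-HANDSHAKE is the symptom to look for first: WireGuard is silent on the wire until the handshake succeeds, so there is nothing else in the log to read.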
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4703
Location: Netherlands

PostPosted: Mon Nov 25, 2019 16:57    Post subject:
Wireguard PBR Kill Script

This is the accompanying script for the ddwrt-wireguard-pbr-script v 0.9 and higher which can be downloaded below.

This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN and which are set in the aforementioned ddwrt-wireguard-pbr-script.

This script is triggered from the ddwrt-wireguard-pbr-script; you just have to upload the script to the same directory as that script and activate the kill switch from that script (see there for instructions).


# instructions:
# 0. Unzip if necessary and place in same directory as the ddwrt-wireguard-pbr-script.sh which will invoke this script
# 1. Set WG_ENABLED_ONLY to your preference
# 2. Set FW_STATE to your preference
# 3. Reboot router

# state checking: "state NEW" vs. no state
# state NEW (default):
# * any pre-existing LAN->WAN connections persist until/unless they timeout/close
# * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
# * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
# no state:
# * any pre-existing LAN->WAN connections are stopped/blocked
# * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
# * less efficient (every LAN->WAN packet is inspected)


_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
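To make the "state NEW" versus "no state" choice from the instructions concrete, this added example (my own, not egc's kill script) prints the FORWARD rules a per-client kill switch would insert for each variant, and applies them idempotently with `iptables -C` before `iptables -I`. The variable names FW_STATE and WG_ENABLED_ONLY follow the post, but their handling here is my assumption; the LAN bridge is br0 as on DD-WRT, while the WAN interface name and the client addresses are constructed.

```shell
#!/bin/sh
# Added example, not egc's kill script: builds the FORWARD rules a
# per-client kill switch needs, so "state NEW" vs "no state" can be
# compared before anything is applied.

LANIF=br0          # DD-WRT LAN bridge
WANIF=vlan2        # constructed; on a router use $(get_wanface)
CLIENTS="192.168.1.20 192.168.1.0/27"   # constructed: hosts/subnets that must only leave via WireGuard
#WG_ENABLED_ONLY=  # assumption: when set, apply the kill switch only while tunnel 1 is enabled

# rule_match: the iptables match for one client, with or without the state qualifier.
#   state=NEW -> only packets opening a new LAN->WAN connection are rejected
#   state=    -> every LAN->WAN packet from the client is rejected
rule_match() {
    client="$1"; state="$2"
    printf 'FORWARD -i %s -o %s -s %s' "$LANIF" "$WANIF" "$client"
    [ -n "$state" ] && printf ' -m state --state %s' "$state"
    printf ' -j REJECT\n'
}

# kill_rules: one "iptables -I ..." line per client; -I puts them at the top
# of FORWARD so they win over the accept rules DD-WRT adds.
kill_rules() {
    state="$1"
    for c in $CLIENTS; do
        echo "iptables -I $(rule_match "$c" "$state")"
    done
}

# apply_rules: idempotent application; -C tests whether the rule is already
# present, so re-running on every firewall restart does not stack duplicates.
apply_rules() {
    state="$1"
    if [ ${WG_ENABLED_ONLY+x} ] && [ "$(nvram get oet1_en)" != "1" ]; then
        echo "tunnel 1 disabled, kill switch not applied" >&2; return 0
    fi
    for c in $CLIENTS; do
        m=$(rule_match "$c" "$state")
        iptables -C $m 2>/dev/null || iptables -I $m
    done
}

echo "## FW_STATE=NEW: existing connections survive, WAN->LAN port forwards keep working"
kill_rules NEW
echo "## no state: everything from the client towards WAN is rejected, replies included"
kill_rules ""
```

The two variants differ exactly as the instructions describe: with `--state NEW` a reply packet belonging to an inbound port-forwarded connection is ESTABLISHED and passes, and a LAN->WAN flow that was open before the rule went in keeps running until it times out; without the state match every packet from the client is inspected and rejected, which is the stricter (and slightly more expensive) setting. REJECT rather than DROP is a choice for the clients' benefit, so a blocked connection fails immediately instead of hanging.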
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 56

PostPosted: Fri Dec 27, 2019 16:54    Post subject:
Dear egc,

thank you for this guide!
It worked without a flaw until the most recent release r41791 (12/24/19).

You are aware of it, I know.
(https://svn.dd-wrt.com/ticket/6928)

What is your opinion about this?
Should I wait for an upcoming release or enter a new rule into iptables?
Will upcoming releases enable local access by default again?

Am currently not sure how to proceed... feels bad.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4703
Location: Netherlands

PostPosted: Fri Dec 27, 2019 17:14    Post subject:
Yes, I have been working on an update of the guide.

You can use the following rule on the latest build:

This is the short version, which supposes you are using the first tunnel:

Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE



This is the longer version which will search for the right tunnel interface:

Code:
WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get ${WGIF}_ipaddr)/$(nvram get ${WGIF}_netmask) -j MASQUERADE


I must do some more testing.

The upcoming build will let you disable the patch so you do not have to use the above rule.
Whether you should disable the patch or use the above rules is open to debate and can depend on your threat level and how much trouble you get from SNATting all traffic.

If you are a high level government target I would enable the patch, for me where I have my IOT separated and nothing really to fear I probably just disable it.

Steve Gibson did not consider it a serious problem FWIW

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Sat Dec 28, 2019 12:09; edited 1 time in total
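The rule above works as a one-liner; as an added example (mine, not from the guide) here is the same MASQUERADE rule wrapped so that it picks the tunnel interface from `wg` output, refuses to run when the tunnel has no address or netmask in nvram, and checks with `iptables -t nat -C` before inserting so a firewall restart does not stack duplicates. `nvram_get` is a stand-in for `nvram get` with constructed values and the `wg` output is a constructed sample, so the string-building part runs off-router; only `apply_snat` touches iptables.

```shell
#!/bin/sh
# Added example, not egc's rule: the SNAT-to-LAN workaround from the post,
# with interface detection, a sanity check and an idempotent insert.

# Constructed sample of `wg` output; keys and endpoint are placeholders.
WG_SAMPLE='interface: oet1
  public key: CLIENTPUBKEYPLACEHOLDER=
  listening port: 51820

peer: SERVERPUBKEYPLACEHOLDER=
  endpoint: 203.0.113.10:51820
  allowed ips: 10.4.0.1/32, 0.0.0.0/1, 128.0.0.0/1'

# Stand-in for `nvram get <name>`; values are constructed.
nvram_get() {
    case "$1" in
        oet1_ipaddr)  echo 10.4.0.2 ;;
        oet1_netmask) echo 255.255.255.0 ;;
        *) echo "" ;;
    esac
}

# Tunnel interface name from wg output on stdin (same idea as the post's awk).
wg_interface() {
    awk '/^interface:/ {print $2; exit}'
}

# The rule from the post: masquerade packets leaving towards the LAN bridge
# whose source is the tunnel's own subnet. Printed without "iptables -t nat"
# so the same string serves both -C (check) and -I (insert).
snat_rule() {
    wgif="$1"
    ip=$(nvram_get "${wgif}_ipaddr"); mask=$(nvram_get "${wgif}_netmask")
    if [ -z "$ip" ] || [ -z "$mask" ]; then
        echo "no address/netmask for $wgif in nvram, not building a rule" >&2
        return 1
    fi
    echo "POSTROUTING -o br0 -s $ip/$mask -j MASQUERADE"
}

# apply_snat: usage on the router is `wg | apply_snat`.
apply_snat() {
    wgif=$(wg_interface) || return 1
    [ -n "$wgif" ] || { echo "no WireGuard interface up" >&2; return 1; }
    rule=$(snat_rule "$wgif") || return 1
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
}

echo "interface: $(printf '%s\n' "$WG_SAMPLE" | wg_interface)"
echo "rule: iptables -t nat -I $(snat_rule oet1)"
```

The empty-value check matters because `iptables -s /` with a blank address is rejected at best and, on some builds, silently matches nothing, which leaves the workaround unapplied without any error in the log; failing loudly from the script is the safer behaviour.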
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 56

PostPosted: Fri Dec 27, 2019 20:35    Post subject:
Thanks a lot!
