Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Mon Nov 25, 2019 16:55 Post subject: WireGuard (server) Setup guide
WireGuard (server) setup guide
Note: you can only see and download the guide if you are logged in!
WireGuard is an open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or L2TP.
It can be seen as a replacement for OpenVPN although it does not have the versatility, possibilities and track record of OpenVPN.
However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 85 Mb/s on OpenVPN to 300 Mb/s with WireGuard), and it is easy to set up if you know how; the guides will help you with that.
Some key points about WireGuard:
• Layer 3 only, no bridging
• UDP only, punches through firewalls
• Authenticated keys, like SSH
• Executes in the Linux kernel
• Static routing
What makes it so much faster than OpenVPN is not the cryptography, which is more or less the same (use of PKI to calculate/exchange a key with PFS for symmetric encryption). It is the fact that everything is done in kernel space, while OpenVPN has to constantly switch between user and kernel space.
Inherently, executing in kernel space is less secure: if security is broken then you are compromised big time.
Another disadvantage is that it only supports static routing, so if you use WireGuard to connect to a commercial VPN provider they keep track of your IP address.
A lot of VPN providers are taking measures to mitigate this by using double NAT or special no-log servers ( https://www.azirevpn.com/docs/security ), but be sure to look into it.
This guide walks you through the setup of WireGuard on DDWRT and covers both setup as a WireGuard server, setup of Android and Windows clients, and DDWRT as a client.
v0.04 first draft
v0.08, added DDWRT as client, Killswitch, Troubleshooting, Pre-shared key, using DNS server and how to use on a WAP
v10 tidying up
v14 CVE-14899 vulnerability and workarounds
v16 added information to set private key
v17 instructions for builds past build number 42067
v18 corrected typo in Kill switch
v20 added references for ipv6
v21 added link to script
v22 some clarifications
v24 update pictures to reflect upcoming changes
v30 added known problems and solutions
v33 for use with options starting with build 43290
v38 for builds 44980 and later
v41 for builds 47040 or later
v43 build 47822 or later
v44 Add Linux Client setup instructions (not tested)
v46 Some corrections
v48 Added setting "Allow Clients WAN Access" and IPv6 compatibility for WireGuard used as Server
v51 Add debug option under Troubleshooting
_________________ Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Last edited by egc on Mon Jan 22, 2024 14:05; edited 80 times in total
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Mon Nov 25, 2019 16:56 Post subject:
Scripts for setup DDWRT router as a Wireguard client
Downloads are only visible when you are logged in !
This script is only useful in builds prior to build 43055; later builds can use the GUI options (NAT via tunnel and Route Allowed IP's via tunnel).
You can download the attached script, unzip it and put it in /jffs or in another place of your liking for permanent storage, and execute the script from Firewall.
In the script you will find instructions.
You can also copy and paste the script below and place in Administration/Commands and Save as Firewall.
The script will run once at startup or if you change anything because the firewall is then re-initialized and thus the script will run.
As Wireguard uses static routing it normally is not necessary to run the script periodically, this is only necessary if you are using an endpoint with a DDNS/URL which changes frequently. In that case set SLEEP=90 and save the script as Startup. The script will run every 90 seconds.
#!/bin/sh
# * name: ddwrt-wireguard-client-script.sh
# * version: 1.1, 7-apr-2020 by egc
# * modify parameters in script if necessary, make sure not to include Windows style line endings <CR>
# * Copy and paste text between BEGIN and END to Administration/Commands and Save as Firewall
# * You can run the script every x seconds from Startup but the smart way is to run it only once from the Firewall, if something changes it will rerun
# * After changing anything REBOOT the router
#=======BEGIN ddwrt-wireguard-client-script.sh=========
SCRIPT="/tmp/ddwrt-wireguard-client-script.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#DEBUG= # uncomment/comment to enable/disable debug mode
SLEEP=0 # runs continuously executing every [SLEEP] seconds, if SLEEP=0 it runs only once
WGNAT= # uncomment/comment to enable/disable SNAT over the oet interface
WGPEER=0 # do not change
WGDELRT="/tmp/wg-delete-routes" # file with the commands that undo the routes/rules added below
[ ${DEBUG+x} ] && set -x
while :; do
  # check if the tunnel interface is enabled, if not go to sleep
  if [ "$(nvram get oet_tunnels)" -eq 1 ] && [ "$(nvram get oet1_en)" -eq 0 ]; then
    logger "$(basename $0)[$$] No tunnel interface enabled, going to sleep"
    # undo the routes/rules of a previous run (the file may not exist yet)
    (while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
    #WGIF= # this will recreate the routes when Disabled/Enabled
  else
    # wait for the interface
    SLEEPCT=0
    # this will recreate all routes every time the script runs
    WGIF=
    while [ -z "$WGIF" ]; do
      sleep 10
      WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
      SLEEPCT=$((SLEEPCT+10))
      if [ $SLEEPCT -gt 60 ]; then
        logger "$(basename $0)[$$] Could not detect Wireguard interface after $SLEEPCT seconds, going to sleep"
        break
      elif [ -n "$WGIF" ]; then
        # undo the routes/rules of a previous run before adding them again
        (while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
        logger "$(basename $0)[$$] it took $SLEEPCT seconds to get the Wireguard interface up, now executing"
        #egc: MASQUERADE over the wireguard interface
        echo "iptables -t nat -D POSTROUTING -o $WGIF -j MASQUERADE" > $WGDELRT
        [ ${WGNAT+x} ] && iptables -t nat -I POSTROUTING -o $WGIF -j MASQUERADE
        #egc: provide a way out if set to client and everything is routed via the oet interface
        # use route add -host because the endpoint can be a host name
        echo "route del -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)" >> $WGDELRT
        route add -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)
        #egc: add routes based on allowed IP's
        for aip in $(nvram get ${WGIF}_aip${WGPEER} | sed "s/,/ /g"); do
          #echo $aip #debug
          echo "ip route del $aip dev $WGIF" >> $WGDELRT
          ip route add $aip dev $WGIF
        done
        #end add routes
        ip route flush cache
      fi
    done
  fi
  #stop running if sleep=0
  [ $SLEEP -gt 0 ] && sleep $SLEEP || break
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
$SCRIPT > /dev/null 2>&1 &
#=======END ddwrt-wireguard-client-script.sh=========
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Mon Nov 25, 2019 16:57 Post subject:
Policy Based Routing for Wireguard
It is advised to use a build with build number 43055 or higher; you then use the PBR script -post-43055.
If you cannot do that, use the other script.
If you do not alter anything in the script, the default route is via the WAN, this is useful if you have incoming connections like SSH or Port Forwards or OpenVPN which need the WAN to be default.
In this case the IP addresses entered in the add_rules section are using the Wireguard route.
You can add addresses and interfaces in the section between ==BEGIN RULES== and ===END RULES===
I already gave a few possibilities as an example.
You can reverse the working of the script (everything via Wireguard route except the addresses entered in the add_rules section) by commenting the line:
Code:
WANGW_DEFAULT= # when uncommented the main table will use the WAN as default and the Alternate table will use Wireguard route
Version 0.9 can work together with the automatic kill switch script in the next post.
This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN.
(Note, this works only when using the WAN as default gateway in the main routing table so leave the `WANGW_DEFAULT=` uncommented.)
If you want to have this kill switch, uncomment the following line and set the path to the kill switch script and copy the script from the next post to that path:
Code:
#KS="/jffs/ddwrt-wireguard-kill-script.sh" # uncomment/comment to enable/disable automatic Kill Script, set path for kill-script
Setup Instructions
Unzip the downloaded file; the setup instructions are in the file.
Troubleshooting
In the script, enable DEBUG by uncommenting the line:
Code:
#DEBUG= # uncomment/comment to enable/disable debug mode
Reboot
Via CLI (telnet/PuTTY)
Code:
grep -i wireguard /var/log/messages
ifconfig
wg showconf oet1
wg (look for traffic Rx/Tx)
ip route show
ip route show table 15
ip rule show
iptables -vnL -t nat
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Mon Nov 25, 2019 16:57 Post subject:
Wireguard PBR Kill Script
This is the accompanying script for the ddwrt-wireguard-pbr-script v 0.9 and higher which can be downloaded below.
This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN and which are set in the aforementioned ddwrt-wireguard-pbr-script.
This script is triggered from the ddwrt-wireguard-pbr-script, you just have to upload the script in the same directory as that script and activate the kill switch from that script (see there for instructions)
# instructions:
# 0. Unzip if necessary and place in same directory as the ddwrt-wireguard-pbr-script.sh which will invoke this script
# 1. Set WG_ENABLED_ONLY to your preference
# 2. Set FW_STATE to your preference
# 4. Reboot router
# state checking: "state NEW" vs. no state
# state NEW (default):
# * any pre-existing LAN->WAN connections persist until/unless they timeout/close
# * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
# * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
# no state:
# * any pre-existing LAN->WAN connections are stopped/blocked
# * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
# * less efficient (every LAN->WAN packet is inspected)
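The PBR script and the kill script above are download-only, so here is an added example (my own, not egc's scripts) that shows the logic the two posts describe: a selector list like the BEGIN RULES / END RULES section, the WANGW_DEFAULT switch that decides which table holds the WAN default and which holds the WireGuard default, and the kill switch with the "state NEW" versus "no state" choice. It only prints the `ip` and `iptables` commands for review rather than running them; table 15, oet1, the selector list and the 192.168.1.x addresses are assumed or constructed values.

```shell
#!/bin/sh
# Added example, not egc's PBR or kill script: print the ip rule / iptables
# commands that a selector list turns into, so they can be checked before
# being run on the router. Assumed/constructed: table 15, oet1, the WAN
# gateway and the selector list below.

WGIF="oet1"                      # WireGuard interface
WGTABLE="15"                     # alternate routing table
WAN_GW="192.168.1.1"             # constructed sample WAN gateway
WANGW_DEFAULT=                   # set: main table via WAN, selectors via WireGuard
                                 # unset (comment out): main via WireGuard, selectors via WAN
FW_STATE="-m state --state NEW"  # kill switch state match; use "" for "no state"

# Constructed selectors: "from <addr>" routes a host/subnet, "iif <if>" a whole bridge.
RULES="from 192.168.1.50
from 192.168.1.0/28
iif br1"

# Routing commands: the alternate table gets a copy of the LAN routes plus the
# default route the main table does not have; every selector is bound to it.
pbr_commands() {
    echo "ip route show table main | grep -Ev '^default' | while read r; do ip route add table $WGTABLE \$r; done"
    if [ "${WANGW_DEFAULT+x}" ]; then
        echo "ip route add default dev $WGIF table $WGTABLE"
    else
        echo "ip route add default dev $WGIF"
        echo "ip route add default via $WAN_GW table $WGTABLE"
    fi
    echo "$RULES" | while read -r sel; do
        [ -n "$sel" ] && echo "ip rule add $sel table $WGTABLE"
    done
    echo "ip route flush cache"
}

# Kill switch: selectors meant for WireGuard may not leave via the WAN directly.
# Only meaningful when the main table defaults to the WAN (WANGW_DEFAULT set),
# which is the note given with the PBR script.
killswitch_commands() {
    if [ -z "${WANGW_DEFAULT+x}" ]; then
        echo "# kill switch skipped: WANGW_DEFAULT is not set" >&2
        return 1
    fi
    echo "$RULES" | while read -r sel; do
        case "$sel" in
            "from "*) echo "iptables -I FORWARD -s ${sel#from } -o \$(get_wanface) $FW_STATE -j REJECT" ;;
            "iif "*)  echo "iptables -I FORWARD -i ${sel#iif } -o \$(get_wanface) $FW_STATE -j REJECT" ;;
        esac
    done
}

# Number of selectors that became ip rules, for a quick sanity check.
pbr_rule_count() { pbr_commands | grep -c '^ip rule add'; }

pbr_commands
killswitch_commands
```

Pipe the output into `sh` on the router only after reading it; the `$(get_wanface)` in the emitted lines is the DD-WRT helper used by the client script above and is expanded when the lines are run there.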
Thank you for this guide!
It worked without a flaw until the most recent release r41791 (12/24/19).
You are aware of it, I know
(https://svn.dd-wrt.com/ticket/6928)
What is your opinion about this?
Should I wait for an upcoming release or enter a new rule into iptables?
Will upcoming releases enable local access by default again?
Am currently not sure how to proceed... feels bad.
The upcoming build will let you disable the patch so you do not have to use the above rule.
Whether you should disable the patch or use the above rules is open to debate and can depend on your threat level and how much trouble you get from SNATting all traffic.
If you are a high-level government target I would enable the patch; for me, where I have my IoT separated and nothing really to fear, I would probably just disable it.
When going to hotels I like using some kind of personal VPN connection over the hotel's WiFi. I was using an R7000 with OpenVPN but it was too bulky in my laptop bag. Now with DD-WRT support and some VPN providers, WireGuard brings new life to old hardware like the E3000 with dual-band radios. Hotel WiFi speeds are very poor so the E3000 works well. I've only tested the travel E3000 at home and I'm able to bypass the FORCED DNS on my network when connected to WireGuard. On an E3000 overclocked to 533MHz (not all support this speed and may brick, plus the USB will not work at this speed), having the wl0 client radio connected to the home WiFi and a laptop connected to the E3000's wl1 5GHz AP to WireGuard, I get 30-35Mbps (down & up).
WL0 Wireless Mode: Client (SSID and password must match the AP it's connecting to)
WL1 Wireless Mode: AP (use whatever settings you want to connect your devices)
Also VAP WL1.1 is added for client connection. In a hotel environment, after setting up the SSID and password on the client radio the device will not get internet access until you go through a hotel web page. So with a device like a laptop, connect to the E3000's VAP and go through the hotel web page to give the E3000 internet access. Once you have access you may need to reboot the E3000 to get WireGuard connected.
Here is my E3000 Travel Router with WireGuard configuration.
Go to (Setup -> Basic Setup) and change the Network Setup to...
Local IP Address: 10.254.110.1
Subnet Mask: 255.255.255.0
Enable NTP Client and select Time-Zone, I leave Server blank and I get the correct time.
<--------FOR OTHER ROUTERS USE THE CORRECT METHOD TO CREATE BR1 & VLAN3 AND ASSIGNMENTS-------->
With the E3000 setting up VLANs is simple: go to (Setup -> Switch Config) and put at least one port on vlan3 (not tagged). This will be used for wired devices accessing WireGuard.
Go to (Setup -> Networking), Create Bridge and add br1; after applying, configure br1 with IP Address and Subnet Mask (I used 10.254.111.1 & 255.255.255.0) and apply.
Also do "Assign to Bridge" you will need 2...
- br1 to vlan3
- br1 to eth2
And apply.
<------------------------------------------------------------------------------------------------------->
Set up Dnsmasq at (Services -> Services): only have Dnsmasq enabled, all others disabled.
Add to Additional Dnsmasq Options the following and save...
This is my Startup Script from (Administration -> Commands)...
Code:
# Travel Router Startup
# Tested Working on E3000 with Build 42132
#
# Re-Start Broadcom Radios to Fix connection to VAP <--------REMOVE FOR NON-BROADCOM OR OTHER ROUTERS
# For Builds 36366+ with Bridged VAPs
stopservice nas
stopservice wlconf
sleep 5
wlconf eth1 up
wlconf eth2 up
startservice nas
#
# Wait Time
sleep 10 # <--------USE 15 IF RE-START RADIO IS NOT USED
#
# Create New Gateway Tables for WireGuard
# http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
# http://www.dd-wrt.com/phpBB2/viewtopic.php?p=954940
#
# Delete and Flush Table
ip route flush table 111
ip route del default table 111
ip rule del fwmark 111 table 111
#ip route flush cache # Flushing is done near end when route tables are done
iptables -t mangle -F PREROUTING
#
# Copy all non-default routes from the main table into table 111(WireGuard).
ip route show table main | grep -Ev ^default | while read ROUTE ; do
ip route add table 111 $ROUTE
done
#
# Create fwmark to table bindings
ip rule add fwmark 110 table main # ISP
ip rule add fwmark 111 table 111 # Tunnel 1 WireGuard
#
# Check that the Default Route was created in the WireGuard Table
ip route del default table 111
oet_def=
while [ -z "$oet_def" ]; do
sleep 10
ip route add default dev oet1 table 111
oet_def="$(ip route show table 111 | awk '/default/ {gsub("default","",$3); print $3}')"
done
#
# ADD WireGuard Host in MAIN Table
DEF_GW=$(/usr/sbin/nvram get wan_gateway)
DEF_IF="eth1" # (wl0) 2.4Ghz Radio is used as Client <--------2.4GHZ RADIO I/F
WG_HOSTNAME1=$(/usr/sbin/nvram get oet1_rem0)
route add -host $WG_HOSTNAME1 gw $DEF_GW dev $DEF_IF
#
# Clear route cache
ip route flush cache
#
# With Build 42132 these RULES will not load under Firewall - ADDED to Startup
# PREROUTING RULES
iptables -t mangle -D PREROUTING -s 10.254.110.0/24 -j MARK --set-mark 110
iptables -t mangle -A PREROUTING -s 10.254.110.0/24 -j MARK --set-mark 110
iptables -t mangle -D PREROUTING -s 10.254.111.0/24 -j MARK --set-mark 111
iptables -t mangle -A PREROUTING -s 10.254.111.0/24 -j MARK --set-mark 111
This is my Firewall Script from (Administration -> Commands)...
Code:
# Travel Router Firewall
# Tested Working on E3000 with Build 42132
#
# FORWARD RULES
# br0=Client Network & br1=WireGuard Network
# Added these Rules for stopping leaks to different gateways (from StrongVPN WireGuard Configuration Script Gen)
# br0 is only for connecting to Client Network so block WireGuard Network
iptables -I FORWARD 5 -i br0 -o oet1 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD 5 -i br0 -p tcp -o oet1 -m state --state NEW -j REJECT --reject-with tcp-reset
# br1 is only for connecting to WireGuard Network so block Client Network
iptables -I FORWARD 5 -i br1 -o eth1 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited # <--------2.4GHZ RADIO I/F
iptables -I FORWARD 5 -i br1 -p tcp -o eth1 -m state --state NEW -j REJECT --reject-with tcp-reset # <--------2.4GHZ RADIO I/F
# Put back on TOP
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# This calculates the proper MSS for your link
# http://lartc.org/howto/lartc.cookbook.mtu-mss.html
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# POSTROUTING RULES
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
Reboot the E3000, connect and test. Sorry I didn't make the script more universal for other routers like egc's scripting. Good luck.
ADDED <-------- to show what changes are required to use on other routers.
_________________ Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
I do have the VPN client running and push only one IP via PBR (SAT receiver) through the VPN. (PBR 192.168.2.98/32)
I don't use the PBR script. Is this OK for using WireGuard or do I need to change something first?
Further I do use the DD-WRT router as WAP and gateway mode is set.
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Sat Feb 08, 2020 8:23 Post subject:
boris03 wrote:
I do have the VPN client running and push only one IP via PBR (SAT receiver) through the VPN. (PBR 192.168.2.98/32)
I don't use the PBR script. Is this OK for using WireGuard or do I need to change something first?
Further I do use the DD-WRT router as WAP and gateway mode is set.
In theory that should be no problem.
Depending on your setup you might need the following firewall rule:
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Mon Feb 10, 2020 9:15 Post subject:
Followed the guide, it worked, testing on iOS for now. Using my router dnsmasq as DNS server for adblocking etc. works. I can ping (most) of my LAN devices and their domain names resolve fine, but I can't access the SMB share from the Windows PC; it will never detect it and manually connecting to it doesn't work either.
No amount of static routing fixes this, and if I static route my subnet again (+ the default), it blocks my devices from accessing the LAN and I have to access the router remotely to remove the static route to restore access.
My LAN is 10.150.10.0/24, currently using 10.149.10.0/24 for WireGuard, but I think the issue is the different subnet. I need it to be PART of my LAN, isn't that a big point about VPN? How do I get that?
With L2TP, PPTP, I can access the SMB share fine over VPN, simple username/password, everything just works.
_________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Mon Feb 10, 2020 9:27 Post subject:
tatsuya46 wrote:
Followed the guide, it worked, testing on iOS for now. Using my router dnsmasq as DNS server for adblocking etc. works. I can ping (most) of my LAN devices and their domain names resolve fine, but I can't access the SMB share from the Windows PC; it will never detect it and manually connecting to it doesn't work either.
No amount of static routing fixes this, and if I static route my subnet again (+ the default), it blocks my devices from accessing the LAN and I have to access the router remotely to remove the static route to restore access.
With L2TP, PPTP, I can access the SMB share fine over VPN.
I still need setup instructions for the iOS client; if you can spare the time please provide some instructions and screenshots, or if you have a link with instructions that is also fine.
Have you tried with the CVE patch disabled?
Maybe I am mistaken but you have a Windows client on your LAN and can not connect to its shares when using Wireguard.
If so consider that the Windows client has its own firewall, I also have to open up the Windows firewall for the subnet of Wireguard when I want to access that from outside via Wireguard.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Mon Feb 10, 2020 9:47 Post subject:
egc wrote:
tatsuya46 wrote:
Followed the guide, it worked, testing on iOS for now. Using my router dnsmasq as DNS server for adblocking etc. works. I can ping (most) of my LAN devices and their domain names resolve fine, but I can't access the SMB share from the Windows PC; it will never detect it and manually connecting to it doesn't work either.
No amount of static routing fixes this, and if I static route my subnet again (+ the default), it blocks my devices from accessing the LAN and I have to access the router remotely to remove the static route to restore access.
With L2TP, PPTP, I can access the SMB share fine over VPN.
I still need setup instructions for the iOS client; if you can spare the time please provide some instructions and screenshots, or if you have a link with instructions that is also fine.
Have you tried with the CVE patch disabled?
Maybe I am mistaken but you have a Windows client on your LAN and can not connect to its shares when using Wireguard.
If so consider that the Windows client has its own firewall, I also have to open up the Windows firewall for the subnet of Wireguard when I want to access that from outside via Wireguard.
As a test perhaps disable the Windows Firewall
It looks basically the same as the Android screenshot in the pdf https://imgur.com/a/fbocz9V ; after scanning the QR code I didn't need to change anything on the client for it to work.
CVE mitigation is disabled; when it's enabled I can't ping my LAN (any device) from the phone, disabled I can as expected.
When I disabled the Windows firewall the SMB share worked. EDIT: my inbound rule was wrong, got it working now while having the firewall on.
Is there a way to just have WireGuard integrate with the LAN subnet so it has direct access more easily?