[egc]

You can consider using the following rule which will SNAT the wireguard adddress to the routers address, you then can enable the CVE patch again.

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE

Now all your clients do not see the Wireguard source address but your routers address

glad you got it working

[tatsuya46]

that firewall rule worked able to access lan without any firewall rules on lan client devices, but gateway on the phone still shows as 10.149.10.1 not 10.150.10.1. with that firewall rule on, and cve mitigation enabled, it will still break ping to wg clients. but i do think that firewall rule should become an option in the wg tunnel gui page (like the cve mitigation did).

there is also a throughput issue, i have 315 down, 21 up, when using wireguard while connected to lan ssid, its capping at 110mbps. turn off wireguard it returns to normal speeds. the wireguard server is on the x86 router, the cpu is at 2% usage during the test.

edit: cant see lan games in server lists, such as borderlands 2 etc, doesnt find any games on the lan..

[mac913]

I have been looking at AzireVPN WireGuard and the they support OpenWRT Routers with both IPv4 & IPv6. I signed up for a month to see if I can port it DD-WRT. I was unable to get IPv6 working on WireGuard.

Question will/does DD-WRT WireGuard support IPv6?

[egc]

[mac913]

[mac913]

[mac913]

egc,

Since current DDWRT builds do not support ip6tables -t nat, I can load Entware. Any guidance on how to get IPv6 working through WireGuard?

TIA!!

[egc]

[mac913]

egc, thanks for your reply.

Currently, wireguard and dated iptables implemented with DDWRT is lacking. I took offline the 3rd R7800 with 3x WireGuard connections with a provider that supports WireGuard IPv4 & IPv6. When I have time I will take a different approach and install Entware's iptables and wireguard.

[mac913]

This morning 2 of the 3 WireGuard connection where down with over 6 hours since the Last Handshake. DD-WRT doesn't support or implemented wg-quick. But I was able to get the connections working by changing the Listen-Port number to a different number.

For example if your Listen-Port is 50000 changed it 50100 with this command wg set oet1 listen-port 50100. This command only changes the current config in RAM which is viewed with wg show oet1 and not changed in NVRAM or GUI.

This can be incorporated in a cron job to be done automatically.

UPDATE2: Changed Script to read nvram port number and cycle from base, +100, +200 and back. Also in case WAN is down 1 hour or more to Override and do port changes if Last Handshake has hour in it.

UPDATE: Here's a script I created to keep WireGuard up and running.

[egc]

It is not totally clear what you want and how you have setup.
Your Asus/DDWRT router is a WireGuard client to your hosted WireGuard server?
You mention the Asus is hooked up through a bridge, what do you mean by this how did you exactly setup?

Does your ISP router not allow to port forward or DMZ?

Do you want to connect with your phone on cellular with a WireGuard client to connect to your Algo WireGuard server and then via that server to connect to your Asus?

If so, you have to setup routing on the server, WireGuard is routed, you are not on the same subnet

[dionhouston]

[mac913]

Sorry don't mean to get off topic.

I have run into issues with ISP's technical support not helping to configure the modem/router combo to bridge mode. Google is your friend!

I have one off-side on a Cable service with a Arris SBG6580 Cable Modem/Router with forced Gateway and Wireless features that I am billed for and I had no choice with their limited plans. Thanks to Google I was able to configure it in Bridged Mode and use my DD-WRT R7000 Router.

At my home I had GigaBit Backbone with VLANs at the time (now 10GE) and when Fibre was getting connected. The installer gave me a hard time with the network at my home and would tell me that there equipment doesn't support 3rd party network devices... So much bull. In the end they were surprised it worked (I wasn't). Later I have removed their Router and broke up TV Services to my DD-WRT E3000 Router and Internet to my DD-WRT R7800s. I only have the ISP's Fiber Optic Modem (ONT) and a my 4-port GigaBit Switch to connect the E3000 & R7800 for TWO Public Addresses (with the ISP wisdom, they only have ONE of the 4 1GE ports enabled on the ONT modem and I had to use a 4-port switch to access the 2 Public Addresses).

[dionhouston]

I definitely don't mind the response and I agree with it! In my case, I live in military housing overseas. Only one ISP, and they're in a special contract. The modem/router (Technicolor - yeah I didn't know they made routers either!) allows separate admin and customer users.

Naturally, they won't give me an admin password, and I've looked at every document I could find on it - it's apparently different from anything - even their outside business customers. I did the same for the PPP username / passwords which is really the key factor - I can reset the modem to factory settings, but without those it's a white brick.

I'm not super upset about it because I had a digital ocean droplet anyway, but no where in the U.S. did I ever have such locked down internet. All well, Sicily is gorgeous any time the whole country isn't on lockdown - I can't complain.

[boebeng]

Hi all,

Thank you @egc for your excellent setup guidance and also the scripts (ddwrt-wireguard-client-script.sh)! I've managed to make a site to site connection with 2 dd-wrt routers. However i still have a problem that the WG server & it's LAN clients can't ping the WG client's LAN.

Here are the conditions:
1. I have a modem (192.168.1.1) with wrt1900ac behind it (192.168.1.2 with subnet 192.168.5.0/24, double NAT) and I've made necessary port forwarding to make WG works

2. wrt1900ac as the server with WG IP address 10.10.0.1, LAN subnet is 192.168.5.0/24, AC68U as client with WG IP address 10.10.0.5, LAN subnet is 10.19.1.0/24

3. wrt1900ac (10.10.0.1) and AC68U (10.10.0.5) can ping each other.
LAN client of AC68U (10.19.1.0/24) CAN ping wrt1900ac (10.10.0.1) & it's LAN client (192.168.5.0/24).
But wrt1900ac (10.10.0.1) and it's LAN client (192.168.5.0/24) CAN'T ping AC68U LAN client (10.19.1.0/24).
192.168.5.0/24 CAN ping only AC68U (10.10.0.5) but not it's LAN client (10.19.1.0/24)

4. I made a crosscheck, on the WG server/wrt1900ac:
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.2 via 192.168.1.1 dev eth1 src 192.168.1.2

on WG client/AC68U
root@RT-AC68U:~# ip route get 192.168.5.1
192.168.5.1 dev oet1 src 10.10.0.5

It seems on the wrt1900ac, the existing iptables rules is routing 10.19.1.0/24 on eth0 to the modem (192.168.1.1), while it should be routed on oet1 to 10.10.0.1.

Question:
1. Does egc script for ddwrt client only allow access from WG client to WG server and not vice versa?
2. How to route the 10.19.1.0/24 via oet 1 to 10.10.0.1?

Thank you in advance!