WireGuard (server) Setup guide

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Wed Apr 01, 2020 10:44
boebeng wrote:
Hi all,

Thank you @egc for your excellent setup guidance and also the scripts (ddwrt-wireguard-client-script.sh)! I've managed to make a site-to-site connection with 2 DD-WRT routers. However, I still have a problem: the WG server and its LAN clients can't ping the WG client's LAN.

Here are the conditions:
1. I have a modem (192.168.1.1) with the wrt1900ac behind it (192.168.1.2, LAN subnet 192.168.5.0/24, double NAT), and I've made the necessary port forwarding to make WG work.

2. wrt1900ac as the server with WG IP address 10.10.0.1, LAN subnet is 192.168.5.0/24, AC68U as client with WG IP address 10.10.0.5, LAN subnet is 10.19.1.0/24

3. wrt1900ac (10.10.0.1) and AC68U (10.10.0.5) can ping each other.
The LAN clients of the AC68U (10.19.1.0/24) CAN ping the wrt1900ac (10.10.0.1) and its LAN clients (192.168.5.0/24).
But the wrt1900ac (10.10.0.1) and its LAN clients (192.168.5.0/24) CAN'T ping the AC68U LAN clients (10.19.1.0/24).
192.168.5.0/24 CAN ping only the AC68U (10.10.0.5), not its LAN clients (10.19.1.0/24).

4. I made a crosscheck, on the WG server/wrt1900ac:
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.2 via 192.168.1.1 dev eth1 src 192.168.1.2

on WG client/AC68U
root@RT-AC68U:~# ip route get 192.168.5.1
192.168.5.1 dev oet1 src 10.10.0.5

It seems that on the wrt1900ac the existing iptables rules are routing 10.19.1.0/24 on eth0 to the modem (192.168.1.1), while it should be routed on oet1 to 10.10.0.1.

Question:
1. Does egc script for ddwrt client only allow access from WG client to WG server and not vice versa?
2. How do I route 10.19.1.0/24 via oet1 to 10.10.0.1?

Thank you in advance!



Does the script only run on the client side?
Is NAT enabled in the script?
Did you disable the CVE patch on the server side?

The route on the server indeed appears wrong, where does it come from?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
boebeng
DD-WRT Novice


Joined: 19 Dec 2016
Posts: 4

Posted: Wed Apr 01, 2020 11:11
egc wrote:
Does the script only run on the client side?
Is NAT enabled in the script?
Did you disable the CVE patch on the server side?

The route on the server indeed appears wrong, where does it come from?


Hi,

Yes, the script is running only on the client side.
Yes, WGNAT is enabled in the script.
Yes, CVE is disabled on both server and client.

I mistyped the IP; it should be
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.1 via 192.168.1.1 dev eth1 src 192.168.1.2

Sorry for the confusion!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Wed Apr 01, 2020 11:39
boebeng wrote:
egc wrote:
Does the script only run on the client side?
Is NAT enabled in the script?
Did you disable the CVE patch on the server side?

The route on the server indeed appears wrong, where does it come from?


Hi,

Yes, the script is running only on the client side.
Yes, WGNAT is enabled in the script.
Yes, CVE is disabled on both server and client.

I mistyped the IP; it should be
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.1 via 192.168.1.1 dev eth1 src 192.168.1.2

Sorry for the confusion!


On the server side you want to route everything for your client's local subnet via the tunnel, so try the following: remove the other rule and add the rule below, and save it in Administration/Save Firewall:
Code:
ip route add 10.19.1.0/24 dev oet1

Assuming oet1 is your tunnel.

Reboot the router and hope for the best.

boebeng
DD-WRT Novice


Joined: 19 Dec 2016
Posts: 4

Posted: Wed Apr 01, 2020 14:12
egc wrote:

On the server side you want to route everything for your client's local subnet via the tunnel, so try the following: remove the other rule and add the rule below, and save it in Administration/Save Firewall:
Code:
ip route add 10.19.1.0/24 dev oet1

Assuming oet1 is your tunnel.

Reboot the router and hope for the best.


I've added the new route, but I still can't ping 10.19.1.0/24.

Here is some more info after adding "ip route add 10.19.1.0/24 dev oet1" to Save Firewall and rebooting:

Code:
root@WRT1900AC:~# ip route show
default via 192.168.1.1 dev eth1
10.10.0.0/24 dev oet1 scope link  src 10.10.0.1
10.19.1.0/24 dev oet1 scope link
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev eth1 scope link  src 192.168.1.2
192.168.5.0/24 dev br0 scope link  src 192.168.5.1


Code:
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.1 dev oet1  src 10.10.0.1


Code:
root@WRT1900AC:~# ping -c 4 10.19.1.1
PING 10.19.1.1 (10.19.1.1): 56 data bytes
ping: sendto: No error information


Anything that I missed?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Wed Apr 01, 2020 14:43
Well, perhaps I missed your build number. Older builds did not unbridge the oet interface and thus had no firewall rules, so make sure the oet interface is unbridged on Setup/Networking.

Reboot both routers and, if you do not have bidirectional access, head over to the troubleshooting section of the guide and dump the necessary information. Also show pictures of the WireGuard page from client and server so that I can see your settings.

boebeng
DD-WRT Novice


Joined: 19 Dec 2016
Posts: 4

Posted: Wed Apr 01, 2020 17:43
egc wrote:
Well, perhaps I missed your build number. Older builds did not unbridge the oet interface and thus had no firewall rules, so make sure the oet interface is unbridged on Setup/Networking.

Reboot both routers and, if you do not have bidirectional access, head over to the troubleshooting section of the guide and dump the necessary information. Also show pictures of the WireGuard page from client and server so that I can see your settings.

Hi egc,

The wrt1900ac is using r42557 and the AC68U is using r42747.
On Setup - Networking, both routers have oet1 unbridged and Masquerade/NAT enabled.

Finally I managed to get it working by adding 10.19.1.0/24 to the server's Allowed IPs. I guess since this is a peer-to-peer connection, both sides must define which subnet they intend to access.

So I learned a lot today, and thank you very much for taking some time to look into my problem and give me some guidance. I'm a happy guy now!

Cheers!
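The fix boebeng found is WireGuard's cryptokey routing at work, and it is worth seeing why the kernel route alone was not enough. A peer's Allowed IPs serve two purposes. On the way out, WireGuard picks the peer whose allowed IP most specifically covers the destination; with no match it refuses the packet with ENOKEY, and the kernel route `10.19.1.0/24 dev oet1` only delivers the packet to the interface, it creates no peer. That is the most likely reason the ping above failed with the unhelpful "sendto: No error information" even after the route was in place. On the way in, a decrypted packet is dropped unless its source address maps back to the peer it came from; the client script's MASQUERADE hid that rule, because packets from 10.19.1.x reached the server with source 10.10.0.5. The Python model below is an added example for this page, not DD-WRT or WireGuard code; the peer name, the sample `wg show oet1 allowed-ips` output it parses and the addresses are constructed from the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# Peer table keyed by a short peer name (stands in for the public key).
# Values are the peer's allowed IPs as printed by `wg show <iface> allowed-ips`.
PeerTable = Dict[str, List[str]]


def parse_wg_allowed_ips(text: str) -> PeerTable:
    """Parse `wg show <iface> allowed-ips` output: one line per peer,
    '<public-key>\\t<allowed-ip> <allowed-ip> ...' or '<public-key>\\t(none)'."""
    peers: PeerTable = {}
    for line in text.strip().splitlines():
        key, _, nets = line.partition("\t")
        peers[key] = [] if nets.strip() == "(none)" else nets.split()
    return peers


def select_peer(peers: PeerTable, dst: str) -> Optional[str]:
    """Egress: the peer whose allowed IP most specifically covers dst.
    None means no peer matches; the module then refuses the packet (ENOKEY)
    regardless of what the kernel routing table says."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer, nets in peers.items():
        for net in nets:
            n = ipaddress.ip_network(net, strict=False)
            if addr in n and n.prefixlen > best_len:
                best, best_len = peer, n.prefixlen
    return best


def accept_inbound(peers: PeerTable, from_peer: str, src: str) -> bool:
    """Ingress: a decrypted packet is kept only if its source address maps
    back to the peer that sent it; otherwise WireGuard drops it silently."""
    return select_peer(peers, src) == from_peer


# Constructed samples (key shortened); before/after mirror the server's peer
# entry for the AC68U without and with 10.19.1.0/24 in its Allowed IPs.
SERVER_BEFORE = parse_wg_allowed_ips("AC68Upubkey=\t10.10.0.5/32\n")
SERVER_AFTER = parse_wg_allowed_ips("AC68Upubkey=\t10.10.0.5/32 10.19.1.0/24\n")


def site_to_site_results() -> dict:
    """Both directions of the thread's problem, before and after the fix."""
    return {
        # server (or 192.168.5.x) -> 10.19.1.1: no peer owns the subnet before the fix
        "server_to_client_lan_before": select_peer(SERVER_BEFORE, "10.19.1.1"),
        "server_to_client_lan_after": select_peer(SERVER_AFTER, "10.19.1.1"),
        # 10.19.1.x -> server with the client script's MASQUERADE: the source is
        # 10.10.0.5, which is why client LAN -> server worked all along
        "client_lan_with_nat_before": accept_inbound(SERVER_BEFORE, "AC68Upubkey=", "10.10.0.5"),
        # the same packet without NAT on the client: dropped until the subnet is allowed
        "client_lan_without_nat_before": accept_inbound(SERVER_BEFORE, "AC68Upubkey=", "10.19.1.20"),
        "client_lan_without_nat_after": accept_inbound(SERVER_AFTER, "AC68Upubkey=", "10.19.1.20"),
    }


if __name__ == "__main__":
    for name, value in site_to_site_results().items():
        print(f"{name}: {value}")
```

On the router itself the same check is `wg show oet1 allowed-ips` next to `ip route get 10.19.1.1`: the route has to point at oet1 and some peer has to own the subnet, and a site-to-site setup needs both on each side.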
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Wed Apr 01, 2020 17:54
boebeng wrote:
egc wrote:
Well, perhaps I missed your build number. Older builds did not unbridge the oet interface and thus had no firewall rules, so make sure the oet interface is unbridged on Setup/Networking.

Reboot both routers and, if you do not have bidirectional access, head over to the troubleshooting section of the guide and dump the necessary information. Also show pictures of the WireGuard page from client and server so that I can see your settings.

Hi egc,

The wrt1900ac is using r42557 and the AC68U is using r42747.
On Setup - Networking, both routers have oet1 unbridged and Masquerade/NAT enabled.

Finally I managed to get it working by adding 10.19.1.0/24 to the server's Allowed IPs. I guess since this is a peer-to-peer connection, both sides must define which subnet they intend to access.

So I learned a lot today, and thank you very much for taking some time to look into my problem and give me some guidance. I'm a happy guy now!

Cheers!


Glad you got it working.

avalx
DD-WRT Novice


Joined: 23 Nov 2017
Posts: 5

Posted: Thu Apr 02, 2020 9:15
Just want to say thank you for this excellent guide. I got WireGuard working on my Netgear R7000 and Android client in no time.

The only thing that is causing me some problems is accessing SMB shares from my phone to my internal file server (Linux Samba). But that is another story and I'll have to check my Windows/SMB settings locally.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Thu Apr 02, 2020 9:20
avalx wrote:
Just want to say thank you for this excellent guide. I got WireGuard working on my Netgear R7000 and Android client in no time.

The only thing that is causing me some problems is accessing SMB shares from my phone to my internal file server (Linux Samba). But that is another story and I'll have to check my Windows/SMB settings locally.


Good to hear. Yes, SMB is a real problem; we switched to the new KSMBD, which is a WIP. Some Android apps appear to work, and it sometimes helps to set the minimum protocol version to NT 1.0 (on the Services/NAS tab), but I myself switched back to the older Samba36.

tembares
DD-WRT Novice


Joined: 10 Jul 2012
Posts: 28
Location: Sint Maarten, D.W.I

Posted: Sat Apr 04, 2020 14:05
egc wrote:
Script to set up a DD-WRT router as a WireGuard client

Code:
#=======BEGIN ddwrt-wireguard-client-script.sh=========
SCRIPT="/tmp/ddwrt-wireguard-client-script.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#DEBUG= # uncomment/comment to enable/disable debug mode
SLEEP=0 # runs continuously, executing every [SLEEP] seconds; if SLEEP=0 it runs only once
WGNAT= # uncomment/comment to enable/disable SNAT over the oet interface
WGPEER=0 # do not change
WGDELRT="/tmp/wg-delete-routes" # undo list: every rule/route added below is recorded here so it can be removed again
[ ${DEBUG+x} ] && set -x
# undo everything recorded in $WGDELRT; silent, and a no-op on the first run when the file does not exist yet
undo_routes() {
    [ -f "$WGDELRT" ] && (while read route; do $route; done < "$WGDELRT") >/dev/null 2>&1
}
while :; do
    # check if the interface is enabled, if not go to sleep
    if [ "$(nvram get oet_tunnels)" -eq 1 ] && [ "$(nvram get oet1_en)" -eq 0 ]; then
        logger "$(basename $0)[$$] No tunnel interface enabled, going to sleep"
        undo_routes
        #WGIF= # this will recreate the routes when Disabled/Enabled
    else
        # wait for the interface
        SLEEPCT=0
        # this will recreate all routes every time it runs
        WGIF=
        while [ -z "$WGIF" ]; do
            sleep 10
            WGIF="$(wg | awk '/^interface:/ {print $2}')"
            SLEEPCT=$((SLEEPCT+10))
            if [ -n "$WGIF" ]; then
                undo_routes
                logger "$(basename $0)[$$] it took $SLEEPCT seconds to get the WireGuard interface up, now executing"
                #egc: MASQUERADE over the wireguard interface
                echo "iptables -t nat -D POSTROUTING -o $WGIF -j MASQUERADE" > $WGDELRT
                [ ${WGNAT+x} ] && iptables -t nat -I POSTROUTING -o $WGIF -j MASQUERADE
                #egc: provide a way out if set to client and everything is routed via the oet interface
                # use route add -host because the endpoint can be a host name
                echo "route del -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)" >> $WGDELRT
                route add -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)
                #egc: add routes based on the allowed IPs
                # note: 0.0.0.0/0 collides with the existing default route ("File exists"), use 0.0.0.0/1,128.0.0.0/1 instead
                for aip in $(nvram get ${WGIF}_aip${WGPEER} | sed "s/,/ /g"); do
                    #echo $aip #debug
                    echo "ip route del $aip dev $WGIF" >> $WGDELRT
                    ip route add $aip dev $WGIF
                done
                #end add routes
                ip route flush cache
            elif [ $SLEEPCT -gt 60 ]; then
                logger "$(basename $0)[$$] Could not detect WireGuard interface after $SLEEPCT seconds, going to sleep"
                break
            fi
        done
    fi
    # stop running if SLEEP=0
    [ $SLEEP -gt 0 ] && sleep $SLEEP || break
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END ddwrt-wireguard-client-script.sh=========


I followed your instructions and used the script above to set up a WireGuard Client.

There is a handshake.
Code:
root@router:~# wg
interface: oet1
  public key: 1dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJ=
  private key: (hidden)
  listening port: 51840

peer: FO1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxjzM=
  endpoint: 190.2.141.162:51840
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 12 seconds ago
  transfer: 184 B received, 584 B sent
  persistent keepalive: every 25 seconds


I got this far with other scripts too, but then I had no internet connection anymore, maybe because of the routing.

AFAIK the routing table is not set the right way:
Code:
root@router:~# ip route show
default via 192.168.3.1 dev vlan2
127.0.0.0/8 dev lo scope link
172.16.0.0/24 dev br0 scope link  src 172.16.0.1
190.2.141.162 via 192.168.3.1 dev vlan2
192.168.3.0/24 dev vlan2 scope link  src 192.168.3.9


I don't have the knowledge to change it; can you assist me with it?

I saw in another thread that you asked for the results from /var/log/messages:
Code:
root@router:/tmp# grep -i wireguard /var/log/messages
Apr  4 17:31:20 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr  4 17:31:20 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr  4 17:32:12 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr  4 17:32:13 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr  4 17:32:14 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr  4 17:32:14 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr  4 17:32:24 router user.notice ddwrt-wireguard-client-script.s: /tmp/ddwrt-wireguard-client-script.sh: line 28: can't open /tmp/wg-delete-routes: no such file
Apr  4 17:32:24 router user.notice root: ddwrt-wireguard-client-script.sh[2410] it took 10 seconds to get the Wireguard interface up, now excuting
Apr  4 17:32:24 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists
Apr  4 17:32:25 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: No such process
Apr  4 17:32:25 router user.notice root: ddwrt-wireguard-client-script.sh[2611] it took 10 seconds to get the Wireguard interface up, now excuting
Apr  4 17:32:25 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists
Apr  4 17:47:06 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: No such process
Apr  4 17:47:06 router user.notice root: ddwrt-wireguard-client-script.sh[3079] it took 10 seconds to get the Wireguard interface up, now excuting
Apr  4 17:47:06 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists


To complete it all, I attached a txt-file with more results you asked for in other threads.

I changed my router's LAN from the 192.168.1.0/24 range to 172.16.0.0/24 and set a static WAN IP (192.168.3.9, gateway 192.168.3.1). 192.168.3.1 is also a router (not at my place). I added a port forwarding:
Code:
External Port Start           51820
External Port End             51850
Protocol                      TCP/UDP
Internal Port Start           51820
Internal Port End             51850
Server IP Address or Hostname 192.168.3.9


I hope you can help me getting it to work.

Thank you in advance.

_________________
Netgear R6700v3 (from MAR2020) - Firmware: DD-WRT v3.0-r42819 std (03/30/20)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Apr 04, 2020 14:23
What model router, what build number?

You are setting up a WireGuard client to a VPN provider? If so, which one?

Your interface is maybe not set up at all; at least there is no oet1 in your routing table.

From the CLI do:
Code:
ifconfig

and show the output.

Furthermore, show a picture of your WireGuard setup page.

tembares
DD-WRT Novice


Joined: 10 Jul 2012
Posts: 28
Location: Sint Maarten, D.W.I

Posted: Sat Apr 04, 2020 14:40
Firmware: DD-WRT v3.0-r42819 std (03/30/20)
Router: Netgear R6700v3

WireGuard provider: TunSafe (www.tunsafe.com)
At tunsafe.com I downloaded a configuration file. In that file there is also a DNS entry: 1.1.1.1.
I don't need to use it anywhere, right?

ifconfig
Code:
br0       Link encap:Ethernet  HWaddr 28:80:88:29:AE:A6
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2a80:88ff:fe29:aea6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143426 errors:0 dropped:527 overruns:0 frame:0
          TX packets:146742 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20062238 (19.1 MiB)  TX bytes:152161002 (145.1 MiB)

eth0      Link encap:Ethernet  HWaddr 28:80:88:29:AE:A6
          inet6 addr: fe80::2a80:88ff:fe29:aea6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:165259 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131169 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153521851 (146.4 MiB)  TX bytes:35507650 (33.8 MiB)
          Interrupt:179 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 28:80:88:29:AE:A8
          inet6 addr: fe80::2a80:88ff:fe29:aea8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77278 errors:0 dropped:31 overruns:0 frame:18957
          TX packets:100138 errors:234 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13584693 (12.9 MiB)  TX bytes:70959405 (67.6 MiB)
          Interrupt:163

eth2      Link encap:Ethernet  HWaddr 28:80:88:29:AE:B9
          inet6 addr: fe80::2a80:88ff:fe29:aeb9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:83 overruns:0 frame:435
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:169

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
          RX packets:69 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:10559 (10.3 KiB)  TX bytes:10559 (10.3 KiB)

oet1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.12.199.205  P-t-P:10.12.199.205  Mask:255.0.0.0
          UP POINTOPOINT RUNNING NOARP PROMISC  MTU:1460  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:2668 (2.6 KiB)  TX bytes:9828 (9.5 KiB)

vlan1     Link encap:Ethernet  HWaddr 28:80:88:29:AE:A6
          inet6 addr: fe80::2a80:88ff:fe29:aea6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4150877 (3.9 MiB)  TX bytes:23262559 (22.1 MiB)

vlan2     Link encap:Ethernet  HWaddr 28:80:88:29:AE:A7
          inet addr:192.168.3.9  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::2a80:88ff:fe29:aea7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133801 errors:0 dropped:1 overruns:0 frame:0
          TX packets:91775 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145735276 (138.9 MiB)  TX bytes:11719799 (11.1 MiB)

wl0.1     Link encap:Ethernet  HWaddr 2A:80:88:29:AE:A9
          inet6 addr: fe80::2880:88ff:fe29:aea9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:8 overruns:0 frame:18957
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.2     Link encap:Ethernet  HWaddr 2A:80:88:29:AE:AA
          inet6 addr: fe80::2880:88ff:fe29:aeaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39604 errors:0 dropped:8 overruns:0 frame:18957
          TX packets:72583 errors:100 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4983944 (4.7 MiB)  TX bytes:72877275 (69.5 MiB)


I attached a screenshot of the TUNNELS-page.

Thank you so much for looking into this.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Apr 04, 2020 14:51
OK, there is something really odd: your interface oet1 is configured as a point-to-point setup (netmask 255.255.255.255), therefore there is no route.

Your picture shows something different; it shows a netmask of 255.0.0.0, which is the right one and should make a route.

The Allowed IPs are also wrong; they should be
Code:
0.0.0.0/1,128.0.0.0/1

That is detailed in the guide.

Change the Allowed IPs, Save/Apply and reboot the router, then show (after about a minute):
Code:
ifconfig
ip route show
wg

The guide is not specifically for TunSafe; I will have a look to see if they have instructions.
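Why the guide wants 0.0.0.0/1,128.0.0.0/1 rather than 0.0.0.0/0 becomes clear from what the client script does with the Allowed IPs field: it runs `ip route add $aip dev oet1` for each entry. A second 0.0.0.0/0 route collides with the WAN default route already in the table and is rejected with the "RTNETLINK answers: File exists" that appears in the log above, so nothing enters the tunnel. Two /1 routes are more specific than the default route and take over every destination without replacing it, while the /32 escape route the script adds for the endpoint is more specific still and keeps the encrypted UDP packets on the WAN instead of looping them back into oet1. The Python model below is an added example for this page, not DD-WRT or iproute2 code; it rebuilds the R6700v3 routing table from the posts above and ignores metrics and policy routing (a real kernel does accept a second default route with a different metric).

```python
import ipaddress
from typing import List, Optional, Tuple


class RouteTable:
    """Minimal model of one kernel routing table (no metrics, no policy rules)."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str, Optional[str]]] = []

    def add(self, prefix: str, dev: str, via: Optional[str] = None) -> None:
        """`ip route add`: a second route for an identical prefix in the same table is
        rejected with EEXIST, which iproute2 prints as 'RTNETLINK answers: File exists'."""
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net == existing for existing, _, _ in self.routes):
            raise FileExistsError(f"RTNETLINK answers: File exists ({prefix})")
        self.routes.append((net, dev, via))

    def lookup(self, dst: str) -> Optional[str]:
        """`ip route get`: the longest matching prefix wins, the default route last."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _, dev, _ = max(matches, key=lambda r: r[0].prefixlen)
        return dev


def client_table() -> RouteTable:
    """Routing table of the R6700v3 post, before the allowed-IP routes are added."""
    t = RouteTable()
    t.add("0.0.0.0/0", "vlan2", via="192.168.3.1")          # WAN default route
    t.add("172.16.0.0/24", "br0")                            # LAN
    t.add("192.168.3.0/24", "vlan2")                         # WAN subnet
    t.add("10.0.0.0/8", "oet1")                              # from oet1's 255.0.0.0 netmask
    t.add("190.2.141.162/32", "vlan2", via="192.168.3.1")    # script's escape route to the endpoint
    return t


def apply_allowed_ips(t: RouteTable, allowed_ips: str) -> str:
    """What the script's `ip route add $aip dev oet1` loop does with the Allowed IPs field."""
    try:
        for aip in allowed_ips.split(","):
            t.add(aip, "oet1")
        return "ok"
    except FileExistsError:
        return "EEXIST"


def compare_allowed_ips() -> dict:
    """Allowed IPs 0.0.0.0/0 versus 0.0.0.0/1,128.0.0.0/1 on the same starting table."""
    out = {}
    full = client_table()
    out["full_add"] = apply_allowed_ips(full, "0.0.0.0/0")   # collides with the default route
    out["full_internet"] = full.lookup("8.8.8.8")            # still vlan2: nothing enters the tunnel
    split = client_table()
    out["split_add"] = apply_allowed_ips(split, "0.0.0.0/1,128.0.0.0/1")
    out["split_internet"] = split.lookup("8.8.8.8")          # oet1: /1 beats /0
    out["split_endpoint"] = split.lookup("190.2.141.162")    # vlan2: the /32 beats 128.0.0.0/1
    out["split_lan"] = split.lookup("172.16.0.5")            # br0: /24 beats /1
    out["split_wan_gw"] = split.lookup("192.168.3.1")        # vlan2
    return out


if __name__ == "__main__":
    for name, value in compare_allowed_ips().items():
        print(f"{name}: {value}")
```

The model explains the routes only; whether a given provider actually passes traffic once the routes are right is a separate question, and the `ip route show` output in the next post is exactly the "split" table above.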

tembares
DD-WRT Novice


Joined: 10 Jul 2012
Posts: 28
Location: Sint Maarten, D.W.I

Posted: Sat Apr 04, 2020 15:05
My apologies, I saw the netmask mistake when I made the screenshot, but I had already put the ifconfig output in the text. I edited it later, but you were too fast in replying.

After making the adjustments, I have the following results:
Code:
root@router:~# ip route show
0.0.0.0/1 dev oet1 scope link
default via 192.168.3.1 dev vlan2
10.0.0.0/8 dev oet1 scope link  src 10.12.199.205
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
172.16.0.0/24 dev br0 scope link  src 172.16.0.1
190.2.141.162 via 192.168.3.1 dev vlan2
192.168.3.0/24 dev vlan2 scope link  src 192.168.3.9
root@router:~#
root@router:~#
root@router:~# wg
interface: oet1
  public key: 3xxxxxxxxxxxxxxxxxxxxxxxxxI=
  private key: (hidden)
  listening port: 51840

peer: Fxxxxxxxxxxxxxxxxxxxxxxxxxx=
  endpoint: 190.2.141.162:51840
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 1 minute, 2 seconds ago
  transfer: 13.27 KiB received, 269.23 KiB sent
  persistent keepalive: every 25 seconds


There is no WAN internet connection. I had to delete the 'firewall script' to get connected to the world again.

Any suggestions?

tembares
DD-WRT Novice


Joined: 10 Jul 2012
Posts: 28
Location: Sint Maarten, D.W.I

Posted: Sat Apr 04, 2020 15:27
Another edit I made in my post: TunSafe comes with a DNS entry (1.1.1.1) that I have not put anywhere in the settings. Should I put it as Peer DNS?