Posted: Sun Sep 26, 2021 20:49 Post subject: [SOLVED] Wireguard commands to enable, disable tunnels
Firmware: DD-WRT v3.0-r47481 std (09/24/21)
Router: ASUS RT AC68U
I'm looking for Wireguard commands to enable, disable or switch tunnels through SSH terminal. I have setup 2 tunnels, oet1 and oet2, through GUI, and they are working just fine.
Code:
wg --help
doesn't list `up` or `down` that I would use on a Linux machine, e.g.:
Code:
wg-quick up wg0
And it sounds like
Code:
wg-quick
is not there on the router.
Also, can I create/edit config files directly through terminal (not using GUI at all)? like:
Code:
sudo nano /etc/wireguard/wg0.conf
As I couldn't find Wireguard directory under /etc.
Thank you. Also, is it possible to create/edit tunnel through SSH terminal?
Just in case anyone comes across this, here are the complete commands (thanks to egc):
To enable and start:
Code:
ssh root@192.168.1.1 "nvram set oet1_en=1 && nvram commit && ip link set oet1 up && /etc/config/eop-tunnel.prewall && /etc/config/eop-tunnel.firewall" > /dev/null 2>&1;
To disable and stop:
Code:
ssh root@192.168.1.1 "nvram set oet1_en=0 && nvram commit && ip link set oet1 down" > /dev/null 2>&1;
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Tue Sep 28, 2021 15:36 Post subject:
You can configure as many tunnels as you want and stop/start these.
The GUI is basically setting nvram variables, so in theory you can change anything from the command line.
The next update will add a failover group so you can put a number of tunnels in a fail group, and if one goes down the next in line is started automatically.
You can configure as many tunnels as you want and stop/start these.
The GUI is basically setting nvram variables, so in theory you can change anything from the command line.
Thanks a lot, and how could I create a new tunnel using command line please. I'm looking for a location of oet1 conf file or something similar. I have read Wireguard server and client guides but did not find any commands there.
Posted: Wed Sep 29, 2021 6:53 Post subject:
Squashfs (the filesystem of DDWRT and many embedded devices) is a read-only file system (it makes some temporary settings but these are gone on reboot).
To store settings it uses nvram commands to store things in flash.
The settings of wg can be viewed from the command line with:
Code:
nvram show | grep oet1
wg is set up with the usual wg set commands retrieved from the nvram parameters.
To set up a tunnel there is an Import config button that lets you import wg.conf files and sets up a tunnel for you with only a few mouse clicks.
Basically that is translating the conf parameters into nvram parameters and setting up the new tunnel for you.
Of course you can use the wg set command to set up a tunnel all by yourself; DDWRT is just basic Linux, but of course you have to set up the interface, do the routing and firewall etc. all by yourself.
You can configure as many tunnels as you want and stop/start these.
The GUI is basically setting nvram variables, so in theory you can change anything from the command line.
The next update will add a failover group so you can put a number of tunnels in a fail group, and if one goes down the next in line is started automatically.
It will also add more granular policy based routing.
_________________ Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Posted: Thu Sep 30, 2021 10:39 Post subject:
It is feature complete and running on my test router.
Currently I am on holiday but will return in two weeks. I then have to do some more testing, so I hope you can see it in about 4 weeks give or take (if it is accepted).
Squashfs (the filesystem of DDWRT and many embedded devices) is a read-only file system (it makes some temporary settings but these are gone on reboot).
This answers most of the questions I had.
egc wrote:
Perhaps tell us what your problem is you are trying to solve so that we can think of different solutions?
There aren't any problems I am having at the moment. I was just wondering about command line so I can implement Wireguard on quite a few routers with similar configuration, but you've answered that already.
It is feature complete and running on my test router.
Currently I am on holiday but will return in two weeks. I then have to do some more testing, so I hope you can see it in about 4 weeks give or take (if it is accepted).
After that you will hopefully get some enhancements for PBR see picture
ssh root@192.168.1.1 "nvram set oet1_en=1 && nvram commit && ip link set oet1 up && /etc/config/eop-tunnel.prewall && /etc/config/eop-tunnel.firewall" > /dev/null 2>&1;
To disable and stop:
Code:
ssh root@192.168.1.1 "nvram set oet1_en=0 && nvram commit && ip link set oet1 down" > /dev/null 2>&1;
Very interested in having this work and ran across this helpful post. Having 16 WG tunnels, I modified the code in order to disable WHATEVER oet<x> tunnel is enabled. Then one can simply enter the number of the tunnel they would like to enable afterwards.
To Disable Current Tunnel:
Code:
# ifconfig -a can list several oet interfaces, so handle each name separately
for INTERFACE in $(ifconfig -a | awk '/^oet/{print $1}'); do
    nvram set "${INTERFACE}_en=0" && nvram commit && ip link set "$INTERFACE" down > /dev/null 2>&1
    echo "Interface ${INTERFACE} is now disabled."
done
To Enable Specific Tunnel (Enter ONLY single digit when prompted, i.e. entering "3" will enable oet3):
Code:
read -p "Enter the interface number: " INTERFACE_NUMBER
INTERFACE="oet${INTERFACE_NUMBER}"
nvram set "${INTERFACE}_en=1" && nvram commit && ip link set "${INTERFACE}" up && /etc/config/eop-tunnel.prewall && /etc/config/eop-tunnel.firewall > /dev/null 2>&1
echo "Interface ${INTERFACE} is now enabled."
The disable command doesn't seem to actually STOP the WG tunnel, like if you were in the GUI and only the SAVE button was pressed but not APPLY SETTINGS. The same with the enable command, it doesn't actually start the tunnel, it just enables it. Hoping someone can shed some light on this because using just a couple of SH snippets to switch tunnels would be great.
_________________ Linksys EA8500
v3.0-r53562 std (10/03/23)
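Added example, not part of any post in this thread: a small POSIX sh wrapper around the enable/disable command chains quoted above that checks the tunnel number before anything is sent to the router's root shell, and prints the ssh command instead of running it unless DRY_RUN=0. The function names, the MAX_TUNNEL bound of 16 and the DRY_RUN switch are assumptions made for this example; it only reuses the commands already posted and does not change what they do on the router.

```shell
#!/bin/sh
# Added example. Builds the thread's nvram/ip command chains for a validated oet<N>.
MAX_TUNNEL=16   # assumption: upper bound, taken from the 16 tunnels mentioned above

# Accept only a plain decimal 1..MAX_TUNNEL with no leading zero, so that
# nothing but digits is ever interpolated into the root command line.
valid_tunnel() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 2 ] && [ "$1" -le "$MAX_TUNNEL" ]
}

# Print the router-side command for "up" or "down"; return 1 on any bad input.
tunnel_cmd() {
    valid_tunnel "$1" || return 1
    ifc="oet$1"
    case "$2" in
        up)   echo "nvram set ${ifc}_en=1 && nvram commit && ip link set ${ifc} up && /etc/config/eop-tunnel.prewall && /etc/config/eop-tunnel.firewall" ;;
        down) echo "nvram set ${ifc}_en=0 && nvram commit && ip link set ${ifc} down" ;;
        *)    return 1 ;;
    esac
}

# usage: apply_tunnel <router> <number> <up|down>
# Prints the ssh command by default; set DRY_RUN=0 to actually run it.
apply_tunnel() {
    cmd=$(tunnel_cmd "$2" "$3") || { echo "rejected: tunnel='$2' action='$3'" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ssh root@$1 \"$cmd\""
    else
        ssh "root@$1" "$cmd"
    fi
}

# Dry-run demonstration against the router address used in the first post.
apply_tunnel 192.168.1.1 3 up
```

Looping `apply_tunnel` over a list of router addresses covers the case of applying the same switch to several routers.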