Joined: 30 Dec 2018
|Posted: Sat Jan 05, 2019 17:50 Post subject: WireGuard VPN client running on DDWRT
I have posted this information as an additional resource to the two following threads:
Special thanks to @Shinzu and @Pandora-Box for their posts.
I have WireGuard server running on a VPS in the USA, and 2 DDWRT routers, ASUS RT-AC68U and Netgear R7000 running as WireGuard clients on the latest Kong firmware (Sept 23/18). Many devices are using the VPN, including Chromecast, Roku, Google Home Mini, several MacOS machines, Samsung Tablets and Samsung Phones. The setup has been rock stable for several days now. The WG client routers are each on their own separate LAN subnet. My main router is also an R7000 running a recent Kong firmware, but minus the WG client software. I previously used Algo VPN client software, which was terrific and first introduced me to WireGuard last summer when TrailofBits included it in their Algo install scripts.
I run the minimum IPV4 instance available at Vultr. Its 20gb/1vcpu/512mb/500GB combo @ 3.50 per month is a winner. We're on 50mbit DSL about 150km from the server, we get no speed loss or packet loss whatsoever running through the WG server at such a close distance. There is zero speed/ping difference between the VPN connection and our regular ISP connection. I keep a WG base install (with all security settings in place) backup up as a snapshot, so destroying and redeploying a WG server instance is literally a 5 minute operation. At home, a couple of IP changes in the router NVRAM and everything is back up really quickly. I like that.
Just like @Pandora-Box, my WireGuard server setup was done by following the guide on the following site:
DDWRT WG Client Setup
I've been running DDWRT for over a decade, and am partial to the Kong builds. I purchase my routers based on compatibility with his releases. After reading Shinzu's post about modding the Kong firmware via the commandline to run WireGuard, I went out and purchased two compatible routers on a Boxing Day sale. I didn't want to risk compromising my main R7000, as I knew this could be a challenging and time consuming venture before all was running to plan. Besides that, I wanted WireGuard on separate deeper subnets anyway, not directly facing the internet.
The fresh out-of-the-box Netgear R7000 was chosen first for the operating table. I saw the @liverpoolatnight post on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&postdays=0&postorder=asc&start=30 (Thanks!) and noticed the 'WireGuard' option in a pulldown menu portion of the graphic that he included in the post. I decided (like @Pandora-Box) that installing the BS firmware would allow me to grab the required WG files and nvram settings directly off the router before reinstalling DDWRT with a Kong build. I kept a list of steps as I went through the process. This list may seem redundant for experienced users, but I wrote is so as even a newcomer to DDWRT may find this useful.
Netgear R7000 Wireguard Client Installation
1. Install BrainSlayer r37860 first
2. Mount /JFFS to USB storage and share it via Samba
3. Moved all required files (as per Shinzu's post) to /JFFS and grab with MacOS
4. Copiy all oet1 settings from nvram to a text file in MacOS
5. Save all files in a secure location for later use
Install Kong DDWRT on R7000
1. Flash dd-wrt.K3_R7000.chk from http://www.desipro.de/ddwrt/K3-AC-Arm/
2. Enable SSH and set RSA Authorized Key
3. SSH into email@example.com and 'erase nvram' / Reboot
4. Flash dd-wrt.v24-K3_AC_ARM_STD.bin from http://www.desipro.de/ddwrt/K3-AC-Arm/
5. Reboot / Enable SSH / Set RSA Authorized Key
6. SSH into firstname.lastname@example.org and 'erase nvram' / Reboot
7. Set up WiFi / Enable SSH / Set RSA Authorized Key
Create Linux USB Stick for external storage
1. Use a small USB stick <= 8GB
2. Follow instructions at:
(Make sure to include the JFFS partition on the USB)
3. Plug USB into R7000
4. Services/USB -
enable Core USB Support / enable USB Storage Support / enable Automatic Drive Mount
5. Disk Info - /opt and swap should now both be mounted
6. Administration/JFFS2 Support - enable Internal Flash Storage / enable Clean Internal Flash Storage
7. Reboot R7000
Required Software Installation
1. SSH into R7000
2. Install Entware -
3. Install Nano - opkg install nano
4. Install SFTP - opkg install openssh-sftp-server
5. Test SFTP - sftp email@example.com (SSH Authorized Key must be properly configured)
Install Wireguard Binaries & Scripts
(Please note that all Supporting Code for scripts/firewall is at the end of this post)
1. Use SSH connected to ddwrt
2. Use sftp connected to ddwrt as in (5) above (using binaries stored on local filesystem)
put <local binaries folder>/wg /opt/bin/wg
put <local binaries folder>/libmnl.so /opt/lib/libmnl.so
put <local binaries folder>/libmnl.so.0 /opt/lib/libmnl.so.0
put <local binaries folder>/libmnl.so.0.2.0 /opt/lib/libmnl.so.0.2.0
put <local binaries folder>/wireguard.ko /opt/etc/wireguard/wireguard.ko
put <local binaries folder>/eop-tunnel.firewall
put <local binaries folder>/eop-tunnel.startup /jffs/etc/config/eop-tunnel.startup
put <local binaries folder>/wireguard-init.sh /jffs/etc/wireguard/wireguard-init.sh
put <local binaries folder>/wireguard-nvram.sh /jffs/etc/wireguard/wireguard-nvram.sh
put <local binaries folder>/wireguard-firewall.txt /jffs/etc/wireguard/wireguard-firewall.txt
3. SSH into ddwrt and use Nano to edit eop-tunnel.startup
Change line 27 that says 'insmod wireguard' to 'insmod /opt/etc/wireguard/wireguard.ko'
CTRL-X and Save file
4. SSH into ddwrt and use Nano to edit wireguard-nvram.sh
Change all variables to match the current WireGuard configuration
CTRL-X and Save file
5. Copy the content of wireguard-firewall.txt to the clipboard
6. Paste the clipboard into the DDWRT GUI Administration Commands box and Save Firewall
7. Execute the nvram script in /jffs/etc/wireguard
8. Execute init and route fix scripts in /jffs/etc/wireguard
(Cross fingers and verify that WireGuard is running and handshake with server has occurred)
Supporting Code for Scripts and Firewall
echo "Configuring WireGuard tunnel..."
nvram set oet1_en="1"
echo "Configuring Firewall..."
echo "Modifying Route tables..."
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
WANGWY=$(/usr/sbin/nvram get wan_gateway)
/sbin/route add -host $WGSERVER gw $WANGWY dev vlan2
/sbin/route del default
/sbin/route add default dev oet1
echo "Completed WireGuard Setup."
firewall.txt (paste this into DDWRT GUI Firewall)
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source 'nvram get oet1_ipaddr'/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 'nvram get oet1_ipaddr'/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT
iptables -I FORWARD -s 'nvram get lan_ipaddr'/16 -j ACCEPT
echo "Write variables"
# number of tunnel my case only 1
nvram set oet_tunnels="1"
# if you want to use a preshared key set 1
nvram set oet1_usepsk0="0"
nvram set oet1_txq="1"
nvram set oet1_shaper="0"
nvram set oet1_rem0="*** SERVER PUBLIC IP GOES HERE ***"
nvram set oet1_rem="192.168.90.1"
# pub key of local endpoint
nvram set oet1_public="*** CLIENT PUBLICKEY GOES HERE ***"
nvram set oet1_pt="0"
# set here the pre shared key if you want to use one
nvram set oet1_psk0=""
# proto 2 is wireguard
nvram set oet1_proto="2"
# private key of local endpoint
nvram set oet1_private="*** CLIENT PRIVATEKEY GOES HERE ***"
# public port where wireguard tunnel is reachable
nvram set oet1_port="51821"
# number of peers
nvram set oet1_peers="1"
nvram set oet1_peerport0="51820"
nvram set oet1_peerkey0="*** SERVER PUBLICKEY GOES HERE ***"
# netmask of the wireguard network
nvram set oet1_netmask="255.255.255.0"
nvram set oet1_nat="1"
nvram set oet1_multicast="0"
nvram set oet1_mtu="1500"
nvram set oet1_mssfix="0"
nvram set oet1_local="0.0.0.0"
nvram set oet1_ka0="25"
nvram set oet1_isolation="0"
# ipaddress of the endpoint on the dd-wrt device
nvram set oet1_ipaddr="10.19.51.3 *** CHANGE THIS IP TO SUIT ***"
nvram set oet1_id="1"
nvram set oet1_hwaddr="00:00:00:00:00:00"
nvram set oet1_fragment="0"
nvram set oet1_endpoint0="1"
# for now leave the tunnel disabled
nvram set oet1_en="0"
nvram set oet1_dns_redirect="0"
nvram set oet1_dns_ipaddr="0.0.0.0"
nvram set oet1_comp="0"
# set bridge to 0 otherwise the iptables rules are not added
nvram set oet1_bridged="0"
# ipaddress of the peer
nvram set oet1_aip0="0.0.0.0/0"
# Commit variables
echo "Save variables to nvram"
This is the complete WG setup onto Kong DDWRT that worked for me. Hopefully others will find this information helpful. The WireGuard VPN has worked flawlessly for several days already connected through both routers, no additional software or settings on any client devices required. WG shows a ton of promise for DDWRT users running the hardware to support it.