WireGuard VPN client running on DDWRT

ersterhernd
DD-WRT Novice


Joined: 30 Dec 2018
Posts: 5

PostPosted: Sat Jan 05, 2019 17:50    Post subject: WireGuard VPN client running on DDWRT
Hello,

I have posted this information as an additional resource to the two following threads:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318016&sid=532d73d9879b44d65b74ca35deecca61

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&start=30&sid=52d6e075fb31df770da602e0ee487bcc

Special thanks to @Shinzu and @Pandora-Box for their posts.

I have WireGuard server running on a VPS in the USA, and 2 DDWRT routers, ASUS RT-AC68U and Netgear R7000 running as WireGuard clients on the latest Kong firmware (Sept 23/18). Many devices are using the VPN, including Chromecast, Roku, Google Home Mini, several MacOS machines, Samsung Tablets and Samsung Phones. The setup has been rock stable for several days now. The WG client routers are each on their own separate LAN subnet. My main router is also an R7000 running a recent Kong firmware, but minus the WG client software. I previously used Algo VPN client software, which was terrific and first introduced me to WireGuard last summer when TrailofBits included it in their Algo install scripts.

Server Setup

I run the minimum IPV4 instance available at Vultr. Its 20gb/1vcpu/512mb/500GB combo @ 3.50 per month is a winner. We're on 50mbit DSL about 150km from the server, and we get no speed loss or packet loss whatsoever running through the WG server at such a close distance. There is zero speed/ping difference between the VPN connection and our regular ISP connection. I keep a WG base install (with all security settings in place) backed up as a snapshot, so destroying and redeploying a WG server instance is literally a 5 minute operation. At home, a couple of IP changes in the router NVRAM and everything is back up really quickly. I like that.

Just like @Pandora-Box, my WireGuard server setup was done by following the guide on the following site:

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/



DDWRT WG Client Setup

I've been running DDWRT for over a decade, and am partial to the Kong builds. I purchase my routers based on compatibility with his releases. After reading Shinzu's post about modding the Kong firmware via the commandline to run WireGuard, I went out and purchased two compatible routers on a Boxing Day sale. I didn't want to risk compromising my main R7000, as I knew this could be a challenging and time consuming venture before all was running to plan. Besides that, I wanted WireGuard on separate deeper subnets anyway, not directly facing the internet.

The fresh out-of-the-box Netgear R7000 was chosen first for the operating table. I saw the @liverpoolatnight post on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&postdays=0&postorder=asc&start=30 (Thanks!) and noticed the 'WireGuard' option in a pulldown menu portion of the graphic that he included in the post. I decided (like @Pandora-Box) that installing the BS firmware would allow me to grab the required WG files and nvram settings directly off the router before reinstalling DDWRT with a Kong build. I kept a list of steps as I went through the process. This list may seem redundant for experienced users, but I wrote it so that even a newcomer to DDWRT may find it useful.


Netgear R7000 Wireguard Client Installation

1. Install BrainSlayer r37860 first
2. Mount /JFFS to USB storage and share it via Samba
3. Move all required files (as per Shinzu's post) to /JFFS and grab them with MacOS
4. Copy all oet1 settings from nvram to a text file in MacOS
5. Save all files in a secure location for later use

Install Kong DDWRT on R7000

1. Flash dd-wrt.K3_R7000.chk from http://www.desipro.de/ddwrt/K3-AC-Arm/
2. Enable SSH and set RSA Authorized Key
3. SSH into root@192.168.1.1 and 'erase nvram' / Reboot
4. Flash dd-wrt.v24-K3_AC_ARM_STD.bin from http://www.desipro.de/ddwrt/K3-AC-Arm/
5. Reboot / Enable SSH / Set RSA Authorized Key
6. SSH into root@192.168.1.1 and 'erase nvram' / Reboot
7. Set up WiFi / Enable SSH / Set RSA Authorized Key

Create Linux USB Stick for external storage

1. Use a small USB stick <= 8GB
2. Follow instructions at:
https://wiki.dd-wrt.com/wiki/index.php/How_to_-_Format_and_Partition_External_Storage_Device
(Make sure to include the JFFS partition on the USB)
3. Plug USB into R7000
4. Services/USB -
enable Core USB Support / enable USB Storage Support / enable Automatic Drive Mount
5. Disk Info - /opt and swap should now both be mounted
6. Administration/JFFS2 Support - enable Internal Flash Storage / enable Clean Internal Flash Storage
7. Reboot R7000

Required Software Installation

1. SSH into R7000
2. Install Entware -
cd /opt
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh
sh generic.sh
3. Install Nano - opkg install nano
4. Install SFTP - opkg install openssh-sftp-server
5. Test SFTP - sftp root@192.168.1.1 (SSH Authorized Key must be properly configured)

Install Wireguard Binaries & Scripts
(Please note that all Supporting Code for scripts/firewall is at the end of this post)

1. Use SSH connected to ddwrt
cd /opt/etc
mkdir wireguard
cd /jffs/etc
mkdir config
mkdir wireguard
2. Use sftp connected to ddwrt as in (5) above (using binaries stored on local filesystem)
put <local binaries folder>/wg /opt/bin/wg
put <local binaries folder>/libmnl.so /opt/lib/libmnl.so
put <local binaries folder>/libmnl.so.0 /opt/lib/libmnl.so.0
put <local binaries folder>/libmnl.so.0.2.0 /opt/lib/libmnl.so.0.2.0
put <local binaries folder>/wireguard.ko /opt/etc/wireguard/wireguard.ko
put <local binaries folder>/eop-tunnel.firewall
put <local binaries folder>/eop-tunnel.startup /jffs/etc/config/eop-tunnel.startup
put <local binaries folder>/wireguard-init.sh /jffs/etc/wireguard/wireguard-init.sh
put <local binaries folder>/wireguard-nvram.sh /jffs/etc/wireguard/wireguard-nvram.sh
put <local binaries folder>/wireguard-firewall.txt /jffs/etc/wireguard/wireguard-firewall.txt
3. SSH into ddwrt and use Nano to edit eop-tunnel.startup
cd /jffs/etc/config
nano eop-tunnel.startup
Change line 27 that says 'insmod wireguard' to 'insmod /opt/etc/wireguard/wireguard.ko'
CTRL-X and Save file
4. SSH into ddwrt and use Nano to edit wireguard-nvram.sh
cd /jffs/etc/wireguard
nano wireguard-nvram.sh
Change all variables to match the current WireGuard configuration
CTRL-X and Save file
5. Copy the content of wireguard-firewall.txt to the clipboard
6. Paste the clipboard into the DDWRT GUI Administration Commands box and Save Firewall
7. Execute the nvram script in /jffs/etc/wireguard
sh wireguard-nvram.sh
reboot
8. Execute init and route fix scripts in /jffs/etc/wireguard
sh wireguard-init.sh
wg
(Cross fingers and verify that WireGuard is running and handshake with server has occurred)


Supporting Code for Scripts and Firewall


wireguard-init.sh

Code:

#!/bin/sh
# Bring up the WireGuard tunnel (oet1), apply its firewall rules and
# move the default route into the tunnel.
echo "Configuring WireGuard tunnel..."
nvram set oet1_en="1"
sleep 2
/jffs/etc/config/eop-tunnel.startup
sleep 2
echo "Configuring Firewall..."
/jffs/etc/config/eop-tunnel.firewall
sleep 2
echo "Modifying Route tables..."
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)   # public IP of the WireGuard server
WANGWY=$(/usr/sbin/nvram get wan_gateway)    # ISP gateway on the WAN interface (vlan2)
# Keep the encrypted traffic to the server on the WAN so it is not looped into the tunnel
/sbin/route add -host "$WGSERVER" gw "$WANGWY" dev vlan2
# Send everything else through the tunnel
/sbin/route del default
/sbin/route add default dev oet1
echo "Completed WireGuard Setup."



firewall.txt (paste this into DDWRT GUI Firewall)

Code:

# the nvram lookups must be command substitutions, not quoted strings
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source $(nvram get oet1_ipaddr)/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT
iptables -I FORWARD -s $(nvram get lan_ipaddr)/16 -j ACCEPT



wireguard-nvram.sh

Code:

#!/bin/sh

echo "Write variables"

# number of tunnel my case only 1
nvram set oet_tunnels="1"
# if you want to use a preshared key set 1
nvram set oet1_usepsk0="0"
nvram set oet1_txq="1"
nvram set oet1_shaper="0"
nvram set oet1_rem0="*** SERVER PUBLIC IP GOES HERE ***"
nvram set oet1_rem="192.168.90.1"
# pub key of local endpoint
nvram set oet1_public="***   CLIENT PUBLICKEY GOES HERE   ***"
nvram set oet1_pt="0"
# set here the pre shared key if you want to use one
nvram set oet1_psk0=""
# proto 2 is wireguard
nvram set oet1_proto="2"
# private key of local endpoint
nvram set oet1_private="***   CLIENT PRIVATEKEY GOES HERE   ***"
# public port where wireguard tunnel is reachable
nvram set oet1_port="51821"
# number of peers
nvram set oet1_peers="1"
nvram set oet1_peerport0="51820"
nvram set oet1_peerkey0="***   SERVER PUBLICKEY GOES HERE   ***"
# netmask of the wireguard network
nvram set oet1_netmask="255.255.255.0"
nvram set oet1_nat="1"
nvram set oet1_multicast="0"
nvram set oet1_mtu="1500"
nvram set oet1_mssfix="0"
nvram set oet1_local="0.0.0.0"
nvram set oet1_ka0="25"
nvram set oet1_isolation="0"
# ipaddress of the endpoint on the dd-wrt device (change this IP to suit)
nvram set oet1_ipaddr="10.19.51.3"
nvram set oet1_id="1"
nvram set oet1_hwaddr="00:00:00:00:00:00"
nvram set oet1_fragment="0"
nvram set oet1_endpoint0="1"
# for now leave the tunnel disabled
nvram set oet1_en="0"
nvram set oet1_dns_redirect="0"
nvram set oet1_dns_ipaddr="0.0.0.0"
nvram set oet1_comp="0"
# set bridge to 0 otherwise the iptables rules are not added
nvram set oet1_bridged="0"
# ipaddress of the peer
nvram set oet1_aip0="0.0.0.0/0"
# Commit variables
echo "Save variables to nvram"
nvram commit



This is the complete WG setup onto Kong DDWRT that worked for me. Hopefully others will find this information helpful. The WireGuard VPN has worked flawlessly for several days already connected through both routers, no additional software or settings on any client devices required. WG shows a ton of promise for DDWRT users running the hardware to support it.


Cheers!
Ersterhernd
liverpoolatnight
DD-WRT User


Joined: 29 May 2008
Posts: 243
Location: United Kingdom

PostPosted: Thu Feb 07, 2019 6:14    Post subject:
You don't need to go through all this as the DD-WRT GUI now does the job and here's how to.

1st) Set up the WG info (see attachments, may need to log in to see this)

2nd) traceroute to make sure the packets are routed correctly
Quote:
traceroute -i oet1 www.google.nl

if you see something like this

root@ddwrt:~# traceroute -i oet1 www.google.nl
traceroute to www.google.nl (216.58.206.67), 30 hops max, 38 byte packets
1 ** *** ***

then something is wrong with the configuration

if you see something like this

root@ddwrt:~# traceroute -i oet1 www.google.nl
traceroute to www.google.nl (216.58.206.67), 30 hops max, 38 byte packets
1 172.16.0.1 12ms 14ms 11ms 13ms 13ms 12ms
2 1.1.1.1 12ms 14ms 11ms 13ms 13ms 12ms

etc, then you can add the following into the DD-WRT GUI

Go to administration > commands

Save Startup

Quote:
# wait for the WAN interface to come up before touching the routes
sleep 30
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)   # public IP of the WireGuard server
WANGWY=$(/usr/sbin/nvram get wan_gateway)    # ISP gateway on the WAN interface (vlan2)
route add -host "$WGSERVER" gw "$WANGWY" dev vlan2
route del default
route add default dev oet1


I put in a 30 second sleep so the WAN interface has time to come up before the command executes

Save Firewall

Quote:
# the nvram lookups must be command substitutions, not quoted strings
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source $(nvram get oet1_ipaddr)/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/20 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT


Reboot, then test http://zx2c4.com/ip to see if you're routed to your VPS/VPN IP

also note the following

Quote:
iptables -I FORWARD 1 --source $(nvram get oet1_ipaddr)/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $(nvram get oet1_ipaddr)/20 -j MASQUERADE


Double check the CIDR subnets are correct. I'm using a /20 subnet https://www.aelius.com/njh/subnet_sheet.html

using build r38581



[Attachment: WGClient.png]



_________________
TP-Link TL-WDR3600 v1 [EU]: r36330 (07/16/18 )
D-Link DIR-615 D2 [EU]: r36330 (07/16/18 )
Mikrotik RB750r2 (OpenWrt 17.01.4)
EE BrightBox 1 aka A4001N (OpenWrt 17.01.4)
Sagemcom FAST@5364 (VDSL2,FTTC (Fibre to the Cabinet) Synced 65/17

Twitter: @francisuk1989
---------------------------------
Found a bug? Report it http://svn.dd-wrt.com
DD-WRT Official FB Group: https://www.facebook.com/groups/493762527744455
rainin
DD-WRT Novice


Joined: 04 Dec 2016
Posts: 7

PostPosted: Sat Feb 16, 2019 8:39    Post subject:
Thanks for your detailed explanation on how to get Wireguard running on DD-WRT.

Personally, for me, the wg interface handshakes correctly, traceroute also working perfectly, the only issue is that the Internet is routed through WAN IP Address instead of OET1, despite saving and implementing the required Firewall settings.

What seems to be the issue? How can I redirect all the Internet traffic to OET1 tunnel?
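As an added example that is not part of any post in this thread: a small sanity-check script for the situation described above, where the handshake works but traffic still leaves via the WAN. It checks the same three things the route scripts in the earlier posts set up (the host route to the server via the WAN gateway, the default route on oet1, and a fresh handshake). The check functions take command output as text, so the constructed samples (documentation addresses, a placeholder peer key) run without a router; the live commands at the end are only run on a DD-WRT box.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Checks that a DD-WRT
# WireGuard client really routes through oet1: a host route to the server
# via the WAN gateway, the default route on oet1, and a recent handshake.

# check_routes "$(route -n)" SERVER_IP WAN_GATEWAY
# Succeeds only if the default route is on oet1 AND SERVER_IP has a /32
# route via WAN_GATEWAY (without it the tunnel would try to carry itself).
check_routes() {
    printf '%s\n' "$1" | awk -v s="$2" -v g="$3" '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF == "oet1" { def = 1 }
        $1 == s && $2 == g && $3 == "255.255.255.255" { host = 1 }
        END { if (def && host) exit 0; exit 1 }'
}

# check_handshake "$(wg show oet1 latest-handshakes)" NOW_EPOCH MAX_AGE
# wg prints "<peer key> <unix time>" per peer (0 = never); succeed if any
# peer completed a handshake within MAX_AGE seconds of NOW_EPOCH.
check_handshake() {
    printf '%s\n' "$1" | awk -v n="$2" -v m="$3" '
        NF >= 2 && $2 > 0 && (n - $2) <= m { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed 'route -n' sample for a correctly configured client.
ROUTES_OK='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
203.0.113.5     192.0.2.1       255.255.255.255 UGH   0      0   0   vlan2
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0   0   oet1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   br0'
# Constructed sample before the route fix: default route still via the ISP
# gateway, so traffic leaks out of the WAN even though the handshake works.
ROUTES_LEAK='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0   0   vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   br0'
# Constructed 'wg show oet1 latest-handshakes' sample (placeholder key).
HANDSHAKE='PEER_PUBLIC_KEY_PLACEHOLDER= 1700000000'

# On an actual DD-WRT box, run the live checks against the real commands.
if [ -x /usr/sbin/nvram ] && command -v wg >/dev/null 2>&1; then
    srv=$(/usr/sbin/nvram get oet1_rem0); gw=$(/usr/sbin/nvram get wan_gateway)
    check_routes "$(route -n)" "$srv" "$gw" \
        || echo "routes: default not on oet1 or no host route to $srv via $gw (traffic leaves via WAN)"
    check_handshake "$(wg show oet1 latest-handshakes)" "$(date +%s)" 180 \
        || echo "no handshake with the server in the last 3 minutes"
fi
```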