WireGuard (server) Setup guide

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Mon Nov 25, 2019 16:55    Post subject: WireGuard (server) Setup guide
WireGuard (server) setup guide


WireGuard is a BETA/WIP open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or L2TP.
It can be seen as a replacement for OpenVPN although it does not have the versatility, possibilities and track record of OpenVPN.
However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 90 Mb/s on OpenVPN to 240 Mb/s with Wireguard), and it is easy to set up if you know how, but it is not yet mature and there are sometimes frustrating hiccups.

Some key points about Wireguard:
• Layer 3 only, no bridging
• UDP only, punches through firewalls
• Authenticated keys, like SSH
• Executes in the Linux kernel
• Static routing

What makes it so much faster than OpenVPN is not the cryptography; this is more or less the same (use of PKI to calculate/exchange a key with PFS for symmetric encryption). It is the fact that all is done in kernel space, while OpenVPN has to constantly switch between user and kernel space.
Inherently, executing in kernel space is less secure: if security is broken then you are compromised big time.
Another disadvantage is that it only supports static routing, so if you use Wireguard to connect to a commercial VPN provider (Mullvad is one of them) they keep track of your IP address. Mullvad implements some NAT'ting and is not tracking your IP address, but still it is more insecure than OpenVPN.
Bottom line: if you are a high level government target, do not use Wireguard yet.

This guide is to walk you through the setup of Wireguard on DDWRT and will cover both setup as a Wireguard server and setup of Android and Windows clients and of DDWRT as a client.

For using Wireguard as client to connect to a commercial VPN provider see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Advanced WireGuard setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787

Just as Wireguard itself, both the DDWRT implementation and this guide are works in progress, so not without hiccups.

I will try to keep the guide updated, but your help, remarks and recommendations are crucial in getting this done so please notify me of any errors or inconsistencies (there shall be many in the beginning).

You can post in the thread or send me a PM (personal mail) : https://forum.dd-wrt.com/phpBB2/privmsg.php?mode=post&u=342338

This guide is based on the existing and very informative wiki: https://wiki.dd-wrt.com/wiki/index.php/Wireguard

v0.04 first draft
v0.08, added DDWRT as client, Killswitch, Troubleshooting, Pre-shared key, using DNS server and how to use on a WAP
v10 tidying up
v14 CVE-14899 vulnerability and workarounds
v16 added information to set private key
v17 instructions for builds past build number 42067
v18 corrected typo in Kill switch
v20 added references for ipv6
v21 added link to script
v22 some clarifications
v24 update pictures to reflect upcoming changes
v30 added known problems and solutions
v33 for use with options starting with build 43290

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Mon Jun 01, 2020 10:09; edited 35 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Mon Nov 25, 2019 16:56
Scripts for setup DDWRT router as a Wireguard client


This script is only useful in builds prior to build 43055; later builds can use the GUI options (Nat via tunnel and Route Allowed IP's via tunnel).

You can download the attached script, unzip it and put it in /jffs or in another place of your liking for permanent storage, and execute the script from Firewall.
In the script you will find instructions.

You can also copy and paste the script below and place in Administration/Commands and Save as Firewall.

The script will run once at startup or if you change anything, because the firewall is then re-initialized and thus the script will run again.
As Wireguard uses static routing it normally is not necessary to run the script periodically; this is only necessary if you are using an endpoint with a DDNS/URL which changes frequently. In that case set SLEEP=90 and save the script as Startup. The script will then run every 90 seconds.


#!/bin/sh
# * name: ddwrt-wireguard-client-script.sh
# * version: 1.1, 7-apr-2020 by egc
# * modify parameters in script if necessary, make sure not to include Windows style line endings <CR>
# * Copy and paste text between BEGIN and END to Administration/Commands and Save as Firewall
# * You can run the script every x seconds from Startup but the smart way is to run it only once from the Firewall, if something changes it will rerun
# * After changing anything REBOOT the router


#=======BEGIN ddwrt-wireguard-client-script.sh=========
SCRIPT="/tmp/ddwrt-wireguard-client-script.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#DEBUG= # uncomment/comment to enable/disable debug mode
SLEEP=0 # runs continuously executing every [SLEEP] seconds, if SLEEP=0 it runs only once
WGNAT= # uncomment/comment to enable/disable SNAT over the oet interface
WGPEER=0 # do not change
WGDELRT="/tmp/wg-delete-routes" # undo-list: every route/NAT rule added below gets its delete command stored here
[ ${DEBUG+x} ] && set -x
while :; do
#checks if the interface is enabled, if not continue
if [ "$(nvram get oet_tunnels)" -eq 1 ] && [ "$(nvram get oet1_en)" -eq 0 ]; then
logger "$(basename $0)[$$] No tunnel interface enabled, going to sleep"
#remove what an earlier run added (stdout and stderr discarded)
(while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
#WGIF= #this will recreate routes when Disabled/Enabled
else
#wait for interface
SLEEPCT=0
#this will recreate all routes every time the script runs
WGIF=
while [ -z "$WGIF" ]; do
sleep 10
WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
SLEEPCT=$((SLEEPCT+10))
if [ $SLEEPCT -gt 60 ]; then
logger "$(basename $0)[$$] Could not detect Wireguard interface after $SLEEPCT seconds, going to sleep"
break
elif [ -n "$WGIF" ]; then
#remove what an earlier run added before adding again (stdout and stderr discarded)
(while read route; do $route; done < $WGDELRT) >/dev/null 2>&1
logger "$(basename $0)[$$] it took $SLEEPCT seconds to get the Wireguard interface up, now executing"
#egc: MASQUERADE over the wireguard interface
echo "iptables -t nat -D POSTROUTING -o $WGIF -j MASQUERADE" > $WGDELRT
[ ${WGNAT+x} ] && iptables -t nat -I POSTROUTING -o $WGIF -j MASQUERADE
#egc: provide a way out if set to client and everything is routed via the oet interface
# use route add -host because the endpoint can be a host name
echo "route del -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)" >> $WGDELRT
route add -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)
#egc: add routes based on allowed IP's
for aip in $(nvram get ${WGIF}_aip${WGPEER} | sed "s/,/ /g"); do
#echo $aip #debug
echo "ip route del $aip dev $WGIF" >> $WGDELRT
ip route add $aip dev $WGIF
done
#end add routes
ip route flush cache
fi
done
fi
#stop running if sleep=0
[ $SLEEP -gt 0 ] && sleep $SLEEP || break
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
$SCRIPT > /dev/null 2>&1 &
#=======END ddwrt-wireguard-client-script.sh=========

version 1.1: Removed 'nohup' from the last line; some routers did not support it, and since the startup and firewall scripts keep running, so will the script even without nohup.



Last edited by egc on Sun May 17, 2020 7:28; edited 27 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Mon Nov 25, 2019 16:57
Policy Based Routing for Wireguard

It is advised to use a build with build number 43055 or higher; you then use the PBR script -post-43055.
If you cannot do that, use the other script.


If you do not alter anything in the script, the default route is via the WAN, this is useful if you have incoming connections like SSH or Port Forwards or OpenVPN which need the WAN to be default.
In this case the IP addresses entered in the add_rules section are using the Wireguard route.
You can add addresses and interfaces in the section between ==BEGIN RULES== and ===END RULES===
I already gave a few possibilities as an example.

You can reverse the working of the script (everything via Wireguard route except the addresses entered in the add_rules section) by commenting the line:
Code:
WANGW_DEFAULT= # when uncommented the main table will use the WAN as default and the Alternate table will use Wireguard route


Version 0.9 can work together with the automatic kill switch script in the next post.
This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN.
(Note, this works only when using the WAN as default gateway in the main routing table so leave the `WANGW_DEFAULT=` uncommented.)
If you want to have this kill switch, uncomment the following line and set the path to the kill switch script and copy the script from the next post to that path:
Code:
#KS="/jffs/ddwrt-wireguard-kill-script.sh" # uncomment/comment to enable/disable automatic Kill Script, set path for kill-script


Setup Instructions

Unzip the downloaded file, setup instructions are in the file

Troubleshooting
In the script, enable DEBUG by uncommenting the line:
Code:
#DEBUG= # uncomment/comment to enable/disable debug mode

Reboot

Via CLI (telnet/Putty)
Code:

grep -i wireguard /var/log/messages
ifconfig
wg showconf oet1
wg (look for traffic Rx/Tx)
ip route show
ip route show table 15
ip rule show
iptables -vnL -t nat





Last edited by egc on Thu May 14, 2020 14:26; edited 35 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Mon Nov 25, 2019 16:57
Wireguard PBR Kill Script

This is the accompanying script for the ddwrt-wireguard-pbr-script v 0.9 and higher which can be downloaded below.

This will automatically set a kill switch, preventing WAN access for the clients you want to use the Wireguard VPN and which are set in the aforementioned ddwrt-wireguard-pbr-script.

This script is triggered from the ddwrt-wireguard-pbr-script, you just have to upload the script in the same directory as that script and activate the kill switch from that script (see there for instructions)


# instructions:
# 0. Unzip if necessary and place in same directory as the ddwrt-wireguard-pbr-script.sh which will invoke this script
# 1. Set WG_ENABLED_ONLY to your preference
# 2. Set FW_STATE to your preference
# 4. Reboot router

# state checking: "state NEW" vs. no state
# state NEW (default):
# * any pre-existing LAN->WAN connections persist until/unless they timeout/close
# * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
# * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
# no state:
# * any pre-existing LAN->WAN connections are stopped/blocked
# * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
# * less efficient (every LAN->WAN packet is inspected)


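An added illustration, not egc's downloadable ddwrt-wireguard-pbr-script or kill script (those are attachments and not on this page): a POSIX sh dry run that prints the ip rule/ip route and iptables commands behind the two posts above. Clients listed in the RULES section get an fwmark and use the alternate table, WANGW_DEFAULT decides which table carries the WAN default (comment it out to reverse the script as described), and when KS is set the kill switch rejects WAN egress for those same clients, with or without the `state NEW` match that FW_STATE selects. Interface names, the WAN gateway, table/mark number 15 (the table the troubleshooting step `ip route show table 15` looks at) and the client list are assumed or constructed sample values.

```shell
#!/bin/sh
# Added example, not egc's downloadable ddwrt-wireguard-pbr-script or kill script.
# Dry run: prints the commands that policy-based routing for a WireGuard tunnel
# on DD-WRT needs, plus the optional kill switch. Interface names, the WAN
# gateway, table/mark 15 and the RULES list are assumed/constructed sample values.

WG_IF="${WG_IF:-oet1}"         # first DD-WRT WireGuard tunnel interface
WAN_IF="${WAN_IF:-eth0}"       # assumed WAN interface
WAN_GW="${WAN_GW:-192.0.2.1}"  # constructed sample WAN gateway (TEST-NET-1)
WG_TABLE="${WG_TABLE:-15}"     # alternate routing table ("ip route show table 15")
WG_MARK="${WG_MARK:-15}"       # fwmark that selects the alternate table
FW_STATE="${FW_STATE:-new}"    # new: inspect only NEW connections; none: every packet
WANGW_DEFAULT=                 # comment out to reverse: everything via WireGuard except RULES
#KS="/jffs/ddwrt-wireguard-kill-script.sh" # uncomment to add the kill switch rules

# Constructed sample ==BEGIN RULES== section: two addresses and one interface.
RULES="${RULES:-192.168.1.50/32 192.168.1.64/27 br1}"

# An entry made of digits, dots and a slash is an address (-s); anything else is an interface (-i).
match_clause() {
    case "$1" in
        *[!0-9./]*) printf '%s %s' -i "$1" ;;
        *)          printf '%s %s' -s "$1" ;;
    esac
}

# Conntrack clause for the kill switch, per FW_STATE (see the kill-script notes above).
state_clause() {
    [ "$FW_STATE" = "new" ] && printf '%s' '-m state --state NEW ' || :
}

# Which table carries which default route.
pbr_route_cmds() {
    if [ "${WANGW_DEFAULT+x}" ]; then
        # Main table keeps the WAN default; marked clients use the tunnel.
        echo "ip route add default dev $WG_IF table $WG_TABLE"
    else
        # Reversed: the tunnel is the default; marked clients keep the WAN.
        echo "ip route replace default dev $WG_IF"
        echo "ip route add default via $WAN_GW dev $WAN_IF table $WG_TABLE"
    fi
    echo "ip rule add fwmark $WG_MARK table $WG_TABLE"
    echo "ip route flush cache"
}

# Mark traffic from each RULES entry; -D before -A keeps a re-run of the firewall script idempotent.
pbr_mark_cmds() {
    for entry in $RULES; do
        m=$(match_clause "$entry")
        echo "iptables -t mangle -D PREROUTING $m -j MARK --set-mark $WG_MARK"
        echo "iptables -t mangle -A PREROUTING $m -j MARK --set-mark $WG_MARK"
    done
}

# Kill switch: reject WAN egress for the tunnel clients so a down tunnel cannot leak.
# As the posts note, this only makes sense while the main table defaults to the WAN.
ks_cmds() {
    [ "${KS+x}" ] || return 0
    if [ -z "${WANGW_DEFAULT+x}" ]; then
        echo "kill switch skipped: WANGW_DEFAULT must be set" >&2
        return 0
    fi
    st=$(state_clause)
    for entry in $RULES; do
        m=$(match_clause "$entry")
        echo "iptables -I FORWARD $m -o $WAN_IF ${st}-j REJECT --reject-with icmp-host-prohibited"
    done
}

# Everything in order; review the output, then pipe it into sh from the Firewall script.
generate_all() {
    pbr_route_cmds
    pbr_mark_cmds
    ks_cmds
}

generate_all
```

Run it once as-is and read the output before letting it touch the router; the kill switch rules are REJECTs on the WAN interface for the marked clients only, so the rest of the LAN keeps its normal WAN access, which is the behaviour the PBR post describes.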
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 261

Posted: Fri Dec 27, 2019 16:54
Dear egc,

thank you for this guide!
It worked without a flaw until the most recent release r41791 (12/24/19).

You are aware of it, I know ;)
(https://svn.dd-wrt.com/ticket/6928)

What is your opinion about this?
Should I wait for an upcoming release or enter a new rule into iptables?
Will upcoming releases enable local access by default again?

Am currently not sure how to proceed... feels bad.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Fri Dec 27, 2019 17:14
Yes I have been working on an update of the guide.

You can use the following rule on the latest build:

this is the short version which supposes you are using the first tunnel:

Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE



This is the longer version which will search for the right tunnel interface:

Code:
WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get ${WGIF}_ipaddr)/$(nvram get ${WGIF}_netmask) -j MASQUERADE


I must do some more testing.

The upcoming build will let you disable the patch so you do not have to use the above rule.
Whether you should disable the patch or use the above rules is open to debate and can depend on your threat level and how much trouble you get from SNATting all traffic.

If you are a high level government target I would enable the patch, for me where I have my IOT separated and nothing really to fear I probably just disable it.

Steve Gibson did not consider it a serious problem FWIW



Last edited by egc on Sat Dec 28, 2019 12:09; edited 1 time in total
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 261

Posted: Fri Dec 27, 2019 20:35
Thanks a lot!

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1577
Location: Canada

Posted: Thu Feb 06, 2020 19:24
When going to Hotels I like using some kind of personal VPN connection over the Hotel's WiFi. I was using an R7000 with OpenVPN but it was too bulky in my laptop bag. Now with DD-WRT support and some VPN Providers, WireGuard brings new life to old hardware like the E3000 with dual-band radios. Hotel WiFi speeds are very poor so the E3000 works well. I've only tested the Travel E3000 at home and I'm able to bypass the FORCED DNS on my Network when connected to WireGuard. On an E3000 overclocked to 533MHz (not all support this speed and may brick, plus the USB will not work at this speed), having the wl0 Client radio connected to the home wifi and a laptop connected to the E3000's wl1 5Ghz AP to WireGuard, I get 30-35Mbps (Down & Up).

WL0 Wireless Mode: Client (SSID and Password must match the AP it's connecting to)

WL1 Wireless Mode: AP (use what ever settings you want to connect your devices)
Also VAP WL1.1 is added for Client Connection. In a Hotel environment after setting up the SSID and Password on the Client Radio the device will not get internet access until you go through a Hotel Web Page. So with a device like a laptop connect to the E3000's VAP and go through the Hotel Web Page to give the E3000 Internet Access. Once you have access you may need to reboot the E3000 to get WireGuard connected.

Here is my E3000 Travel Router with WireGuard configuration.

Goto (Setup -> Basic Setup) and change the Network Setup to...
Local IP Address: 10.254.110.1
Subnet Mask: 255.255.255.0
Enable NTP Client and select Time-Zone, I leave Server blank and I get the correct time.


<--------FOR OTHER ROUTERS USE CORRECT METHOD TO CREATE BR1 & VLAN3 AND ASSIGNMENTS-------->
With the E3000 setting up vlans is simple goto (setup -> Switch Config) put at least one port on vlan3 (not tagged). This will be used for wired devices accessing WireGuard.

Goto (Setup -> Network) Create Bridge and add br1 after applying configure br1 with IP Address and Subnet Mask (I used 10.254.111.1 & 255.255.255.0) and applying.
Also do "Assign to Bridge" you will need 2...
- br1 to vlan3
- br1 to eth2
And apply.
<------------------------------------------------------------------------------------------------------->

Setup DNSMasq at (Services -> Services) Only have Dnsmasq Enabled all others disabled.
Add to Additional Dnsmasq Options the following and save...
Code:

no-resolv
interface=br1
dhcp-option=br0,6,9.9.9.9,9.9.9.10
dhcp-range=br1,10.254.111.160,10.254.111.223,255.255.255.0,1440m
dhcp-option=br1,3,10.254.111.1
dhcp-option=br1,6,9.9.9.9,9.9.9.10
quiet-dhcp

I also enable Syslogd, Telnet and disable ttraff Daemon.

To setup WireGuard goto (Setup -> Tunnels) and Add Tunnel and setup as instructed by your WireGuard Provider. Or checkout https://wiki.dd-wrt.com/wiki/index.php/Wireguard

This is my Startup Script from (Administration -> Commands)...
Code:

# Travel Router Startup
# Tested Working on E3000 with Build 42132
#
# Re-Start Broadcom Radios to Fix connection to VAP <--------REMOVE FOR NON-BOARDCOM OR OTHER ROUTERS
# For Builds 36366+ with Bridged VAPs
stopservice nas
stopservice wlconf
sleep 5
wlconf eth1 up
wlconf eth2 up
startservice nas
#
# Wait Time
sleep 10 # <--------USE 15 IF RE-START RADIO IS NOT USED
#
# Create New Gateway Tables for WireGuard
# http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
# http://www.dd-wrt.com/phpBB2/viewtopic.php?p=954940
#
# Delete and Flush Table
ip route flush table 111
ip route del default table 111
ip rule del fwmark 111 table 111
#ip route flush cache # Flushing is done near end when route tables are done
iptables -t mangle -F PREROUTING
#
# Copy all non-default routes from the main table into table 111(WireGuard).
ip route show table main | grep -Ev ^default | while read ROUTE ; do
   ip route add table 111 $ROUTE
done
#
# Create fwmark to table bindings
ip rule add fwmark 110 table main # ISP
ip rule add fwmark 111 table 111 # Tunnel 1 WireGuard
#
# Check that the default route was created in the WireGuard table
ip route del default table 111
oet_def=
# Retry until oet1 is up and the default route in table 111 sticks
while [ -z "$oet_def" ]; do
 sleep 10
 ip route add default dev oet1 table 111
 oet_def="$(ip route show table 111 | awk '/default/ {gsub("default","",$3); print $3}')"
done
#
# ADD WireGuard Host in MAIN Table
DEF_GW=$(/usr/sbin/nvram get wan_gateway)
DEF_IF="eth1" # (wl0) 2.4Ghz Radio is used as Client <--------2.4GHZ RADIO I/F
WG_HOSTNAME1=$(/usr/sbin/nvram get oet1_rem0)
route add -host $WG_HOSTNAME1 gw $DEF_GW dev $DEF_IF
#
# Clear route cache
ip route flush cache
#
# With Build 42132 these RULES will not load under Firewall - ADDED to Startup
# PREROUTING RULES
iptables -t mangle -D PREROUTING -s 10.254.110.0/24 -j MARK --set-mark 110
iptables -t mangle -A PREROUTING -s 10.254.110.0/24 -j MARK --set-mark 110
iptables -t mangle -D PREROUTING -s 10.254.111.0/24 -j MARK --set-mark 111
iptables -t mangle -A PREROUTING -s 10.254.111.0/24 -j MARK --set-mark 111


This is my Firewall Script from (Administration -> Commands)...
Code:

# Travel Router Firewall
# Tested Working on E3000 with Build 42132
#
# FORWARD RULES
# br0=Client Network & br1=WireGuard Network
# Added these Rules for stopping leaks to different gateways (from StrongVPN WireGuard Configuration Script Gen)
# br0 is only for connecting to Client Network so block WireGuard Network
iptables -I FORWARD 5 -i br0 -o oet1 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD 5 -i br0 -p tcp -o oet1 -m state --state NEW -j REJECT --reject-with tcp-reset
# br1 is only for connecting to WireGuard Network so block Client Network
iptables -I FORWARD 5 -i br1 -o eth1 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited # <--------2.4GHZ RADIO I/F
iptables -I FORWARD 5 -i br1 -p tcp -o eth1 -m state --state NEW -j REJECT --reject-with tcp-reset # <--------2.4GHZ RADIO I/F
# Put back on TOP
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# This calculates the proper MSS for your link
# http://lartc.org/howto/lartc.cookbook.mtu-mss.html
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# POSTROUTING RULES
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE


Reboot E3000, connect and test. Sorry I didn't make the script more universal for other routers like egc scripting. Good-Luck.

ADDED <-------- to show what changes are required to use on other routers.

_________________
Home Network on Telus PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r44406 Std
R7000 - Wired ISP 4K IPTV Gateway - DDWRT r44406 Std

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r44406 Std
WRT610Nv1 - Client Bridge - DDWRT r33679 Mega K2.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r44406 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2


Last edited by mac913 on Fri Feb 07, 2020 17:43; edited 1 time in total
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

Posted: Fri Feb 07, 2020 16:07
Hi egc,

I am using OVPN server and client incl. watchdog (all with your help).
Can I use wireguard on top of this, did you try?

The OVPN server runs absolutely stable but the speed of wireguard could make it worth a try.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Fri Feb 07, 2020 16:12
Sure, I have it running side by side even with an OpenVPN client also running on the router (of course with PBR)

I actually use my Wireguard server now to connect from outside, so the OVPN server is mostly idle but still there for backup :)

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

Posted: Fri Feb 07, 2020 17:09
I do have the VPN client running and push only one IP via PBR (SAT receiver) through the VPN. (PBR 192.168.2.98/32)

I don't use the PBR script. Is this OK for using Wireguard or do I need to change something first?
Further I do use the DD-WRT router as WAP and gateway mode is set.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Sat Feb 08, 2020 8:23
boris03 wrote:
I do have the VPN client running and push only one IP via PBR (SAT receiver) through the VPN. (PBR 192.168.2.98/32)

I don't use the PBR script. Is this OK for using Wireguard or do I need to change something first?
Further I do use the DD-WRT router as WAP and gateway mode is set.


In theory that should be no problem.
Depending on your setup you might need the following firewall rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

on the WAP

tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7364
Location: YWG, Canada

Posted: Mon Feb 10, 2020 9:15
followed the guide, it worked, testing on iOS for now. using my router dnsmasq as dns server for adblocking etc works. i can ping (most) of my lan devices and their domain names resolve fine.. but i can't access smb share from windows pc, it will never detect it and manually connecting to it doesn't work either..

no amount of static routing fixes this, and if i static route my subnet again (+ the default), it blocks my devices from accessing the lan and i have to access router remotely to remove the static route to restore access.

my lan is 10.150.10.0/24, currently using 10.149.10.0/24 for wireguard, but i think the issue is the different subnet, i need it to be PART of my lan, isn't that a big point about vpn? how do i get that?

with l2tp, pptp, i can access smb share fine over vpn, simple username/password, everything just works.

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ----> DD-WRT v3.0-r44425 std
[QUALCOMM] DIR-862L ------------------------------> DD-WRT v3.0-r44412 std
[QUALCOMM] WNDR4300 v1 ------------------------> DD-WRT v3.0-r44412 std
[QUALCOMM] DIR-862L ------------------------------> DD-WRT v3.0-r44412 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 --------------------------> DD-WRT v3.0-r44251 std


If you use DSLReports please enable hi-res bufferbloat.


Sigh.. why do i exist anyway..
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6168
Location: Netherlands

Posted: Mon Feb 10, 2020 9:27
tatsuya46 wrote:
followed the guide, it worked, testing on iOS for now. using my router dnsmasq as dns server for adblocking etc works. i can ping (most) of my lan devices and their domain names resolve fine.. but i can't access smb share from windows pc, it will never detect it and manually connecting to it doesn't work either..

no amount of static routing fixes this, and if i static route my subnet again (+ the default), it blocks my devices from accessing the lan and i have to access router remotely to remove the static route to restore access.

with l2tp, pptp, i can access smb share fine over vpn.


I still need setup instructions for the iOS client; if you can spare the time please provide some instructions and screenshots, or if you have a link with instructions that is also fine.

Have you tried with the CVE patch disabled?

Maybe I am mistaken but you have a Windows client on your LAN and can not connect to its shares when using Wireguard.
If so consider that the Windows client has its own firewall, I also have to open up the Windows firewall for the subnet of Wireguard when I want to access that from outside via Wireguard.

As a test perhaps disable the Windows Firewall

tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7364
Location: YWG, Canada

Posted: Mon Feb 10, 2020 9:47
egc wrote:
tatsuya46 wrote:
followed the guide, it worked, testing on iOS for now. using my router dnsmasq as dns server for adblocking etc works. i can ping (most) of my lan devices and their domain names resolve fine.. but i can't access smb share from windows pc, it will never detect it and manually connecting to it doesn't work either..

no amount of static routing fixes this, and if i static route my subnet again (+ the default), it blocks my devices from accessing the lan and i have to access router remotely to remove the static route to restore access.

with l2tp, pptp, i can access smb share fine over vpn.


I still need setup instructions for the iOS client; if you can spare the time please provide some instructions and screenshots, or if you have a link with instructions that is also fine.

Have you tried with the CVE patch disabled?

Maybe I am mistaken but you have a Windows client on your LAN and can not connect to its shares when using Wireguard.
If so consider that the Windows client has its own firewall, I also have to open up the Windows firewall for the subnet of Wireguard when I want to access that from outside via Wireguard.

As a test perhaps disable the Windows Firewall


it looks basically the same as the android screenshot in the pdf https://imgur.com/a/fbocz9V after scanning the QR code i didn't need to change anything on the client for it to work.

cve mitigation is disabled, when it's enabled i can't ping my lan (any device) from the phone, disabled i can as expected.

when i disabled the windows firewall smb shares worked. EDIT: my inbound rule was wrong, got it working now while having firewall on.

is there a way to just have wireguard integrate with the lan subnet so it has direct access more easily?
