Joined: 10 Jul 2012 Posts: 28 Location: Sint Maarten, D.W.I
Posted: Sat Apr 04, 2020 15:43 Post subject:
In my search towards a solution, I found the traceroute test.
These are my results.
Code:
root@router:~# traceroute -i oet1 www.google.nl
traceroute: bad address 'www.google.nl'
root@router:~# traceroute -i oet1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 10.0.0.1 (10.0.0.1) 162.606 ms 164.505 ms 161.484 ms
2 190.2.141.2 (190.2.141.2) 163.003 ms 162.613 ms 162.337 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * *^C
root@router:~#
For sure, there's no DNS available, otherwise google.nl would have been resolved.
That's why I changed google.nl to their DNS, 8.8.8.8.
I am not a specialist and don't know the CLI commands, but what can you analyse from these results? _________________ Netgear R6700v3 (from MAR2020) - Firmware: DD-WRT v3.0-r42819 std (03/30/20)
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Apr 04, 2020 15:48 Post subject:
That looks OK, and no, there is no WAN connection as everything is routed via the tunnel.
That is what 0.0.0.0/1,128.0.0.0/1 does: it routes everything through the tunnel.
Of course your VPN provider can block things but everything looks OK.
There is traffic across the tunnel, although very little is received.
From the first post I can see that the firewall rules are there, NAT is enabled and now your routing is also OK.
The only thing which can be wrong is your key pair; check private and public key.
I think you generate a key pair on the tunsafe website and then put those keys in using "nvram set ...." like is described in the guide?
If so, double check with wg and wg showconf oet1.
Keys must end with a =
Otherwise make a new key pair.
Also double check endpoint and port settings.
It can be helpful to run the Windows client and, if it works, check the keys, endpoint and port.
As far as I can see everything should work; if you are sure the keys are working, just reboot and cross your fingers.
I'm wondering why the Transmit queue length for wireguard is set so low (1) by default. Shouldn't it be much higher? I'm going to experiment since I can't find anything that has a way to determine what it should be. From what I've learned, the higher the setting the better the performance but it may have a negative impact on devices that have latency issues.
One more question: what is the purpose of Peer Tunnel DNS in the server? It doesn't appear to be pushed out to the clients and it doesn't seem to have any effect on DNS.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Apr 08, 2020 5:57 Post subject:
johnnyNobody999 wrote:
One more question: what is the purpose of Peer Tunnel DNS in the server? It doesn't appear to be pushed out to the clients and it doesn't seem to have any effect on DNS.
Good question and the answer is it has no meaning in DDWRT itself (the same holds true for the Peer tunnel IP).
It is for making the client files and QR code for Windows and Android.
Windows needs this DNS server set, otherwise it cannot resolve the endpoint URL.
DDWRT has its own DNS servers _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Apr 08, 2020 11:02 Post subject:
They have started a closed beta, unfortunately they do not let me take part, but DDWRT is working with a lot of other providers already, so it probably will work. But if anyone is taking part I really would love to hear some details.
You need some tricks to do so but BS has just merged some of my patches so that in builds after 42861 you do not need a script to get it working any more, so we are making progress.
Next step will be the possibility to simply set your private key from the GUI (already working in my build)
Policy based routing (also running in my build)
Kill switch (you guessed right, also running in my build)
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Apr 11, 2020 8:32 Post subject:
For all of you who also use DDWRT as a WireGuard client: in build 42872 from 11-April-2020, you no longer need a client script.
Just do the following:
Enable: NAT via Tunnel
Allowed IP's: 0.0.0.0/1,128.0.0.0/1
Enable: Route Allowed IP's via tunnel
For those setting up to a commercial VPN provider:
From your VPN providers settings file:
Enter the local port, Endpoint address and port, set Persistent Keepalive at 25, enter Peer public key, enter IP address and netmask (for conversion: https://kb.wisc.edu/page.php?id=3493)
Enable: NAT via Tunnel
Allowed IP's: 0.0.0.0/1,128.0.0.0/1
Enable: Route Allowed IP's via tunnel
Set private key via the CLI (telnet/putty):
Code:
nvram set oet1_private=enter_your_private_key
nvram commit
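An added example (not from the original thread or from DD-WRT) that checks the three things the posts above walk through before you commit them to nvram: that a key is a well-formed WireGuard key (44 base64 characters ending in "=", decoding to 32 bytes), that the Allowed IPs list really covers all of IPv4, and why 0.0.0.0/1 plus 128.0.0.0/1 wins over the existing default route by longest-prefix match. The sample key, the routing table and the endpoint address 203.0.113.10 are constructed for illustration.

```python
import base64
import ipaddress

WG_KEY_LEN = 32  # Curve25519 keys are 32 raw bytes -> 44 base64 chars, last one '='


def wg_key_ok(key: str) -> bool:
    """True if key is a syntactically valid WireGuard private/public/preshared key."""
    key = key.strip()
    if len(key) != 44 or not key.endswith("="):
        return False  # typical copy/paste damage: trailing '=' lost
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:
        return False
    return len(raw) == WG_KEY_LEN


def allowed_ips_cover_all_ipv4(allowed: str) -> bool:
    """True if the comma-separated Allowed IPs list spans the whole IPv4 space."""
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in allowed.split(",")]
    v4 = [n for n in nets if n.version == 4]
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
    return total == 2 ** 32


def next_hop(routes, dst: str):
    """Longest-prefix match, as the kernel routing table does: most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Constructed routing table: the provider default route stays, the two /1 routes
# added by "Route Allowed IPs via tunnel" are more specific and therefore win,
# and the VPN endpoint itself keeps a /32 via the WAN so the tunnel can be built.
ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("0.0.0.0/1", "oet1"),
    ("128.0.0.0/1", "oet1"),
    ("203.0.113.10/32", "wan"),  # placeholder endpoint, not a real provider address
]

# Constructed sample key: canonical base64 of 32 bytes, so it is well-formed.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    print("key ok:", wg_key_ok(SAMPLE_KEY), "truncated:", wg_key_ok(SAMPLE_KEY[:-1]))
    print("full tunnel:", allowed_ips_cover_all_ipv4("0.0.0.0/1,128.0.0.0/1"))
    print("8.8.8.8 via", next_hop(ROUTES, "8.8.8.8"), "/ endpoint via", next_hop(ROUTES, "203.0.113.10"))
```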
As per the guide I configured my Android client to connect only to my local LAN via WireGuard, i.e. setting Allowed IPs to include the WireGuard server and my LAN IP: 10.4.0.1/32, 10.55.66.0/24
Now I would like to also reach one specific host on the Internet via the WireGuard interface - something like a new route to this host.
Is this possible to configure with the Allowed IPs and if yes, what should I put in the config on the client side?