WireGuard guides and documentation

egc
Posted: Sat Dec 05, 2020 10:22    Post subject: WireGuard guides and documentation
WireGuard is an open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or L2TP.

It can be seen as a replacement for OpenVPN although it does not have the versatility, possibilities and track record of OpenVPN yet.

However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 85 Mb/s on OpenVPN to 270 Mb/s with WireGuard), and it is easy to set up if you know how; the guides will help you with that.

To work with these guides DDWRT build 48214 or higher is mandatory.

See Changelog at the bottom of this page.

WireGuard is usually available on routers with 8 MB Flash RAM or more (there are a few exceptions) and using at least Kernel 3.10 (so not on K2.6 builds).


WireGuard client setup guide
Setup instructions to use your DDWRT router as WireGuard client.
For older builds, the second post contains a watchdog script to restart WireGuard or reboot the router when a connection is lost (usually WireGuard reconnects by itself); recent builds have this functionality built in:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624

VPN and DNS guide
Advanced reading for DNS setup using VPN clients (WireGuard/OpenVPN) including DNS leaks, routing of DNS servers, adding extra DNS servers, Split DNS etc.:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331017

WireGuard server setup guide
Set up your router as a WireGuard server, including instructions to set up clients like a phone, Windows PC and other DDWRT routers; this thread also contains scripts for earlier versions of WireGuard and a Troubleshooting section:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206

WireGuard Advanced setup
Examples of advanced setup like using a WAP, multiple tunnels and a Bridging solution:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787

VPN Troubleshooting guide with some tips for if you are really stuck; it is mainly for OpenVPN but also contains tips for WireGuard.

For questions or comments just open a thread in the Advanced Networking forum

Static routing
If the built-in PBR possibilities are not sufficient you can use Static Routing. See:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327810

Changelog
Build 47259
• Killswitch now works on a WAP. Because of the changing of the killswitch code it is recommended to check if your killswitch is still working, see page 11 of the WireGuard Client setup guide
• Status Window now adequately reflects the status of peers with the same key

Build 47284/47285
• Import Tunnel/Config added. This lets you import a config file from your provider or from your own server and adds a tunnel with it.
Not perfect yet: when deleting the tunnel make sure to disable all the tunnels first, Save and Apply, then delete the tunnel, Save/Apply and then Enable the tunnels again and Save/Apply.
Alternatively reboot the router after deleting a tunnel.
Problem can be in the DNS setting of the tunnel, DNS is not moved to the new tunnel number yet so reboot or restart DNSMasq. It is on the todo list.

Build 47602/47603/47604/47605/47612/47613/47615
(so after build 47608)
The DNS problem when a tunnel is deleted should be solved
Fail over/watchdog is added: you can set one or more client tunnels in a fail over group; if one is down the next will be started. If the last tunnel fails (so you can also set only one tunnel) WireGuard is reset, or the router is rebooted when nvram variable wg_onfail_reboot=1 is set.
GUI options to do this, also to start with a random tunnel, will be added later.
Important: if you already have a client or server running you need to click Save/Apply once on the tunnel page to start WireGuard after upgrading.

Build 47692
Important if you upgrade from a build before 47692:
1. You can disable Query DNS in Strict Order on Services page. WireGuard no longer relies on strict-order to prevent a DNS leak and as there is a bug in strict-order you probably should disable it for DNS to work properly.
2. Entries in Policy Based Routing are not automatically converted; either put them in manually (if you want to retrieve the old values, from CLI telnet/Putty where X is the tunnel number: nvram get oetX_pbr)
or convert them with:
Code:
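# Copy each tunnel's old PBR value (oetX_pbr) into the new oetX_spbr_ip variable, skipping tunnels where it is empty
for i in $(seq 1 $(nvram get oet_tunnels)); do [[ ! -z "$(nvram get oet${i}_pbr)" ]] && { nvram set oet${i}_spbr_ip="$(nvram get oet${i}_pbr)"; }; done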

Starting with this build Policy Based Routing has been upgraded, choice to route sources via WAN or VPN.
Split DNS, i.e. PBR sources using the tunnel can use the tunnel's DNS, all others use the WAN DNS.
GUI setting for Destination Based routing.
Changed DNS to stop possible Leak (Important: disable "Query DNS in strict-order")

For more information see the WireGuard Client setup guide

Build 47866
Upgraded WireGuard to version 1.0.20211208

Build 48141
Add settings for endpoint and keepalive when making config files
Add port to be able to escape the killswitch when PBR via WAN is used

Build 48214
Use domain names for Destination based routing

Build 48374
NAT rule for seamless LAN access
GUI option to set Watchdog Ping address

Build 48786
Locking and sequential executing of multiple tunnels, this should solve a bug where the WAN interface is not found on bootup when using PBR with routing via the WAN.

Build 488865
Removed some unnecessary syslog entries if there are no active tunnels

To come:

To research:
Use domain name for DNS server

_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087