WireGuard guides and documentation

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12813
Location: Netherlands

PostPosted: Sat Dec 05, 2020 10:22    Post subject: WireGuard guides and documentation
WireGuard is an open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or L2TP.

It can be seen as a replacement for OpenVPN but is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 85 Mb/s on OpenVPN to 290 Mb/s with WireGuard), and is easier to set up; the guides will help you with that.

DDWRT build 52242 or higher is mandatory, recommended is build 54738 or higher.

See Changelog at the bottom of this page.

WireGuard is usually available on routers with 8 MB Flash RAM or more (there are a few exceptions) and using at least Kernel 3.10 (so not on K2.6 builds).
Some small targets (4 MB flash using Kernel 3.10) also got WireGuard: https://svn.dd-wrt.com/changeset/51596


WireGuard client setup guide
Setup instructions to use your DDWRT router as a WireGuard client.
For older builds, the second post contains a watchdog script to restart WireGuard or reboot the router when a connection is lost (usually WireGuard reconnects by itself), recent builds have this functionality built-in:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624

WireGuard server setup guide
Set up your router as a WireGuard server, including instructions to set up clients like a phone, a Windows PC and other DDWRT routers; this thread also contains scripts for earlier versions of WireGuard and a Troubleshooting section:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206

VPN and DNS guide
Advanced reading for DNS setup using VPN clients (WireGuard/OpenVPN) including DNS leaks, routing of DNS servers, adding extra DNS servers, Split DNS etc.:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331017

WireGuard Advanced setup
Examples of advanced setups like using a WAP, multiple tunnels (e.g. one tunnel as server and one as client) and a bridging solution:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787

VPN Troubleshooting guide with some tips for if you are really stuck, it is mainly for OpenVPN but also contains tips for WireGuard.

WireGuard Companion app/script, administer your WireGuard tunnels from command line
Discussion: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1294564


For questions or comments just open a thread in the Advanced Networking forum

Static routing
If the built-in PBR possibilities are not sufficient you can use Static Routing, see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327810

Known Problems
Starting with build 49792, the upstart code has been changed for a lot of services, among others DNSMasq.
This means that for services like WireGuard server and OpenVPN server DNSMasq is not properly (re)started but only reloaded; this results in DNSMasq not properly listening on all interfaces, hence no DNSMasq for WG and OVPN clients unless DNSMasq is properly restarted with:
"stopservice dnsmasq && startservice dnsmasq"
You can add this to the Firewall script.

Changelog
Build 47259
• Killswitch now works on a WAP. Because the killswitch code has changed it is recommended to check if your killswitch is still working, see page 11 of the WireGuard Client setup guide
• Status Window now adequately reflects the status of peers with the same key

Build 47284/47285
• Import Tunnel/Config added. This lets you import a config file from your provider or from your own server and adds a tunnel with it.
Not perfect yet: when deleting the tunnel make sure to disable all the tunnels first, Save and Apply, then delete the tunnel, Save/Apply, and then enable the tunnels again and Save/Apply.
Alternatively reboot the router after deleting a tunnel.
The problem can be in the DNS setting of the tunnel: DNS is not moved to the new tunnel number yet, so reboot or restart DNSMasq. It is on the todo list.

Build 47602/47603/47604/47605/47612/47613/47615
(so after build 47608)
The DNS problem when a tunnel is deleted should be solved
Fail over/watchdog is added: you can set one or more client tunnels in a fail over group; if one is down the next will be started, and if the last tunnel fails (so you can also set only one tunnel) WireGuard is reset, or the router is rebooted when the nvram variable wg_onfail_reboot=1 is set.
GUI options to do this, and also to start with a random tunnel, will be added later.
Important: if you already have a client or server running you need to click Save/Apply once on the tunnel page to start WireGuard after upgrading.

Build 47692
Important if you upgrade from a build before 47692:
1. You can disable Query DNS in Strict Order on Services page. WireGuard no longer relies on strict-order to prevent a DNS leak and as there is a bug in strict-order you probably should disable it for DNS to work properly.
2. Entries in Policy Based Routing are not automatically converted, either put them in manually (if you want to retrieve the old values, from CLI telnet/Putty where X is the tunnel number: nvram get oetX_pbr)
Or convert them with:
Code:
# copy the old oetX_pbr value into the new oetX_spbr_ip variable for every tunnel
for i in $(seq 1 $(nvram get oet_tunnels)); do [[ ! -z "$(nvram get oet${i}_pbr)" ]] && { nvram set oet${i}_spbr_ip="$(nvram get oet${i}_pbr)"; }; done

Starting with this build Policy Based Routing has been upgraded, with the choice to route sources via WAN or VPN.
Split DNS, i.e. PBR sources using the tunnel can use the tunnel's DNS, all others use the WAN DNS.
GUI setting for Destination Based routing.
Changed DNS to stop a possible leak (Important: disable "Query DNS in strict-order")

For more information see the WireGuard Client setup guide

Build 47866
Upgraded WireGuard to version 1.0.20211208
Build 48141
Add settings for endpoint and keepalive when making config files
Add port to be able to escape the killswitch when PBR via WAN is used
Build 48214
Use domain names for Destination based routing
Build 48374
NAT rule for seamless LAN access
GUI option to set Watchdog Ping address
Build 48786
Locking and sequential executing of multiple tunnels, this should solve a bug where the WAN interface is not found on bootup when using PBR with routing via the WAN.
Build 48865
Removed some unnecessary syslog entries if there are no active tunnels
Build 49418
Remove route to endpoint on restart of tunnel, if you are using IPv6 as endpoint address skip this build and use a build after 49470
Build 49671
Increase maxlength of Tunnel address for more than one IPv6 address
Corrected a stall of the script when DNSmasq was not used but a DNS server was added to the tunnel
Added a trap to the script and added some debug information
Build 50357
Obfuscation for WireGuard: https://github.com/infinet/xt_wgobfs , this is still experimental
Build 51058
WireGuard used as server is now IPv6 compatible.
A setting has been added, "Allow Clients WAN Access", which makes it possible to toggle internet access (NAT out via the server's WAN) for attached clients, both for IPv4 and IPv6 if applicable; this has been duplicated and overrides Networking Interface: Masquerade/NAT.
Build 51506/51515/51545
Making import and export configs IPv6 compatible
Build 51535/51550/51569
IPv6 for WG client, NAT out via WG interface and Endpoint routing
Build 51596
Some small targets (4 MB flash) got WireGuard: https://svn.dd-wrt.com/changeset/51596
Build 51972/51973
Some bug fixes for routers without IPv6
Build 54481
Changed startup sequence and added locking to prevent some spurious race conditions.
Added debug option: by setting nvram set wg_debug=1 you enable debug; you can view the output with: grep -i -E 'oet|wireguard|eop' /var/log/messages
When you are done, remove debug: nvram unset wg_debug
If you start WG manually, just use the official restart command: /usr/bin/wireguard-restart.sh
Build 54208
Add label to tunnel for easier identification
Build 54738
Add fail safe to prevent deadlock

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sat Jan 06, 2024 8:53; edited 7 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12813
Location: Netherlands

PostPosted: Fri Dec 15, 2023 16:03    Post subject: WireGuard Companion app
The WireGuard Companion app is a script you can use via SSH to administer your WireGuard tunnels.
You can disable/enable tunnels, view status and log and restart WireGuard or the router.

Use your favourite SSH client from phone or laptop to automatically run the script on connection.

You can use e.g. Connectbot or JuiceSSH for your phone, make a profile and keys to connect to your router and automatically launch the script for easy access.

Download the wireguard-companion script (right click and choose Save as).
The repository with scripts and other DDWRT guides is at https://github.com/egc112/ddwrt

Instructions to download and add the script to your router:
# name: wireguard-companion.sh
# version: 0.93 beta, 14-jan-2024, by egc
# purpose: Toggle WireGuard tunnels on/off, show status and log
# script type: standalone
# installation:
# 1. enable jffs2 (administration->jffs2) or use USB stick for storage with /jffs
# 2. change to directory in which you want the script to download e.g.: cd /jffs
# 3. download script from github with:
# curl -LJO https://raw.githubusercontent.com/egc112/ddwrt/main/wireguard-companion.sh
# or
# wget --no-check-certificate --content-disposition https://raw.githubusercontent.com/egc112/ddwrt/main/wireguard-companion.sh
# 4. make this script executable with: chmod +x /jffs/wireguard-companion.sh
# 5. run from command line with /jffs/wireguard-companion.sh
# If you do not have persistent storage you can reinstall the script automatically on reboot by adding
# the following to Administration > Commands and Save as Startup:
# sleep 10
# cd /tmp
# curl -LJO https://raw.githubusercontent.com/egc112/ddwrt/main/wireguard-companion.sh
# chmod +x wireguard-companion.sh
# usage:
# toggle tunnels to enable/disable the tunnel and restart wireguard
# limitations:
# - requires dd-wrt build 52241 or later

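The startup snippet above fetches the script on every boot and marks it executable without looking at what came back, and the wget variant disables certificate checking. The following is an added example (not egc's companion script and not from the egc112/ddwrt repository) that performs the same download but only installs the file if it looks like the expected script; the validate_script and install_companion function names and the .part temp file are assumptions of this example.

```shell
#!/bin/sh
# Added example: boot-time install of wireguard-companion.sh with a content
# check before chmod +x. Assumes curl or wget is present on the router and
# that DEST is a writable directory such as /jffs or /tmp.

COMPANION_URL="https://raw.githubusercontent.com/egc112/ddwrt/main/wireguard-companion.sh"

# validate_script FILE -> 0 if FILE is a non-empty sh script whose header
# names the companion script, 1 otherwise (e.g. an HTML error page).
validate_script() {
    f="$1"
    [ -s "$f" ] || return 1
    case "$(head -n 1 "$f")" in
        '#!/bin/sh'*|'#!/bin/ash'*|'#!/bin/bash'*) ;;
        *) return 1 ;;
    esac
    # the header of the real script carries this line (see the post above)
    grep -q '^# name: wireguard-companion.sh' "$f" || return 1
    # an HTML body means we fetched an error page, not a script
    grep -qi '<html' "$f" && return 1
    return 0
}

# install_companion DEST -> download to a temp file, validate, then install
install_companion() {
    dest="$1"
    tmp="$dest/.wireguard-companion.sh.part"
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$tmp" "$COMPANION_URL" || return 1
    else
        # same flag as the post; the content check below is then the only guard
        wget -q --no-check-certificate -O "$tmp" "$COMPANION_URL" || return 1
    fi
    if validate_script "$tmp"; then
        mv "$tmp" "$dest/wireguard-companion.sh" \
            && chmod +x "$dest/wireguard-companion.sh"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage from a Startup command: sleep 10; sh /path/to/this.sh /tmp
case "${1:-}" in
    /*) install_companion "$1" ;;
esac
```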