Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sat Dec 12, 2020 12:24 Post subject: Test users wanted to test upgraded and reworked WireGuard
I am looking for test users who want to test build 44980.
This build has an upgraded and reworked WireGuard.
It has among other things:
• Interface with Advanced option to hide advanced options and make it cleaner.
• Set DNS server with routing via tunnel
• Use CIDR notation for address/netmask so it could also work with IPv6 (not tested, and no routing rules)
• Upgraded PBR so as to also allow things like "iif" and "from to" and, if we get Kernel 4.17 or later, port routing
• Firewall settings the same as for OpenVPN, i.e. no extra rules for normal client behaviour (the client can initiate outbound traffic by default) and accepting new inbound traffic for the server
• Added possibilities for route-up, route-down scripts and Firewall mark settings
• Added detection if there is no WAN (like in a Wireless Access Point) to set the default route via the LAN
• Instead of a fixed wait time (35 seconds), a variable wait time, waiting for the time server to come up
• If a route-up script is present, wait for USB/jffs to be accessible with the is-mounted.sh utility (/usr/bin/is-mounted.sh)
If the test is successful some or all of these upgrades can be incorporated in the next public Beta build, but I need your help to test.
The build is an official build by BS and I have it running on a Broadcom R6400, Linksys EA8500 and Netgear R7800, which all run fine (the Qualcomm Atheros ones have improved WiFi throughput and Samba is working 😊)
Your WireGuard settings are retained except for the IP address and Net mask of the WG tunnel.
Old builds have e.g. 10.4.0.5 with netmask 255.255.255.0, new builds will use CIDR notation e.g. 10.4.0.5/24 (this is in preparation for IPv6, and normally your provider will also use this notation)
You have to refresh your browser cache with CTRL+F5 and enable the tunnel, but as said settings should be retained except for the IP address/netmask.
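The address/netmask to CIDR conversion described in the post, as an added example in POSIX sh (not code from the DD-WRT build): it turns an old-style dotted netmask into a prefix length, rejects masks whose bits are not contiguous, and leaves an address that already carries /nn (IPv4 or IPv6) untouched. The function names mask2cidr and to_cidr are my own.

```shell
#!/bin/sh
# Added example, not code from the DD-WRT build: migrate the old
# "IP address + dotted netmask" WireGuard settings to the CIDR form the
# reworked build uses. Pure POSIX sh, so it also runs on the router's ash.

# mask2cidr DOTTED_MASK -> prints the prefix length, returns 1 for a bad mask.
# A valid mask is a run of ones followed by a run of zeros (e.g. 255.255.255.0),
# so its bitwise inverse must be of the form 2^k - 1.
mask2cidr() {
    mask=$1
    case "$mask" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and single dots only
    esac
    oldifs=$IFS
    IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in 0?*) return 1 ;; esac     # no leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || return 1
        n=$(( ($n << 8) | $o ))
    done
    inv=$(( ~$n & 4294967295 ))                # host-part bits, as a 32-bit value
    [ $(( $inv & ($inv + 1) )) -eq 0 ] || return 1   # 2^k - 1 has no gaps
    bits=0
    while [ "$inv" -ne 0 ]; do
        inv=$(( $inv >> 1 ))
        bits=$(( $bits + 1 ))
    done
    echo $(( 32 - $bits ))
}

# to_cidr ADDRESS [MASK_OR_PREFIX] -> prints "address/prefix".
# Accepts the old pair (10.4.0.5 255.255.255.0), a plain prefix length (24),
# or an address that already carries /nn, which is echoed unchanged so IPv6
# addresses like fd00:1::5/64 pass straight through.
to_cidr() {
    addr=$1
    mask=$2
    case "$addr" in
        '') return 1 ;;
        */*) echo "$addr"; return 0 ;;
    esac
    case "$mask" in
        '') return 1 ;;
        *.*) p=$(mask2cidr "$mask") || return 1 ;;
        *[!0-9]*) return 1 ;;
        *) [ "$mask" -le 32 ] || return 1; p=$mask ;;
    esac
    echo "$addr/$p"
}
```

Running `to_cidr 10.4.0.5 255.255.255.0` prints `10.4.0.5/24`, which is exactly the value the new build expects in the IP address field; a mask such as 255.0.255.0 makes the function fail rather than silently produce a wrong prefix.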
Just upgraded to 44980 with the new WG. Working well so far, but it's only been up about 10 minutes.
_________________ Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Wireless 5ghz only
Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r55779
Features in use: multiple VLANs over single trunk port
Linksys EA8500 WDS Station x2 - DD-WRT r55799
Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port. DD-WRT r55779
OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Sun Dec 13, 2020 0:21 Post subject:
What's the difference between the DNS server setting on the WireGuard page vs using forced DNS redirection for the WireGuard interface on the Networking page, which I'm currently using?
_________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun Dec 13, 2020 10:12 Post subject:
tatsuya46 wrote:
What's the difference between the DNS server setting on the WireGuard page vs using forced DNS redirection for the WireGuard interface on the Networking page, which I'm currently using?
That is a very good question.
The Optional DNS target uses iptables rules to redirect queries on port 53.
I assumed that it would not work as the interface is not unbridged.
Your question led me to actually try it
I set an optional DNS target to 11.0.0.0 (non-existent, so it should stop DNS) and nothing happened, and the rules are not hit either:
When the DNS server (or servers, you can set more than one) is set in the WG GUI, those are placed in resolv.dnsmasq for use by DNSMasq, but only after the connection is made and the route is set up, so that when a DNS server is not publicly available you do not get into a deadlock situation where DNSMasq tries to resolve the time server and endpoint URL but cannot.
Furthermore, a static route is made so that the DNS server is always routed via the tunnel.
_________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
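What "the DNS server is always routed via the tunnel" comes down to on the router, as an added example (not the build's own route-up code): given the tunnel interface and the DNS servers entered in the WireGuard GUI, it writes a dnsmasq resolv file and pins a host route for each server through the tunnel, with a route-down counterpart. The interface name oet1, the resolv file path, the function names and the RUN=echo preview convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not DD-WRT's own route-up code. Run it once the tunnel is up
# and its endpoint has already been resolved; running it earlier recreates the
# deadlock described above (dnsmasq pointed at a server that is only reachable
# through a tunnel that is not up yet).
# Conventions assumed for this example: RUN=echo previews the ip commands
# instead of executing them; the resolv file path is whatever dnsmasq was
# started with (-r / resolv-file).

# wg_dns_setup IFACE RESOLV_FILE DNS_SERVER...
wg_dns_setup() {
    iface=$1
    resolv=$2
    shift 2
    [ $# -ge 1 ] || { echo "wg_dns_setup: no DNS servers given" >&2; return 1; }
    : > "$resolv.tmp" || return 1
    for dns in "$@"; do
        case "$dns" in
            *:*)        fam=-6 ;;             # IPv6 literal
            *[!0-9.]*)  echo "wg_dns_setup: skipping non-IP entry $dns" >&2; continue ;;
            *.*.*.*)    fam=-4 ;;             # IPv4 literal
            *)          echo "wg_dns_setup: skipping malformed entry $dns" >&2; continue ;;
        esac
        echo "nameserver $dns" >> "$resolv.tmp"
        # A host route (/32 or /128) is the longest possible prefix, so neither
        # the WAN default route nor a PBR rule can pull these queries out of
        # the tunnel. 'replace' makes the script safe to re-run.
        ${RUN:-} ip $fam route replace "$dns" dev "$iface" || return 1
    done
    # Swap the file in atomically; dnsmasq polls its resolv file and picks it up.
    mv "$resolv.tmp" "$resolv"
}

# wg_dns_teardown IFACE RESOLV_FILE DNS_SERVER... : route-down counterpart,
# removes the host routes and the resolv file so nothing dangles after the
# tunnel drops.
wg_dns_teardown() {
    iface=$1
    resolv=$2
    shift 2
    for dns in "$@"; do
        case "$dns" in *:*) fam=-6 ;; *) fam=-4 ;; esac
        ${RUN:-} ip $fam route del "$dns" dev "$iface" 2>/dev/null
    done
    rm -f "$resolv"
}
```

With RUN=echo, `wg_dns_setup oet1 /tmp/resolv.dnsmasq 10.4.0.1` prints `ip -4 route replace 10.4.0.1 dev oet1` and writes `nameserver 10.4.0.1`; without RUN it executes the route commands, which needs root on the router. Hostnames are skipped on purpose: resolving them here would reintroduce the dependency on a working resolver that the two-phase setup is meant to avoid.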
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun Dec 13, 2020 10:19 Post subject:
Per Yngve Berg wrote:
I'm running a Site-to-Site WG between an R7800 and an RT-AC66U. Couldn't find the file for the latter.
I have made IPv6 work through manual configuration.
1) The oet interface does not have a Link Local Address (FE80::). Probably because it does not have a MAC either.
2) DHCP6C does not assign a PD when one interface that is given a SLA ID is not up when run.
Per Yngve, thanks for testing, BS decided to go forward and have the build publicly available already (a bit too soon for my liking, as I wanted more time to test)
I do not have IPv6 (and only have basic knowledge about it) so could not test/try anything.
Can you give some instructions on how to set up IPv6 for other users?
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun Dec 13, 2020 11:10 Post subject:
All your suggestions, errors you spotted or ideas for improvement are very welcome, I cannot do it alone.
A special note for a small utility I added /usr/bin/is-mounted.sh
It waits for a maximum of 35 seconds for a directory to be available and writable; it can probably also be used in startup to wait for the USB stick.
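An added example (not the is-mounted.sh shipped in the build, whose source is not on this page) of the same idea in POSIX sh: poll until the directory exists and actually accepts a file, give up after the timeout, and call it at the top of a route-up script before touching /jffs or a USB disk. The function name and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the is-mounted.sh shipped in the build (its source is not
# on this page): wait for a directory such as /jffs or a USB mount to be
# available and writable before a route-up script uses it.
# wait_mounted DIR [TIMEOUT]   default 35 s, the old fixed wait from the post.
wait_mounted() {
    dir=$1
    timeout=${2:-35}
    waited=0
    while :; do
        # test -w only answers from permission bits; actually creating a file
        # proves the filesystem accepts writes right now (a read-only or
        # still-mounting volume fails here and we keep waiting).
        if [ -d "$dir" ] && : > "$dir/.wait-mounted.$$" 2>/dev/null; then
            rm -f "$dir/.wait-mounted.$$"
            return 0
        fi
        [ "$waited" -lt "$timeout" ] || return 1     # give up after TIMEOUT s
        sleep 1
        waited=$(( $waited + 1 ))
    done
}

# Typical use at the top of a route-up script (paths are assumptions):
#   wait_mounted /jffs 35 || { logger -t wireguard "/jffs not ready, skipping"; exit 1; }
#   . /jffs/etc/wg-policy.sh
```

Note what this does and does not prove: a successful return means the path exists and took a write, not that a particular volume is mounted on it. If the route-up script must only run once the USB disk itself is present, add a check of the mount point against /proc/mounts; that is outside what this example tests.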
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sun Dec 13, 2020 11:34 Post subject:
Hi egc,
I would like to try WG, but I'm unaware how it's going to work with DoT... I'm using... Last time I tried WG I messed up with PIA settings and it was not working.
I'll give it a go again...
Any tips...?? Will it work with a stub resolver...??? or any resolver that works on the loopback interface...
I guess it must not be an issue...???
So far the advantage of OpenVPN over WG is only in terms of options and configuration, but speed could be a major 'plus' for WG that outweighs the cons of it...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun Dec 13, 2020 11:39 Post subject:
All good questions, but I have never tried it.
Will put it on my list to research; a DNS query out in the open is of course not very safe, however if you are using a provider with its own internal DNS server the query will go encrypted via the tunnel to the provider and be resolved there
Joined: 28 Sep 2018 Posts: 29 Location: Buenos Aires, Argentina
Posted: Sun Dec 13, 2020 20:34 Post subject:
Router Model Netgear Nighthawk X10
Firmware Version DD-WRT v3.0-r44980 std (12/12/20)
Kernel Version Linux 4.9.247 #519 SMP Sun Dec 6 19:24:53 +07 2020 armv7l
Wireguard (Torguard) OK after update. Settings retained. Everything works OK.
Anyway, I manually added the IP Address/Netmask (CIDR notation)