The Easiest Tunnel Ever

From DD-WRT Wiki

Revision as of 10:33, 5 February 2019 by Mile-Lile (previous revision 14:54, 31 January 2019 by Ian5142, "Added Categories on the bottom."). This revision adds the "Adding a second peer breaks the first" subsection under Troubleshooting.
This tutorial is for beginners, so before proceeding make sure you have a working reset button and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere). This guide will show you the basics of creating a tunnel from your Android/iOS device to a DD-WRT unit in a secure way.

Why WireGuard?

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

Why WireGuard + DD-WRT tunnel?

Starting from February 2019, courtesy of Mr. BrainSlayer (Sebastian, lead DD-WRT developer), the client config can be imported to Android/iOS in a very simple way using a QR Code. No more complicated key generation, copy-paste and other headaches. The advantage of this approach is that there is no need to transfer sensitive information via data channels that could be compromised, and no need for any supplementary software besides the WireGuard app (Android/iOS) and the DD-WRT GUI.

What is a QR Code?

The QR Code is a two-dimensional version of the barcode known from product packaging in the supermarket. Originally developed for process optimization in the logistics of the automotive industry, the QR Code has found its way into mobile marketing with the widespread adoption of smartphones. "QR" stands for "Quick Response", which refers to the instant access to the information encoded in the code. QR Codes are gaining popularity because the technology is "open source", i.e. available for everyone. Significant advantages of QR Codes over conventional barcodes are larger data capacity and high fault tolerance.


Creating tunnel

First, enable the tunnel on the eop-tunnel.asp page of your DD-WRT unit (http://your_router_ip/eop-tunnel.asp). From the Protocol Type drop-down menu, choose WireGuard. Click Generate Key and enter the IP Address (this will be the oet1 interface IP and must be outside your local LAN range, on a separate network). E.g. if your LAN IP (router IP) is, for the IP address of oet1 put

Adding Peer

For a simple configuration you just need to enter a Peer Tunnel IP within the oet1 interface IP range (e.g. and a Peer Tunnel DNS ( The Peer Tunnel MTU will be calculated automatically (WAN MTU - 80), but you can edit it of course. Click Save. Generate the QR Code by pressing the QR-Code button.

Masquerading tunnel

The disadvantage of WireGuard is that you cannot bridge anything: you always have to forward and do NAT, there is no other way. So, head to Networking.asp, unbridge the oet1 interface and enable Masquerade / NAT. Apply. This way you'll have internet on the other side of your tunnel.

Importing config to Android/iOS

Start your WireGuard app. In the lower right corner press "+" and select "Create from QR code", then scan the QR Code shown in the DD-WRT GUI (peer section). After transferring the config from DD-WRT you will be prompted to name your tunnel. Go to to check your public IP.


Troubleshooting

Adding a second peer breaks the first

You cannot use allowed IPs of for both peers; this causes a collision. What works is setting of and. The Allowed IPs feature is for cryptokey routing: the key is valid for the allowed IP space, so one single key is valid for the whole space.
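The collision described above, modelled as an added example that is not from the DD-WRT wiki: a small cryptokey routing table in which each Allowed IPs prefix belongs to exactly one peer key, so giving two peers the same prefix hands it to the second peer and cuts off the first, while disjoint per-peer prefixes route cleanly. The 0.0.0.0/0 catch-all, the 10.9.0.0/24 tunnel range and the peer key names are constructed values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class CryptokeyRouter:
    """Model of WireGuard cryptokey routing: each allowed-IP prefix belongs to
    exactly one peer key; re-assigning a prefix moves it to the newer peer."""

    def __init__(self) -> None:
        self.table: Dict[ipaddress.IPv4Network, str] = {}   # prefix -> peer key
        self.stolen: List[Tuple[str, str, str]] = []        # (prefix, from, to)

    def add_peer(self, key: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            previous = self.table.get(net)
            if previous is not None and previous != key:
                self.stolen.append((str(net), previous, key))  # first peer loses it
            self.table[net] = key

    def peer_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match: whose key encrypts traffic to dst?"""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, key in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, key)
        return best[1] if best else None

    def allowed_for(self, key: str) -> List[str]:
        """Prefixes the peer still owns; an empty list means it is cut off."""
        return sorted(str(n) for n, k in self.table.items() if k == key)


def broken_setup() -> CryptokeyRouter:
    """Both peers given the same catch-all prefix (constructed placeholder keys)."""
    r = CryptokeyRouter()
    r.add_peer("PHONE_KEY", ["0.0.0.0/0"])
    r.add_peer("TABLET_KEY", ["0.0.0.0/0"])   # steals 0.0.0.0/0 from the phone
    return r


def working_setup() -> CryptokeyRouter:
    """Disjoint per-peer tunnel addresses inside a constructed 10.9.0.0/24."""
    r = CryptokeyRouter()
    r.add_peer("PHONE_KEY", ["10.9.0.2/32"])
    r.add_peer("TABLET_KEY", ["10.9.0.3/32"])
    return r
```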

Persistent Keep Alive

This is optional; it is the number of seconds between keep-alive messages. The default is 0 (disabled). The recommended value for NATed devices is 25.

Allowed IPs

This is required. It represents the IP addresses that this peer is allowed to use inside the tunnel: usually the peer's tunnel IP address and the networks the peer routes through the tunnel.

Preshared Key

A base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography, mixed into the existing public-key cryptography, for post-quantum resistance.

To check if the tunnel is active:

 interface: oet1
   public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
   private key: (hidden)
   listening port: 51820

   allowed ips:
   latest handshake: 7 seconds ago
   transfer: 14.11 KiB received, 39.85 KiB sent

To check if you NATed your oet1 network:

 iptables -t nat -v -n -L

 Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
  pkts bytes target     prot opt in     out     source               destination
    71 14687 SNAT       0    --  *      ppp0           to:your_router_public_ip
    38  2381 SNAT       0    --  *      ppp0           to:your_router_public_ip
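An added example, not from the DD-WRT wiki, that checks the two things above programmatically: it parses the `wg` listing for the age of the latest handshake and the POSTROUTING listing for a SNAT or MASQUERADE rule whose source is the tunnel subnet. The sample outputs, the 10.9.0.0/24 tunnel subnet, the placeholder keys and the 203.0.113.10 public address are constructed.

```python
import re
from typing import Optional

# Constructed sample output in the format the wiki shows (keys are placeholders).
WG_SAMPLE = """\
interface: oet1
  public key: PLACEHOLDER_PUBLIC_KEY=
  private key: (hidden)
  listening port: 51820

peer: PLACEHOLDER_PEER_KEY=
  allowed ips: 10.9.0.2/32
  latest handshake: 1 minute, 5 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent
"""

# Constructed POSTROUTING listing with a SNAT rule for the tunnel subnet 10.9.0.0/24.
NAT_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target     prot opt in     out     source               destination
   71 14687 SNAT       0    --  *      ppp0    10.9.0.0/24          0.0.0.0/0            to:203.0.113.10
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age(wg_output: str) -> Optional[int]:
    """Seconds since the latest handshake, or None if the peer never completed one."""
    m = re.search(r"latest handshake:\s+(.+)", wg_output)
    if not m:
        return None
    return sum(int(n) * UNITS[unit]
               for n, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", m.group(1)))


def tunnel_up(wg_output: str, max_age: int = 180) -> bool:
    """While traffic flows WireGuard re-handshakes about every two minutes, so on a
    tunnel that is in use a handshake older than max_age means the peer is not reaching us."""
    age = handshake_age(wg_output)
    return age is not None and age <= max_age


def nat_rule_for(nat_output: str, tunnel_net: str) -> bool:
    """True if POSTROUTING has a SNAT or MASQUERADE rule whose source is tunnel_net."""
    for line in nat_output.splitlines():
        cols = line.split()
        if len(cols) >= 9 and cols[2] in ("SNAT", "MASQUERADE") and cols[7] == tunnel_net:
            return True
    return False
```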

Useful console directives

 ip addr 
 ip route show