The Easiest Tunnel Ever

From DD-WRT Wiki

Revision as of 21:01, 16 January 2020 by Jeremywh7 (Talk | contribs)



This WireGuard guide shows the basics of creating a secure tunnel from a client device to a DD-WRT unit. Before proceeding, verify that the reset button works and that you have a configuration backup in case of problems.



Why WireGuard + DD-WRT tunnel?

Since build 38581 (February 2019), a client config can be imported using a QR code. The advantage of this approach is that sensitive information does not have to be transferred over data channels that could be compromised, and no supplementary software is needed besides WireGuard and the DD-WRT GUI.

What is a QR Code?

The QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. Originally developed for process optimization in the logistics of the automotive industry, the QR Code has found its way into mobile marketing with the widespread adoption of smartphones. "QR" stands for "Quick Response", which refers to the instant access to the information hidden in the Code. QR Codes are gaining popularity because the technology is "open source", i.e. available for everyone. Significant advantages of QR Codes over conventional barcodes are larger data capacity and high fault tolerance.


Creating tunnel

First, enable the tunnel on the DD-WRT Basic -> Tunnels tab (eop-tunnel.asp). From the Protocol Type drop-down menu, choose WireGuard. Click Generate Key and enter the IP Address (this will be the oet1 interface IP and must be outside your local LAN range, on a separate network).

  • E.g. if the router LAN IP is, for the oet1 IP address use

Adding Peer

For a simple configuration you just need to enter a Peer Tunnel IP within the oet1 interface IP range (e.g. and a Peer Tunnel DNS ( Peer Tunnel MTU will be calculated automatically (WAN MTU minus 40) but can then be edited. Click Save. Generate the QR code by pressing the QR-Code button.

Masquerading tunnel

WireGuard cannot bridge anything; you always have to use Forward and NAT. Go to Networking, unbridge the oet1 interface, and enable Masquerade / NAT to have internet access on the other side of the tunnel. Click Apply.

Note for Access Point mode

Add the following firewall rule under Administration/Commands and save as firewall then reboot:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Importing config to Android/iOS

Start your WireGuard app. In the lower right corner press "+" and select "Create from QR code", then scan the QR code shown in the DD-WRT GUI (peer section). After the config has been transferred from DD-WRT you will be prompted to name your tunnel. Go to a "what is my IP" site to check your public IP.

WireGuard apps: Android, Apple iOS (iOS 12.0 or later)

Importing config to Linux

These packages are needed:

  • networkmanager-wireguard-git (dkms)
  • A graphical QRCode decoder e.g. qtqr
  • Screenshot tool e.g. flameshot

Review your distribution's wiki and forums for more specific details.

  • Go to the eop-tunnel.asp of your router, and grab a screenshot of the qrcode.
  • Save it but remember location and name of png file.
  • Open the qrcode decoder and add the png file to decode
  • You will be prompted with a decoded txt config file.
  • Use it to populate wireguard client side config in the network manager.
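
The decoded text file from the steps above contains the tunnel's private key, and so does the screenshot it came from. The following Python check is an added example, not part of the original wiki page or of DD-WRT: it validates a decoded config before it is entered into the network manager and stores it readable by its owner only. It assumes the decoded text uses the usual [Interface]/[Peer] layout with one peer; the function names, addresses, endpoint name and LAN range are constructed for illustration.

```python
import base64
import configparser
import ipaddress
import os

REQUIRED = {"Interface": ("PrivateKey", "Address"),
            "Peer": ("PublicKey", "Endpoint", "AllowedIPs")}

def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_wg_config(text, lan_cidr):
    """Return a list of problems in a decoded client config (one peer assumed)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"not a WireGuard config: {type(exc).__name__}"]
    problems = [f"missing {s}.{k}" for s, keys in REQUIRED.items()
                for k in keys if not cp.has_option(s, k)]
    for s, k in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if cp.has_option(s, k) and not is_wg_key(cp.get(s, k)):
            problems.append(f"{s}.{k} is not a 32-byte base64 key")
    lan = ipaddress.ip_network(lan_cidr)
    for addr in cp.get("Interface", "Address", fallback="").split(","):
        if not addr.strip():
            continue
        iface = ipaddress.ip_interface(addr.strip())
        # The guide requires the oet1 range to be separate from the LAN range.
        if iface.version == lan.version and iface.network.overlaps(lan):
            problems.append(f"tunnel address {iface} overlaps LAN {lan}")
    return problems

def save_private(path, text):
    """Create the file owner-readable only (0600): it holds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

# Constructed sample values, not taken from any real router.
PRIV = base64.b64encode(bytes(range(32))).decode()
PUB = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE = (f"[Interface]\nPrivateKey = {PRIV}\nAddress = 10.10.0.2/24\n"
          f"DNS = 10.10.0.1\nMTU = 1460\n\n[Peer]\nPublicKey = {PUB}\n"
          "Endpoint = vpn.example.net:51820\nAllowedIPs = 0.0.0.0/0\n")
```

Once the config is imported, delete the screenshot PNG and any decoded copy that is no longer needed, since either one is enough to reproduce the client's identity.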

Importing config to Windows


Instructions


For more details and Troubleshooting see the parent Wireguard wiki
For the latest updated information and additional scripts see the Wireguard setup guide.