The Easiest Tunnel Ever
From DD-WRT Wiki
Introduction
This tutorial is for beginners, so before proceeding make sure you have a working reset button and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere). This guide shows the basics of creating a tunnel from your Android/iOS device to a DD-WRT unit in a secure way.
Why WireGuard?
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
Why WireGuard + DD-WRT tunnel?
Starting from February 2019, and courtesy of BrainSlayer (Sebastian, lead DD-WRT developer), the client config can be imported to Android/iOS in a very simple way using a QR code. No more complicated key generation, copy-paste and other headaches. The advantage of this approach is that there is no need to transfer sensitive information (the private key) over data channels that could be compromised, and no supplementary software is needed besides the WireGuard app (Android/iOS) and the DD-WRT GUI.
What is a QR Code?
The QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. Originally developed for process optimization in the logistics of the automotive industry, the QR Code has found its way into mobile marketing with the widespread adoption of smartphones. "QR" stands for "Quick Response", which refers to the instant access to the information hidden in the Code. QR Codes are gaining popularity because the technology is "open source", i.e. available for everyone. Significant advantages of QR Codes over conventional barcodes are larger data capacity and high fault tolerance.
Instructions
Creating tunnel
First, enable the tunnel on the eop-tunnel.asp page of your DD-WRT unit (http://your_router_ip/eop-tunnel.asp). From the Protocol Type drop-down menu, choose WireGuard. Click Generate Key and enter an IP Address (this will be the oet1 interface IP and must be outside your local LAN range, on a separate network; e.g. if your LAN IP (router IP) is 192.168.2.1, use 10.10.0.1 as the oet1 IP address).
Adding Peer
For a simple configuration you just need to enter a Peer Tunnel IP within the oet1 interface IP range (e.g. 10.10.0.2) and a Peer Tunnel DNS (8.8.8.8). The Peer Tunnel MTU is calculated automatically (WAN MTU - 80), but you can edit it of course. Click Save. Generate the QR code by pressing the QR-Code button.
Masquerading tunnel
The disadvantage of WireGuard is that you cannot bridge anything: you always have to forward (route) and do NAT. There is no other way! So, head to Networking.asp, unbridge the oet1 interface and enable Masquerade / NAT. Apply. This way you will have internet access on the other side of your tunnel.
Importing config to Android/iOS
Start your WireGuard app. In the lower right corner press "+" and select "Create from QR code", then scan the QR code shown in the DD-WRT GUI (peer section). After the config has been transferred from DD-WRT you will be prompted to name your tunnel. Go to http://whatismyip.akamai.com/advanced to check your public IP (with the tunnel up and all traffic routed through it, it should show your router's public IP).
Troubleshooting
Persistent Keep Alive
This is optional; it is the number of seconds between keepalive messages. The default is 0 (disabled). The recommended value for NATed devices is 25.
To check if the tunnel is active, run wg:
wg
interface: oet1
  public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
  private key: (hidden)
  listening port: 51820

peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
  endpoint: 212.200.181.116:9208
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent
To check that your oet1 network is NATed, list the nat table (an SNAT or MASQUERADE rule for the tunnel subnet must appear in POSTROUTING):
iptables -t nat -v -n -L
Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target prot opt in out source         destination
   71 14687 SNAT   0    --  *  ppp0 192.168.2.0/24 0.0.0.0/0 to:your_router_public_ip
   38  2381 SNAT   0    --  *  ppp0 10.0.0.0/24    0.0.0.0/0 to:your_router_public_ip
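A small health check that combines the two inspections above, added here as an example (it is not a DD-WRT script): it reads `wg show oet1 latest-handshakes` for a recent peer handshake and the POSTROUTING listing for an SNAT/MASQUERADE rule on the tunnel subnet. It assumes the tunnel subnet 10.10.0.0/24 from the "Creating tunnel" step, and off the router it runs against constructed sample output.

```shell
#!/bin/sh
# Health check for the oet1 WireGuard tunnel set up above (added example,
# not a DD-WRT script). It reads the two outputs the troubleshooting section
# inspects: `wg show oet1 latest-handshakes` (one "<peer-pubkey><TAB><epoch>"
# line per peer, epoch 0 if the peer never completed a handshake) and the
# POSTROUTING listing from `iptables -t nat -v -n -L`. The functions take the
# command output as text, so they can be exercised offline on captured output.

# handshake_fresh OUTPUT MAX_AGE NOW: succeed if any peer's latest handshake
# lies within MAX_AGE seconds of the epoch time NOW.
handshake_fresh() {
  newest=0
  while read -r _peer ts; do
    [ "${ts:-0}" -gt "$newest" ] && newest=$ts
  done <<EOF
$1
EOF
  [ "$newest" -gt 0 ] || return 1
  [ $(($3 - newest)) -le "$2" ]
}

# nat_covers_subnet OUTPUT SUBNET: succeed if the listing has an SNAT or
# MASQUERADE rule whose source column equals SUBNET (field 8 in the -v -n -L
# layout: pkts bytes target prot opt in out source destination ...).
nat_covers_subnet() {
  printf '%s\n' "$1" | awk -v s="$2" \
    '$3 ~ /^(SNAT|MASQUERADE)$/ && $8 == s { found = 1 } END { exit !found }'
}

# Constructed sample outputs (tunnel subnet 10.10.0.0/24 as chosen in the
# "Creating tunnel" step; peer key, epoch and public IP are placeholders).
SAMPLE_WG=$(printf 'PEERKEYBLABLA=\t%s\n' 1700000000)
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target prot opt in out source         destination
   71 14687 SNAT   0    --  *  ppp0 192.168.2.0/24 0.0.0.0/0 to:203.0.113.10
   38  2381 SNAT   0    --  *  ppp0 10.10.0.0/24   0.0.0.0/0 to:203.0.113.10'

# On the router (root, wg installed) check live output; elsewhere the samples.
if [ "$(id -u)" = 0 ] && command -v wg >/dev/null 2>&1; then
  WG_OUT=$(wg show oet1 latest-handshakes 2>/dev/null) || true
  NAT_OUT=$(iptables -t nat -v -n -L POSTROUTING 2>/dev/null) || true
else
  WG_OUT=$SAMPLE_WG; NAT_OUT=$SAMPLE_NAT
fi
handshake_fresh "$WG_OUT" 180 "$(date +%s)" && echo "oet1: recent peer handshake" \
  || echo "oet1: no handshake in the last 3 minutes; check keys and endpoint"
nat_covers_subnet "$NAT_OUT" 10.10.0.0/24 && echo "oet1: tunnel subnet is masqueraded" \
  || echo "oet1: no SNAT/MASQUERADE rule for 10.10.0.0/24 (see Networking.asp)"
```

A handshake older than about three minutes with traffic flowing means the peer is not reaching the router at all, whereas a fresh handshake with no internet on the phone points at the missing NAT rule.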
Useful console commands
ip addr
ip route show
ifconfig
traceroute
ping