Wireguard

From DD-WRT Wiki

(Difference between revisions)
Revision as of 21:17, 18 July 2018 (edit)
Liverpoolatnight (Talk | contribs)
(Method 2 - If Double NATed (DON'T USE, WIP))
← Previous diff
Current revision (22:07, 4 February 2024) (edit) (undo)
Kernel-panic69 (Talk | contribs)
((add note regarding current documentation))
 
(13 intermediate revisions not shown.)
Line 1: Line 1:
-"[https://www.wireguard.com/ WireGuard] is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry."[1]+[[VPN]] -> '''[[Wireguard]]'''<br>
 +'''NOTE: The most updated WireGuard documentation is currently in the forum: [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397 WireGuard guides and documentation]'''
__TOC__ __TOC__
-=How it works=+[[Image:benchmark.PNG|thumbnail|Why WireGuard?]]
-[https://www.wireguard.com/quickstart/ Quick Start (from the developer site)]+[https://www.wireguard.com/ WireGuard®] is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
-=Firewall rules=+[[Image:oet1.PNG|thumbnail|Instructions]]
-[https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1122432#1122432 Add firewall rules] to successfully communicate through the tunnel on each unit:+[[Image:QR-Code.PNG|thumbnail|Instructions]]
- #for reaching the unit in/out+[[Image:Android.jpeg|thumbnail|Instructions]]
- iptables -I INPUT -i oet1 -j ACCEPT+[[Image:Enable.jpeg|thumbnail|Instructions]]
- iptables -I OUTPUT -o oet1 -j ACCEPT+[[Image:DecodeQRcode.PNG|thumbnail|Instructions]]
- #for forwarding packets to the networks behind in/out+[[Image:Vpn.jpg|thumbnail|Instructions]]
- iptables -I FORWARD -i oet1 -j ACCEPT+[[Image:Blabla.png|thumbnail|Instructions]]
- iptables -I FORWARD -o oet1 -j ACCEPT +
-Also set routes for the networks to reach:+Some key points about Wireguard:
- #to connect 192.168.1.0/24 and 192.168.2.0/24 via 10.10.10.2 put on the 192.168.1.0 gateway+*Layer 3 only - no bridging
- route add -net 192.168.2.0/24 gw 10.10.10.2+*UDP only
- #etc+*SSH authenticated keys
 +*Executes in-kernel (and is upstream since Linux 5.6)
 +*Static routing
-This firewall functionality may eventually get integrated into DD-WRT. SVN tickets:+==How it works==
-*[http://svn.dd-wrt.com/ticket/6217 add option to allow more than one allowed IP/Network]+[https://www.wireguard.com/quickstart/ Quick Start],
-*[http://svn.dd-wrt.com/ticket/6218 add option to set auto routes for oet*_aip0] - Done+[https://www.wireguard.com/#conceptual-overview Conceptual Overview]<br>
-*[http://svn.dd-wrt.com/ticket/6219 show private key in gui] - Done+This tutorial shows the basics of securely creating a tunnel from a client device to DD-WRT. Before proceeding, verify a working reset button and configuration backup in case of problems.
-*[http://svn.dd-wrt.com//ticket/6217#comment:1 add option to set a DNS in gui]+
-=Methord 2 - If Double NATed (DONT USE, WIP)=+==What is a QR Code?==
- wg set oet1 fwmark 51820+The "Quick Response" Code is a two-dimensional barcode with larger encoded data capacity and high fault tolerance. Since build 38581 in February 2019, a client config can be imported using a QR Code. The advantage of this approach is that there is no need to transfer sensitive information via potentially compromised data channels.
- # This sets the Firewall Mark of the wireguard interface called oet1 to 51820+
- # 51820 is attached to outgoing packets and can be used in firewall rules+
- # SSH into the Router and use wg to see it applyed.+
- ip route add 0.0.0.0/0 dev oet1 table 51820+==Install and Setup Guides==
- ip rule add not fwmark 51820 table 51820+The WireGuard [https://www.wireguard.com/install/ installation/downloads] page has software and instructions per OS.<br>
 +<u>WireGuard Forum Guides</u>:
 + [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206 Server setup] [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624 Client setup] [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787 Advanced setup]
 +'''These forum guides have the latest updated information and additional scripts such as:'''
 +*Setup DDWRT router as a Wireguard server
 +*Client devices setup
 +*Setup DDWRT router as a Wireguard client
 +*Policy Based Routing for Wireguard
 +*Wireguard PBR Kill Script
 +*Info regarding changes for CVE-2019-14899 ([https://svn.dd-wrt.com/ticket/6928 ticket 6928])
-=Reference=+ 
-[https://www.wireguard.com/#conceptual-overview Conceptual Overview]<br>+==Setup Instructions==
-[https://git.zx2c4.com/WireGuard/ Git Repository]<br>+'''Create the Wireguard tunnel:'''<br>
 +DD-WRT ''Basic'' -> ''Tunnels'' tab: enable the ''Tunnel'' then select ''WireGuard'' for ''Protocol Type''.
 +*''Generate Key'' and enter the ''oet1'' interface IP: <font color=red>must be a network outside the local LAN range</font>
 +*E.g. if the router LAN IP is 192.168.2.1, for the oet1 IP address use 10.10.0.1.
 + 
 +'''Add Peers:'''<br>
 +For simple configurations, just enter Peer Tunnel IP within the oet1 interface ip range (e.g. 10.10.0.2) and Peer Tunnel DNS (8.8.8.8). Peer Tunnel MTU will be calculated automatically (WAN mtu-40) but can then be edited. Click ''Save'' then the ''QR-Code'' button to generate it.
 + 
 +'''Masquerade the tunnel:'''<br>
 +Wireguard must be unbridged, using Forwarding and NAT. Go to ''Networking'', unbridge the oet1 interface (automatic since r42067), and enable Masquerade / NAT to have internet on the tunnel. Click ''Apply''.
 + 
 +====Note for Access Point mode====
 +Add the following firewall rule under Administration/Commands and save as firewall then reboot:
 +<pre>iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)</pre>
 + 
 +====Android/iOS config import====
 +Android: [https://play.google.com/store/apps/details?id=com.wireguard.android Google Play Store], iOS: [https://itunes.apple.com/us/app/wireguard/id1441195209 Apple Store (12.0 or later)]<br>
 +WireGuard app: press "+" in the lower right corner, select "Create from QR code", scan from DD-WRT peer, then the app will prompt to name the tunnel. Public IP can be checked [http://whatismyip.akamai.com/advanced here].
 + 
 +====Linux config import====
 +Review the Wireguard install page, distribution wiki (e.g. for [https://wiki.archlinux.org/index.php/WireGuard Arch]) and/or forums for more details.
 +*Manager: systemd-networkd 237, networkmanager 1.16, connman 1.38
 +*Graphical QR Code decoder e.g. [https://launchpad.net/qr-tools '''qtqr''']
 +*Screenshot tool e.g. [https://flameshot.js.org/#/ '''flameshot''']
 +Using a network manager with Wireguard and preshared key support is optional but much easier.
 +*Go to ''Tunnels'' to generate then capture and save a QR Code screenshot
 +*Open the QR Code decoder and add the png file to decode
 +*You will be prompted with a decoded textual config file
 +*Use it to populate wireguard client config in the network manager
 + 
 +====Windows config import====
 +Windows Wireguard client: [https://www.wireguard.com/install/ Windows .msi installer]<br>
 +Graphical QRCode decoder e.g. [https://www.codetwo.com/freeware/qr-code-desktop-reader/ CodeTwo QR Code Reader]<br>
 + 
 +====Options====
 +'''Persistent Keep Alive:''' This is seconds between keep alive messages, and is optional. Default is 0 (Disabled). The recommended value for NAT'd devices is 25 seconds.
 + 
 +'''Allowed IPs:''' This is required and represents IP addresses that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through tunnel. Outgoing packets will be sent to the peer whose ''Allowed IP''s contain the destination address, and for multiple matches, the longest matching prefix is chosen. Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.
 + 
 +'''Preshared Key:'''
 +A base64 preshared key generated by wg genpsk. This is optional and may be omitted. This adds an additional layer of symmetric-key cryptography into the existing public-key cryptography, for post-quantum resistance.
 + 
 +==Troubleshooting==
 +If you find any bugs report to: team@wireguard.com
 +*Start with rebooting all Peers
 +*Enable syslogd at Services/Services/Sytem Log
 +*In the script enable DEBUG by uncommenting the line:
 + #DEBUG= # uncomment/comment to enable/disable debug mode
 + 
 +====Useful [[Telnet/SSH_and_the_command_line#The_DD-WRT_Command_Line|console commands]]====
 +Check the tunnel status:
 + # wg
 +
 + interface: oet1
 + public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
 + private key: (hidden)
 + listening port: 51820
 +
 + peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
 + endpoint: 212.200.181.116:9208
 + allowed ips: 0.0.0.0/0
 + latest handshake: 7 seconds ago
 + transfer: 14.11 KiB received, 39.85 KiB sent
 + 
 +Check if the oet1 network is NAT'd:
 + # iptables -t nat -v -n -L
 +
 + Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 + pkts bytes target prot opt in out source destination
 + 71 14687 SNAT 0 -- * ppp0 192.168.2.0/24 0.0.0.0/0 to:your_router_public_ip
 + 38 2381 SNAT 0 -- * ppp0 10.0.0.0/24 0.0.0.0/0 to:your_router_public_ip
 + 
 + wg showconf oet1
 + 
 + ip addr
 + 
 + ip route show
 + 
 +*More: ''ifconfig'', ''traceroute'', and ''ping''
 + 
 +====Dynamic WAN IP on router====
 +After importing configs from DD-WRT to Android/iOS app, edit the ''Endpoint'' in the ''Peer'' section e.g.:
 +*my.ddns.address.com:51820
 + 
 +====Adding a second peer breaks the first====
 +Allowed IPs of 0.0.0.0/0 cannot be used for both peers as it causes a collision. Instead set separate peer IPs e.g. 10.10.0.2/32 and 10.10.0.3/32. The Allowed IP's feature is for crypto routing. The key is valid for the entire allowed IP space.
 + 
 +====Resolving local hostnames in the tunnel====
 +DD-WRT GUI ''Services'' -> DNSMasq section: enable "Local DNS" and disable "No DNS Rebind", go to ''Tunnels'' to enter local DNS IP (e.g. 192.168.1.1) for Peer Tunnel DNS (repeat for every peer). Since Wireguard cannot be bridged, the wireguard interface or it's local IP needs specified in dnsmasq as an additional binding interface / listener (interface=oet1). There is also an nvram parameter "dnsmasq_addif" to specify custom additional interfaces (''nvram set dnsmasq_addif=oet1'').
 +*The easiest way is to simply add a DHCP interface at ''Setup'' -> ''Networking'' since the client is not requesting any IP, nothing special will happen. DHCP is present and reachable, but unused.
 + 
 +==Reference==
 +DD-WRT source: [https://svn.dd-wrt.com/log/src/router/wireguard Wireguard changesets]<br>
 +DD-WRT forum: [https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312522 Wireguard]<br>
 + 
 +[https://git.zx2c4.com/WireGuard/ Wireguard Git Repository]<br>
[https://lists.zx2c4.com/mailman/listinfo/wireguard/ WireGuard Mailing Lists]<br> [https://lists.zx2c4.com/mailman/listinfo/wireguard/ WireGuard Mailing Lists]<br>
-[https://svn.dd-wrt.com/search?q=wireguard&noquickjump=1&changeset=on DD-WRT SVN Changesets]<br>+[https://github.com/wuruxu/wireguard-ddwrt Wireguard DD-WRT setup (by wuruxu on Github)]<br>
-[https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312522 Forum thread, Broadcom]<br>+ 
-[https://www.dd-wrt.com/phpBB2/viewtopic.php?t=315874 Forum thread, Atheros]<br>+
-[[VPN|Virtual Private Network (VPN)]] (DD-WRT wiki)+
-[[Category:Tunneling]]+[[Category:Tunneling]][[Category:Basic tutorials]]
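Review bot: The new "key points" list calls WireGuard's authentication "SSH authenticated keys"; WireGuard uses its own Curve25519 key pairs (the base64 strings shown later in the `wg` output), which are SSH-like only in that public keys are exchanged out of band, so suggest "Public/private key pairs (exchanged like SSH keys)". The removed "Firewall rules" section carried the INPUT/OUTPUT/FORWARD ACCEPT rules for oet1 and the static routes to networks behind peers, while the new text only covers Masquerade/NAT for internet access; a sentence saying whether the GUI now adds those rules, or that site-to-site routing still needs them, would close that gap for readers of the old revision.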

Current revision


NOTE: The most updated WireGuard documentation is currently in the forum: WireGuard guides and documentation

Figure: Why WireGuard? (benchmark image)

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

Figures: Instructions (setup screenshots)

Some key points about Wireguard:

  • Layer 3 only - no bridging
  • UDP only
  • SSH-style authenticated keys (public/private key pairs)
  • Executes in-kernel (and is upstream since Linux 5.6)
  • Static routing

How it works

Quick Start, Conceptual Overview
This tutorial shows the basics of securely creating a tunnel from a client device to DD-WRT. Before proceeding, verify a working reset button and configuration backup in case of problems.

What is a QR Code?

The "Quick Response" Code is a two-dimensional barcode with larger encoded data capacity and high fault tolerance. Since build 38581 in February 2019, a client config can be imported using a QR Code. The advantage of this approach is that there is no need to transfer sensitive information via potentially compromised data channels.

Install and Setup Guides

The WireGuard installation/downloads page has software and instructions per OS.
WireGuard Forum Guides:

Server setup    Client setup    Advanced setup

These forum guides have the latest updated information and additional scripts such as:

  • Setup DDWRT router as a Wireguard server
  • Client devices setup
  • Setup DDWRT router as a Wireguard client
  • Policy Based Routing for Wireguard
  • Wireguard PBR Kill Script
  • Info regarding changes for CVE-2019-14899 (ticket 6928)


Setup Instructions

Create the Wireguard tunnel:
DD-WRT Basic -> Tunnels tab: enable the Tunnel then select WireGuard for Protocol Type.

  • Generate Key and enter the oet1 interface IP: must be a network outside the local LAN range
  • E.g. if the router LAN IP is 192.168.2.1, for the oet1 IP address use 10.10.0.1.

Add Peers:
For simple configurations, just enter a Peer Tunnel IP within the oet1 interface IP range (e.g. 10.10.0.2) and a Peer Tunnel DNS (8.8.8.8). Peer Tunnel MTU is calculated automatically (WAN MTU - 40) but can then be edited. Click Save, then the QR-Code button to generate the code.

Masquerade the tunnel:
Wireguard must be unbridged, using Forwarding and NAT. Go to Networking, unbridge the oet1 interface (automatic since r42067), and enable Masquerade / NAT to have internet on the tunnel. Click Apply.

Note for Access Point mode

Add the following firewall rule under Administration/Commands and save as firewall then reboot:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Android/iOS config import

Android: Google Play Store, iOS: Apple Store (12.0 or later)
WireGuard app: press "+" in the lower right corner, select "Create from QR code", scan from DD-WRT peer, then the app will prompt to name the tunnel. Public IP can be checked here.

Linux config import

Review the Wireguard install page, distribution wiki (e.g. for Arch) and/or forums for more details.

  • Network manager support: systemd-networkd 237, NetworkManager 1.16, ConnMan 1.38
  • Graphical QR Code decoder e.g. qtqr
  • Screenshot tool e.g. flameshot

Using a network manager with Wireguard and preshared key support is optional but much easier.

  • Go to Tunnels to generate then capture and save a QR Code screenshot
  • Open the QR Code decoder and add the png file to decode
  • You will be prompted with a decoded textual config file
  • Use it to populate wireguard client config in the network manager
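The text a QR decoder hands back is a wg-quick style config file with an [Interface] section and one or more [Peer] sections. The following Python is an added example, not code from this wiki page or from DD-WRT: it parses such a file and checks the fields that most often go wrong on import (keys that are not 32 bytes of base64, malformed Address/AllowedIPs, a missing Endpoint port, a non-numeric keepalive). The sample config, the key values (constructed byte patterns, not real keys) and the endpoint hostname are all made up for the example.

```python
import base64
import ipaddress


def _dummy_key(seed):
    """Constructed 32-byte pattern encoded like a WireGuard key; NOT a usable key."""
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()


# Constructed sample of the text a QR decoder returns for a DD-WRT peer config.
# The hostname and every key value are placeholders made up for this example.
SAMPLE_CONFIG = f"""[Interface]
PrivateKey = {_dummy_key(1)}
Address = 10.10.0.2/24
DNS = 8.8.8.8
MTU = 1420

[Peer]
PublicKey = {_dummy_key(50)}
PresharedKey = {_dummy_key(99)}
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.address.com:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]) from wg-quick style INI text.

    Written by hand rather than with configparser because a config may carry
    several [Peer] sections with the same name.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; base64 never contains '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # keys end in '=', so split once
        current[key] = value
    return interface, peers


def _key_problems(value, what):
    """A WireGuard key is 32 bytes, base64-encoded (44 characters)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return [f"{what} is not valid base64"]
    if len(raw) != 32:
        return [f"{what} decodes to {len(raw)} bytes, expected 32"]
    return []


def validate_client_config(text):
    """Return a list of problems; an empty list means the config looks importable."""
    try:
        interface, peers = parse_wg_config(text)
    except ValueError as exc:
        return [str(exc)]
    problems = _key_problems(interface.get("PrivateKey", ""), "[Interface] PrivateKey")
    for addr in interface.get("Address", "").split(","):
        try:
            ipaddress.ip_interface(addr.strip())
        except ValueError:
            problems.append(f"[Interface] Address entry {addr.strip()!r} is not an IP/prefix")
    for dns in interface.get("DNS", "").split(","):
        if dns.strip():
            try:
                ipaddress.ip_address(dns.strip())
            except ValueError:
                problems.append(f"[Interface] DNS entry {dns.strip()!r} is not an IP address")
    if not peers:
        problems.append("no [Peer] section")
    for n, peer in enumerate(peers, 1):
        problems += _key_problems(peer.get("PublicKey", ""), f"peer {n} PublicKey")
        if "PresharedKey" in peer:
            problems += _key_problems(peer["PresharedKey"], f"peer {n} PresharedKey")
        for net in peer.get("AllowedIPs", "").split(","):
            try:
                ipaddress.ip_network(net.strip(), strict=False)
            except ValueError:
                problems.append(f"peer {n} AllowedIPs entry {net.strip()!r} is not a network")
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"peer {n} Endpoint must be host:port")
        keepalive = peer.get("PersistentKeepalive", "0")
        if not keepalive.isdigit() or int(keepalive) > 65535:
            problems.append(f"peer {n} PersistentKeepalive must be a whole number of seconds")
    return problems


if __name__ == "__main__":
    print(validate_client_config(SAMPLE_CONFIG) or "config OK")
```

Run it against the decoded text before pasting it into a network manager; a non-empty list usually means the QR code was scanned or copied incompletely.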

Windows config import

Windows Wireguard client: Windows .msi installer
Graphical QR Code decoder e.g. CodeTwo QR Code Reader

Options

Persistent Keep Alive: The interval in seconds between keepalive messages; optional. Default is 0 (disabled). The recommended value for NAT'd devices is 25 seconds.

Allowed IPs: Required; the IP addresses this peer is allowed to use inside the tunnel, usually the peer's tunnel IP address plus any networks the peer routes through the tunnel. Outgoing packets are sent to the peer whose Allowed IPs contain the destination address; for multiple matches the longest matching prefix is chosen. Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.

Preshared Key: A base64 preshared key generated by wg genpsk. This is optional and may be omitted. This adds an additional layer of symmetric-key cryptography into the existing public-key cryptography, for post-quantum resistance.

Troubleshooting

If you find any bugs report to: team@wireguard.com

  • Start with rebooting all Peers
  • Enable syslogd at Services/Services/System Log
  • In the script enable DEBUG by uncommenting the line:
#DEBUG= # uncomment/comment to enable/disable debug mode

Useful console commands

Check the tunnel status:

# wg

interface: oet1
  public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
  private key: (hidden)
  listening port: 51820

peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
  endpoint: 212.200.181.116:9208
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent

Check if the oet1 network is NAT'd:

# iptables -t nat -v -n -L

Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target     prot opt in     out     source               destination
   71 14687 SNAT       0    --  *      ppp0    192.168.2.0/24       0.0.0.0/0           to:your_router_public_ip
   38  2381 SNAT       0    --  *      ppp0    10.0.0.0/24          0.0.0.0/0           to:your_router_public_ip

Also useful:

# wg showconf oet1
# ip addr
# ip route show

  • More: ifconfig, traceroute, and ping
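The `wg` output above is the quickest health signal: a peer with no "latest handshake" line has never completed a handshake (keys, endpoint or UDP port are wrong), and a handshake that is very old on a peer that should be sending keepalives means the tunnel is down. The Python below is an added example, not part of this wiki page or of DD-WRT: it parses `wg` output in the layout shown and lists peers that look broken. The first peer in the sample is the page's own example; the other two peers, their placeholder keys and the 180-second staleness threshold are constructed assumptions for the example.

```python
# Constructed sample `wg` output in the layout DD-WRT prints. The first peer is
# the wiki's example; the second (stale) and third (never connected) are made up.
SAMPLE_WG_OUTPUT = """interface: oet1
  public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
  private key: (hidden)
  listening port: 51820

peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
  endpoint: 212.200.181.116:9208
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent

peer: PLACEHOLDERpeer2keyXXXXXXXXXXXXXXXXXXXXXXXX=
  endpoint: 198.51.100.7:51820
  allowed ips: 10.10.0.3/32
  latest handshake: 1 hour, 12 minutes, 5 seconds ago
  transfer: 0 B received, 1.20 KiB sent
  persistent keepalive: every 25 seconds

peer: PLACEHOLDERpeer3keyYYYYYYYYYYYYYYYYYYYYYYYY=
  allowed ips: 10.10.0.4/32
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """Convert wg's human-readable age ('1 hour, 12 minutes, 5 seconds ago') to seconds."""
    total = 0
    for part in text.replace(" ago", "").split(","):
        value, unit = part.split()
        total += int(value) * _UNIT_SECONDS[unit.rstrip("s")]
    return total


def parse_wg_show(output):
    """Parse `wg` / `wg show` output into an interface dict and one dict per peer."""
    iface, peers, current = {}, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # split at the first colon only (endpoints contain one)
        key, value = key.strip(), value.strip()
        if key == "interface":
            iface["name"] = value
        elif key == "listening port":
            iface["port"] = int(value)
        elif key == "peer":
            current = {"public_key": value, "endpoint": None, "allowed_ips": [],
                       "handshake_age": None, "keepalive": None}
            peers.append(current)
        elif current is None:
            continue  # other interface header lines (public key, private key, fwmark)
        elif key == "endpoint":
            current["endpoint"] = value
        elif key == "allowed ips":
            current["allowed_ips"] = [n.strip() for n in value.split(",")]
        elif key == "latest handshake":
            current["handshake_age"] = handshake_age_seconds(value)
        elif key == "persistent keepalive":
            current["keepalive"] = int(value.split()[1])  # 'every 25 seconds'
    return iface, peers


def stale_peers(peers, max_age=180):
    """Peers that never handshaked or whose last handshake is older than max_age seconds.

    max_age is an assumed threshold: with keepalives flowing WireGuard re-handshakes
    about every two minutes, so an older handshake on a peer that should be active
    means traffic is not getting through.
    """
    findings = []
    for peer in peers:
        tag = peer["public_key"][:12] + "..."
        if peer["handshake_age"] is None:
            findings.append(f"{tag}: no handshake ever completed (check keys, endpoint, UDP port)")
        elif peer["handshake_age"] > max_age:
            findings.append(f"{tag}: last handshake {peer['handshake_age']} s ago")
    return findings


if __name__ == "__main__":
    _, found = parse_wg_show(SAMPLE_WG_OUTPUT)
    for line in stale_peers(found):
        print(line)
```

On the router itself, pipe the real output in with `wg show oet1 | python3 thisfile.py` after replacing the sample with `sys.stdin.read()`; the parser ignores the interface's key lines and any fwmark line, so it works on the plain `wg` dump shown above.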

Dynamic WAN IP on router

After importing configs from DD-WRT to Android/iOS app, edit the Endpoint in the Peer section e.g.:

  • my.ddns.address.com:51820

Adding a second peer breaks the first

Allowed IPs of 0.0.0.0/0 cannot be used for both peers: an allowed IP range belongs to exactly one peer, so assigning it to the second peer removes it from the first (a collision). Instead set separate peer IPs, e.g. 10.10.0.2/32 and 10.10.0.3/32. The Allowed IPs feature is cryptokey routing: the peer's key is valid for the entire allowed IP space.
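The Allowed IPs behaviour described under Options and the collision described here are both consequences of one rule: each allowed network maps to exactly one peer, lookups take the longest matching prefix, and an incoming packet is accepted only if its source address maps back to the peer it arrived from. The Python below is an added example, not code from this wiki page or from WireGuard, that models that table and reproduces the two-peers-with-0.0.0.0/0 collision next to the fixed /32 assignment; peer names and addresses are constructed for the example, and set_allowed_ips follows the replace semantics of `wg set ... allowed-ips` (the peer's previous list is discarded).

```python
import ipaddress


class CryptokeyRoutingTable:
    """Model of WireGuard's cryptokey routing: network -> owning peer (one owner per network)."""

    def __init__(self):
        self._owner = {}  # ipaddress network object -> peer name

    def set_allowed_ips(self, peer, *networks):
        """Replace `peer`'s allowed IPs. Returns (previous_owner, network) pairs taken from others."""
        for net in [n for n, p in self._owner.items() if p == peer]:
            del self._owner[net]
        evicted = []
        for net_str in networks:
            net = ipaddress.ip_network(net_str, strict=False)
            prev = self._owner.get(net)
            if prev is not None and prev != peer:
                evicted.append((prev, str(net)))  # the other peer silently loses this range
            self._owner[net] = peer
        return evicted

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self._owner.items() if p == peer)

    def peer_for(self, ip):
        """Outgoing lookup: the peer owning the longest prefix that contains `ip`, or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self._owner.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return None if best is None else best[1]

    def accept_incoming(self, from_peer, src_ip):
        """Incoming check: a decrypted packet is kept only if its source routes back to that peer."""
        return self.peer_for(src_ip) == from_peer


def demo_collision():
    """Two peers both given 0.0.0.0/0: the second takes it and the first is left with nothing."""
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("phone", "0.0.0.0/0")
    evicted = table.set_allowed_ips("laptop", "0.0.0.0/0")
    # The phone's packets now fail the source check, so "adding a second peer broke the first".
    return evicted, table.allowed_ips("phone"), table.accept_incoming("phone", "10.10.0.2")


def demo_fixed():
    """Per-peer /32 entries coexist with a wider site route; longest prefix wins."""
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("phone", "10.10.0.2/32")
    table.set_allowed_ips("laptop", "10.10.0.3/32")
    table.set_allowed_ips("site-b", "10.10.0.0/24", "192.168.3.0/24")
    return (
        table.peer_for("10.10.0.2"),             # /32 beats the /24 -> phone
        table.peer_for("10.10.0.9"),             # only the /24 matches -> site-b
        table.peer_for("192.168.3.5"),           # network behind site-b
        table.accept_incoming("phone", "10.10.0.2"),  # phone sending as itself: accepted
        table.accept_incoming("phone", "10.10.0.3"),  # phone spoofing the laptop's IP: dropped
    )


if __name__ == "__main__":
    print("collision:", demo_collision())
    print("fixed:", demo_fixed())
```

The last value in demo_fixed is the security property behind the "incoming packets are only accepted if ..." sentence under Options: a peer cannot inject packets with another peer's tunnel address, because the source check is tied to the key that decrypted the packet.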

Resolving local hostnames in the tunnel

DD-WRT GUI Services -> DNSMasq section: enable "Local DNS" and disable "No DNS Rebind", then go to Tunnels and enter the local DNS IP (e.g. 192.168.1.1) as Peer Tunnel DNS (repeat for every peer). Since Wireguard cannot be bridged, the wireguard interface or its local IP needs to be specified in dnsmasq as an additional binding interface / listener (interface=oet1). There is also an nvram parameter "dnsmasq_addif" to specify custom additional interfaces (nvram set dnsmasq_addif=oet1).

  • The easiest way is to simply add a DHCP interface at Setup -> Networking; since the client is not requesting any IP, nothing special will happen. DHCP is present and reachable, but unused.

Reference

DD-WRT source: Wireguard changesets
DD-WRT forum: Wireguard

Wireguard Git Repository
WireGuard Mailing Lists
Wireguard DD-WRT setup (by wuruxu on Github)