Wireguard

From DD-WRT Wiki

(Difference between revisions)
Revision as of 21:54, 18 July 2018 (edit)
Liverpoolatnight (Talk | contribs)

Current revision (16:47, 13 May 2020) (edit) (undo)
Jeremywh7 (Talk | contribs)
(add new split-out forum guide links)
 
(11 intermediate revisions not shown.)
Line 1: Line 1:
-"[https://www.wireguard.com/ WireGuard] is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry."[1]+[[VPN]] -> '''[[Wireguard]]'''<br>
__TOC__ __TOC__
-=How it works=+[[Image:benchmark.PNG|thumbnail|Why WireGuard?]]
-[https://www.wireguard.com/quickstart/ Quick Start (from the developer site)]+[https://www.wireguard.com/ WireGuard®] is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
-=Firewall rules=+[[Image:oet1.PNG|thumbnail|Instructions]]
-[https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1122432#1122432 Add firewall rules] to successfully communicate through the tunnel on each unit:+[[Image:QR-Code.PNG|thumbnail|Instructions]]
- #for reaching the unit in/out+[[Image:Android.jpeg|thumbnail|Instructions]]
- iptables -I INPUT -i oet1 -j ACCEPT+[[Image:Enable.jpeg|thumbnail|Instructions]]
- iptables -I OUTPUT -o oet1 -j ACCEPT+[[Image:DecodeQRcode.PNG|thumbnail|Instructions]]
- #for forwarding packets to the networks behind in/out+[[Image:Vpn.jpg|thumbnail|Instructions]]
- iptables -I FORWARD -i oet1 -j ACCEPT+[[Image:Blabla.png|thumbnail|Instructions]]
- iptables -I FORWARD -o oet1 -j ACCEPT +
-Also set routes for the networks to reach:+Some key points about Wireguard:
- #to connect 192.168.1.0/24 and 192.168.2.0/24 via 10.10.10.2 put on the 192.168.1.0 gateway+*Layer 3 only - no bridging
- route add -net 192.168.2.0/24 gw 10.10.10.2+*UDP only
- #etc+*SSH authenticated keys
 +*Executes in-kernel (and is upstream since Linux 5.6)
 +*Static routing
-This firewall functionality may eventually get integrated into DD-WRT. SVN tickets:+==How it works==
-*[http://svn.dd-wrt.com/ticket/6217 add option to allow more than one allowed IP/Network]+[https://www.wireguard.com/quickstart/ Quick Start],
-*[http://svn.dd-wrt.com/ticket/6218 add option to set auto routes for oet*_aip0] - Done+
-*[http://svn.dd-wrt.com/ticket/6219 show private key in gui] - Done+
-*[http://svn.dd-wrt.com//ticket/6217#comment:1 add option to set a DNS in gui]+
- +
-=Reference=+
[https://www.wireguard.com/#conceptual-overview Conceptual Overview]<br> [https://www.wireguard.com/#conceptual-overview Conceptual Overview]<br>
-[https://git.zx2c4.com/WireGuard/ Git Repository]<br>+This tutorial shows the basics of securely creating a tunnel from a client device to DD-WRT. Before proceeding, verify a working reset button and configuration backup in case of problems.
 + 
 +==What is a QR Code?==
 +The "Quick Response" Code is a two-dimensional barcode with larger encoded data capacity and high fault tolerance. Since build 38581 in February 2019, a client config can be imported using a QR Code. The advantage of this approach is that there is no need to transfer sensitive information via potentially compromised data channels.
 + 
 +==Install and Setup Guides==
 +The WireGuard [https://www.wireguard.com/install/ installation/downloads] page has software and instructions per OS.<br>
 +<u>WireGuard Forum Guides</u>:
 + [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206 Server setup] [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624 Client setup] [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787 Advanced setup]
 +'''These forum guides have the latest updated information and additional scripts such as:'''
 +*Setup DDWRT router as a Wireguard server
 +*Client devices setup
 +*Setup DDWRT router as a Wireguard client
 +*Policy Based Routing for Wireguard
 +*Wireguard PBR Kill Script
 +*Info regarding changes for CVE-2019-14899 ([https://svn.dd-wrt.com/ticket/6928 ticket 6928])
 + 
 + 
 +==Setup Instructions==
 +'''Create the Wireguard tunnel:'''<br>
 +DD-WRT ''Basic'' -> ''Tunnels'' tab: enable the ''Tunnel'' then select ''WireGuard'' for ''Protocol Type''.
 +*''Generate Key'' and enter the ''oet1'' interface IP: <font color=red>must be a network outside the local LAN range</font>
 +*E.g. if the router LAN IP is 192.168.2.1, for the oet1 IP address use 10.10.0.1.
 + 
 +'''Add Peers:'''<br>
 +For simple configurations, just enter Peer Tunnel IP within the oet1 interface ip range (e.g. 10.10.0.2) and Peer Tunnel DNS (8.8.8.8). Peer Tunnel MTU will be calculated automatically (WAN mtu-40) but can then be edited. Click ''Save'' then the ''QR-Code'' button to generate it.
 + 
 +'''Masquerade the tunnel:'''<br>
 +Wireguard must be unbridged, using Forwarding and NAT. Go to ''Networking'', unbridge the oet1 interface (automatic since r42067), and enable Masquerade / NAT to have internet on the tunnel. Click ''Apply''.
 + 
 +====Note for Access Point mode====
 +Add the following firewall rule under Administration/Commands and save as firewall then reboot:
 +<pre>iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)</pre>
 + 
 +====Android/iOS config import====
 +Android: [https://play.google.com/store/apps/details?id=com.wireguard.android Google Play Store], iOS: [https://itunes.apple.com/us/app/wireguard/id1441195209 Apple Store (12.0 or later)]<br>
 +WireGuard app: press "+" in the lower right corner, select "Create from QR code", scan from DD-WRT peer, then the app will prompt to name the tunnel. Public IP can be checked [http://whatismyip.akamai.com/advanced here].
 + 
 +====Linux config import====
 +Review the Wireguard install page, distribution wiki (e.g. for [https://wiki.archlinux.org/index.php/WireGuard Arch]) and/or forums for more details.
 +*Manager: systemd-networkd 237, networkmanager 1.16, connman 1.38
 +*Graphical QR Code decoder e.g. [https://launchpad.net/qr-tools '''qtqr''']
 +*Screenshot tool e.g. [https://flameshot.js.org/#/ '''flameshot''']
 +Using a network manager with Wireguard and preshared key support is optional but much easier.
 +*Go to ''Tunnels'' to generate then capture and save a QR Code screenshot
 +*Open the QR Code decoder and add the png file to decode
 +*You will be prompted with a decoded textual config file
 +*Use it to populate wireguard client config in the network manager
 + 
 +====Windows config import====
 +Windows Wireguard client: [https://www.wireguard.com/install/ Windows .msi installer]<br>
 +Graphical QRCode decoder e.g. [https://www.codetwo.com/freeware/qr-code-desktop-reader/ CodeTwo QR Code Reader]<br>
 + 
 +====Options====
 +'''Persistent Keep Alive:''' This is seconds between keep alive messages, and is optional. Default is 0 (Disabled). The recommended value for NAT'd devices is 25 seconds.
 + 
 +'''Allowed IPs:''' This is required and represents IP addresses that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through tunnel. Outgoing packets will be sent to the peer whose ''Allowed IP''s contain the destination address, and for multiple matches, the longest matching prefix is chosen. Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.
 + 
 +'''Preshared Key:'''
 +A base64 preshared key generated by wg genpsk. This is optional and may be omitted. This adds an additional layer of symmetric-key cryptography into the existing public-key cryptography, for post-quantum resistance.
 + 
 +==Troubleshooting==
 +If you find any bugs report to: team@wireguard.com
 +*Start with rebooting all Peers
 +*Enable syslogd at Services/Services/Sytem Log
 +*In the script enable DEBUG by uncommenting the line:
 + #DEBUG= # uncomment/comment to enable/disable debug mode
 + 
 +====Useful [[Telnet/SSH_and_the_command_line#The_DD-WRT_Command_Line|console commands]]====
 +Check the tunnel status:
 + # wg
 +
 + interface: oet1
 + public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
 + private key: (hidden)
 + listening port: 51820
 +
 + peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
 + endpoint: 212.200.181.116:9208
 + allowed ips: 0.0.0.0/0
 + latest handshake: 7 seconds ago
 + transfer: 14.11 KiB received, 39.85 KiB sent
 + 
 +Check if the oet1 network is NAT'd:
 + # iptables -t nat -v -n -L
 +
 + Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 + pkts bytes target prot opt in out source destination
 + 71 14687 SNAT 0 -- * ppp0 192.168.2.0/24 0.0.0.0/0 to:your_router_public_ip
 + 38 2381 SNAT 0 -- * ppp0 10.0.0.0/24 0.0.0.0/0 to:your_router_public_ip
 + 
 + wg showconf oet1
 + 
 + ip addr
 + 
 + ip route show
 + 
 +*More: ''ifconfig'', ''traceroute'', and ''ping''
 + 
 +====Dynamic WAN IP on router====
 +After importing configs from DD-WRT to Android/iOS app, edit the ''Endpoint'' in the ''Peer'' section e.g.:
 +*my.ddns.address.com:51820
 + 
 +====Adding a second peer breaks the first====
 +Allowed IPs of 0.0.0.0/0 cannot be used for both peers as it causes a collision. Instead set separate peer IPs e.g. 10.10.0.2/32 and 10.10.0.3/32. The Allowed IP's feature is for crypto routing. The key is valid for the entire allowed IP space.
 + 
 +====Resolving local hostnames in the tunnel====
 +DD-WRT GUI ''Services'' -> DNSMasq section: enable "Local DNS" and disable "No DNS Rebind", go to ''Tunnels'' to enter local DNS IP (e.g. 192.168.1.1) for Peer Tunnel DNS (repeat for every peer). Since Wireguard cannot be bridged, the wireguard interface or it's local IP needs specified in dnsmasq as an additional binding interface / listener (interface=oet1). There is also an nvram parameter "dnsmasq_addif" to specify custom additional interfaces (''nvram set dnsmasq_addif=oet1'').
 +*The easiest way is to simply add a DHCP interface at ''Setup'' -> ''Networking'' since the client is not requesting any IP, nothing special will happen. DHCP is present and reachable, but unused.
 + 
 +==Reference==
 +DD-WRT source: [https://svn.dd-wrt.com/log/src/router/wireguard Wireguard changesets]<br>
 +DD-WRT forum: [https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312522 Wireguard]<br>
 + 
 +[https://git.zx2c4.com/WireGuard/ Wireguard Git Repository]<br>
[https://lists.zx2c4.com/mailman/listinfo/wireguard/ WireGuard Mailing Lists]<br> [https://lists.zx2c4.com/mailman/listinfo/wireguard/ WireGuard Mailing Lists]<br>
-[https://svn.dd-wrt.com/search?q=wireguard&noquickjump=1&changeset=on DD-WRT SVN Changesets]<br>+[https://github.com/wuruxu/wireguard-ddwrt Wireguard DD-WRT setup (by wuruxu on Github)]<br>
-[https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312522 Forum]<br>+ 
-[[VPN|Virtual Private Network (VPN)]] (DD-WRT wiki)+[[Category:Tunneling]][[Category:Basic tutorials]]
-[[Category:Tunneling]]+
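Review bot: the new revision drops the old "Firewall rules" section (the `iptables -I INPUT/OUTPUT/FORWARD ... oet1 -j ACCEPT` lines and the `route add -net 192.168.2.0/24 gw 10.10.10.2` example) without a replacement, while the old text said only that this functionality "may eventually get integrated into DD-WRT" and pointed at tickets 6217-6219; the new Setup Instructions cover Masquerade / NAT but never say whether ACCEPT and FORWARD rules for oet1 are now installed automatically. Suggest one sentence in Setup Instructions stating that current builds need no manual firewall rules (or keeping the old rules under Troubleshooting for older builds), so a reader of the previous page can tell the removal is deliberate rather than an omission. The new "SSH authenticated keys" bullet is also misleading: the key pair comes from the tunnel's Generate Key button, not from SSH, so "SSH-style key pairs" would be accurate.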

Current revision


[Image: benchmark.PNG, captioned "Why WireGuard?"]

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

[Images: seven screenshots, each captioned "Instructions"]

Some key points about Wireguard:

  • Layer 3 only - no bridging
  • UDP only
  • Public-key authentication with SSH-style key pairs
  • Executes in-kernel (and is upstream since Linux 5.6)
  • Static routing

How it works

Quick Start, Conceptual Overview
This tutorial shows the basics of securely creating a tunnel from a client device to DD-WRT. Before proceeding, verify a working reset button and configuration backup in case of problems.

What is a QR Code?

The "Quick Response" Code is a two-dimensional barcode with larger encoded data capacity and high fault tolerance. Since build 38581 in February 2019, a client config can be imported using a QR Code. The advantage of this approach is that there is no need to transfer sensitive information via potentially compromised data channels.

Install and Setup Guides

The WireGuard installation/downloads page has software and instructions per OS.
WireGuard Forum Guides:

Server setup    Client setup    Advanced setup

These forum guides have the latest updated information and additional scripts such as:

  • Setup DDWRT router as a Wireguard server
  • Client devices setup
  • Setup DDWRT router as a Wireguard client
  • Policy Based Routing for Wireguard
  • Wireguard PBR Kill Script
  • Info regarding changes for CVE-2019-14899 (ticket 6928)


Setup Instructions

Create the Wireguard tunnel:
DD-WRT Basic -> Tunnels tab: enable the Tunnel then select WireGuard for Protocol Type.

  • Generate Key and enter the oet1 interface IP: must be a network outside the local LAN range
  • E.g. if the router LAN IP is 192.168.2.1, for the oet1 IP address use 10.10.0.1.

Add Peers:
For simple configurations, just enter a Peer Tunnel IP within the oet1 interface IP range (e.g. 10.10.0.2) and a Peer Tunnel DNS (e.g. 8.8.8.8). Peer Tunnel MTU is calculated automatically (WAN MTU minus 40) but can then be edited. Click Save, then the QR-Code button to generate the code.

Masquerade the tunnel:
Wireguard must be unbridged, using Forwarding and NAT. Go to Networking, unbridge the oet1 interface (automatic since r42067), and enable Masquerade / NAT to have internet on the tunnel. Click Apply.

Note for Access Point mode

Add the following firewall rule under Administration/Commands and save as firewall then reboot:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Android/iOS config import

Android: Google Play Store, iOS: Apple Store (12.0 or later)
WireGuard app: press "+" in the lower right corner, select "Create from QR code", scan from DD-WRT peer, then the app will prompt to name the tunnel. Public IP can be checked here.

Linux config import

Review the Wireguard install page, distribution wiki (e.g. for Arch) and/or forums for more details.

  • Manager: systemd-networkd 237, networkmanager 1.16, connman 1.38
  • Graphical QR Code decoder e.g. qtqr
  • Screenshot tool e.g. flameshot

Using a network manager with Wireguard and preshared key support is optional but much easier.

  • Go to Tunnels to generate the QR Code, then capture and save a screenshot of it
  • Open the QR Code decoder and add the png file to decode
  • You will be prompted with a decoded textual config file
  • Use it to populate wireguard client config in the network manager

Windows config import

Windows Wireguard client: Windows .msi installer
Graphical QRCode decoder e.g. CodeTwo QR Code Reader

Options

Persistent Keep Alive: The interval in seconds between keep-alive messages; optional. Default is 0 (disabled). The recommended value for NAT'd devices is 25 seconds.

Allowed IPs: Required; the IP addresses this peer is allowed to use inside the tunnel, usually the peer's tunnel IP address plus any networks the peer routes through the tunnel. Outgoing packets are sent to the peer whose Allowed IPs contain the destination address; when several peers match, the longest matching prefix is chosen. Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.

Preshared Key: A base64 preshared key generated by wg genpsk. This is optional and may be omitted. This adds an additional layer of symmetric-key cryptography into the existing public-key cryptography, for post-quantum resistance.
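To make the addressing rules and the per-peer options above concrete, here is an added example (not code from the DD-WRT project or this wiki) that checks a planned oet1/peer address layout, derives the MTU the page describes (WAN MTU minus 40), builds a preshared key the way wg genpsk does (32 random bytes, base64), and renders the wg-quick style text a client imports. The two keys are labelled placeholders, not real WireGuard keys, and the helper names are my own.

```python
import base64
import ipaddress
import secrets

# Constructed sample values standing in for what the DD-WRT GUI shows; the two
# keys are placeholder strings, not real WireGuard keys.
ROUTER_LAN = "192.168.2.1/24"      # router LAN address
TUNNEL_ADDR = "10.10.0.1/24"       # oet1 interface address, outside the LAN range
ROUTER_PUBLIC_KEY = "ROUTER_PUBLIC_KEY_PLACEHOLDER="
PEER_PRIVATE_KEY = "PEER_PRIVATE_KEY_PLACEHOLDER="


def validate_tunnel_plan(lan_addr, tunnel_addr, peer_ip):
    """Check the page's addressing rules: the oet1 network must lie outside the
    LAN range, and every peer tunnel IP must fall inside the oet1 network without
    reusing the router's own oet1 address. Returns a list of problems; empty is good."""
    lan_net = ipaddress.ip_interface(lan_addr).network
    tun_if = ipaddress.ip_interface(tunnel_addr)
    peer = ipaddress.ip_address(peer_ip)
    problems = []
    if lan_net.overlaps(tun_if.network):
        problems.append(f"oet1 network {tun_if.network} overlaps LAN {lan_net}")
    if peer not in tun_if.network:
        problems.append(f"peer IP {peer} is outside oet1 network {tun_if.network}")
    elif peer == tun_if.ip:
        problems.append(f"peer IP {peer} is the router's own oet1 address")
    return problems


def peer_mtu(wan_mtu):
    """The automatic value the page describes: WAN MTU minus 40."""
    return wan_mtu - 40


def generate_preshared_key():
    """Same construction as `wg genpsk`: 32 random bytes, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def looks_like_wg_key(text):
    """True when the string is valid base64 for exactly 32 bytes, the size of
    every WireGuard private, public and preshared key."""
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def client_config(peer_ip, peer_private_key, router_public_key, endpoint,
                  dns="8.8.8.8", wan_mtu=1500, keepalive=25, preshared_key=None):
    """Render the wg-quick style text a client imports; the DD-WRT QR code
    carries a config of this shape. keepalive=0 omits PersistentKeepalive."""
    lines = [
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer_ip}/32",
        f"DNS = {dns}",
        f"MTU = {peer_mtu(wan_mtu)}",
        "",
        "[Peer]",
        f"PublicKey = {router_public_key}",
    ]
    if preshared_key:
        lines.append(f"PresharedKey = {preshared_key}")
    lines += ["AllowedIPs = 0.0.0.0/0", f"Endpoint = {endpoint}"]
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(validate_tunnel_plan(ROUTER_LAN, TUNNEL_ADDR, "10.10.0.2"))   # []
    print(client_config("10.10.0.2", PEER_PRIVATE_KEY, ROUTER_PUBLIC_KEY,
                        "my.ddns.address.com:51820",
                        preshared_key=generate_preshared_key()))
```

Run it as-is to see an empty problem list and a rendered config; feed a LAN-overlapping tunnel address (for example 192.168.2.250/24 with a 192.168.2.1/24 LAN) to see the overlap rule trip.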

Troubleshooting

If you find any bugs, report them to: team@wireguard.com

  • Start with rebooting all Peers
  • Enable syslogd at Services/Services/System Log
  • In the script enable DEBUG by uncommenting the line:
#DEBUG= # uncomment/comment to enable/disable debug mode

Useful console commands

Check the tunnel status:

# wg

interface: oet1
  public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
  private key: (hidden)
  listening port: 51820

peer: BLABLAT3TQJwIE0OYx2qeZWYystRb9BLABLAbla=
  endpoint: 212.200.181.116:9208
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent

Check if the oet1 network is NAT'd:

# iptables -t nat -v -n -L

Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   71 14687 SNAT       0    --  *      ppp0    192.168.2.0/24       0.0.0.0/0           to:your_router_public_ip
   38  2381 SNAT       0    --  *      ppp0    10.0.0.0/24          0.0.0.0/0           to:your_router_public_ip

Show the running tunnel configuration, interface addresses and routes:

# wg showconf oet1
# ip addr
# ip route show

  • More: ifconfig, traceroute, and ping
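The two listings above are what you read by eye on the router; the added example below (my code, not part of DD-WRT or this wiki) parses the same two outputs so the checks can be scripted: it flags peers whose latest handshake is missing or too old, and confirms that a SNAT/MASQUERADE rule on the WAN interface covers the tunnel network. Both sample outputs are constructed in the shape of the page's listings, with placeholder keys and a documentation-range public address.

```python
import ipaddress
import re

# Constructed sample output modelled on the page's `wg` listing; keys and the
# public address are placeholders, not real values.
WG_OUTPUT = """\
interface: oet1
  public key: ROUTERPUBKEYPLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PEERONEPLACEHOLDER=
  endpoint: 203.0.113.10:9208
  allowed ips: 10.10.0.2/32
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent

peer: PEERTWOPLACEHOLDER=
  allowed ips: 10.10.0.3/32
  latest handshake: 1 hour, 3 minutes, 12 seconds ago
  transfer: 0 B received, 1.20 KiB sent

peer: PEERTHREEPLACEHOLDER=
  allowed ips: 10.10.0.4/32
"""

# Constructed sample of `iptables -t nat -v -n -L`, shaped like the page's listing.
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target     prot opt in     out     source               destination
   71 14687 SNAT       0    --  *      ppp0    192.168.2.0/24       0.0.0.0/0           to:198.51.100.7
   38  2381 SNAT       0    --  *      ppp0    10.10.0.0/24         0.0.0.0/0           to:198.51.100.7
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """'1 hour, 3 minutes, 12 seconds ago' -> 3792."""
    return sum(int(n) * _UNIT_SECONDS[unit]
               for n, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)", text))


def parse_wg(output):
    """Map each peer key to its allowed IPs and handshake age (None = never)."""
    peers, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer: "):
            current = line[len("peer: "):]
            peers[current] = {"allowed_ips": [], "handshake_age": None}
        elif current and line.startswith("allowed ips: "):
            peers[current]["allowed_ips"] = line[len("allowed ips: "):].split(", ")
        elif current and line.startswith("latest handshake: "):
            peers[current]["handshake_age"] = handshake_age_seconds(line)
    return peers


def stale_peers(output, max_age=180):
    """Peers with no handshake, or one older than max_age seconds. While traffic
    flows (keepalives count) WireGuard re-handshakes about every two minutes, so
    a much older handshake means the peer is not really connected."""
    return sorted(key for key, info in parse_wg(output).items()
                  if info["handshake_age"] is None or info["handshake_age"] > max_age)


def postrouting_rules(output):
    """Rows of the nat POSTROUTING chain as (target, out interface, source)."""
    rules, in_chain = [], False
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain POSTROUTING")
            continue
        fields = line.split()
        if in_chain and len(fields) >= 9 and fields[0] != "pkts":
            rules.append((fields[2], fields[6], fields[7]))
    return rules


def tunnel_is_natted(output, tunnel_net, wan_if):
    """True when some SNAT/MASQUERADE rule leaving the WAN interface covers the
    tunnel network, which is what the page's masquerade step should produce."""
    tun = ipaddress.ip_network(tunnel_net)
    for target, out_if, source in postrouting_rules(output):
        if target in ("SNAT", "MASQUERADE") and out_if in (wan_if, "*"):
            try:
                if tun.subnet_of(ipaddress.ip_network(source)):
                    return True
            except (ValueError, TypeError):
                continue
    return False


if __name__ == "__main__":
    print("stale peers:", stale_peers(WG_OUTPUT))
    print("oet1 NAT'd:", tunnel_is_natted(NAT_OUTPUT, "10.10.0.0/24", "ppp0"))
```

On a router you would replace the constructed strings with the real command output (for example via subprocess); the WAN interface name depends on the WAN type (ppp0 in the page's listing, eth0 or vlan2 on others), so pass the one your router actually uses.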

Dynamic WAN IP on router

After importing configs from DD-WRT to Android/iOS app, edit the Endpoint in the Peer section e.g.:

  • my.ddns.address.com:51820

Adding a second peer breaks the first

Allowed IPs of 0.0.0.0/0 cannot be used for both peers, as it causes a collision. Instead set separate peer IPs, e.g. 10.10.0.2/32 and 10.10.0.3/32. The Allowed IPs feature is for cryptokey routing: the peer's key is valid for the entire allowed IP space.
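The Allowed IPs semantics from the Options section and the two-peer collision described here are easiest to see in a small model of cryptokey routing. The code below is an added example of mine, not DD-WRT or WireGuard code: it parses a constructed allowed-ips table in the shape printed by `wg show oet1 allowed-ips`, answers the outgoing question (longest matching prefix), the incoming question (does the source address route back to the same peer), and models the one-owner rule under which giving 0.0.0.0/0 to a second peer takes it away from the first. The keys are placeholders and the function names are my own.

```python
import ipaddress

# Constructed sample in the format printed by `wg show oet1 allowed-ips`
# (one line per peer: public key, a tab, space-separated prefixes). The keys are
# placeholders, not real keys.
ALLOWED_IPS_OUTPUT = (
    "PEERONEPLACEHOLDER=\t10.10.0.2/32 192.168.50.0/24\n"
    "PEERTWOPLACEHOLDER=\t10.10.0.3/32\n"
)


def parse_allowed_ips(output):
    """List of (network, peer key) pairs, one per prefix."""
    table = []
    for line in output.splitlines():
        if not line.strip():
            continue
        key, _, prefixes = line.partition("\t")
        for prefix in prefixes.split():
            if prefix != "(none)":
                table.append((ipaddress.ip_network(prefix), key))
    return table


def peer_for_destination(table, dst):
    """Outgoing side of cryptokey routing: the peer holding the longest prefix
    that contains dst, or None when no peer is allowed to carry it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, peer in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return best[1] if best else None


def accepts_incoming(table, from_peer, src):
    """Incoming side: a packet decrypted from `from_peer` is accepted only if a
    reply to its source address would be routed back to that same peer."""
    return peer_for_destination(table, src) == from_peer


def assign_allowed_ip(table, peer, prefix):
    """Model the one-owner rule: a prefix belongs to exactly one peer, so giving
    it to a second peer removes it from the first. Returns a new table."""
    net = ipaddress.ip_network(prefix)
    return [(n, p) for n, p in table if n != net] + [(net, peer)]


def duplicate_prefixes(peer_configs):
    """Pre-flight check on what is about to be typed into the GUI: a mapping of
    peer name -> list of Allowed IPs. Returns {prefix: [peers]} for every prefix
    claimed by more than one peer, i.e. the collisions this section warns about."""
    owners = {}
    for peer, prefixes in peer_configs.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            owners.setdefault(str(net), []).append(peer)
    return {prefix: peers for prefix, peers in owners.items() if len(peers) > 1}


if __name__ == "__main__":
    table = parse_allowed_ips(ALLOWED_IPS_OUTPUT)
    print(peer_for_destination(table, "192.168.50.7"))      # first peer
    # Give 0.0.0.0/0 to the first peer, then to the second: the second wins it.
    table = assign_allowed_ip(table, "PEERONEPLACEHOLDER=", "0.0.0.0/0")
    table = assign_allowed_ip(table, "PEERTWOPLACEHOLDER=", "0.0.0.0/0")
    print(peer_for_destination(table, "8.8.8.8"))           # second peer
    print(duplicate_prefixes({"phone": ["0.0.0.0/0"], "laptop": ["0.0.0.0/0"]}))
```

Note that after the collision the first peer still owns its /32, and a destination inside it still routes there because the /32 is longer than /0; only its claim to "everything else" is gone, which is exactly the symptom of the first peer no longer reaching the internet.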

Resolving local hostnames in the tunnel

DD-WRT GUI Services -> DNSMasq section: enable "Local DNS" and disable "No DNS Rebind", then go to Tunnels and enter the local DNS IP (e.g. 192.168.1.1) as Peer Tunnel DNS (repeat for every peer). Since Wireguard cannot be bridged, the wireguard interface or its local IP needs to be specified in dnsmasq as an additional binding interface / listener (interface=oet1). There is also an nvram parameter "dnsmasq_addif" for specifying custom additional interfaces (nvram set dnsmasq_addif=oet1).

  • The easiest way is to simply add a DHCP interface at Setup -> Networking; since the client is not requesting any IP, nothing special will happen. DHCP is present and reachable, but unused.

Reference

DD-WRT source: Wireguard changesets
DD-WRT forum: Wireguard

Wireguard Git Repository
WireGuard Mailing Lists
Wireguard DD-WRT setup (by wuruxu on Github)