From DD-WRT Wiki

Revision as of 21:02, 16 January 2020 (edit)
Jeremywh7 (Talk | contribs)
(Integrated with The Easiest Tunnel Ever so this points to it for the setup)
Revision as of 18:33, 17 January 2020 (edit) (undo)
Jeremywh7 (Talk | contribs)
m (Setup Instructions)
Line 20: Line 20:
==Setup Instructions== ==Setup Instructions==
-'''See [[The Easiest Tunnel Ever]].'''+'''See [[The Easiest Tunnel Ever]].'''<br>
-*For the latest updated information and additional scripts see the [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206 Wireguard setup guide]. This includes:+For the latest updated information and additional scripts see the [https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206 Wireguard setup guide]. This includes:
*Scripts for setup DDWRT router as a Wireguard client *Scripts for setup DDWRT router as a Wireguard client
*Policy Based Routing for Wireguard *Policy Based Routing for Wireguard
Line 28: Line 28:
SVN tickets: SVN tickets:
-*[http://svn.dd-wrt.com/ticket/6217 add option to allow more than one allowed IP/Network]+*[http://svn.dd-wrt.com/ticket/6218 add option to set auto routes for oet*_aip0]
-*[http://svn.dd-wrt.com/ticket/6218 add option to set auto routes for oet*_aip0] - Done+
*[http://svn.dd-wrt.com//ticket/6217#comment:1 add option to set a DNS in gui] *[http://svn.dd-wrt.com//ticket/6217#comment:1 add option to set a DNS in gui]
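Review bot: in this hunk the 6218 entry loses its "- Done" status marker (the old line read "... oet*_aip0] - Done") and the 6217 entry "add option to allow more than one allowed IP/Network" is dropped without a replacement or a status; if both tickets are resolved, keep a marker on each so readers of the "Adding a second peer breaks the first" section below can tell whether more than one Allowed IP per peer is now supported.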

Revision as of 18:33, 17 January 2020

Why WireGuard?

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

Some key points about Wireguard:

  • Layer 3 only - no bridging
  • UDP only
  • Public-key authentication with per-peer key pairs, much like SSH keys
  • Executes within the Linux kernel
  • Static routing

How it works

  • Quick Start (from the developer site)
  • Conceptual Overview

Setup Instructions

See The Easiest Tunnel Ever.
For the latest updated information and additional scripts see the Wireguard setup guide. This includes:

  • Scripts for setup DDWRT router as a Wireguard client
  • Policy Based Routing for Wireguard
  • Wireguard PBR Kill Script
  • Info regarding changes stemming from CVE-2019-14899 (ticket 6928)

SVN tickets:

Useful console commands

Check the tunnel status:

# wg

interface: oet1
  public key: blablaPyAN3eOyINB5JKNu4mHyKwrg3Mblabla=
  private key: (hidden)
  listening port: 51820

  allowed ips:
  latest handshake: 7 seconds ago
  transfer: 14.11 KiB received, 39.85 KiB sent

Check if the oet1 network is NAT'd:

# iptables -t nat -v -n -L

Chain POSTROUTING (policy ACCEPT 75 packets, 5466 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   71 14687 SNAT       0    --  *      ppp0           to:your_router_public_ip
   38  2381 SNAT       0    --  *      ppp0           to:your_router_public_ip

Check the interface addresses and the routing table:

# ip addr
# ip route show


If you find any bugs report to: team@wireguard.com

Dynamic WAN IP on router

After importing the config from DD-WRT into the Android/iOS app, you can edit the peer section (tap the pencil in the upper right corner) and change the Endpoint. Enter something like Endpoint = my.ddns.address.com:51820. This way you will still be able to reach your router after a reboot or a WAN IP change.

Adding a second peer breaks the first

You cannot use allowed IPs of for both peers, as it causes a collision. What works is setting e.g. and . The Allowed IPs feature is for crypto routing: the key is valid for the entire allowed IP space, so each prefix can belong to only one peer.

Resolving local hostnames across wg tunnel with dnsmasq

First, enable "Local DNS" and disable "No DNS Rebind" in the DNSMasq section of the Services.asp page. Then, on the eop-tunnel.asp page, enter your router/local DNS IP in the Peer Tunnel DNS field (e.g. ). Repeat this for every peer. Since WireGuard cannot be bridged, the WireGuard interface (or the local IP of that interface) needs to be specified in dnsmasq as an additional binding interface/listener (interface=oet1). There is also an nvram variable "dnsmasq_addif" which lets you specify custom additional interfaces (nvram set dnsmasq_addif=oet1). But the easiest way is simply to add a DHCP interface at networking.asp (bottom of the page). Since the client is not requesting any IP, nothing special will happen: DHCP is present and reachable, but unused.

Persistent Keep Alive

This is optional; it is the number of seconds between keepalive messages. The default is 0 (disabled). The recommended value for NATed devices is 25.

Allowed IPs

This is required. It represents the IP addresses that this peer is allowed to use inside the tunnel: usually the peer's tunnel IP address plus the networks the peer routes through the tunnel. Outgoing packets are sent to the peer whose AllowedIPs contain the destination address (if there are multiple matches, the one with the longest matching prefix is chosen). Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.
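The following is an added example, not DD-WRT or WireGuard code: a small Python model of the cryptokey routing rules just described, which also shows why the "Adding a second peer breaks the first" section above happens. Peer names and prefixes are constructed; the assumption that a prefix configured on a later peer is taken away from the earlier one matches wg(8) behaviour.

```python
import ipaddress

# Toy model of WireGuard's cryptokey routing table (added example).
# Peer names and prefixes are constructed for illustration.
class CryptokeyRouter:
    def __init__(self):
        self.table = {}  # ip_network -> peer; each prefix belongs to ONE peer

    def set_allowed_ips(self, peer, prefixes):
        # As in wg(8): giving a prefix to a later peer takes it away from the
        # earlier one, so overlapping Allowed IPs silently "break" the first.
        for p in prefixes:
            self.table[ipaddress.ip_network(p, strict=False)] = peer

    def select_peer(self, dst):
        # Outgoing: the peer whose Allowed IPs contain dst; longest prefix wins.
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_incoming(self, peer, src):
        # Incoming: accepted only if a packet TO src would be sent to this peer.
        return self.select_peer(src) == peer

def collision_demo():
    # Two peers given the same LAN prefix: the second one steals it.
    r = CryptokeyRouter()
    r.set_allowed_ips("phone", ["10.10.10.2/32", "192.168.1.0/24"])
    r.set_allowed_ips("laptop", ["10.10.10.3/32"])
    before = r.accept_incoming("phone", "192.168.1.5")   # True
    r.set_allowed_ips("laptop", ["192.168.1.0/24"])      # same prefix again
    after = r.accept_incoming("phone", "192.168.1.5")    # False: now dropped
    return {"before": before, "after": after,
            "owner": r.select_peer("192.168.1.5")}       # "laptop"

def distinct_demo():
    # Non-overlapping prefixes per peer: both keep working, and a peer
    # cannot inject packets with a source address that belongs to the other.
    r = CryptokeyRouter()
    r.set_allowed_ips("phone", ["10.10.10.2/32", "192.168.1.0/24"])
    r.set_allowed_ips("laptop", ["10.10.10.3/32", "192.168.2.0/24"])
    return (r.select_peer("192.168.1.5"), r.select_peer("192.168.2.5"),
            r.accept_incoming("phone", "10.10.10.2"),
            r.accept_incoming("laptop", "192.168.1.5"))

if __name__ == "__main__":
    print(collision_demo(), distinct_demo())
```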

Preshared Key

A base64 preshared key generated by wg genpsk. Optional. This adds a layer of symmetric-key cryptography that is mixed into the existing public-key cryptography, for post-quantum resistance.


Git Repository
WireGuard Mailing Lists
DD-WRT Source Wireguard changesets
Wireguard DD-WRT setup (Github)
Forum: Wireguard