How to configure your DD-WRT Wireguard VPN

This post covers how to configure your DD-WRT router Wireguard VPN.
There are a number of options for connecting remotely to a router and the DD-WRT OS is no different. I’ve covered connecting using OpenVPN in another blog post and while they also support PPTP it’s considered insecure these days so the only real options are OpenVPN and Wireguard.

Wireguard is simpler to set up because exchanging the certificates is done automatically, and creating them is simply a matter of clicking a button. That said, let’s get down to business.

Preparing the router

1: Login to the web page for the router and browse to Setup>Tunnels and click the Add Tunnel button.

How to configure your DD-WRT Wireguard VPN - Adding a tunnel from the GUI
Adding a tunnel from the DD-WRT GUI

2: Select the radio button to enable the tunnel, then choose Wireguard from the drop-down, click the button to generate the key, choose an IP address and then click the button to add a peer.

How to configure your DD-WRT Wireguard VPN - Choosing Wireguard and generating the private key.
Choosing Wireguard VPN and generating the private key in the DD-WRT GUI

3: Add the peer tunnel details and then click on the QR-Code button. The router will generate a QR-code and a Peer Public Key. The QR-Code also contains information about the client private key. Leaving the Allowed IPs at 0.0.0.0/0 will mean the client will use the tunnel as a default route, you might choose to restrict the allowed IPs here to just the host endpoint address and any private addresses that reside on your LAN. If you want to send all traffic via the tunnel though, you can leave it as it is. The endpoint can remain disabled since the tunnel peers will negotiate the endpoint during setup, as long as the client knows the IP address of the server, the tunnel should come up.

Adding a Wireguard VPN peer and generating the client details in the DD-WRT GUI
Adding a Wireguard VPN peer and generating the client details in the DD-WRT GUI

Configuring a client by scanning the QR-Code

4: At this point, if you have a Wireguard app on the client that’s capable of scanning the QR-Code you can simply scan the code and give the connection a name. If your client doesn’t support reading the code, you can still do a manual setup but you’ll need the private key, you can extract the private key by scanning the QR with an Android or iOS device as below.
Click on the blue + circle at the lower right of the Wireguard screen, then choose SCAN FROM QR CODE, perform the scan, type a name for the tunnel and click CREATE TUNNEL.

Setting up a Wireguard client endpoint using the Android GUI Scan from QR Code option.
Setting up a Wireguard client endpoint using the Android GUI, Scan from QR Code option.

5: You can test the tunnel from the phone by clicking on the switch icon (2) near the top-right if the tunnel is working you should see traffic in both the rx and tx directions near the bottom left where it says “Transfer”. If you don’t see traffic then try and generate some by pinging from one end of the tunnel to the other, from both the router and from the client end.
By clicking on the pencil icon, you can edit the connection properties and it’s in the edit dialogue that we can select and copy the Public key, the Peer Public Key, and the Private key. To copy the Private key, you’ll need to be able to unlock the phone, it’ll prompt for the unlock code when you long-press the Private key.

Starting and editing the Wireguard tunnel in the Android GUI, and accessing the private key.
Starting and editing the Wireguard tunnel in the Android GUI, and accessing the private key.

Install Wireguard and setup the Ubuntu client end

6: We’re going to use the information from the above to create the Wireguard interface configuration on an Ubuntu client, the particular version of Ubuntu, in this case, is 18.04. From the Wireguard site, the instructions to install for Ubuntu versions up to and including 19.04 are
sudo add-apt-get-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

and also install resolvconf
sudo apt-get install resolvconf
There are a few other bits you can do such as to configure the Wireguard interface as a Systemctl service so it starts on boot, as well as creating the private and public keys from the command line. The set up is explained by Thomas Niedermeier on the Thomas Krenn Wiki here.

If you need to install a Windows client, you can check out this setup guide from Vikash Jhagroe

Configure the Wireguard Interface

7: Once Wireguard is installed you should have a directory named /etc/wireguard, go ahead and create a text file in this directory with your favorite editor, vi, nano, gedit etc, named wg0.conf, (wg0 will be the Wireguard interface seen with the ifconfig command in the terminal).

8: Apply the settings the taken from the phone, you’ll need to transfer the details securely because they’ll contain the private key. I used Bluetooth to send my file across and ended up with a file containing the below after copying and pasting in the keys

[Interface]
Address = 192.168.251.2/24
DNS = 1.1.1.1
ListenPort = 51820
PrivateKey = KO+F8kQCp8N+KaFjEt2Kw+3pNe0KgXr0RGpgaPTWm34=

[Peer]
PublicKey = wXpQxcoYp0bngNkBlgb/AgkvKbbQz6J7KDhdTtDAWSo=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.43.179:51820

9: Finally bring up the tunnel with the command sudo wg-quick up wg0

Testing the Wireguard tunnel

10: Check the tunnel with sudo wg, you should see traffic in the transfer line near the bottom of the output.
interface: wg0
public key: tKooT8o3Ee++yhrYVnhdmK5SZHx8AB+JprscLeit9kI=
private key: (hidden)
listening port: 51820
fwmark: 0xca6cpeer:

peer: wXpQxcoYp0bngNkBlgb/AgkvKbbQz6J7KDhdTtDAWSo=
endpoint: 192.168.43.179:51820
allowed ips: 0.0.0.0/0
transfer:1.01 MiB received, 19.51 KiB sent

Testing proved we could ping the tunnel endpoint address, and also an Internet address and the route to the Internet used the tunnel as a first-hop

user@6570b:~$ ping 192.168.251.1
PING 192.168.251.1 (192.168.251.1) 56(84) bytes of data.
64 bytes from 192.168.251.1: icmp_seq=1 ttl=64 time=19.1 ms
64 bytes from 192.168.251.1: icmp_seq=2 ttl=64 time=18.3 ms
64 bytes from 192.168.251.1: icmp_seq=3 ttl=64 time=16.7 ms
^C
— 192.168.251.1 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 16.740/18.072/19.106/1.000 ms
user@6570b:~$
user@6570b:~$
user@6570b:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=78.9 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=77.8 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=53 time=76.4 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=53 time=75.1 ms
^C
— 1.1.1.1 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 75.103/77.076/78.978/1.498 ms
user@6570b:~$
user@6570b:~$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
1 192.168.251.1 18.072ms 8.625ms 14.950ms
2 * * *
3 * * *
4 172.23.192.205 74.271ms 56.080ms 51.487ms
5 172.23.226.5 56.954ms 50.970ms 48.441ms
6 172.23.239.3 51.068ms 59.654ms 51.991ms
7 * * *
8 188.31.255.150 88.061ms 54.669ms 53.514ms
9 188.31.255.165 43.347ms 55.987ms 59.979ms
10 188.31.255.122 55.995ms 56.253ms 49.201ms
11 188.31.255.181 62.320ms 67.947ms 56.032ms
12 195.66.225.179 63.969ms 55.933ms 62.327ms
13 1.1.1.1 57.809ms 60.182ms 113.132ms
user@6570b:~$

Troubleshooting

I’ve covered troubleshooting for an OpenVPN tunnel to the DD-WRT router here and the principles and steps are the same for the Wireguard tunnels.

If you have trouble accessing the Internet check that masquerading is enabled for the tunnel in the GUI. Browse to Setup>Networking and select the Masquerade/NAT radio button for the oet1 Network Configuration.

Selecting Masquerade for the Wireguard tunnel in the DD-WRT GUI
Selecting Masquerade for the Wireguard tunnel in the DD-WRT GUI

I did have problems connecting to the local LAN because in the raw PREROUTING iptable there were drop rules from any interface (other than the target tunnel) to the tunnel IP addresseses and adding in the ACCEPT rules below for the LAN interface fixed the problem.
The WAN side didn’t have the same problem because the traffic out was a Masqueraded to the router WAN interface address, which meant the return traffic didn’t match the DROP rules because NAT in that direction didn’t occur until after the PREROUTING policy.
Another option would be to MASQUERADE for the LAN interface which would be fine unless you wanted to initiate traffic from the LAN side also.

Chain PREROUTING (policy ACCEPT 383K packets, 140M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            192.168.251.0/24    
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            192.168.250.0/24    
    0     0 DROP       0    --  !tun2  *       0.0.0.0/0            192.168.250.0/24    
    0     0 DROP       0    --  !oet1  *       0.0.0.0/0            192.168.251.0/24    ADDRTYPE match src-type !LOCAL 

Use iptables -t raw -I PREROUTING -i br0 -s 0.0.0.0/0 -d 192.168.250.0/24 -j ACCEPT and iptables -t raw -I PREROUTING -i br0 -s 0.0.0.0/0 -d 192.168.251.0/24 -j ACCEPT to add the two rules at the top of the policy, the lines can be added either in the CLI or to the Administration>Command window in the GUI (and click the Run Commands button).

To cut a long story short, a summary.

This blog post covered the configuration of a Wireguard on a DD-WRT router.

It started by going over the steps to prepare the router, then covered configuring an Android Wireguard client using the generated QR-Code from the router.

It then described the steps required to install Wireguard on Ubuntu versions earlier than 19.10 and how to use the private and public keys from the Android phone to configure the Wireguard (wg0) interface on the Ubuntu client and then bring the tunnel up using the included wg-quick utility.

The article continued by showing some results of testing with some troubleshooting hints.

While connecting with a VPN client allowed us to reach Network Attached Storage on the router, and other connected VPN clients we needed to make changes to the iptables filters to get two-way communications between the VPN client and the LAN, and the article covered that briefly too.

If you’re a network engineer and you could use an IPv4 subnet calculator (or if you just want the calculator) check out the free Techiedoodah IPv4 excel subnet calculator spreadsheet and if you get a lot of time hands-on rack side and need a tray to put your laptop on, let us know what you think of the Portable Rack Mount Laptop Tray and sign up if you want one. Type with two hands instead of one, be more comfortable, improve your productivity and get out of the server room sooner, (or wherever the rack happens to be).

Techiedoodah blogs are created in the hope that they can help others by giving real-life examples. If this has been useful to you please feel free to leave a comment. If you’re reading this post on the home page, you won’t be able to post comments here, so follow this link to the blog, and then scroll to the comments section at the bottom of the page.

Leave a Reply

Your email address will not be published. Required fields are marked *