This post covers how to configure your DD-WRT router Wireguard VPN.
There are a number of options for connecting remotely to a router and the DD-WRT OS is no different. I’ve covered connecting using OpenVPN in another blog post and while they also support PPTP it’s considered insecure these days so the only real options are OpenVPN and Wireguard.
Wireguard is simpler to set up because exchanging the certificates is done automatically, and creating them is simply a matter of clicking a button. That said, let’s get down to business.
Preparing the router
1: Login to the web page for the router and browse to Setup>Tunnels and click the Add Tunnel button.
2: Select the radio button to enable the tunnel, then choose Wireguard from the drop-down, click the button to generate the key, choose an IP address and then click the button to add a peer.
3: Add the peer tunnel details and then click on the QR-Code button. The router will generate a QR-code and a Peer Public Key. The QR-Code also contains information about the client private key. Leaving the Allowed IPs at 0.0.0.0/0 will mean the client will use the tunnel as a default route, you might choose to restrict the allowed IPs here to just the host endpoint address and any private addresses that reside on your LAN. If you want to send all traffic via the tunnel though, you can leave it as it is. The endpoint can remain disabled since the tunnel peers will negotiate the endpoint during setup, as long as the client knows the IP address of the server, the tunnel should come up.
Configuring a client by scanning the QR-Code
4: At this point, if you have a Wireguard app on the client that’s capable of scanning the QR-Code you can simply scan the code and give the connection a name. If your client doesn’t support reading the code, you can still do a manual setup but you’ll need the private key, you can extract the private key by scanning the QR with an Android or iOS device as below.
Click on the blue + circle at the lower right of the Wireguard screen, then choose SCAN FROM QR CODE, perform the scan, type a name for the tunnel and click CREATE TUNNEL.
5: You can test the tunnel from the phone by clicking on the switch icon (2) near the top-right if the tunnel is working you should see traffic in both the rx and tx directions near the bottom left where it says “Transfer”. If you don’t see traffic then try and generate some by pinging from one end of the tunnel to the other, from both the router and from the client end.
By clicking on the pencil icon, you can edit the connection properties and it’s in the edit dialogue that we can select and copy the Public key, the Peer Public Key, and the Private key. To copy the Private key, you’ll need to be able to unlock the phone, it’ll prompt for the unlock code when you long-press the Private key.
Install Wireguard and setup the Ubuntu client end
6: We’re going to use the information from the above to create the Wireguard interface configuration on an Ubuntu client, the particular version of Ubuntu, in this case, is 18.04. From the Wireguard site, the instructions to install for Ubuntu versions up to and including 19.04 are
sudo add-apt-get-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard
and also install resolvconf
sudo apt-get install resolvconf
There are a few other bits you can do such as to configure the Wireguard interface as a Systemctl service so it starts on boot, as well as creating the private and public keys from the command line. The set up is explained by Thomas Niedermeier on the Thomas Krenn Wiki here.
Configure the Wireguard Interface
7: Once Wireguard is installed you should have a directory named /etc/wireguard, go ahead and create a text file in this directory with your favorite editor, vi, nano, gedit etc, named wg0.conf, (wg0 will be the Wireguard interface seen with the ifconfig command in the terminal).
8: Apply the settings the taken from the phone, you’ll need to transfer the details securely because they’ll contain the private key. I used Bluetooth to send my file across and ended up with a file containing the below after copying and pasting in the keys
Address = 192.168.251.2/24
DNS = 188.8.131.52
ListenPort = 51820
PrivateKey = KO+F8kQCp8N+KaFjEt2Kw+3pNe0KgXr0RGpgaPTWm34=
PublicKey = wXpQxcoYp0bngNkBlgb/AgkvKbbQz6J7KDhdTtDAWSo=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.43.179:51820
9: Finally bring up the tunnel with the command sudo wg-quick up wg0
Testing the Wireguard tunnel
10: Check the tunnel with sudo wg, you should see traffic in the transfer line near the bottom of the output.
public key: tKooT8o3Ee++yhrYVnhdmK5SZHx8AB+JprscLeit9kI=
private key: (hidden)
listening port: 51820
allowed ips: 0.0.0.0/0
transfer:1.01 MiB received, 19.51 KiB sent
Testing proved we could ping the tunnel endpoint address, and also an Internet address and the route to the Internet used the tunnel as a first-hop
user@6570b:~$ ping 192.168.251.1
PING 192.168.251.1 (192.168.251.1) 56(84) bytes of data.
64 bytes from 192.168.251.1: icmp_seq=1 ttl=64 time=19.1 ms
64 bytes from 192.168.251.1: icmp_seq=2 ttl=64 time=18.3 ms
64 bytes from 192.168.251.1: icmp_seq=3 ttl=64 time=16.7 ms
— 192.168.251.1 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 16.740/18.072/19.106/1.000 ms
user@6570b:~$ ping 184.108.40.206
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
64 bytes from 22.214.171.124: icmp_seq=1 ttl=53 time=78.9 ms
64 bytes from 126.96.36.199: icmp_seq=2 ttl=53 time=77.8 ms
64 bytes from 188.8.131.52: icmp_seq=3 ttl=53 time=76.4 ms
64 bytes from 184.108.40.206: icmp_seq=4 ttl=53 time=75.1 ms
— 220.127.116.11 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 75.103/77.076/78.978/1.498 ms
user@6570b:~$ traceroute 18.104.22.168
traceroute to 22.214.171.124 (126.96.36.199), 64 hops max
1 192.168.251.1 18.072ms 8.625ms 14.950ms
2 * * *
3 * * *
4 172.23.192.205 74.271ms 56.080ms 51.487ms
5 172.23.226.5 56.954ms 50.970ms 48.441ms
6 172.23.239.3 51.068ms 59.654ms 51.991ms
7 * * *
8 188.8.131.52 88.061ms 54.669ms 53.514ms
9 184.108.40.206 43.347ms 55.987ms 59.979ms
10 220.127.116.11 55.995ms 56.253ms 49.201ms
11 18.104.22.168 62.320ms 67.947ms 56.032ms
12 22.214.171.124 63.969ms 55.933ms 62.327ms
13 126.96.36.199 57.809ms 60.182ms 113.132ms
I’ve covered troubleshooting for an OpenVPN tunnel to the DD-WRT router here and the principles and steps are the same for the Wireguard tunnels.
If you have trouble accessing the Internet check that masquerading is enabled for the tunnel in the GUI. Browse to Setup>Networking and select the Masquerade/NAT radio button for the oet1 Network Configuration.
I did have problems connecting to the local LAN because in the raw PREROUTING iptable there were drop rules from any interface (other than the target tunnel) to the tunnel IP addresseses and adding in the ACCEPT rules below for the LAN interface fixed the problem.
The WAN side didn’t have the same problem because the traffic out was a Masqueraded to the router WAN interface address, which meant the return traffic didn’t match the DROP rules because NAT in that direction didn’t occur until after the PREROUTING policy.
Another option would be to MASQUERADE for the LAN interface which would be fine unless you wanted to initiate traffic from the LAN side also.
Chain PREROUTING (policy ACCEPT 383K packets, 140M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 192.168.251.0/24 0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 192.168.250.0/24 0 0 DROP 0 -- !tun2 * 0.0.0.0/0 192.168.250.0/24 0 0 DROP 0 -- !oet1 * 0.0.0.0/0 192.168.251.0/24 ADDRTYPE match src-type !LOCAL
Use iptables -t raw -I PREROUTING -i br0 -s 0.0.0.0/0 -d 192.168.250.0/24 -j ACCEPT and iptables -t raw -I PREROUTING -i br0 -s 0.0.0.0/0 -d 192.168.251.0/24 -j ACCEPT to add the two rules at the top of the policy, the lines can be added either in the CLI or to the Administration>Command window in the GUI (and click the Run Commands button).
To cut a long story short, a summary.
This blog post covered the configuration of a Wireguard on a DD-WRT router.
It started by going over the steps to prepare the router, then covered configuring an Android Wireguard client using the generated QR-Code from the router.
It then described the steps required to install Wireguard on Ubuntu versions earlier than 19.10 and how to use the private and public keys from the Android phone to configure the Wireguard (wg0) interface on the Ubuntu client and then bring the tunnel up using the included wg-quick utility.
The article continued by showing some results of testing with some troubleshooting hints.
While connecting with a VPN client allowed us to reach Network Attached Storage on the router, and other connected VPN clients we needed to make changes to the iptables filters to get two-way communications between the VPN client and the LAN, and the article covered that briefly too.
If you’re a network engineer and you could use an IPv4 subnet calculator (or if you just want the calculator) check out the free Techiedoodah IPv4 excel subnet calculator spreadsheet and if you get a lot of time hands-on rack side and need a tray to put your laptop on, let us know what you think of the Portable Rack Mount Laptop Tray and sign up if you want one. Type with two hands instead of one, be more comfortable, improve your productivity and get out of the server room sooner, (or wherever the rack happens to be).
Techiedoodah blogs are created in the hope that they can help others by giving real-life examples. If this has been useful to you please feel free to leave a comment. If you’re reading this post on the home page, you won’t be able to post comments here, so follow this link to the blog, and then scroll to the comments section at the bottom of the page.