Search the Community

I decided to write a simple guide and share it with most before preparing this guide properly and uploading everything to github. This guide will be updated and scripts uploaded to github, after that you will have just to download and run the latest available. Current one is just a scratch and var names as maybe some formatting is not optimal, but this is how I install and use TorGuard Shared, dedicated etc.. (all torguards ips where wireguard is available). I described already in this post how it is done. Enjoy Repository/Project homepage: https://torguard.github.io/openwrt-scripts/ Wiki/FAQ: https://github.com/TorGuard/openwrt-scripts/wiki openwrt-scrtipts on GitHub. 📝 please keep in mind that latest updates and information about the script and its usage is always on github 📝 currently preinstalled wget on release images has some issues, I will update when those are resolved, until then please install curl ⚒️ Guide Requirements: OS: OpenWRT with or without Luci web interface (stable/snapshot) Requirements: wget or curl with SSL support, works with wget without SSL support If neither wget or curl are installed, script will automaticaly attempt to install curl how to install curl: opkg update && opkg install curl Additionally installed and updating packages by tginstall script: kmod-wireguard wireguard-tools ipset Short description all commands can be copy pasted from codeboxes This script will create default interface wg0 which is configured with /etc/config/torguard After first run, script runs unattended Optional: If you want to configure/edit interface created by script in Web Interface, install luci-app-wireguard with: opkg update && opkg install luci-app-wireguard Method 1: 🧾 recommended ssh to your router: ssh [email protected] Download tginstall script and run it you can copy and paste full codebox below in one command with wget: wget -O /usr/bin/tgsetup https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tgsetup chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup or with curl: curl -o /usr/bin/tgsetup https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tgsetup chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup Finished, you should be connected now Optional: Configure timeoutfix If you use configs/server which has expiration of 15 minutes, you can enable other solutions like crontab, default tginstall is using /etc/init.d/tgapi as service. By default, timeoutfix is enabled, here is how you can enable/disable timeoutfix: FAQ How to config timeoutfix ℹ️ - If timeoutfix is enabled by /etc/config/torguard, then tgapi will be enable on boot and will be started automatically. - valid values - for enabled: 1/y/Y - for disabled: 0/n/N how to disable apifix uci set [email protected]_tg0[0].apifix='0' uci commit torguard how to enable apifix uci set [email protected]_tg0[0].apifix='1' uci commit torguard how to change apitimeout uci set [email protected]_tg0[0].apifixtimeout='60' uci commit torguard How can I upgrade my scripts? Script by default has logging disabled and does not remove/rename config files, it upgrades only bins tgupgrade How can I change my torguard server ip? After script finishes and you entered your credentials you should be connected. If you want to change server IP to some other (like dedicated), run: # set your torguard server IP in this example to 173.244.200.119 uci set [email protected]_tg0[0].endpoint_host='173.244.200.119' # commit and save changes uci commit torguard Rerunning tginstall will connect to changed IP as well as on each run it will use new fresh created keypairs as well as it would update wireguard to latest version if available: tginstall Wireguard will stay connected as long as your ISP connection is not dropped or torguard makes some mistake. tginstall can be used with crontab as is configurabe, for more info please check github page. How to configure existing torguard configuration # How to show your configs - Show full torguard config: uci show torguard - Show only default server: uci show [email protected]_tg0[0] # How to set your configs - Set/edit/change server: uci set [email protected]_tg0[0].endpoint_host='173.244.200.119' - Set/edit/change description: uci set [email protected]_tg0[0].description='wg0 (TorGuard)' - Set/edit/change allowed ips: uci set [email protected]_tg0[0].allowed_ips='0.0.0.0/0' - Set/edit/change endpoint port: uci set [email protected]_tg0[0].endpoint_port='1443' - Set/edit/change keepalive: uci set [email protected]_tg0[0].persistent_keepalive='25' - Set/edit/change route allowed ip's: uci set [email protected]_tg0[0].route_allowed_ips='1' - Remove allowed ips list entry: uci del_list [email protected]_tg0[0].allowed_ips='0.0.0.0/0' - Add additional allowed ips: uci add_list [email protected]_tg0[0].allowed_ips='0.0.0.0/0' # After changing value with uci, you have to commit changes - Commit changes: uci commit torguard How to reset/recreate config by removing or renaming /etc/config/torguard to anything else will cause tginstall to run initial setup and ask for credentials and torguards's whitlabeld private key # rename torguard config file mv -f /etc/config/torguard /etc/config/torguard.bkp # then rerun tginstall tginstall How to get around 15 Min. timeout Method A: keep it valid manually - script will run in an endless loop waiting by default for 300 seconds (5 minutes) which will keep your connection valid. - If it expired due to your ISP being offline (you know it if your handshake is present but internet does not work), then you can run same script from any pc or any device as well as you can open the URL in that script in a browser which would immediately activate expired connection without any wg or network restart. - you can use any PC/Device to activate it, regardless in which in network, it only has to be able to have access to the internet. tgapitest ℹ️ - you do not have to run tgapitest from device on which you connect, this can be any device which is connected to the internet Method B: activate a service, run automatically on a router /etc/init.d/tgapi is created by tginit script and is very simple script just starting tgapitest as a service. Please extend service file to your needs, it has only start part which is enough at current point. /etc/init.d/tgapi enable /etc/init.d/tgapi start Method C: use some other apps on openwrt like luci-app-ddns Other tools used on any other device or your current router could be used to run command from tgapi. If you decide to use as example luci-app-ddns which you can configure how when and over which interface it runs, then you simply have set url for dynamic check of the IP to your API call url from script. How to run a service on boot which will keep my config valid Enable and start service with: /etc/init.d/tgapi enable /etc/init.d/tgapi start How to test my api which was created by tginstall: tgapitest You could add tginstall to run every 15 minutes too, but to get around 15 min timeout it is sufficient to edit current interface before api expired and apply new settings by network restart. This is for now just workaround until torguard clarifies usage/expiration, it does not make a lot sense to code on this if torguard changes it suddenly without announcements. Sources Clone latest development version # get sources git clone https://github.com/TorGuard/openwrt-scripts.git Update already existing sources # cd into directory of your sources cd openwrt-scripts # fetch and download latest release, use git -f to enforce overwrite git fetch git pull Download zip/tar.gz (tags/releases) with your browser

Guide Requirements TorGuard credentials and Enabled Wireguard on your account (at least until you have to enable it manually, at the time of this guide's writing you had to enable it manually) rock pi 4 (or similar device) Debian9/Ubuntu 18.04 or higher Wireguard is compatible from kernel 3-5 and by that it should make no difference for those running manually compiled kernel 5 Description Hardware used for test RADXA Rock Pi 4A v1.3, v1.4 RADXA Rock Pi 4B v1.3, v1.4 OS and kernel used during creation of this guide Ubuntu 18.04 aarch64 architecture Linux rock1 4.4.154-109-rockchip-gb04eccb4588e #1 SMP Mon May 18 09:22:02 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux In the attachment you can find example script which can be used for the installation on rock pi 4 devices, make sure to replace your variables in script before usage This guide is mainly intended for RADXA's 🐼 Rock Pi 4 users. ℹ️¹ - Currently latest available linux kernel for rock pi's is kernel 4.4.154, there is no official kernel 5, but there are guides how to compile kernel 5. ℹ️² - For Ubuntu 18.04 and lower, recommended way of installing wireguard would be adding PPA and then installing from repository. For Ubuntu higher than 18.04, wireguard is available over ubuntu's default repo and adding PPA is not required. sudo add-apt-repository ppa:wireguard/wireguard # you skip this step on Ubuntu 20.04 sudo apt-get update # you can skip this on Ubuntu 18.04 sudo apt-get install -y wireguard In case of RADXA's Rock Pi 4, we run into issue that wireguard can't be installed from repository due to some raspberry related dependencies like linux-*-raspi2 which can not be installed on RADXA's Rock Pi 4. If you do not use Rock Pi 4, try first installing from PPA and if your device boots properly after installation, proceed to step 4. of this guide skipping all previous steps. What will we have at the end of this setup On every boot we will be connected automatically to TorGuard's wireguard server Reconnecting on connection drops happens automatically Installation and compilation instructions Install required packages # wireguard build dependencies sudo apt-get install -y libelf-dev linux-headers-$(uname -r) build-essential pkg-config # wg-quick dependencies, requires network service restart sudo apt-get install -y resolvconf sudo service networking restart Fix missing scripts this step is required, otherwise build will fail with following error: /bin/sh: 1: ./scripts/recordmcount: Exec format error cd /usr/src/linux-headers-$(uname -r) sudo make scripts Build wireguard from source and install # Set folder where you want to save and compile your sources WIREGUARDSOURCEDIR="/opt/wireguard" # here all sources will be saved and compiled sudo mkdir -p $WIREGUARDSOURCEDIR cd $WIREGUARDSOURCEDIR # Get wireguard sources sudo git clone https://git.zx2c4.com/wireguard-linux-compat sudo git clone https://git.zx2c4.com/wireguard-tools echo "Wireguard: Compile the module" sudo make -C wireguard-linux-compat/src -j$(nproc) echo "Wireguard: Install the module" sudo make -C wireguard-linux-compat/src install echo "Wireguard: Compile the wg(8) tool" sudo make -C wireguard-tools/src -j$(nproc) echo "Wireguard: Install the wg(8) tool" sudo make -C wireguard-tools/src install Create wireguard config Option A (preffered option as typos are excluded) You can get your configs from your torguard account. Login and go to "Servers", "Wireguard Network". Every enabled server has a config download button. Save your downloaded file as /etc/wireguard/wg0.conf # Example with Canada-Toronto1 server, assumed you downloaded it as ~/Downloads/Canada-Toronto1.conf sudo cp ~/Downloads/Canada-Toronto1.conf /etc/wireguard/wg0.conf # Wireguard: restrict permissions to make sure the config file is safe" sudo chmod 600 /etc/wireguard/wg0.conf Option B (if you know your credentials and servers, you can create your own config) # Please change variables below before usage COMMENT="TorGuard WireGuard Config - Canada-Toronto1" PRIVATEKEY="YOURPRIVATEKEY" PUBLICKEY="YOURPUBLICKEY" ADDRESS="10.99.0.2/24" # Example : 10.99.0.2/24, login to torguard to get your wireguard address ENDPOINTHOST="123.145.167.189" # Example: 123.145.167.189, login to torguard to get your wireguard server address ENDPOINTPORT="443" # Example: 443, currently 443 is used for torguards wireguard connections DNS="1.1.1.1" # login to torguard to get your wireguard DNS address LISTENPORT="51820" # login to torguard to get your wireguard listen port KEEPALIVE="25" # login to torguard to get keepalive value ALLOWEDIPS="0.0.0.0/0" # login to torguard to get your wireguard allowed ip's default setting # Please do not change anything from here ENDPOINT="$ENDPOINTHOST:$ENDPOINTPORT" cat <<EOF | sudo tee /etc/wireguard/wg0.conf # $COMMENT [Interface] Address = $ADDRESS PrivateKey = $PRIVATEKEY SaveConfig = true ListenPort = $LISTENPORT DNS = $DNS [Peer] PublicKey = $PUBLICKEY Endpoint = $ENDPOINT PersistentKeepalive = $KEEPALIVE AllowedIPs = $ALLOWEDIPS EOF Quick test of wireguard config sudo wg-quick up wg0 You should see something like this as a result [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.29.0.120/24 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 [#] ip -4 rule add not fwmark 51820 table 51820 [#] ip -4 rule add table main suppress_prefixlength 0 [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 [#] iptables-restore -n If you need to make any changes to your /etc/wireguard/wg0.conf, you have to stop wireguard: (otherwise all changes you made will be overwritten) sudo wg-quick down wg0 as result you should see something like this: [#] wg showconf wg0 [#] ip -4 rule delete table 51820 [#] ip -4 rule delete table main suppress_prefixlength 0 [#] ip link delete dev wg0 [#] iptables-restore -n Enable wireguard to start automatically on boot sudo systemctl enable [email protected] Activate kernel module WireGuard works as a kernel module that is installed using DKMS every time we upgrade our kernel the WireGuard kernel module is automatically compiled and ready to use for our new kernel as well. In order to use the kernel module right after the installation we have to either reboot or run modprobe to activate it: sudo modprobe wireguard You can check whether the kernel module is loaded using: sudo lsmod | grep wireguard As a result you should see something like this: wireguard 135168 0 ip6_udp_tunnel 16384 1 wireguard udp_tunnel 16384 1 wireguard Optional firewall configuration If you have a firewall installed (ufw) or any other firewall, allow wireguard's listen port: ufw allow ${LISTENPORT}/udp Finished. You can test your speed/performance with various tools, maybe most known is speedtest-cli despite having some issues (especially on upload statistics), if you see correct IP and have a connection, then you are safe to reboot.

Requirements openwrt (or any openwrt based firmware like LEDE openwrt) tor libevent2-openssl libevent2 libminiupnpc libnatpmp tor-geoip (optional) tor-fw-helper (optional) Description In this guide I will install and create tor on my openwrt router. My Wireless is isolated. You can change these setting as you wish, take only care that nobody from outside can reach your LAN's. At the end of this post is a script doing everything for you. You need only to adapt the script for your settings. For this guide, my router's lan ip is 192.168.1.3 This setup works for those who do use only proxy/socks product, vpn products or mix of them. It is very high grade of anonimity if all this works in some VPN, like TorGuard's which does work perfectly! What will we have at the end of this setup tor socks5 server on router's lan IP:9050 (in this example 192.168.1.3:9050) (you can set your system, browser or anything else to use socks5 which goes always over tor) Simple usage by joining WLAN (no need to setup anything on any device) set specific LAN port to go always through Tor, (especially usefull for those who use C-Lines for Card Sharing) Isolated Wireless Network (which is secured and can't communicate with LAN devices) Traffic is sent through TorGuard's proxy/socks5 (all tor's traffic sent through socks ot https proxy, Torguard Proxy port: 6060, TorGuard socks5 ports: 1080/1085/1090) (in this guide, we set only .onion and .exit urls to go over tor, all other pages will go over TorGuard's socks/proxy used by tor) (We also restrict usage on port 80 and 443 for the case that you need to hide from your ISP/VPN provder, TorGuard does not block) (if you are not using VPN, then you do hide the traffic from your ISP in using socks and from your socks provider by using only ports 80/443) (even if this setup is higly secure, consider using as addition obfsproxy which I will not cover in this guide) (socks5/proxy acts also as a fallback if your VPN stops working) This setup works if you are connected to a VPN (like TorGuard and openvpn, my router is currently in TorGuard's VPN) Installation of required packages: opkg update opkg install libevent2-openssl libevent2 libminiupnpc libnatpmp tor tor-fw-helper tor-geoip Create Tor interface with static IP 172.x.x.x Create DHCP server for tor interface Create 5Ghz and 2,4Ghz isolated wireless interfaces Add firewall zone and configure firewall for tor Configure tor with TorGuard services Download geoip and geoipv6 Reboot your router Script installing tor requirements, creating interface, configuring firewall If you are connected with TorGuards VPN and everything runs over VPN, then your tor might be inactive if it starts before openvpn during the boot because openvpn changes routes and tor needs to be restarted. In this case you can edit openvpn's start scripts, or tor's startscripts or simply adding this command under System->Startup section "Local Startup" # Put your custom commands here that should be executed once # the system init finished. By default this file does nothing. sleep 10 /etc/init.d/tor reload /etc/init.d/tor restart exit 0 How to get geoip and geoipv6 files TorGuard works blazing fast with Tor Network (!!!TORGUARD TEAM IS AMAZING, THANKS FOR GREAT SERVICES!!!) Thats it, enjoy tor network.

I have posted already how to prevent hijacking of your DNS by your IP. There are some ISP's like Verizon, T-Mobile, ... which do send all traffic over port 53 (yes, they hijack your DNS), regardless of which DNS servers you use. Here is how to get rid of that and redirect it to some another address with help of iptables instead editing dnsmasq in WebIF (which is still my preferable solution for most tasks), in this example I'll redirect all dns requests to my custom dns server, to lan1 in this case, which is my local DNS Server Openwrt (I think ddwrt should work too, but I did not test it on ddwrt but basicly it should be the same, just check the names of devices) iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1 On openwrt and other releases, switch on masquerading, it is required. Now a question to TorGuard, do you/can you offer alternative ports for those who maybe can't use first method described, neither this second solution. To find out what is going on through your DNS port, read here.