Torguard + Wireguard + DD-WRT

Redback813

I would like TorGuard operating from the DD-WRT router through WireGuard and not OpenVPN, given that OpenVPN is both resource and CPU intensive. There are plenty of articles on how to set up WireGuard on a router, but without the proper configuration procedure it is next to impossible to set up WireGuard. So when does TorGuard think they will have the configuration setup method ready for those who wish to run the VPN system from their routers as opposed to the desktop?

  • 0

Hello, there are indeed already many guides about WireGuard. Most of them have to be split into basic usage, which involves simply the steps for proper installation. By that, it actually does not matter which device, OS or architecture you use, as long as WireGuard is available for that architecture.

I do see that you specifically ask about DD-WRT as you probably already have it installed. I do not use DD-WRT, but another WRT, OpenWrt. If you run DD-WRT, your device is probably compatible with OpenWrt. Then you can simply download the stable image and install with opkg any package that you need. There is also the snapshot (latest/current version, unstable), which in fact gives you the ability to customize it the way you want.

In OpenWrt, if you use the web interface, then install the WireGuard app with:

	opkg update
	opkg install luci-app-wireguard
	

That is it. Now create a new interface, choose WireGuard, then configure the interface. From there on you simply put the settings from your TorGuard config into those fields. When you add the TorGuard peer, you can add 0.0.0.0/0 to the allowed addresses and mark the checkbox to route all allowed clients. That would send the whole WAN traffic over TorGuard's WireGuard.

Next, add another peer (yourself) or an additional WireGuard interface. I would assume that the TorGuard one is added to the WAN zone, and that with your own server you would like to have access to your local network as well as still use TorGuard. Normally one would do it with simply one interface, but having two does not really impact resources, and it makes the setup simple because you do not have to deal with isolating the TorGuard network from access to your local network.

I highly recommend building your own OpenWrt image from snapshot; you can build it with kernel 5 (currently 5.4.60). When you are finished configuring it and everything works, create a backup of your settings in LuCI and build your image with those settings. That would mean that each time you do a hard/soft reset of your firmware, your initial settings/setup would be those which you have already configured, sparing you a lot of time, especially if you have more than one device.

What exactly will and will not be possible to do with WireGuard, we will see. For now a few things are still unclear, but one thing is for sure: people want and will use it mainly to encrypt their outer communication; not many encrypt internal network communication.

As I speak about numbers, here are some from an old device, tested from the local network within the network:

iperf3: 220Mbits max

wan over tg: 80Mbits

wg client over wireguard from internet: 30Mbits

iperf3 from local net to wg interface: 80Mbits

The conclusion is that this specific device can reach 80Mbits max. with WireGuard, regardless of whether you use TorGuard or any other. The 30Mbits value for the client simply has to do with the max upload speed of the ISP, which is actually 30Mbits, and your router sending data to you is upload, which is maxed at 30Mbits.

I will maybe write some guide for TorGuard on how to build OpenWrt images, but knowing that if you need to cover a broad range of router models, then you will probably pick up OpenWrt and build with the image builder, and that gives TorGuard great ability to create their own version of OpenWrt. I already did write it years ago but never published it; I lacked the time to do it back then. It included an OpenVPN app which was capable of updating server lists automatically and could use several connections at the same time.

Currently, if TorGuard would build their own version, they would simply need to include luci-app-openvpn and luci-app-wireguard, as well as maybe other protocols which they offer, then add a config for them all with dummy or empty values. That's it; users then flash their router and simply put in their login data. Due to the fact that TorGuard sells hardware with only DD-WRT, I do not believe they will be interested in making that switch for some time, but you as a user are not restricted, and nobody except yourself can prevent you from building your own image, customized by yourself, just for you.

  • 0

Thank you 19807409 for your responses.
There is plenty to play with here and you have given me some thoughts on evaluating the merit of the O/S after so many years. I will play around with OpenWrt in a VM to get a handle on the basics of the O/S and then play with the advanced features thereafter. I did play around with OpenWrt some years back and found it not so user friendly and confusing to some extent. However, I have invested so much time into the DD-WRT O/S, given that the O/S now comes with a built-in WireGuard program, that I'll be hard pressed to convert to OpenWrt. I do understand that both O/S come with their pros and cons, and I'm aware that DD-WRT has some shortcomings and stability issues from time to time, but these are minor issues that can be solved through cron jobs or other means. My issue is still the TorGuard configuration setup for the built-in WireGuard program.

  • 0

You are welcome.

OpenWrt is not really more complicated than DD-WRT; both are WRT based. As I mentioned in the beginning, I do not know if I can help you out with DD-WRT, as the only thing I could tell you would be the config, as that one should be the same for any OS and work on any device. I also mentioned that I do believe you will want to stay with DD-WRT as you already have it installed; why should you waste more time to achieve the same result?

I do not know how DD-WRT handles routes etc., but in OpenWrt this is resolved in a really user-friendly way, especially if we speak about routing between WireGuard clients, which is very important when one realizes what it means with WireGuard, especially when we come to the point of sharing your VPN access. TorGuard currently can neither control it nor find out if you do it, leaving quite a lot of free room for enthusiasts to play with. I am also not sure how TorGuard could restrict it while keeping no-log policies, but that's why WireGuard (despite officially now being in the stable stage) should not be considered stable by companies who use it. TorGuard has the same issue; they luckily made it available, let's see how it develops. For now I can only see a huge spike in WireGuard users.

I hope you get a reply for dd-wrt, but if you tell me which router model you have, I will gladly share the config/image with you which will build it for you from snapshot with latest kernel and wireguard version, just let me know I might be not that frequent here in next few months.

 

  • 0

Well, that looks good then, as it is compatible with OpenWrt like expected.

Stable releases always include the web interface (luci with httpd); snapshots do not. If you try a snapshot, you will have to install luci first if you want to configure it over the browser.

Is there anything else that you actually use, so that I can include it in the image if there is enough space for it? However, you can also install it all afterwards over opkg. I will start a compilation for bcm53xx later tonight and will upload the build config here. You should not trust images built by users; build it yourself then ;).

  • 0

Question: I am thinking it would be best to reinstall the Netgear R8000 firmware to clear everything for a clean restart for OpenWrt. Privoxy, VPN (both OpenVPN and WireGuard), Dnsmasq and Unbound. Best to do everything through the browser, cleaner and easier for the user. If I need to go advanced, then that I could do later.

Cheers

  • 0

If you have DD-WRT, you do not need to revert back to the original firmware, from my thoughts, but please refer to the information page on this; I did not have time to look it up for your model. You can flash with the full image from OpenWrt stable if you are unsure.

In the attachment is the config with which I am building right now. I included everything that you wanted, and you can configure all those applications in the web browser. I included privoxy, wireguard, openvpn and unbound with dnsmasq (not dnsmasq-full).

If anything is missing, you should be able to install it over the web interface.

I did not include any settings; everything is OpenWrt's default and no password is set.

I started a build of the config in the attachment and will upload the result if successful.

 

.config.zip

  • 0

compilation completed successfully, I can not upload the image here as the size is too big, here it would be if you want to test it: https://anonymousfiles.io/JhwYXMRd/

it was built on debian, Linux dev 5.7.0-0.bpo.2-amd64 #1 SMP Debian 5.7.10-1~bpo10+1 (2020-07-30) x86_64 GNU/Linux

In the attachment are hashes and other build info like config and feeds, etc.

feeds.buildinfo version.buildinfo config.buildinfo openwrt-bcm53xx-generic.manifest sha256sums

  • 0

Just before you flash it, make sure that you can follow the flashing procedure. However, please better build it yourself; the point of me posting a link to the image is simply that you can compare hashes in the sha256sums file. The point was to see if this config will compile, which it does. Hope it helps you, and it might be a path for other users here who were not aware of OpenWrt.

BTW, I included not only luci but also luci-ssl, so you can access it by https. I do not know how much free space you have; you will then combine it by yourself. Now you have an example config including everything that you said you require. I still hope you get a reply for DD-WRT ;), but I also think that once you switch to OpenWrt from DD-WRT, you will probably not come back unless it offers some better hardware support for your model.
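
The hash comparison recommended above, as an added example that is not part of any post in this thread: it looks up the file's entry in a `sha256sums` file and compares it with the hash of an image you built yourself. The function names and the image path in the comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Compares an image you built yourself
# against the entry for the same file name in a published sha256sums file.

# expected_hash SUMS_FILE NAME: print the SHA-256 listed for NAME.
# Lines look like "<64 hex> *<name>"; the "*" is sha256sum's binary marker.
expected_hash() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 64 { print tolower($1); found = 1; exit }
        END { exit !found }' "$1"
}

# verify_image IMAGE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if a file or the entry is missing.
verify_image() {
    image=$1; sums=$2
    [ -f "$image" ] && [ -f "$sums" ] || return 2
    want=$(expected_hash "$sums" "$(basename "$image")") || return 2
    have=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Example call (the path is a placeholder for your own build output):
#   verify_image path/to/your-built-image.bin sha256sums && echo "hashes match"
```

The comparison is only as trustworthy as the channel the hash file arrived over; a hash downloaded from the same place as the image confirms the transfer, not the builder.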

  • 0
19 minutes ago, Redback813 said:

Thanks, will let you know the outcome but it will take time since I'm backing up the DD-WRT backup.

P.S. the .config.zip is unavailable.

Cheers

.config is meant for OpenWrt building, not your DD-WRT, sorry if I confused you.

What I also said is, when you have set up your OpenWrt to work, including WireGuard etc., then back up your settings there just like you can do with DD-WRT, and extract them into a folder called "files" in your OpenWrt sources folder. Those will then be included in the image, meaning that after you have built it, when you restore to factory defaults those are then :) your factory defaults, which you have preset with all the tools as you included them in the image.

What I did not ask you, as I do not have your router model, is if you use some other access points or mesh etc. Sadly I can't know it for your device as I don't own one, but in general not all routers have all required packages installed for things like 802.11r,w,s and so on; those you normally install manually. You have to check as well if you need it all. Your router should have pretty good WLAN if it is not a big area that you need to cover.

  • 0
fool1.3hill

Question: Can Wireguard on DD-WRT be set up to be able to route only some traffic through the tunnel, but other traffic outside of the tunnel (e.g. filter by IP address)?

I know that OpenVPN allows this differing routes capability, but I am uncertain about Wireguard's routing capabilities. If anyone else knows that help would be great.

  • 0
jberry
On 6/11/2021 at 8:56 PM, fool1.3hill said:

Question: Can Wireguard on DD-WRT be set up to be able to route only some traffic through the tunnel, but other traffic outside of the tunnel (e.g. filter by IP address)?

I know that OpenVPN allows this differing routes capability, but I am uncertain about Wireguard's routing capabilities. If anyone else knows that help would be great.

Yes, with the latest version of dd-wrt you can go to 'Administration', then go to the 'Commands' tab, then type in these commands. Edit the web address IP you do not want going through the wireguard tunnel, then click 'Save Startup' so that these commands run while your router is booting up. The sleep 20 is for the router to wait a bit, just to get the IP tables up and running; then it does the commands. I had to do nslookup of certain websites to get their IP address and put it here. Sometimes you need to do a range of an IP block, that's why there is like /24 there. Here is a good IP calculator website: http://jodies.de/ipcalc

sleep 20
ip route add xxx.xxx.xxx.xxx/32 via $(nvram get wan_gateway) dev $(get_wanface)
ip route add xxx.xxx.xxx.xx/24 via $(nvram get wan_gateway) dev $(get_wanface)

 

  • 0
On 6/14/2021 at 5:55 AM, jberry said:

edit the web address IP you do not want going through the wireguard tunnel, [...] I had to do nslookup of certain websites to get their IP address and put it here,

I'm sorry that my question was not clear on "filter by IP address"--because I was not talking about Web IP addresses, no; instead, I want to filter traffic to and from the pre-NAT private IP addresses on our private network (e.g. your 192.168.X.Xs, or your 10.X.X.Xs, etc). For example, I have a streaming TV box from my ISP, and that box needs to connect to my ISP without any sort of proxy relay beyond the home router--yes I tried with my TG Streaming IP, the box still won't work--so I want to assign the streaming box a static IP, and tell DD-WRT to leave 100% of that box's traffic outside of the Wireguard.

 

Any suggestions for that possible private IP filter for Wireguard?

 

  • 0

The only solution I can think of for your problem would be to use DNSMASQ to control the flow of information both on the WAN and LAN regardless of the connection type, since all requests would be done on the DD-WRT DNSMASQ, which you can control by adding either IP addresses or domain names to a *.conf file. That in turn would affect OpenVPN, WireGuard or non-VPN. That's my thinking and it works for me, except the non-VPN case which I don't use; as for non-VPN I can't see the issue either, but I could be wrong, though doubtful.

 

  • 0

I'm having trouble making sense of your suggestion. DNS is not relevant to my objective. Once again for a TorGuard setup on a DD-WRT router, I'm just trying to redirect one private client device on a DD-WRT router (say static IP 192.168.2.5) to conduct all traffic as unencrypted, and outside of the Wireguard that my other devices will use (regardless of the servers on the web to access).

 

Here is a similar example using OpenVPN on DD-WRT. Look under the heading "Optional Policy-Based Routing"

https://torguard.net/article/192/dd-wrt-openvpn-client.html

The difference that I think I see here, is that TorGuard's OpenVPN is created explicitly as a VPN in DD-WRT, whereas Wireguard on Torguard (per instructions) is instead set up as a mere "tunnel."

https://torguard.net/knowledgebase.php?action=displayarticle&id=263

I'm not well versed on this much parlance and routing skills to figure out what can be adapted between the OpenVPN instructions vs. Wireguard to make my application work, so any help would be appreciated.

  • 0
4 hours ago, fool1.3hill said:

I'm having trouble making sense of your suggestion. DNS is not relevant to my objective. Once again for a TorGuard setup on a DD-WRT router, I'm just trying to redirect one private client device on a DD-WRT router (say static IP 192.168.2.5) to conduct all traffic as unencrypted, and outside of the Wireguard that my other devices will use (regardless of the servers on the web to access).

 

Here is a similar example using OpenVPN on DD-WRT. Look under the heading "Optional Policy-Based Routing"

https://torguard.net/article/192/dd-wrt-openvpn-client.html

The difference that I think I see here, is that TorGuard's OpenVPN is created explicitly as a VPN in DD-WRT, whereas Wireguard on Torguard (per instructions) is instead set up as a mere "tunnel."

https://torguard.net/knowledgebase.php?action=displayarticle&id=263

I'm not well versed on this much parlance and routing skills to figure out what can be adapted between the OpenVPN instructions vs. Wireguard to make my application work, so any help would be appreciated.

You can try doing your static Ip in the code below:

sleep 20
ip route add 192.168.2.5/32 via $(nvram get wan_gateway) dev $(get_wanface)

That will bypass the wireguard tunnel. To test, you can just run the code first without the sleep 20. I hope this works; I haven't tried it for local router addresses, only web IP addresses.

OR, under "Allowed IPs"  for the tunnel, add every local IP on your local network, except the 192.168.2.5. I hope you get it working.
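
For the case asked about in this thread (one LAN client, e.g. static 192.168.2.5, kept outside the WireGuard tunnel), an added example that is not part of any post here: `ip route add <address>` selects on the destination, so choosing traffic by the client's own address needs a source-based `ip rule` pointing at a separate routing table. Table number 100 and the function names are assumptions; DD-WRT firewall or kill-switch rules are not covered.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iproute2 commands that send
# all traffic FROM one LAN client out the WAN instead of the WireGuard tunnel.
# Table 100 and the function names are assumptions made for this example.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# bypass_rules SRC_IP WAN_GATEWAY WAN_IF [TABLE]
# Validates its arguments (they end up in commands run as root) and prints
# one command per line; nothing is changed until the output is piped to sh.
bypass_rules() {
    src=$1; gw=$2; wan_if=$3; table=${4:-100}
    is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    is_ipv4 "$gw"  || { echo "bad gateway: $gw" >&2; return 1; }
    case "$wan_if" in
        ""|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    case "$table" in
        ""|*[!0-9]*) echo "bad table: $table" >&2; return 1 ;;
    esac
    # Separate table whose only route is a default via the ISP gateway.
    echo "ip route replace default via $gw dev $wan_if table $table"
    # Remove a stale copy first so re-running does not stack duplicate rules.
    echo "ip rule del from $src/32 table $table 2>/dev/null"
    # Packets whose source is the client consult that table, not the main one.
    echo "ip rule add from $src/32 table $table"
    echo "ip route flush cache"
}

# On the router (Administration > Commands > Save Startup), after defining the
# two functions above:
#   sleep 20
#   bypass_rules 192.168.2.5 "$(nvram get wan_gateway)" "$(get_wanface)" | sh
```

Run `bypass_rules` without the `| sh` first to read the commands it would apply; `ip rule show` and `ip route show table 100` on the router confirm the result afterwards.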

  • 0

People ignore most simple solutions. Install wireguard and connect all your devices, those will be able to reach each other in your local network as well as in your vpn where one of devices can be gateway for dns, you just need to configure your peers properly with wireguard and you hit two rabbits with one hit. I described how this is done in several threads here on torguard forum.
