TorGuard

🔥 HowTo - OpenWRT with any TorGuard's Wireguard IP


19807409

Thank you for posting your iperf tests. I also forgot to ask which speed your ISP offers; according to htop, which clearly shows that your CPU has more than enough power in reserve while reaching ~180 Mbits/sec, I would assume that your ISP does not give you more than 200 Mbits/sec:

[SUM]   0.00-10.09  sec   216 MBytes   179 Mbits/sec  759             sender
[SUM]   0.00-10.00  sec   207 MBytes   173 Mbits/sec                  receiver

According to the kernel, you are not using a snapshot. However, I don't have the router, so I am unaware which one works properly for you. Snapshot comes without the GUI (LuCI); in case you try out snapshot and still want the web interface, you can install one simply by running:

opkg install luci

On a router which I tested, WireGuard performed better with kernel 5, meaning that if you do not reach your max speed (like the CPU being at 100%), then you might want to try snapshot. However, if your CPU is really only at 17%, then I guess that kernel 5 will show no difference.

17% also means you clearly can have 3-4 WireGuard connections, assuming one is your local one to which you connect when you need to connect home.

23 minutes ago, simschu said:

Previously, I was just deleting the files in /usr/bin

Actually it is good that you deleted the previous file to ensure that the new one is downloaded with wget; that was not a mistake.

I also looked more closely at your log from the previous try, where it did not work because your OpenWrt release includes only wget without SSL support and the API requires it; because of that the script was not able to download from TorGuard's API server, and that is why no API info is visible. You can see it if you look at your screenshot:

wget SSL support not available ...

It would have worked with step 2 as well if you had wget with SSL support or curl.


Redback813

G'day 19807409

I thought I'd give OpenWrt a try today; it's very simple to navigate around etc., so I followed your instructions on installing WireGuard, but the SSH part, which I love... oh well, let's say I'm stuck or stumped on a questionnaire. Here is my issue.

Issues

1) The tginstall issue is caused by the author not stating that the user must first install either curl or wget (or both) before proceeding on a freshly installed/reset OpenWrt installation, an innocent oversight which the author can help explain to noobs.

[email protected]:~# wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
[email protected]:~# wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall
Downloading 'https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall'
Connecting to xxxxxxx:443
Connection error: Invalid SSL certificate
[email protected]:~# wget --no-check-certificate -O /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall

2) Issue: the questionnaire, without knowing the answer, so the user presses the enter key for the default and gets "invalid". Meaning what? What is the answer?

Please set your torguard credentials which are require for API usage
Set Username: XXXXXXXXXX
Set Password: XXXXXXXXXX
Continue (y/n)?y
Per default New York server is preset, do you want to set your residential/streaming/...?
invalid
[email protected]:~#
Cheers
19807409
1 hour ago, Redback813 said:

1) The tginstall issue is caused by the author not stating that the user must first install either curl or wget (or both) before proceeding on a freshly installed/reset OpenWrt installation, an innocent oversight which the author can help explain to noobs.

Hello Redback813,

First of all, thanks for the comments as well as for pointing out the missing explanation of the values in the questionnaire. I will update the README on GitHub and will check if I can update the first page of this thread.

The author is me, and here are all the answers; I hope it clarifies things and helps you resolve your issues.

- the issue is caused by the author not being able to edit some posts, because the forum tells the author that they can not be edited
- this is why the author wrote the script on GitHub and shared it in further posts
- full information is available on the project page, which is: https://github.com/TorGuard/openwrt-scripts

The author, to whom I will refer as me, wrote it and used it on the snapshot release; it was tested on the stable release too. If one looks at the if statements, it first looks for curl, because if you have the stable release, then your image includes wget without SSL support; in that case it takes less space (just a little) to install curl instead of wget with OpenSSL support, which requires openssl. After the script has checked for either curl or wget (there is no check whether it has SSL support; I could add it, but what for, it's enough to add the info to the README, which I will do), it uses it to download the scripts as well as the API info.

Snapshots, on the other side, include wget with SSL support (at least for the router models which I tested), and on snapshots no additional curl or SSL support needs to be installed.

1 hour ago, Redback813 said:

[email protected]:~# wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.
[email protected]:~# wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall
Downloading 'https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall'
Connecting to xxxxxxx:443
Connection error: Invalid SSL certificate
[email protected]:~# wget --no-check-certificate -O /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall

As previously stated, it is due to your stable image including wget without SSL support. As you saw in the next command which you posted, wget can be used with --no-check-certificate, which would ignore the invalid SSL certificate; however, I would suggest installing either curl or SSL support as long as your device does not run out of free space. I don't know which router model you have, but even those with tiny 4 MB still have enough space for WireGuard and SSL support.

1 hour ago, Redback813 said:

2) Issue: the questionnaire, without knowing the answer, so the user defaults to pressing the enter key and gets "invalid". Meaning what? What is the answer?

Please set your torguard credentials which are require for API usage
Set Username: XXXXXXXXXX
Set Password: XXXXXXXXXX
Continue (y/n)?y
Per default New York server is preset, do you want to set your residential/streaming/...?
invalid
[email protected]:~#

The script was first written without asking for a username, simply downloading/creating a config file which a user can then edit according to their needs, like the server and the rest.

The questionnaire only appears if no /etc/config/torguard exists; if a valid one exists, then those values are used and you are not asked for a password.

The questionnaire does not check if your values are correct. Previously I also wrote to another user that I did not add domain resolution to this script (which was done with nslookup, then pinging the 5th to 10th results and choosing the fastest IP of those 5 according to ping alone); those settings can also be set/edited in /etc/config/torguard.

invalid

means that the user input was invalid, as only y/n are allowed. Choosing yes lets you enter your IP; choosing no uses the default New York server, which you can change with uci set and then simply rerun tginstall.

Once again, thanks for your feedback. There is a lot which one can easily adapt in those scripts; I tried to keep it as simple as possible, however, it was just done as a scratch to help people set up their OpenWrt with TorGuard. This guide also misses a step for how to autorun and check if your current IP is the one from the config; if not, it probably means you got disconnected for too long and your config is no longer valid, in which case tginstall simply reruns in the background, creating new keys and getting a new config via the API, all automatically, and you can control it easily over TorGuard.

I personally do not need the read -p lines asking for those things; I only added them because many refuse to try things which they first need to set up, so I somehow wanted to shorten the reading and the steps for a user. I will update those scripts and the documentation; I think the basic info is available.
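The root cause discussed above (busybox wget on a stable image has no TLS, and --no-check-certificate only hides the problem) deserves explicit handling, because the file being fetched is run as root. The following is an added example written for this thread, not code from TorGuard's openwrt-scripts: it refuses to download without certificate checking, installs the TLS pieces if they are missing, and verifies a SHA-256 of the downloaded file before placing it in /usr/bin. The package name libustream-mbedtls, the EXPECTED_SHA256 placeholder and the helper names are assumptions; the URL is the raw one quoted in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from TorGuard's openwrt-scripts.
# Fetch tginstall over verified HTTPS and check its SHA-256 before installing.
# Assumptions: OpenWrt (busybox ash, opkg); package names libustream-mbedtls,
# ca-bundle and ca-certificates (any libustream-* variant works); and an
# EXPECTED_SHA256 that you fill in from a copy you inspected elsewhere.

TGINSTALL_URL='https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall'
# Placeholder (assumption): the thread gives no hash; take it from a trusted
# copy with `sha256sum tginstall` and paste it here. The all-zero value will
# never match, so nothing is installed until you set it.
EXPECTED_SHA256='0000000000000000000000000000000000000000000000000000000000000000'

# 0 if curl is present or wget has TLS support. Busybox wget without libustream
# answers immediately with "SSL support not available", as in the logs above;
# a probe against an unroutable local port never leaves the box. We deliberately
# never fall back to --no-check-certificate.
have_tls_fetcher() {
    command -v curl >/dev/null 2>&1 && return 0
    command -v wget >/dev/null 2>&1 || return 1
    ! wget -O /dev/null https://127.0.0.1:1/ 2>&1 | grep -q 'SSL support not available'
}

# Install TLS support on a stable image where it is missing.
ensure_tls() {
    have_tls_fetcher && return 0
    opkg update && opkg install libustream-mbedtls ca-bundle ca-certificates
}

# fetch URL DEST: download with certificate verification on.
fetch() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL --proto '=https' -o "$2" "$1"
    else
        wget -q -O "$2" "$1"
    fi
}

# verify_and_install FILE EXPECTED_HEX DEST: compare the SHA-256 of FILE with
# EXPECTED_HEX; on a match copy it to DEST mode 0755, otherwise delete FILE
# and return 1 so that a tampered or truncated download is never executed.
verify_and_install() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, expected $2" >&2
        rm -f "$1"
        return 1
    fi
    cp "$1" "$3" && chmod 0755 "$3"
}

main() {
    ensure_tls || { echo 'no TLS-capable downloader available' >&2; exit 1; }
    tmp=$(mktemp /tmp/tginstall.XXXXXX) || exit 1
    fetch "$TGINSTALL_URL" "$tmp" || { rm -f "$tmp"; exit 1; }
    verify_and_install "$tmp" "$EXPECTED_SHA256" /usr/bin/tginstall || exit 1
    rm -f "$tmp"
    exec /usr/bin/tginstall
}

# Runs only as `sh get-tginstall.sh run`, so the functions can be sourced and
# exercised without touching the network.
case "${1:-}" in run) main ;; esac
```

Copy the script to the router, set EXPECTED_SHA256, then run `sh get-tginstall.sh run`. The check is the part that matters: a download over plain HTTP or with verification disabled can be swapped on the wire, and the hash comparison catches that before chmod +x and execution.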

simschu
13 hours ago, 19807409 said: (quoting the post above in full)

:) Huzzah! Thank you so much for all of your support, and for creating the code for the rest of us.

Without the VPN, I have a roughly 400 Mb/s connection, but it regularly ends up at around the 150 to 300 Mb/s mark, so that isn't outside of the norm for me. I only needed 100 Mb/s for this, so I'm good, especially if CPU < 25%. I have been thinking about setting up a WireGuard and OpenVPN server for when I'm away, in order to connect home, but there hasn't been too much travel to require it!

In terms of the 180 Mb/s in WireGuard... when using Speedtest.net it hovers around 20 Mb/s for a couple of seconds, then goes up to around 200 to 300 Mb/s in the app. Not sure how the iperf setup differs from Speedtest.net.

19807409
10 hours ago, simschu said:

:) Huzzah! Thank you so much for all of your support, and for creating the code for the rest of us.

Glad you tried it ;), you are welcome. All credits still go to the TorGuard devs, as it is them who created the code ;). My scripts are simply one of many ways it could be used with OpenWrt, and those scripts do nothing more than what the TorGuard client does, as the logic and the API do not come from me but from TorGuard ;). I simply retold the same story in a quick and dirty shell script.

10 hours ago, simschu said:

In terms of the 180 Mb/s in WireGuard... when using Speedtest.net it hovers around 20 Mb/s for a couple of seconds, then goes up to around 200 to 300 Mb/s in the app. Not sure how the iperf setup differs from Speedtest.net.

It depends on which iperf server you connect to (how far the iperf server is from the VPN) as well as how far your VPN server is from you; the one which you used is located in Germany and is a 10 Gbit one. If you are anywhere in Europe it actually should deliver quite close to your real results, but if you are on any other continent, then of course the speed can be low. That's why I said to test it with the closest of the available iperf servers; you can get the full list of them, if you installed speedperf, by running uci show speedperf, which is simply a collection of:
https://iperf.fr/iperf-servers.php
and
https://iperf.cc/

You should also test what your router reaches on a port when using only 1 port, then 2, and so on. This is how you can test locally if your LAN ports give you the advertised speed.

Iperf actually gives slightly more accurate results. For the German server, check out this info page and try wget with big files to see how it performs with larger files / over a longer test period: https://speedtest.wtnet.de/

10 hours ago, simschu said:

Without the VPN, I have a roughly 400 Mb/s connection, but it regularly ends up at around the 150 to 300 Mb/s mark, so that isn't outside of the norm for me. I only needed 100 Mb/s for this, so I'm good, especially if CPU < 25%.

It would be good to reach your full speed over WireGuard with some server, as your router is capable of reaching it; then you will see how much it requires when it gets the max of your ISP, which is exactly what you want, I would believe.

10 hours ago, simschu said:

I have been thinking about setting up a Wireguard and OpenVPN server

What for? To drain your router with OpenVPN after 1 client connects? No, don't do it; better create a second interface, simply adding it to your LAN zone and configuring the firewall.

As I see that you use the LuCI web interface, here is how you could set up your wg1 interface as a local network. Make sure then that there is no confusion about which clients use your local wg interface and which should use TG; however, it is simple after you've set it up. So, here are the steps:

1. Create a new wg interface, let's say it is wg1.

# General settings tab
2. Set your private key in the field "Private Key":
In the stable version, the WireGuard app comes without a Generate Key button; in that case you need to generate one with wg genkey.
3. Set your listen port; in the example I will use port 23456.
4. Set the IP address of your WG interface. In many examples it is something like 10.*.*.*/24; as we will add this interface to the LAN zone, we want it to be in the same family. Assuming that your network is 192.168.1.0, let's use 192.168.3.1/24 for this example.

# Advanced settings tab
You do not need to add/change anything here. Maybe disable IPv6, which is on by default, or specify the MTU or firewall mark; I will keep those empty here.

# Firewall settings tab
Add this interface to your lan zone.
One can also create a separate one; to keep it simple, having it in the LAN zone means you have full access within your network to all devices, which is probably also what you want when connecting to your home from a remote location. If you want to connect but deny access to the local network, then add it to the wan zone and configure the port forwards from wan to lan properly for the services which you would still like to be accessible (from your local network).

# Peers tab
Add your peer (in this case your VPN clients); click on Add peer:

5. Type a description, like MyPhone.
6. Create new public and private keys again with wg genkey. It is only good if you add a preshared key for more security; create one with wg genpsk if you want to use it, it is optional.
7. Allowed IPs is for some reason wrongly understood by many. As our interface uses 192.168.3.1, we will assign this address to the client in the client config. In this example, let's say your phone gets 192.168.3.3/32.
8. Endpoint port is optional; if you want to have control over it, set it. In the current example I use 51821.
9. Assuming you are behind a NAT, the recommended value of 25 seconds should be a good setting; you might play with it to find the perfect number.
10. Do not enter any value in endpoint host unless you want to specify it strictly, like with another client running a DDNS service; here you would enter your DDNS domain, which would actually resolve the IP. For the guide in the current post, just leave it empty.

That would be it; save it and you should be able to see your interface in the same color as your lan zone.

Go to Status -> WireGuard in your web UI and you see the status; this is how the example of the current post looks.

This is how client config would look like:

[Interface]
PrivateKey = WLHzEopHlcmfgeWrmU/8vRS3qPlfnTWHr8j1kDWHJEA=
Address = 192.168.3.3/32
DNS = 1.1.1.1, 1.0.0.1
ListenPort = 51821
MTU = 1420
 
[Peer]
PublicKey = wqhlBTAv+LaEnq03L+qtwDyRxRR6+ZStuDNixb++zUQ=
PresharedKey = mPOWTF2h9CIWVJ5vz+blABOx/YepP3A9caNiyE5t+WM=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = your.domainOrIP.com:23456
PersistentKeepalive = 25

For the ability to connect from outside and access your local network (aka connecting to your home), you need to allow 23456 to be accessed from WAN or any zone. The easiest and quickest way is adding a firewall rule allowing any source:

config rule
    option src '*'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '23456'
    option name 'Allow Wireguard Inbound'


That would be it; now client MyMobile can connect from outside and will get the local IP address 192.168.3.3, which will have access.

Best is if you have different devices, each with one WireGuard, and all of them then act as gateways. However, the same can be resolved in the same way on one router if it has enough power to run it.

My example above is really simple; one could also use the switch and configure, say, LAN port 1 to be in the WG0 network, LAN port 2 in the WG1 network and so on. In addition, your wg1 device can use wg0 as its gateway, meaning that when you surf over your home connection while connected over VPN, you send the data over your IP, but within the VPN it shows and uses your TorGuard one.

At this point it is quite hard to write a guide for every user's case.

I have scripts which I use that create all those configs, keys etc. on a router when I set up my wg interface; they then add every client etc. with uci, which might help users set up their own wg network, just as tginstall helps to install the WireGuard network.
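The ten LuCI steps in the post above map one-to-one onto UCI options, which is also how uci-driven scripts of the kind mentioned at the end of the post would do it. Here is an added example, written for this thread and not the author's own scripts, that prints a `uci batch` creating exactly the wg1 setup from the post: 192.168.3.1/24 on UDP 23456, one peer MyPhone at 192.168.3.3/32 with keepalive 25, wg1 added to the lan zone, and the "Allow Wireguard Inbound" rule with src '*'. It assumes wireguard-tools and luci-proto-wireguard are installed, that firewall zone index 0 is lan (the OpenWrt default), and that you generate the keys beforehand (`wg genkey | tee wg1.key | wg pubkey`, `wg genpsk`); the two checks on the peer address are assumptions about what a sane home setup looks like, not something the post demands.

```shell
#!/bin/sh
# Added example for this thread, not the author's or TorGuard's scripts.
# Emit (and optionally apply) the uci batch for the wg1 home-access interface.
# Assumptions: OpenWrt with wireguard-tools/luci-proto-wireguard, firewall
# zone index 0 is 'lan', keys are generated beforehand and passed as arguments.

WG_IF=wg1
WG_ADDR=192.168.3.1/24
WG_PORT=23456
PEER_NAME=MyPhone
PEER_ADDR=192.168.3.3/32
KEEPALIVE=25

# same_subnet24 A/PFX B/PFX: 0 when both addresses share their first three
# octets, i.e. the peer lives inside the interface's /24 (assumed check).
same_subnet24() {
    a=${1%%/*}; b=${2%%/*}
    [ "${a%.*}" = "${b%.*}" ]
}

# peer_is_host ADDR: 0 only for a single /32 host; a wider AllowedIPs on the
# server side would route a whole range to one phone (assumed check).
peer_is_host() {
    case "$1" in */32) return 0 ;; *) return 1 ;; esac
}

# wg1_batch SERVER_PRIVKEY PEER_PUBKEY PEER_PSK
# Prints the uci batch on stdout; nothing is applied here.
wg1_batch() {
    same_subnet24 "$WG_ADDR" "$PEER_ADDR" \
        || { echo "peer $PEER_ADDR is not inside the /24 of $WG_ADDR" >&2; return 1; }
    peer_is_host "$PEER_ADDR" \
        || { echo "peer AllowedIPs must be a /32 on the router side" >&2; return 1; }
    cat <<EOF
set network.${WG_IF}=interface
set network.${WG_IF}.proto='wireguard'
set network.${WG_IF}.private_key='$1'
set network.${WG_IF}.listen_port='$WG_PORT'
add_list network.${WG_IF}.addresses='$WG_ADDR'
add network wireguard_${WG_IF}
set network.@wireguard_${WG_IF}[-1].description='$PEER_NAME'
set network.@wireguard_${WG_IF}[-1].public_key='$2'
set network.@wireguard_${WG_IF}[-1].preshared_key='$3'
add_list network.@wireguard_${WG_IF}[-1].allowed_ips='$PEER_ADDR'
set network.@wireguard_${WG_IF}[-1].persistent_keepalive='$KEEPALIVE'
add_list firewall.@zone[0].network='${WG_IF}'
add firewall rule
set firewall.@rule[-1].name='Allow Wireguard Inbound'
set firewall.@rule[-1].src='*'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$WG_PORT'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# apply SERVER_PRIVKEY PEER_PUBKEY PEER_PSK: write the batch into UCI, commit,
# and reload network and firewall. Run as root on the router.
apply() {
    batch=$(wg1_batch "$@") || return 1
    printf '%s\n' "$batch" | uci batch \
        && uci commit network && uci commit firewall \
        && /etc/init.d/network reload && /etc/init.d/firewall reload
}

# `sh wg1-home.sh apply <server_privkey> <peer_pubkey> <psk>` applies it;
# without arguments only the functions are defined (so the file can be sourced).
case "${1:-}" in apply) shift; apply "$@" ;; esac
```

Run it once without `apply` and pipe the output through `less` to see the batch before committing; the client side stays exactly the [Interface]/[Peer] file from the post, with the router's public key (`wg pubkey < wg1.key`) and the same preshared key.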
19807409

@Redback813 and @simschu

I have updated the script and it is now fully unattended. The FAQ is also printed when the script finishes, for the simple reason that you can copy and paste directly from your terminal without needing to look it up in a guide.

- Here is the full pull request with an overview of the commits: https://github.com/TorGuard/openwrt-scripts/pull/1

- I think I've addressed most of the issues which you both had/mentioned/pointed out in this commit: https://github.com/TorGuard/openwrt-scripts/pull/1/commits/974e80da88dd8ea3a4cefd5cc545d4f59a44ac15

- The FAQ was created and moved to the end of the script here: https://github.com/TorGuard/openwrt-scripts/pull/1/commits/d7438e9c7324657b9376b879891fcba96c8ee997

- If /etc/config/torguard does not exist, then the questionnaire is enabled, which normally can only happen when you run the script for the first time or if you delete the existing config

- On every tginstall run, WireGuard and its dependencies are updated (if there is an update) to the latest version

- No need to reboot after changing the server IP address; it also creates new wg keys on each run.

- If you use port forwarding with a dedicated IP or any other IP like a shared server, those will continue to work after each run of tginstall and new keys

If you guys have any other suggestions or requests, let me know. I will probably add to the questionnaire the possibility to also create and configure a local WireGuard interface for connecting from outside to your home, as well as scripts creating the clients specified in the config, where their keys, configs and QR codes will be compressed into a tar.gz archive in the /tmp folder. This is also something that one will run only once on first install, similar to the tginstall script.

If somebody requires a specific cronjob, you can run tginstall on reboot, which would ensure that on each reboot a new config is created. If I get time this week, I will add a service which one can use with /etc/init.d/torguard enable/disable/status/start/stop/restart. It will check every, let's say, 60 minutes if your wg connection is alive and if the IP differs from the one in the config; if yes and an internet connection is available, it runs tginstall. If no internet connection is available, the script will wait 60 seconds before trying again, in an endless loop, to ensure that even if your ISP disconnected you for several hours and your TorGuard config expired, you would be connected again within 60 seconds after you get internet access back from your ISP.

If you have any other suggestions, see an error somewhere or want to add a new feature, either suggest it here or directly on GitHub; of course, perfect would be if you can submit your own pull request when you already know what to add/change.

19807409
1 hour ago, Redback813 said:

Here's a fella who shows how to create a VirtualBox VM of OpenWrt with both wan and lan, saving the end user from flashing their router just to see what works for the user in a VirtualBox setting.

Hello, thanks for the link. I just scrolled through the link but see so far that watching the video takes longer than actually flashing and setting up one's own router; I assume it is informative, but I would need to watch it from beginning to end to be able to comment. Did you try out what was shown in this video?

I was also never a fan of videos which require some time to be watched, and then you can't copy & paste commands from them etc.

What I like much more are emulators/simulators/demos which one can test live, and there are plenty for different purposes. If TorGuard sells routers with preflashed OpenWrt, then I would assume that the best approach would be not to depend on YouTube or any other 3rd party; instead I suggest TorGuard simply create an emulator page for their purposes. You can find a bunch of emulators etc., even by official manufacturers; here are some

On those you can not install WireGuard or similar, but you can see how it works and how it can be done. Besides VirtualBox, one could virtualise it with just about every virtualization solution; you can find QEMU guides and similar, which probably would be easier for devs to test it in the chosen environment.

In fact, it does not matter what or how you use to learn and make sure that you want to do it before flashing; those steps are sadly what many do not do, and then they waste time or, even worse, brick their devices and throw them away, not reading how easily one could repair them...

1 hour ago, Redback813 said:

with both wan and lan

Every OpenWrt router has wan, wan6 and lan included; some which are created to operate as a switch (better said, not as a router) have only lan, like the RE450. Normally a device which is sold as a router will have wan, wan6 and lan per default with IPv6 enabled, which are part of your ROM.

If one wants to use VirtualBox for testing or build their own images, be it from stable or snapshot source, I think all of it is quite well documented in the OpenWrt documentation.

Keymaster4225
On 10/19/2020 at 5:05 AM, 19807409 said: (quoting the update post above in full)

Thanks for all your work on this. Will be testing this on my RPi4 build this evening.

19807409
2 hours ago, Keymaster4225 said:

Thanks for all your work on this. Will be testing this on my RPi4 build this evening. 

Hello, you are welcome and I am glad it helps. If you have any suggestions, issues or any question, please report it here on the forum or directly on GitHub. As far as I understand, you will test OpenWrt on an RPi4. It would be great if you can post your results. Maybe some would find it annoying that on each run opkg update and an update of the WireGuard packages are installed; the easiest way to stop it is simply to comment it out in the script. I will wait for more suggestions before adding further features, and maybe non-OpenWrt devices, as long as there is somebody who could test it.

Keymaster4225
40 minutes ago, 19807409 said: (quoting the post above in full)

I didn't have as much time as I had hoped, but my first run of your script was not successful. It created the interface and appeared to have pulled the necessary data from the API, but did not result in a connection to the server.

Will look into it more tomorrow.

19807409
11 minutes ago, Keymaster4225 said:

I didn't have as much time as I had hoped, but my first run of your script was not successful.

Are you sure? How did you test? Because if the correct data was pulled, then your username/password must be correct too. To verify if you are connected: do you see a handshake when you type

wg show wg0

19807409

@Support it seems there were changes to the API usage which require a peer to be whitelisted; this is Firefox's reply:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sat Oct 24 04:12:38 UTC 2020
There was an unexpected error (type=Internal Server Error, status=500).
Can not add peer with public key 'XXXXXXXXXXXXXXXXXXXXXX=' and IP 10.xx.xxx.xx/32. /usr/bin/wg returned with exit value 1

I checked the API after a user reported not being connected; it seems there were changes in that regard and the current scripts require some adaptation.

19807409

It seems TorGuard was testing something, as suddenly, a few minutes after that post, I do not get the error anymore. However, in the meantime (I do not know if support can confirm) I just tested whether a whitelisted one works in Firefox as well as to connect, because using keys dumped from TorGuard, which are whitelisted, worked. I see that the query part changed and I will have to change the scripts accordingly.

Here is the wg info from using tginstall a few minutes ago:

[email protected]:~# wg show wg0
interface: wg0
  public key: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xfe
peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  endpoint: 3x.xxx.xxx.x:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 56 seconds ago
  transfer: 600.23 KiB received, 2.37 MiB sent

It also worked while Firefox was not able to open the API with a random public key.

Also, @Support, do they expire? I mean those which the TorGuard client creates. Because I am confused now whether I should adapt it to the new settings or keep it the old way, as it seems to be reverted. Also, is there more info on the query process/whitelisting?
19807409

I added today a fix for the current API change. With the changes TorGuard has made recently, you need to either create a TorGuard config with the TorGuard config tool or copy any of the public/private keys which were used by the TG client; they are all whitelabeled.

When you set up for the first time, you have to enter a whitelabeled private key, otherwise a new key will be created, and I did not add the whitelabeling part for now; maybe I am not allowed to do it at all with publicly available scripts. I hope @Support can give more information about the API, its usage, and which parts maybe should not be public.

Additionally, the connection breaks after 15 minutes, and one needs to ensure by crontab or any other script that this info is created. New scripts create a tg demo script with the line of the chosen server for those who want to set it up manually. When the connection breaks, no internet is available, and the old interface as well as the peer must be removed and the network restarted, in case somebody tries it manually. Waiting then for a reply from @Support about the changes as well as the not really announced API change of not using the public key anymore but converting it with a 3D suffix.

EDIT: the current scripts have been running on my Archer since Uptime: 57 min, 31 seconds with no breaks until now; port forwarding works as it did before. Will let it run to see if it disconnects.

EDIT2: TG Client created/whitelabeled keys do not expire for now, but I would need to let it run for a longer time to see how long they stay active.

EDIT3: Updated info on how to get around the 15-minute expiration. Currently only settings expire, but not whitelisted keys. Until I know more by waiting for the test, I will not write any scripts which restart the network interface every 15 minutes.
Keymaster4225
7 hours ago, 19807409 said:

I added today a fix for the current API change. With the changes TorGuard has made recently, you need to either create a TorGuard config with the TorGuard config tool or copy any of the public/private keys which were used by the TG client; they are all whitelabeled.

When you set up for the first time, you have to enter a whitelabeled private key, otherwise a new key will be created, and I did not add the whitelabeling part for now; maybe I am not allowed to do it at all with publicly available scripts. I hope @Support can give more information about the API, its usage, and which parts maybe should not be public.

Additionally, the connection breaks after 15 minutes, and one needs to ensure by crontab or any other script that this info is created. New scripts create a tg demo script with the line of the chosen server for those who want to set it up manually. When the connection breaks, no internet is available, and the old interface as well as the peer must be removed and the network restarted, in case somebody tries it manually. Waiting then for a reply from @Support about the changes as well as the not really announced API change of not using the public key anymore but converting it with a 3D suffix.

EDIT: the current scripts have been running on my Archer since Uptime: 57 min, 31 seconds with no breaks until now; port forwarding works as it did before. Will let it run to see if it disconnects.

EDIT2: TG Client created/whitelabeled keys do not expire for now, but I would need to let it run for a longer time to see how long they stay active.

EDIT3: Updated info on how to get around the 15-minute expiration. Currently only settings expire, but not whitelisted keys. Until I know more by waiting for the test, I will not write any scripts which restart the network interface every 15 minutes.

Can you clarify the first part a bit? When you say create a config file from the TG config generator, you mean just copy that info into /etc/config/torguard and then run tginstall?
19807409
1 hour ago, Keymaster4225 said:

Can you clarify the first part a bit? When you say create a config file from the TG config generator, you mean just copy that info into /etc/config/torguard and then run tginstall?

Sorry for the confusion.

What I meant is the private key which is created by the wireguard config tool, which you can find in your TorGuard account.

OR

The other option to get a whitelisted key is to enable debugging with the TorGuard client on any PC and copy any of those which were used there.

OR

Dump/show keys with the wg tool on a PC which runs the TG Client; here is how you can show your full TorGuard conf with the private key:

wg showconf torguard-wg

That private key is then also saved in /etc/config/torguard and is used by the script. If no key exists, the script will run like it did before, by creating fresh new keys, and will fail on the API request to get connection information because TorGuard now allows only whitelisted keys. I already see how those get whitelisted, but am unsure if I should write any scripts, as it does not look to me like it will stay; to me it looks more like TorGuard has been testing a few things for a few days.

Simply rename /etc/config/torguard to /etc/config/torguard.bkp and rerun the script; it will now ask you for USERNAME, PASSWORD as well as TorGuard's whitelisted PRIVATEKEY.

Creating random keys like before does not work anymore with the API; TorGuard disabled it for a reason that is for now unknown to me and not announced, forcing you to use whitelabeled keys, which stop working after 15 minutes despite the handshake being there; within those 15 minutes one must change other settings. I did not explore now if and what could be fixed, and I am unsure what exact end goal TorGuard has with whitelabeled addresses, expirations, etc. Hope @Support will reply to those questions as soon as known. In the first thread I updated the guide with the info on how to get around the 15-minute breaking connection, but this is just a workaround and not really good to be used; that's why no effort to write now a script doing something which obviously will change.

You only need to copy the private key; the public key is automatically calculated in the script, as is the API key.

I replied in the other thread; whitelisted keys do not expire for now (running now for maybe 24 h, so let's see if they expire or not; they could have a longer expiration period).
simschu

I’m not having any issues right now :) However, my router has been connected for a few days.

Should I expect to have to run the new scripts when my connection next drops?

I presume it is just a case of redownloading the scripts and running them again (possibly clearing the tginit scripts that are already there, and the tginit type files in /usr/bin) but filling in the new details that you signpost above. Anything else you think might need to be done?
19807409

I did not know if support wanted me to write how to keep your config valid, but now I have updated the first page.

When you install tginstall now, it uses whitelisted keys which never expire; one needs to make sure to make an API call within 15 minutes to extend the validity of the connection for the next 15 minutes.

For that reason the current tginstall has also implemented creation of a /usr/bin/tgapitest script which simply gets the API info (not saved to any file); running this script extends validity for 15 minutes and one does not need to restart the network.

6 minutes ago, simschu said:

I’m not having any issues right now :) However, my router has been connected for a few days.

Yes, this is quite possible; if you use the old tginstall script (older than yesterday's commits), then you use user-created non-whitelisted keys which might not work on reconnect.

Also, the server to which you connect might not have those new things applied yet.

7 minutes ago, simschu said:

Should I expect to have to run the new scripts when my connection next drops?

As long as those which you used work, there is no need, but I assume that TorGuard will soon enable it across all servers, which would mean that you will need to update the scripts to the latest.

Also, the new scripts work in the old way (with some fixes) if one does not use/deletes the whitelisted key; then on each run a new one would be created. However, if the API then tells you that you cannot get the info because the key is not whitelabeled, then you know that you have to use a whitelisted key with that server.

9 minutes ago, simschu said:

I presume it is just a case of redownloading the scripts and running them again (possibly clearing the tginit scripts that are already there, and the tginit type files in /usr/bin) but filling in the new details that you signpost above. Anything else you think might need to be done?

Yes, to make sure, you can delete them in one command:

# assuming in /usr/bin folder are no other files with prefix tg
rm -f /usr/bin/tg*

# then rename your old config to bkp
mv -f /etc/config/torguard /etc/config/torguard.bkp

# then download and run tginstall

20 minutes ago, Keymaster4225 said:

I gotcha. Next question, it's not clear to me, but are we supposed to run tginit first, then tginstall?

Well, one can use both. tginstall is just a helper script and tginit is the one working with the API and creating the interface; both can be dynamically used/changed, etc.

You should only run tginstall when you recreate/reset your wireguard interface.

When you run tginstall, it will also create a file tgapitest with your credentials, key and the proper API URL; this is what you need to run in cron, let's say every 10 minutes, then your connection will never expire. In addition, add a cronjob @reboot which runs tginstall to ensure that on each boot a fresh new connection is established and tgapitest keeps it valid:

tgapitest
19807409

I forgot to say one additional point: you do not have to run tgapitest from the device on which you connect; this can be any device which is connected to the internet.
19807409

Guides are updated and I committed to GitHub; a new simple service file is created by tginit which you can run to resolve the 15-minute issue. This can be done on any network which has internet; it does not even need to be yours. Those who run behind the TG server service should consider running the validation script also on some server/device which never goes offline, unlike many devices in home use; then the connection will also not expire.

Please check the first post of this thread as well as the README on GitHub for more info. For everybody who runs the latest scripts, you need to upgrade only the tginit file.

Enable the service which extends my connection every 5 minutes for another 15 minutes:

/etc/init.d/tgapi enable
/etc/init.d/tgapi start

It has now been running for over 24 hours without any issue on one device, and I tested it in several combinations on some other devices.

EDIT: additional note, I tested the current scripts with wget without SSL support and it somehow fails to get the info from the API with wget, resulting in no connection. Please install curl to ensure that curl is used and the connection will be established. I will not update the guides and requirements until I have inspected why wget fails, as it should work and is actually preinstalled with stable releases, and it would be good if it worked without a need for installation of additional packages like curl and its dependencies, even if it is small in size.

How to install curl on OpenWrt:

opkg update && opkg install curl

How to uninstall curl and its dependencies (if they are unused by other packages):

opkg remove --autoremove curl

Edited by 19807409
add curl and wget info
19807409

Updated the README on GitHub; the first post of this thread is also cleaned up, and there are 3 methods of how one can keep the connection valid independently of which device and network one runs it from.

5 min seems to be too much; as @Support did not share any info and as 5-min validation sometimes fails, it could mean that the connection expires with some secondary check (for IP, as an example), or that the backend, let's say, does update only if validation is done X seconds before it expires, meaning that lowering the value might make it more stable. However, as the topic is so fresh, I need to let it run for a couple of days to actually verify it. As long as support does not give more info, we are forced to find it out by ourselves. I would dislike running validation more often than once per 5 min, and I do not believe that TorGuard would like to receive API calls, let's say, every second. To avoid abuse and bad behaviour, please do not use values lower than 60 seconds; I reduced it in tginit to validate every 60 seconds until @Support can provide more info.

If you really need a stable connection on OpenWrt, make sure to run a secondary job using your default ISP connection to ensure that validation is not done over the same IP for which one activates the API (as that could be the secondary check).
19807409

@Support, unless there is already some concept, here is one suggestion: maybe you could add to the API response one additional var which holds the expiration time in epoch; with that, the script can always run a few seconds before expiration, and the new API call delivers a new expiration time, meaning that if you do change anything on your backend regarding expiration time, no client would get disconnected.