TorGuard

HowTo - OpenWRT with any TorGuard's Wireguard IP



19807409


Support
8 hours ago, 19807409 said:

@Support unless there is already some concept, here is one suggestion: maybe you could add to the API response one additional var which should have the expiration time in epoch. By that, a script can always run a few seconds before expiration, and the new API delivers a new expiration time, meaning that if you change anything on your backend regarding expiration time, no client would get disconnected.

 

Thanks, sorry for the delay guys - we plan on making it public as soon as it's completed and will confirm more details once we are nearly there - we are busy on getting Android and iOS wireguard out for the time being.


19807409
4 hours ago, Support said:

Thanks, sorry for the delay guys - we plan on making it public as soon as it's completed and will confirm more details once we are nearly there - we are busy on getting Android and iOS wireguard out for the time being.

Thanks for the reply. The current scripts work well now, but I had to make changes as the API changed, which maybe caused confusion for some users using it. Everything works again, hope no big changes will happen. You announced once that the expiration time was raised to one hour and now it is back to 15 min or similar, which does make me happier than 1 hour; it is just confusing to write scripts resolving something where its constants change.

Nice to see that finally android/iOS is becoming ready.

simschu

Had some difficulty tonight. It won't clear the old public key, nor the old server IP. Is there a way to flush and remove all of the tg files, so I can start afresh? I tried deleting the tg* files in usr\bin and tginit.sh in \usr. However, something is remaining and I can't find it! Essentially, trying to uninstall so I can reinstall afresh.

19807409

@simschu

How to manually upgrade/download: https://github.com/TorGuard/openwrt-scripts/wiki#how-can-i-manually-upgradedownload-my-scripts

curl -o /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall
curl -o /usr/bin/tginit https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginit
curl -o /usr/bin/tginit-uci-basic https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginit-uci-basic

or with wget

wget --no-check-certificate -O /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall
wget --no-check-certificate -O /usr/bin/tginit https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginit
wget --no-check-certificate -O /usr/bin/tginit-uci-basic https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginit-uci-basic

 

How to reset/recreate config: https://github.com/TorGuard/openwrt-scripts/wiki#how-to-resetrecreate-config

  1. rename torguard config file (or delete)
    mv -f /etc/config/torguard /etc/config/torguard.bkp
  2. Run tginstall
    tginstall

 

More info and updates about latest scripts can be found in README.md and wiki (currently has only FAQ) for current scripts.

Edited by 19807409
update links
19807409

Today, non-whitelisted keys work again and any key created by wg genkey works; it is again like it was a few days ago and one does not need to use a whitelisted one from TG client/TG Wireguard config tool.

I am not sure how many changes and tests will come until the android/ios apps are released; for a stable connection please use a whitelisted key, as TorGuard might disable it again at any time before the release happens.

simschu

All worked! Back on today. Didn't take me too long after you guided me how to enter new Private key more easily.

Thanks!

19807409
15 hours ago, simschu said:

All worked! Back on today. Didn't take me too long after you guided me how to enter new Private key more easily.

Thanks!

Always glad to ;),

those were just a scratch in testing but work quite stable for now.

I tagged v0.0.0.2 which is the last one before changes applied today. You do not have to update/upgrade as long as scripts in your existing version work.

v0.0.0.3 and latest master now include tguninstall as well as tgupgrade, which should shorten some lines too. I also moved most functions to the tgfunctions file; there are still many hardcoded values which require a cleanup, and some functions need to be shortened as there are still a few vars etc. which are not required. New v0.0.0.3 also includes speedperf fixes.

Wiki is also updated; there is more info centralized which one would otherwise need to find in pieces in the current thread.

I maybe did not explain very well or in details what speedperf is. I added all publicly available servers in config file /etc/config/speedperf and one is set as default server which is used when one runs speedperf.

  • Here is more info about speedperf, no need to rewrite it all, here would be list of default feature.
  • Speedperf will include also your geolocation check and you could see if you leak or if vpn broke etc..
  • One could run speedtest too from another device, but if you want to test your router, then speedtest would require min python to run python speedtest-cli version and python is too big for most routers without additional storage where iperf3 is very tiny and delivers more accurate results. One negative side is that there are far fewer publicly known servers; if you know any which are not already in /etc/config/speedperf then please let me know or best is if you make pull request for those who can.
  • you can find resulting tar.gz archive in folder
    /var/log/speedperf/iperf3/speedperf_default_client_*-*_speedtest.wtnet.de.tar.gz

 

Redback813

I follow the instruction on wiki page and stumble across an error "tgfunctions"

[email protected]:~# wget -O /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt
-scripts/master/usr/bin/tginstall
--2020-10-28 18:21:41--  https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall
Resolving raw.githubusercontent.com... 151.101.128.133, 151.101.64.133, 151.101.192.133, ...
Connecting to raw.githubusercontent.com|151.101.128.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2063 (2.0K) [text/plain]
Saving to: '/usr/bin/tginstall'

/usr/bin/tginstall               100%[========================================================>]   2.01K  --.-KB/s    in 0s      

2020-10-28 18:21:43 (50.3 MB/s) - '/usr/bin/tginstall' saved [2063/2063]

[email protected]:~# chmod +x /usr/bin/tginstall && tginstall
/usr/bin/tginstall: source: line 11: tgfunctions: not found
[email protected]:~#

19807409
1 hour ago, Redback813 said:

I follow the instruction on wiki page and stumble across an error "tgfunctions"

[email protected]:~# wget -O /usr/bin/tginstall https://raw.githubusercontent.com/TorGuard/openwrt
-scripts/master/usr/bin/tginstall
--2020-10-28 18:21:41--  https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tginstall
Resolving raw.githubusercontent.com... 151.101.128.133, 151.101.64.133, 151.101.192.133, ...
Connecting to raw.githubusercontent.com|151.101.128.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2063 (2.0K) [text/plain]
Saving to: '/usr/bin/tginstall'

/usr/bin/tginstall               100%[========================================================>]   2.01K  --.-KB/s    in 0s      

2020-10-28 18:21:43 (50.3 MB/s) - '/usr/bin/tginstall' saved [2063/2063]

[email protected]:~# chmod +x /usr/bin/tginstall && tginstall
/usr/bin/tginstall: source: line 11: tgfunctions: not found
[email protected]:~#

 

Thanks for letting me know, should be fixed now. Instead of tginstall, please do this:

wget -O /usr/bin/tgsetup https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tgsetup && chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup

tgsetup will also delete old scripts, download new ones and rename your configs to *.old, letting you run a fresh setup. If /etc/torguad/config exists, you will not see the questionnaire, it will be unattended.

If you download tginstall and run it, you must ensure to download tgfunctions too. For that reason I've added a setup file which moves /etc/config/torguard to torguard.old and speedperf.old.

When you set it up for the first time, then do not use anymore tgsetup but tginstall.
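
An added example, not part of the original posts or of the TorGuard scripts: the download-and-run commands in this thread (including the earlier wget --no-check-certificate variant) place a remote script in /usr/bin and execute it as root, so this version leaves certificate checking on and installs the file only if it matches a SHA-256 pinned from a copy you have reviewed. The function names are assumptions and the pin is a placeholder you supply; on OpenWrt, certificate checking needs a CA bundle package (ca-bundle or ca-certificates) installed.

```shell
#!/bin/sh
# Added example (not from the TorGuard scripts). Function names are assumptions.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified SRC PIN DEST
# Install SRC as DEST (mode 0755) only if its SHA-256 equals PIN.
# Returns 0 on success, 1 on digest mismatch, 2 on bad arguments.
install_verified() {
    iv_src=$1; iv_pin=$2; iv_dest=$3
    [ -f "$iv_src" ] || { echo "no such file: $iv_src" >&2; return 2; }
    case "$iv_pin" in
        ''|*[!0-9a-fA-F]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#iv_pin}" -eq 64 ] || { echo "pin is not 64 hex digits" >&2; return 2; }
    iv_pin=$(printf '%s' "$iv_pin" | tr 'A-F' 'a-f')
    iv_got=$(sha256_of "$iv_src") || return 2
    if [ "$iv_got" != "$iv_pin" ]; then
        echo "SHA-256 mismatch for $iv_src: got $iv_got" >&2
        return 1
    fi
    # Stage next to the destination, then rename, so a partial file is never run.
    iv_stage="$iv_dest.new.$$"
    cp "$iv_src" "$iv_stage" && chmod 0755 "$iv_stage" && mv -f "$iv_stage" "$iv_dest"
}

# fetch_verified URL PIN DEST
# Download over HTTPS with certificate checking left on (no -k and no
# --no-check-certificate), then verify and install. Returns 3 if the download fails.
fetch_verified() {
    fv_tmp=$(mktemp) || return 2
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --proto '=https' -o "$fv_tmp" "$1"
    else
        wget -q -O "$fv_tmp" "$1"
    fi || { rm -f "$fv_tmp"; echo "download failed: $1" >&2; return 3; }
    install_verified "$fv_tmp" "$2" "$3"; fv_rc=$?
    rm -f "$fv_tmp"
    return "$fv_rc"
}

# Usage on the router. PIN is a placeholder: compute it with sha256sum on a
# copy of the script that you have read, then run the script only on success.
#   fetch_verified https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tgsetup \
#       "$PIN" /usr/bin/tgsetup && /usr/bin/tgsetup
```

A pin taken from the master branch stops matching whenever the script is updated, which is the intended signal to review the new version before running it.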

Redback813

I follow the instruction from above as one line command and stumble across an error, "line 621: wg: not found"

Do you want to set custom IP (y/n)? y
Set your server ip address: xxx.xxx.xxx.xxx
Set your wireguard private key: xxxxxxxxxxx
/usr/bin/tginstall: line 621: wg: not found
Do you want upgrade dependencies on every run (y/n)? y
Do you want to install/reinstall required dependencies (y/n)?

 

 

19807409
31 minutes ago, Redback813 said:

, "line 621: wg: not found"

It means you did not install dependencies. If you ran tgsetup, it asked you if you want to install recommended dependencies; you should say no only if they are already installed. It seems you have chosen no. Please simply rename /etc/config/torguard to /etc/config/torguard.bkp.


Then it will install all packages required for the script (curl not if you have wget) if you have chosen y/Y on:

Do you want to install/reinstall required dependencies (y/n)?


If you did choose it and it was not there, then please ensure that your internet works; you could do so by simply running opkg update

- Run tgsetup again and finish the questionnaire, where you should say yes to download dependencies.

- Not recommended, but you can install dependencies manually too and later choose always no to dependencies:

# install wireguard and optional ipset
opkg update && opkg install kmod-wireguard wireguard-tools ipset

# for speedperf
opkg install iperf3

# recommended is if you use curl instead of wget
opkg install curl

# if you use Luci Web Interface, you probably want to have wireguard app too
# luci-app-wireguard is not installed by the script as it is not required
opkg install luci-app-wireguard

# if you use the wireguard app and want to run your own server, you will probably want to be able to show your configs as QR codes on the Wireguard Status page; for that install qrencode
opkg install qrencode

 

19807409

@Redback813 once you have configured it, guided by those questions, you will not need to enter a reply to any question again when running tginstall, which would simply use all your settings from the torguard conf file (/etc/config/torguard). When /etc/config/torguard exists, tginstall does not ask you any questions and just runs, but to ensure it runs your config must be correct (like username/password/server ip/...); then with each rerun of tginstall it would delete the old wg0, remove it from the assigned firewall zone, then create a new wg0 interface and add it to the firewall zone etc...

If you use terminal, you can show yourself this config by running:

uci show torguard

which would show you your full config.

As example if you want to display only your credentials:

uci show [email protected]_tg0[0]

 

19807409

Streaming IP, dedicated and shared, tested and all worked and work. One test server on M247 has been connected for weeks, not affected by the 15 min timeout. @Support do all servers support wireguard in the meantime?

Support
9 minutes ago, 19807409 said:

Streaming IP, dedicated and shared, tested and all worked and work. One test server on M247 has been connected for weeks, not affected by the 15 min timeout. @Support do all servers support wireguard in the meantime?

 

All servers now support WG yes, none should be affected by the 15 min timeout, I will make sure all are now using the new API but they should be.

Regards

19807409
4 minutes ago, Support said:

All servers now support WG yes, none should be affected by the 15 min timeout, I will make sure all are now using the new API but they should be.

Is it already known if and which timeouts will be used? I ask because I've added apifix options in my scripts and if they are no longer required, then they probably can be removed too. For around two days now, non-whitelabeled keys work too. If this is correct, then the current scripts would still work if someone does not specify the key; then wg gen is used and the new key saved. This was a simple method where keys were changed on each reboot (at least for me). Both old and new worked properly with features like port forwarding.

- 15 min timeout - I think it was never properly explained. As long users reported it, I assumed connection breaks after 15min which did not, it was still connected but connection within your network was invalid. This was/is resolved in simply running api call frequently enough.

- Whitelabeled (or whatever it was) - this had nothing to do with 15 min timeout, but on which keys are allowed to use the api, where those not whitelabeled received error and no connection data.

Can you specify which of those two will not be used anymore?

By the new API, do you mean current one which is used by TG client (api/v1)? Or you meant latest changes on api/v1 as new?

Keymaster4225
32 minutes ago, Support said:

 

All servers now support WG yes, none should be affected by the 15 min timeout, I will make sure all are now using the new API but they should be.

Regards

 

I have a dedicated Spectrum IP that still isn't working with Wireguard. Have submitted support tickets and they just say it should be "soon"

Support
11 hours ago, Keymaster4225 said:

 

I have a dedicated Spectrum IP that still isn't working with Wireguard. Have submitted support tickets and they just say it should be "soon"

 

It should be good to go - please send me a ticket number and I will have a look.

Regards

Keymaster4225
13 hours ago, Support said:

 

It should be good to go - please send me a ticket number and I will have a look.

Regards

Can't figure out how to send direct messages on here. 

 

Ticket# 591224

19807409

With current changes and removal of 15 minutes restriction, there is still one which those running wireguard should know:

  • If you are connected not over TG Client, you cannot use the same server with a wireguard client; you can with TG Client. As soon as you activate/use the api on the same IP, only the latest will be valid, making the other invalid (it has no internet connection but is connected).
  • If your connection has become invalid, run the api once again to activate it and deactivate the second one. (As an example, this could happen if one tests the wireguard app on a phone with the same server IP as the router: your router would lose internet the moment you run the api to activate your phone's connection, where I can open the api link in my phone's browser and reactivate the router after recognizing the mistake.)

Conclusion:

  1. Do not use same Server IP on different devices if you use wireguard original client
  2. TorGuard Client can be used with the same IP address without invalidating currently active connection/s

This is just current state of IP's which I tested, this might not apply on every IP, please confirm/deny if you experience something different than stated above, especially as invalidation may be disabled at all invalidating point one, where TorGuard client does work using same connections (tested on shared and premium servers only for now)

 

1 hour ago, Keymaster4225 said:

Can't figure out how to send direct messages on here. 

I guess from the forum's point of view, as the official TG forum, direct messages would be email to support. I wouldn't know that one can send PMs on the forum, but your number can be tracked by support, which probably means your issue is resolved before I post this reply.

Redback813

Found this elsewhere on the web, an issue that might affect some users

I also had issues with allowedIPs = [ "0.0.0.0/0" ], but was able to solve it with an ip route.

The Problem: including 0.0.0.0/0 as an allowed IP routes all traffic through the Wireguard interface (good!), including the wireguard traffic itself (not good!). As far as I can tell, all network traffic ends up in a loop and never actually leaves the machine.

The Solution: Add a more specific ip route allowing traffic to the VPN via the default gateway.

19807409
4 hours ago, Redback813 said:

Found this elsewhere on the web, an issue that might affect some users

I also had issues with allowedIPs = [ "0.0.0.0/0" ], but was able to solve it with an ip route.

The Problem: including 0.0.0.0/0 as an allowed IP routes all traffic through the Wireguard interface (good!), including the wireguard traffic itself (not good!). As far as I can tell, all network traffic ends up in a loop and never actually leaves the machine.

The Solution: Add a more specific ip route allowing traffic to the VPN via the default gateway.

I am not sure to what exactly you ref with the problem, I guess you would need to specify it, especially of why and how do you end in a loop, especially with current scripts, I am kinda confused if you ask me to change something because there is something to change?

Issues known to me with most people who used guides for wireguard setup as server at their openwrt routers was due to all guides actually using 10.x.x.x addresses where most users in their routers (enduser) still have 192.x.x.x type. Not going into specifics, on openwrt, if routes are automatically set and overwritten on wg connect (which they are), then due to simply different networks/types your routes might be wrong and one would require to fix them which most of guides do not really properly explain.

The easiest solution for those who experience what I explained above is to simply use a higher address than your network's: if your gateway IP is 192.168.0.1, then use 192.168.(0+x).1 as your wireguard server ip; then the wg interface would properly know its gateway and, given the way it all is configured in openwrt, routes would be routes.

Another point of 0.0.0.0/0 is that it means everything. I am confused by your statement that it includes wireguard traffic, what does that mean? You can add single IPs, or just some ranges like DHCP ranges or even simply a guest wireless network which you do not want to go over your ISP; whatever it is, the user should set it up.

For TorGuard, 0.0.0.0/0 is not wrong, as one probably wants all traffic to go through it, however, it is always better to specify only allowed IP's which is normally your network.

If you run a server, then not using 0.0.0.0/0 requires from you to specify domain names (ddns) of your clients which then are resolved and that IP is allowed, meaning that you would need to know outer ip of your clients. By that, one needs to differentiate, as if I would have own wireguard interface for home connecting, I would probably still want it to use torguards wg0 as gateway and if I set everything like stated above, then I have no need at all to care about routes, they are set automatically correctly.
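
The fix described in the quoted text above (a more specific route to the VPN server via the default gateway), as an added example that is not part of the thread or of the TorGuard scripts: it reads the default routes and prints the host route that keeps the encrypted WireGuard packets on the physical uplink when allowed_ips is 0.0.0.0/0. The function names and addresses are assumptions (203.0.113.10 stands in for the server IP); OpenWrt's WireGuard protocol handler normally adds this route itself unless nohostroute is set to '1'.

```shell
#!/bin/sh
# Added example (not from the TorGuard scripts). Names and addresses are assumptions.

# endpoint_host_route ENDPOINT_IP WG_IFACE
# Reads `ip -4 route show default` output on stdin and prints the command that
# routes the WireGuard endpoint over the physical uplink instead of the tunnel.
# Returns 1 if no default route outside the tunnel exists, 2 on a bad endpoint.
endpoint_host_route() {
    if ! printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "endpoint must be an IPv4 address" >&2
        return 2
    fi
    awk -v ep="$1" -v wgif="$2" '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            # A default route that points into the tunnel is the loop itself.
            if (dev == "" || dev == wgif) next
            # Keep the uplink with the lowest metric.
            if (!found || metric < best) {
                found = 1; best = metric; bgw = gw; bdev = dev
            }
        }
        END {
            if (!found) exit 1
            if (bgw != "")
                printf "ip route add %s/32 via %s dev %s\n", ep, bgw, bdev
            else
                printf "ip route add %s/32 dev %s\n", ep, bdev
        }'
}

# Constructed sample of `ip -4 route show default` on a router whose tunnel
# already owns a default route next to two uplinks.
demo_routes() {
    cat <<'EOF'
default dev wg0 scope link
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.10 metric 10
default via 10.20.0.1 dev wwan0 proto static metric 20
EOF
}

# Prints: ip route add 203.0.113.10/32 via 192.168.1.1 dev eth0.2
demo_routes | endpoint_host_route 203.0.113.10 wg0 || true
```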

19807409

I was asked recently about if I can write app for current scripts. The answer is sure, but there is no need, as scripts are simply created to simply install wireguard vpn from torguard. When one has it set up, then interface can be configured. If one has luci installed (Web Interface), then installing luci-app-wireguard will provide you a gui (like one from second post of this thread).

opkg update && opkg install luci-app-wireguard qrencode

qrencode - this is optional and everything will work also without it except status page's QR codes. However, qrencode is more useful when you create your wireguard server client configs as with qrencode you can create also tiny qrcodes in ansi, which you can show also in a terminal. QRencode is by that actually useful also for those who do not have luci-web-if and simply print their client config in terminal and scan it lets say with a phone.

I doubt that there is requirement to actually fork current luci-app-wireguard just to add WebIf page for TorGuard configs, I personally do not use GUI, but if more users ask for it, sure, it can be added where it all could be packed into something like luci-app-wireguard-tg which would have as dependency luci-app-wireguard, qrencode, my (or anybody else's refactored) scripts and as it is done, one luci-app-torguard could be also created which would install all protocols offered by torguard, however, normally one does not want to have all protocols installed on a device with restricted free space where only one or max 2 would be used.

What I might add is a question if one wants to install tor, i2p and privoxy with corresponding configurations. For privoxy there is a webif available with luci-app-privoxy, but for tor and i2p there are none.

  • 2 weeks later...

@19807409

I've been at this for a day and I haven't been able to get it to work properly. It throws me a bunch of errors at the end of the install, and my WireGuard configuration doesn't look complete after the install. I have to go into the web interface and 'ungarble' a lot of it. Also, 'wg show' is reporting a different public key than the wireguard config generator gave me. I'm really at a loss of what to do here. What am I missing here?

  * Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v7.3: The set with the given name does not exist
iptables: No chain/target/match by that name.
 * Running script '/var/etc/gls2s.include'
   ! Skipping due to path error: No such file or directory
 * Running script '/usr/bin/glfw.sh'
Command failed: Not found
 * Running script '/usr/sbin/glqos.sh'
 * Running script '/var/etc/mwan3.include'
'radio2' is disabled
TGINIT - RESULTS


commit network ...
Add created wireguard interface to lan zone (this will overwrite any other [email protected][0].network setting, please recheck if using non default settings)
Warning: Section @zone[1] (wan) cannot resolve device of network 'wg0'


Show Network inteface: wg0
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
network.wg0.listen_port='51820'
network.wg0.addresses=''
network.wg0.mtu='1420'
network.wg0.fwmark='0xfe'
network.wg0.delegate='0'
network.wg0.nohostroute='0'
network.cfg0a96fc=wireguard_wg0
network.cfg0a96fc.description='wg0 (TorGuard)'
network.cfg0a96fc.allowed_ips=''
network.cfg0a96fc.persistent_keepalive='25'
network.cfg0a96fc.route_allowed_ips='1'


I tried adding the Address from the config file I got from the generator, but it didn't help. I added 0.0.0.0/0 to allowed_ips manually after the install. Then it's just throwing up this a lot:

2020 daemon.notice netifd: Interface 'wg0' is setting up now
2020 daemon.notice netifd: Network device 'wg0' link is down
2020 daemon.notice netifd: Network device 'wg0' link is up
2020 daemon.notice netifd: Interface 'wg0' has lost the connection
2020 daemon.notice netifd: Network device 'wg0' link is down
2020 daemon.notice netifd: Interface 'wg0' is now down
2020 daemon.notice netifd: Interface 'wg0' is setting up now
2020 daemon.notice netifd: Interface 'wg0' is now up
2020 daemon.notice netifd: Network device 'wg0' link is up
2020 user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)
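
An added example, not part of the original post or of the TorGuard scripts: a check that reads uci show network output and lists the WireGuard options that are absent or empty, which for a dump like the one above are the interface address and the peer's public key, endpoint and allowed IPs. The function names are assumptions and the sample dump is constructed from the one in the post, with the key replaced.

```shell
#!/bin/sh
# Added example (not from the TorGuard scripts). Function names are assumptions.

# wg_uci_missing IFACE
# Reads `uci show network` output on stdin and prints one "section.option" per
# required option that is missing or empty, for IFACE and for each of its
# wireguard_IFACE peer sections. Returns 0 if nothing is missing, 1 otherwise.
wg_uci_missing() {
    awk -v ifc="$1" -v q="'" '
        function key(s) { sub(/=.*/, "", s); return s }
        function val(s) { sub(/^[^=]*=/, "", s); gsub(q, "", s); return s }
        {
            k = key($0); v = val($0)
            n = split(k, p, /[.]/)
            # "network.<section>=wireguard_<iface>" declares a peer section.
            if (n == 2 && v == "wireguard_" ifc) peers[++np] = p[2]
            # "network.<section>.<option>=<value>" is an option line.
            if (n == 3) opt[p[2] "." p[3]] = v
        }
        END {
            split("private_key addresses", ireq, " ")
            split("public_key endpoint_host allowed_ips", preq, " ")
            bad = 0
            for (i = 1; i <= 2; i++)
                if (opt[ifc "." ireq[i]] == "") { print ifc "." ireq[i]; bad = 1 }
            if (np == 0) { print ifc ".peer"; bad = 1 }
            for (j = 1; j <= np; j++)
                for (i = 1; i <= 3; i++)
                    if (opt[peers[j] "." preq[i]] == "") {
                        print peers[j] "." preq[i]; bad = 1
                    }
            exit bad
        }'
}

# Constructed sample, shaped like the dump in the post (key value replaced).
demo_dump() {
    cat <<'EOF'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='CONSTRUCTED'
network.wg0.listen_port='51820'
network.wg0.addresses=''
network.cfg0a96fc=wireguard_wg0
network.cfg0a96fc.description='wg0 (TorGuard)'
network.cfg0a96fc.allowed_ips=''
network.cfg0a96fc.persistent_keepalive='25'
network.cfg0a96fc.route_allowed_ips='1'
EOF
}

# On a router: uci show network | wg_uci_missing wg0
demo_dump | wg_uci_missing wg0 || true
```

An interface with no address and a peer with no public key or endpoint cannot complete a handshake, so filling in allowed_ips alone does not bring the tunnel up.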

19807409
3 hours ago, James8078 said:

@19807409

possible to use your setup about ''How to get around 15 Min. timeout'' with dd wrt?

Yes. You actually can create endless script running curl/wget or simply open it in any browser

If you use mobile phone or some mobile device where no shell/bash is available, you may find different workarounds but the easiest is to save your api url as bookmark on your phone/device and if it expired, then you open it first non connected to TG then reconnect.

When does my Wireguard expire: it did use to expire after 15 minutes, torguard disabled expiration, however, not fully. If you use TorGuard client and connect to same wireguard ip, then it expires. If you use TorGuard client, then make sure not to connect over it to same IP as your wireguard is using, if it happens (like by mistake) then you can open your API Url on any device which has internet connection.

I found one bug which I already resolved (update branch) and will merge it to master later today (in few hours), currently wg config is created incorrectly as public key needs conversion to html format. This is already a part of update branch and has been tested but before I merge, I want to make few more tests.

 

If you want to convert your public key manually, you can use this online converter.
