Jump to content

Fixed IPs with a Wiregaurd Client on GLI Shadow GL-AR300M

Rate this topic

Recommended Posts

56 minutes ago, VPP said:

The problem I have is that I cannot generate a Torguard Configuration Script for fixed IPs.

What do you mean by that at all? If server to which your IP is assigned has wireguard enabled (in some countries they are not), then you can use that one install command on openwrt, you will be then asked for your username, password and you can enter the ip address of your fixed ip.

Link to post
Share on other sites

According to Torguard the GL-AR300M (Shadow) is already running OpenWRT see here:


For FIXED IPs: The problem is Step 2.) Find the WireGuard VPN server location you wish to connect to and select "Enable WireGuard". Then click "Download Config" and save the WireGuard config file.

For a FIXED IP you cannot generate a Config to insert at Step 7.



Link to post
Share on other sites

Didnt know which they preflash, it means you can run it without any issues and it should mean that you actually can install it straight away by running, however, if you read more carefully, it says, if you use openwrt, then follow this guide, where the link is simply: https://torguard.net/#

If you look up the guide or github's readme, you will notice that you can use api manually too. So, I would not be sure if it is openwrt which is preflashed.

The guide for luci is simply the guide which I wrote, where you install luci's wireguard app and configure your interface. Running the script does it all for you, where if there is no existing config, it will ask you for your credentials and server so that it can create proper interface, very easy.

Run this:

wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall

and you will even not need to reboot, you should be then connected.

Link to post
Share on other sites
3 hours ago, VPP said:

19807409 thanks for your help. I decided to use Wireguard using a PC, so I am sorted for now.

you are welcome

Link to post
Share on other sites

For my GL-AR300M, I had to install openwrt firmware from openwrt.org and not use the GL-inet firmware.  It was a little tricky to install because I had to go to the real local admin site inside of the stock GL firmware (which i thought was the admin site) to successfully upload my firmware.  If you didn't have to login twice to upload your firmware, you're at the wrong firmware page.

Once installed, I could use the Luci interface at to install luci-app-wireguard (or 'opkg update && opkg install luci-app-wireguard' on CLI ) and use the wireguard wizard from the Network tab -> Interfaces -> Add new interface and select Wireguard.  I found the config information needed for the wireguard setup wizard here in my account under servers and wireguard network.  The only thing I wasn't able to add was the DNS entry which I had to add manually to my WAN interface on the same network interface page you were just on.

Link to post
Share on other sites

You normally can flash factory image if you you put another image, if you run same one and want just sysupgrage then you flash sysupgrade. When you say you had to login twice, then it actually reminds me on the issue that you did not reset/hard reset your router and some things and settings might be left over. If you used snapshot and not release, which I assume you did because you did not have web interface and assume you called it wrong page because of that. Once installed with luci means you installed stable version. For DNS entry you do not need to enter it, you can handle it on other interfaces. If your router acts as DNS server then you can configure it in your LAN, if it is DHCP server make sure to pass the gateway and DNS to your clients, in adding 3, (ip of your gateway) and 6,, for DNS (if you use cloudflare or any other).

On snapshots users have issues using terminal, there is no Luci installed by default and actually nobody wants webui if you know how to setup with uci. Snapshots are easily upgraded, preserving all installed apps and settings, you need first to run: opkg_backup and it will create a file in /etc/backup listing all installed packages in rom and non rom, so that after sysupgrade all of them are installed. That way you can keep daily your image up to date without a need to reinstall or reconfigure, here is example script of how you could do it (just change image file), something like that:

wget -O /tmp/sha256sums $URLSNAPSHOT/sha256sums
cd /tmp
sha256sum -c sha256sums 2>/dev/null|grep OK
sysupgrade -o -k /tmp/openwrt-ath79-generic-tplink_archer-c5-v1-squashfs-sysupgrade.bin


Just change SNAPSYSUPGR var to your router firmware. Check sysupgrade for more info about variety of way how it could be used.

If you want port forwarding to work, you need to open listen port of your WG interface and allow forwarding of those ports to the device. Same then goes for other services like i2p, onion etc.., their ports must be open on a router if you configured your tg interface to be in WAN, then you need to allow that port communication for WAN zone to LAN zone, if your TG interface is in your LAN zone, then you might get into security issues, where WG interface can access your whole local network, if anybody at anytime is not isolated in TG network, then this setup would be ideal one for attack. By that, make sure that WG interface of TorGuard is in WAN zone and if you create own to run your own network over your real ip, that one you could add to local lan as it will be only you connecting and you want to have access to your LAN.


Link to post
Share on other sites

Good info

I meant that the first login is for GL-inet to upgrade your gl firmware.  It will reject openwrt firmware. You need to navigate to the admin site section which will allow you to login to the Openwrt part that is running behind the scenes and upload the firmware from there.  I forget exactly since i erased it but i think was for gl-inet firmware and was openwrt portion.

I ran a full release on mine under ar71xx (dont do ath79 yet they say) so i don't have to use the snapshots like i do for my GL-AR750s nand.

Port forwarding works mostly like you say but i run WG through my VPN interface and not WAN because my ISP dislikes WG and bans it unless I initially boot TorWG with an openvpn client running until TorWG connects successfully.  I hope i can resolve that one day so im not having to use openvpn and WG but it works for now and like you, im hoping for luci-app-torguard.

Link to post
Share on other sites
2 hours ago, quimby said:

I meant that the first login is for GL-inet to upgrade your gl firmware.  It will reject openwrt firmware. You need to navigate to the admin site section which will allow you to login to the Openwrt part that is running behind the scenes and upload the firmware from there.  I forget exactly since i erased it but i think was for gl-inet firmware and was openwrt portion.

thanks for the info, I did not know what defaults for for torguards openwrt customization are, but if it is openwrt, then I am quite sure you can ssh to your router and upgrade it with sysupgrade, here is the info about how to use it:

	Usage: /sbin/sysupgrade [<upgrade-option>...] <image file or URL>
       /sbin/sysupgrade [-q] [-i] [-c] [-u] [-o] [-k] <backup-command> <file>
    -f <config>  restore configuration from .tar.gz (file or url)
    -i           interactive mode
    -c           attempt to preserve all changed files in /etc/
    -o           attempt to preserve all changed files in /, except those
                 from packages but including changed confs.
    -u           skip from backup files that are equal to those in /rom
    -n           do not save configuration over reflash
    -p           do not attempt to restore the partition table after flash.
    -k           include in backup a list of current installed packages at
    -T | --test
                 Verify image and config .tar.gz but do not actually flash.
    -F | --force
                 Flash image even if image checks fail, this is dangerous!
    -q           less verbose
    -v           more verbose
    -h | --help  display this help
    -b | --create-backup <file>
                 create .tar.gz of files specified in sysupgrade.conf
                 then exit. Does not flash an image. If file is '-',
                 i.e. stdout, verbosity is set to 0 (i.e. quiet).
    -r | --restore-backup <file>
                 restore a .tar.gz created with sysupgrade -b
                 then exit. Does not flash an image. If file is '-',
                 the archive is read from stdin.
    -l | --list-backup
                 list the files that would be backed up when calling
                 sysupgrade -b. Does not create a backup file.

Luci's upgrade runs sysupgrade -n when you choose not to save configs, -c would save the configs etc... (see info above).


2 hours ago, quimby said:

so i don't have to use the snapshots like i do for my GL-AR750s nand

but using snapshots is much better, even if you want web interface, you can install it,  I actually dislike factory images as they do include httpd and you can't uninstall it from rom, where if you update those packages, they will use double space as in rom they will stay in the same version. Beside that, upgrades are not that frequent on stable, snapshots are daily. Current snapshot kernel is 5.4.6x, where from latest stable it is some kernel 4.4 I think. Wireguard, as well as every other application is actually up to date on snapshot, as we speak about wireguard app, on stable, there is no generate key button, where on snapshot there is one button to generate new keypair. Snapshots, you can upgrade daily by script, and yes, even if you use webif. To install basic webif (uhttpd):

	opkg install luci

webif with ssl support (basic):

	opkg install luci luci-ssl

or webif using openssl

	opkg install luci-openssl


but if you have enough space, consider installing nginx instead:

	opkg install luci-nginx


or nginx with ssl support (openssl)

	opkg install luci-ssl-nginx


when you have installed everything and configured, every time you run sysupgrade (with -k switch), run before that


which will create file: /etc/backup/installed_packages.txt


	ath10k-firmware-qca988x-ct    rom
base-files    rom
busybox    rom
ca-bundle    rom
dropbear    rom
firewall    rom
fstools    rom
fwtool    rom
getrandom    rom
hostapd-common    rom
ip6tables    rom
iptables    rom
iw    rom
iwinfo    rom
jshn    rom
jsonfilter    rom
kernel    rom
kmod-ath    rom
kmod-ath10k-ct    rom
kmod-cfg80211    rom
kmod-gpio-button-hotplug    rom
kmod-hwmon-core    rom
kmod-ip6tables    rom
kmod-ipt-conntrack    rom
kmod-ipt-core    rom
kmod-ipt-nat    rom
kmod-ipt-offload    rom
kmod-mac80211    rom
kmod-nf-conntrack    rom
kmod-nf-conntrack6    rom
kmod-nf-flow    rom
kmod-nf-ipt    rom
kmod-nf-ipt6    rom
kmod-nf-nat    rom
kmod-nf-reject    rom
kmod-nf-reject6    rom
kmod-nls-base    rom
kmod-phy-ath79-usb    rom
kmod-usb-core    rom
kmod-usb-ehci    rom
kmod-usb-ledtrig-usbport    rom
kmod-usb2    rom
libblobmsg-json    rom
libc    rom
libgcc1    rom
libip4tc2    rom
libip6tc2    rom
libiwinfo20200105    rom
libjson-c5    rom
libjson-script    rom
libnl-tiny    rom
libpthread    rom
libubox20191228    rom
libubus20191227    rom
libuci20130104    rom
libuclient20160123    rom
libustream-wolfssl20200215    rom
libwolfssl24    rom
libxtables12    rom
logd    rom
mtd    rom
netifd    rom
openwrt-keyring    rom
opkg    rom
procd    rom
swconfig    rom
uboot-envtools    rom
ubox    rom
ubus    rom
ubusd    rom
uci    rom
uclient-fetch    rom
urandom-seed    rom
urngd    rom
usign    rom
wireless-regdb    rom
nano    overlay
libmnl0    overlay
ip-tiny    overlay
zlib    overlay
terminfo    overlay
libncurses6    overlay
librt    overlay
wireguard-tools    overlay
libopenssl1.1    overlay
openssh-sftp-server    overlay

in that file, all rom/non rom applications which you installed are listed, if you upgrade with -k switch, then all those will be installed on upgrade, meaning, you can preserve your settings and your applications (considered you do not use custom paths, if so, ensure that all packages are available).

Most people dont know how to use sysupgrade properly as tthe ynever read the guides, but once you try it out, there is actually almost no reason to switch to stable except if some functionality is not given anymore (like broken wireless drivers) or something. However, snapshots are daily compliations which lets you daily upgrade your router if you want to do so.

Here is example of a few weeks old snapshot image on archer c5:

	wg --version
wireguard-tools v1.0.20200827 - https://git.zx2c4.com/wireguard-tools/

Now check which version is your wireguard´, this would be the kernel:

	Linux archer-c5v1-bec 5.4.67 #0 Fri Sep 25 02:31:36 2020 mips GNU/Linux

	BusyBox v1.31.1 () built-in shell (ash)
	  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 OpenWrt SNAPSHOT, r14553-7dc78d1d28


As about luci-app-torguard, I built it once which included openvpn and l2tp, but it is obsolete and actually nobody requires constant switching of IP's on their router. For wireguard, probably also none has to be created as original one from torguard can be used, you only need to initialize it and for that I wrote already scripts, you can try out: https://github.com/TorGuard/openwrt-scripts#torguard-wireguard-installation


You could actually also check what config you have, like when your jttpd starts, which page is default and not redirected to luci, then you got already a link to torguards lets call it webif main file, from there on follow links and include those in your /etc/sysupgrade.conf and they will be also preserved in backup. However, before doing so, check if you really got all files which are torghuards webif. If you run opkg_backup, you will see anyway which apps are included in rom, by that you could easily compile same image as torguard including same bins.

Hope that helps some here (if not you)

Link to post
Share on other sites

@quimby can you reset your router to defaults with torguard firmware, then make full firmware backup (you can do so on luci, on same page where you can backup settings)? As actually, we could build that app from those files as I gues it does not involve any binaries, then create simply ipk package. Probably best is if torguard pushes the source and it gets integrated into openwrt official feeds, that way everybody can install simply torguard app on their openwrt routers as well as they might add button for registration so that users might be able to register directly from the app (as example if paying with crypto), etc, I guess one could have many ideas what the app additionaly could do, however, having already available one would make life easier.

Link to post
Share on other sites

@19807409 I wish i could help there but i only have the GL firmware and the openwrt firmware handy.

I didn't know about opkg_backup and instead use 'opkg list-installed > /tmp/some.txt' to manually make my install scripts. I'll try it out next time.

Nothing wrong with snapshots if i have the time to debug problems like wifi drivers or kernel versions as needed but sometimes i don't or im far away. I've a few routers running stable i don't have physical access to right now running since 2018. they dont get updates everyday but usually about once a week and hopefully will keep going until i get access to them next.  I run 'opkg update && opkg list-upgradable' to find them and opkg configure --autoremove after install to free up disk space otherwise they run out of disk space.

let me know if i can help,

Link to post
Share on other sites
4 hours ago, quimby said:

@19807409 I wish i could help there but i only have the GL firmware and the openwrt firmware handy.

yes, the GL firmware, where can I download it? If I cant, can you backup your GL one so that I can take a look?


4 hours ago, quimby said:

e 'opkg list-installed > /tmp/some.txt' to manually make my install scripts.

look up at opkg script, opkg_backup script does it, list-installed does not list you actually where they are installed as well as some other things are missing for which you need not only to take additional steps, but as you say, you run out of space. Now this could easily be also that you install actually upgrades of packages installed in rom. I do not remember when I last time did run out of space, even with a tiny 4mb on 1043nd v1.

list-upgradable and the --autoremove, you uninstall those upgrade-able and remove their unused dependencies by that, but that command however cant work properly, as your rom installed packages will show also in the list of upgrade-able and when you do upgrade those, then you waste double space for those, which explains why you run out of space, --autoremove cant free up space in your ROM and on some packages you will run into the problem that dependencies cant be uninstalled, simply meaning, your method is faulty, do not use. You would need only to list packages which you have installed, and for that something like this would work instead:


This will then show you packages which you installed (which then installed other deps), meaning that those are also not in your flash. That is what you should use instead opkg list-upgradeable && --autoremove part, that combination will leave you with broken packages and most certainly out of space.

As I said, opkg scripts are to be used, people did not write them for nothing ;).

At the end of the day, you control with sysupgrade if you keep configs, if you install packages which you have installed as well with sysupgrade config where you define any other additional file which would not be listed, my list is empty btw, as sysupgrade gets everything needed.

As everything is written, I actually dont need to explain a lot, I strongly advice you to read: https://openwrt.org/docs/guide-user/installation/generic.sysupgrade

and use opkg scripts like opkg_backup for upgrade/downgrade purposes.



Link to post
Share on other sites

Maybe way off topic, but is there a way to access dedicated IP with wireguard over DD-WRT?  I have a WRT3200ACM that I would like to use.

Link to post
Share on other sites
3 hours ago, BluePoet said:

Maybe way off topic, but is there a way to access dedicated IP with wireguard over DD-WRT?  I have a WRT3200ACM that I would like to use.

If you can install wireguard on your ddwrt (which I am quite sure you can), then you will have to create a config, for that you will have to use torguards api, you can open the address simply in a browser, here is description, and copy your data, if you use it manually, then, before you can use it, you will have to generate new key.

However, if there if it gets to hard with ddwrt, simply install openwrt and run:

wget -O /usr/bin/tginstall https://github.com/TorGuard/openwrt-scripts/raw/master/usr/bin/tginstall && chmod +x /usr/bin/tginstall && tginstall

If you use port forwarding, make sure those are open on your router. That should be it.

Link to post
Share on other sites

Where do I get the keys for my IP?  Do I change my port to WireGuard?  I assume yes.  I do run DD-WRT, but obviously am learning for the first time.  I would prefer not to go to openwrt unless I have to, as did-wrt gives me more flexibility for what I need.

Link to post
Share on other sites
2 minutes ago, BluePoet said:

Where do I get the keys for my IP?

You generate them, like I did show in the link. Example where you save private and public key is also there:

wg genkey | tee privatekey | wg pubkey > publickey

3 minutes ago, BluePoet said:

Do I change my port to WireGuard?

What do you mean by that? The setting on your torguard account? If yes, then I would assume you need to change it to WireGuard port, as otherwise wireguard might not be activated on that ip, point is, if you can switch, then you can use wireguard, there are some streaming ip's in some countries which do not have wireguard enabled for now. As you can switch, it only means your server has wireguard available.

5 minutes ago, BluePoet said:

I would prefer not to go to openwrt unless I have to, as did-wrt gives me more flexibility for what I need.

Oh no, I did not want to force you switching to openwrt. But as you mention flexibility, it is a feature of openwrt, not of dd-wrt, you are actually in no way able to actually have only packages which you do need as well as it is much more complicated if you want to compile own images as well as many other things. My personal opinion would be that it does not matter for you if you use ddwrt or openwrt as long as you achieve your goals and your hardware is giving 100%. As soon as you start with openwrt, you will probably only switch back in cases where you bought some hardware which requires licensed wifi drivers as example, openwrt is only open source. By that, my advice is actually for everybody to use openwrt unless it does not offer full support, then you might find dd-wrt image, however, openwrt compatibility is a must for me before buying any router. You might want to read this: https://openwrt.org/reasons_to_use_openwrt

Like I said, you already have ddwrt and if you can find wireguard for it and install it, then use ddwrt, if not, then better use latest snapshop from openwrt, here is the info page of your router: https://openwrt.org/toh/linksys/linksys_wrt3200acm

Current stable release (includes web interface, kernel 4): http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/openwrt-19.07.4-mvebu-cortexa9-linksys_wrt3200acm-squashfs-factory.img

Snapshot (without web interface, kernel 5): https://downloads.openwrt.org/snapshots/targets/mvebu/cortexa9/openwrt-mvebu-cortexa9-linksys_wrt3200acm-squashfs-factory.img

Meaning, that it actually takes you now just few minutes to flash openwrt and install torguard on it in case that you get troubles with ddwrt

Link to post
Share on other sites
36 minutes ago, Support said:

Guys you can now generate wireguard configs using the generator https://torguard.net/tgconf.php?action=vpn-openvpnconfig

For the time being we increased the handshake to 15 minutes, keep in mind until we fully implement a solution if there is no handshake after 15 minutes you will need to regenerate a new config.


that is a good news. I hope api access will not be disabled, as it is easier than logging in to torguard (captcha etc..).

Is there any news about when and if all servers will have wireguard enabled, do you have any info about it? I am not sure what it was previously, but I could connect hours after not using it, did it few weeks ago, since then none got offline, will have to test it.

Link to post
Share on other sites
2 hours ago, BluePoet said:

Any word on when or whether it will work for dedicated IPs?

Have you tried it at all? They work with dedicated ip's, I guess you simply do not want to believe it. Nevermind, nobody forces you to try anyway, but asking same question again and again will not change the fact that they work with dedicated ip's and that is the reply to your question which was repeated now for several times. Even if you ask how to do it, it was shown here, there are scripts doing it all for you and now even a tool from torguard is available. Probably you should send your question to the support as it seems you expect only the answer from torguard support.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...