
wireguard /router/expiration



Question

James8078

Hi,

I have WireGuard on DD-WRT and OpenWrt; I have 4 routers and work a lot on them, changing setup and configuration, firmware etc.

But with TorGuard WireGuard, every time I shut down my router and/or restart my gateway etc., I always need to open the TorGuard website, use the config generator, open a new WireGuard config and change my whole setup...

Is it possible to keep my config even if I restart my router and disconnect it?

Thanks


bdiggs

I saw you found and posted on this thread.  That seems to be the longest running information on interacting with the TG api to keep credentials active.  I did speak with support about a month ago and they said they were working on something where maybe we could get permanent or semi-permanent credentials assigned - actually that is not what was said - but more that they wanted there to be a solution instead of the current situation where they expire every 10 or 15 minutes if not in active use (and then you have to regenerate new ones like you've experienced).

I'm very interested in the idea of interacting with the api via an always on VPS or something like that where I could just keep the credentials active once requested, but I haven't looked closely enough at that other thread to extract/figure out the part of the script that does that (I'm so glad someone wrote a script - incredible work - but me personally I'd often just rather generate and put in credentials manually on openwrt, and possibly have a third party server hitting that api to keep the credentials active though it seems the script does it all).

So I guess maybe we need to figure that part from the post above out (the part of the script from the post above that activates the credentials, and run it on something always on and figure out the cron timing so it keeps things active or re-activates if needed) or wait on support for some sort of a "fix" which I'm guessing may be some sort of semi-permanent assignment.

I think it might be a good idea to let people know upfront about the expiration with WG credential generation - I struggled with that a bit until I realized they couldn't just be giving out permanent IP addresses like hotcakes, and then it occurred to me to go back and regenerate; maybe it is only a temporary activation if done with the web generator. (Apparently the TG native app interacts and generates/activates/reactivates WG credentials via the TG API, and if we could figure out that script we could do the same - support actually recommended this to me in the meantime until they can make a way for things to stay up longer for us).

bdiggs

1.  Is it simple enough that we just need to curl or wget this every 5 minutes with a cron job to keep things going? 

https://[USER]:[PASS]@[SERVER]:[PORT]/api/v1/setup?public-key=[YOURPUBLICKEY]`

 

2.  And if so, I'm curious, would this reactivate expired credentials once they were expired, or would it require another trip to the config generator for new WG credentials if there were more than 15 minutes of inactivity and things expired?

Couldn't do it from a connected router, because if it ever lost activation it wouldn't be able to get it back since the WG interface would be the default gateway, and that would in theory prevent it from reaching out via the native (non VPN) wan/internet to reactivate things.

I haven't read through a ton of the scripts yet, but just kind of a quick read over that section and glancing at some of the available scripts on GitHub. That quotation mark at the end of the line looks suspect to me at the moment... like maybe it is missing one before the start of the [YOURPUBLICKEY]' and also it is a single instead of a double, and I usually use doubles (not sure if it matters).

EDIT:  It needs to be single quotes for this use case (a generated key):  https://www.geeksforgeeks.org/difference-between-single-and-double-quotes-in-shell-script-and-linux/

19807409
On 1/2/2021 at 8:36 AM, bdiggs said:

1.  Is it simple enough that we just need to curl or wget this every 5 minutes with a cron job to keep things going? 

https://[USER]:[PASS]@[SERVER]:[PORT]/api/v1/setup?public-key=[YOURPUBLICKEY]`

 

2.  And if so, I'm curious, would this reactivate expired credentials once they were expired, or would it require another trip to the config generator for new WG credentials if there were more than 15 minutes of inactivity and things expired?

Couldn't do it from a connected router, because if it ever lost activation it wouldn't be able to get it back since the WG interface would be the default gateway, and that would in theory prevent it from reaching out via the native (non VPN) wan/internet to reactivate things.

I haven't read through a ton of the scripts yet, but just kind of a quick read over that section and glancing at some of the available scripts on GitHub. That quotation mark at the end of the line looks suspect to me at the moment... like maybe it is missing one before the start of the [YOURPUBLICKEY]' and also it is a single instead of a double, and I usually use doubles (not sure if it matters).

EDIT: It needs to be single quotes for this use case (a generated key): https://www.geeksforgeeks.org/difference-between-single-and-double-quotes-in-shell-script-and-linux/

Time expiration is disabled so far, I was told; my router still runs on my scripts from git with no issues at all. There are a few notes which you need to consider. You can use any public key with the API; it is your credentials that do not change. By that, you can recreate a config at any time from any PC; it does not need to be that device (as an example, you can run a cronjob on a server outside of your network to ensure it stays valid, or, to reply to your question, yes, invalidated key/settings would be valid again).

So, for what is keeping it valid still required? Well, I experienced the following: I use a shared IP of one country as a dedicated one. When I then connect from some other device to that country (meaning it picks up some of them), it never picks up the one which is active and connected, but if I have that IP set manually in a client and connect to it by accident, then my router would actually be without an internet connection, while the wg connection to the wg server would not break. Immediately after you reactivate the API for the router, your router would be back online and the other client would lose connectivity to the internet (not the TorGuard server). I've tested it at several points, and to ensure that the server is always active I still use my workaround for keeping it active; the case above has indeed happened to me, and the update script runs every minute.

The quotation mark is of course a typo; I will change it. There are no quotes at all; quoting opens and closes a code box on GitHub, and it appears I had a typo in it.

However, there is something else, as you already mentioned quotation: public keys need to be converted to the URL format first (however, the TG API accepted them also raw). I built URL formatting in a very dirty way in those scripts; you can use any online tool like this for converting your public key to URL format.
James8078

I tried your WireGuard script on OpenWrt, but each time, if I keep the default server (New York), there is no valid public key: too short and/or does not end with "=".

Missing information, no?

Thanks

bdiggs
8 hours ago, 19807409 said:

(as example, you can run cronjob on a server outside of your network to ensure it stays valid or to reply to your question, yes, invalidated key/settings would be valid again)

This is what I'm most interested in personally.  That is awesome.  I can't quite get my head around how they recover internal IP addresses for future use if expired ones can be reactivated at the drop of a hat (without actually generating new ones, just renewing the old ones).  Any thoughts on that?  (Just curious because it really doesn't matter)

Thanks for your help and tips!!!

8 hours ago, 19807409 said:

The quotation mark is of course a typo

I finally figured that out when looking at the example.  :) Thanks!

8 hours ago, 19807409 said:

time expiration is disabled so far I was told

Before I saw your response, I asked the same questions to support (yesterday), and was told that it is now 12 hour periods.  Whether that is being enforced or not I have no idea, although I may do some testing now that I have the format down for this cron job.  :)

8 hours ago, 19807409 said:

However, there is something else as you already mention quotation and it is that public keys need to be converted to the url format first (however, tg api accepted them also raw). I built url formatting in a very dirty way in those scripts, you can use any online tool like this for converting your public key to url format.

That makes sense but I likely would have forgotten this.  Thanks for the reminder!!

19807409
2 hours ago, bdiggs said:

This is what I'm most interested in personally.  That is awesome.  I can't quite get my head around how they recover internal IP addresses for future use if expired ones can be reactivated at the drop of a hat (without actually generating new ones, just renewing the old ones).  Any thoughts on that?  (Just curious because it really doesn't matter)

Thanks for your help and tips!!!

I finally figured that out when looking at the example.  :) Thanks!

Before I saw your response, I asked the same questions to support (yesterday), and was told that it is now 12 hour periods.  Whether that is being enforced or not I have no idea, although I may do some testing now that I have the format down for this cron job.  :)

That makes sense but I likely would have forgotten this.  Thanks for the reminder!!

You are welcome.

There are several ways of how they can/do achieve that; probably better if TorGuard explains it, not me :)

I really lacked time in past weeks to write more, but I think I put most of it on GitHub and the wiki; it would be good if those who use it commit to the git with your template scripts, guides, use cases etc...

The same thing which amazed you amazed me too, as it gives me the ability to control connections in a slightly different way, where with WireGuard we already get easily over the max allowed devices restriction; however, auto switching server based on some algorithm is quite a nice thing too.
19807409
5 hours ago, James8078 said:

I tried your WireGuard script on OpenWrt, but each time, if I keep the default server (New York), there is no valid public key: too short and/or does not end with "=".

Missing information, no?

Thanks

Maybe. I can gladly go through it with you if you want. I guess the main point for you is to simply understand what those configs mean and how it works; then you do not need the script, the script is just to save you time and typos. A few weeks ago in the according thread I said I will test it; I did, but all my devices work.

Whatever configs it creates, you can edit/change them to any other. I also wrote how you can do that on OpenWrt without the GUI.

All together, I run it on 7 OpenWrt devices (all routers, Archer C7 and 1043ND) and all of them have run since I created the guide. I restarted a few, some were upgraded to new firmware; however, all of it is stable and works without any issues for me.
James8078
7 minutes ago, 19807409 said:

Maybe. I can gladly go through it with you if you want. I guess the main point for you is to simply understand what those configs mean and how it works; then you do not need the script, the script is just to save you time and typos. A few weeks ago in the according thread I said I will test it; I did, but all my devices work.

Whatever configs it creates, you can edit/change them to any other. I also wrote how you can do that on OpenWrt without the GUI.

All together, I run it on 7 OpenWrt devices (all routers, Archer C7 and 1043ND) and all of them have run since I created the guide. I restarted a few, some were upgraded to new firmware; however, all of it is stable and works without any issues for me.

OK, because when I tried it, 3 times, I had to complete the config via GUI or scp.
19807409
7 minutes ago, James8078 said:

OK, because when I tried it, 3 times, I had to complete the config via GUI or scp.

But it means they worked then, after you completed them? I am a little confused about what is not working.

The scripts ask you for server and credentials, and you end up with the New York server only if you either do not set any or if you use very old scripts (not the latest git versions, which I have not updated now for over a month or so).

All keys etc. are not stored in the script but in the config from which the script reads.
bdiggs
On 1/6/2021 at 5:26 AM, 19807409 said:

as example, you can run cronjob on a server outside of your network to ensure it stays valid or to reply to your question, yes, invalidated key/settings would be valid again

Okay!  Been working on the cronjob thing.  I'm using this format in an Ubuntu server (just testing from the command line right now) using the values from generating a WG .conf file from the web config generator:

curl --user '[USER]:[PASS]' https://[SERVERIP]:[PORT]/api/v1/setup?public-key=[YOURPUBLICKEY] -k

The -k is because (and I am guessing) the server certificate is self-signed so the only way it will work.

I received this bit of info from support when asking them about the above:

Quote

Using webapi call over json using the format you gave should work ok, but expect to see a new local IP address to use every time, so the config will have some changes.


I don't know enough, and am wondering if maybe there is a better way to send the key and/or the user:pass part.  Here was kind of my reading for that:  https://www.baeldung.com/curl-rest

Either way I'm not sure it matters at the moment, because I tested and sure enough, every time I sent that command curl output (what came back) was information in JSON format, and sure enough the client_ipv4 changed every time, and was different than the web config generator.  It appeared to get a new IP address every single time (with a /32 mask instead of a /24 mask that the web config generator puts out interestingly enough).

I've asked if there is a way to renew the same IP address every time instead of pulling a new one each time.  I'll try and keep you posted if I get something back on it.

bdiggs
On 1/6/2021 at 4:13 PM, James8078 said:

Do you use the WireGuard script for OpenWrt?

So far I've just setup manually with the TG config generator in the customer portal, and then putting that information from the generated .conf file into LuCI (the GUI), but of course have had the problems with things expiring that the script takes care of.

Here's a walkthrough for the "GUI only" way:

Go to Network>Interfaces and add new interface (select WireGuard protocol and name it something like wg0)

Start transferring the information from the .conf file downloaded from the Config Generator tool:

General Settings: Private Key, Listen Port (appears to really be optional), IP addresses (that's the "Address" line, don't forget to click the +)

Peers:  Description (anything, maybe name of remote server), Public Key, Allowed IPs (0.0.0.0/0), and if you want it to be your default route (everything runs through this for your internet) select "Route Allowed IPs", Endpoint Host (Endpoint/server IP address), Endpoint Port (1443), Persistent Keep Alive (25)

Firewall: Create/assign new firewall zone, name it anything you'd like

Save & Apply everything

Then go to Network>Firewall and basically copy the same settings to the new zone you added that are already in place for your WAN.  So:

Input: Reject, Output: Accept, Forward: Reject

Masquerading: On

MSS Clamping: On

Allow forward from source zones:  LAN

Reboot and that should get it

19807409
24 minutes ago, bdiggs said:

Okay!  Been working on the cronjob thing.  I'm using this format in an Ubuntu server (just testing from the command line right now) using the values from generating a WG .conf file from the web config generator:

curl --user '[USER]:[PASS]' https://[SERVERIP]:[PORT]/api/v1/setup?public-key=[YOURPUBLICKEY] -k

The -k is because (and I am guessing) the server certificate is self-signed so the only way it will work.

I received this bit of info from support when asking them about the above:

I don't know enough, and am wondering if maybe there is a better way to send the key and/or the user:pass part.  Here was kind of my reading for that:  https://www.baeldung.com/curl-rest

Either way I'm not sure it matters at the moment, because I tested and sure enough, every time I sent that command curl output (what came back) was information in JSON format, and sure enough the client_ipv4 changed every time, and was different than the web config generator.  It appeared to get a new IP address every single time (with a /32 mask instead of a /24 mask that the web config generator puts out interestingly enough).

I've asked if there is a way to renew the same IP address every time instead of pulling a new one each time.  I'll try and keep you posted if I get something back on it.

Curl secure/unsecure was raised already: https://github.com/TorGuard/openwrt-scripts/issues/4

Pull request: https://github.com/TorGuard/openwrt-scripts/pull/6

Certificate is here: https://github.com/TorGuard/openwrt-scripts/blob/master/etc/torguard/cert/ca.crt

You could replace username/pass with the according hash; ask TorGuard for more info.

About your observations, some need corrections. I assume you did not fully read the WireGuard documentation, as well as that you actually did not look up what the script does, where I think I described it well. I waited for more specifications from TorGuard for further updates on how to use it etc.; besides that, I was not sure that this API stays public; good that it stayed.

A /32 mask means only that IP; /24 would mean the whole range. Using the API will deliver you ALWAYS the same IP address for that public key; this happens on the TorGuard side. Please ask TorGuard for more info about it or check the script.

By that, your question about renewing the IP address instead of getting a new one each time is answered, as with the script (API) you always get the same.

For the TorGuard online config, I did not check it, but I would assume if you use the same private key and server IP that your IPs in a config would be the same.

Hope it helps; if I understood you wrongly or something like that, please re-ask.
19807409
8 minutes ago, bdiggs said:

So far I've just setup manually with the TG config generator in the customer portal, and then putting that information from the generated .conf file into LuCI (the GUI), but of course have had the problems with things expiring that the script takes care of.

Here's a walkthrough for the "GUI only" way:

Go to Network>Interfaces and add new interface (select WireGuard protocol and name it something like wg0)

Start transferring the information from the .conf file downloaded from the Config Generator tool:

General Settings: Private Key, Listen Port (appears to really be optional), IP addresses (that's the "Address" line, don't forget to click the +)

Peers:  Description (anything, maybe name of remote server), Public Key, Allowed IPs (0.0.0.0/0), and if you want it to be your default route (everything runs through this for your internet) select "Route Allowed IPs", Endpoint Host (Endpoint/server IP address), Endpoint Port (1443), Persistent Keep Alive (25)

Firewall: Create/assign new firewall zone, name it anything you'd like

Save & Apply everything

Then go to Network>Firewall and basically copy the same settings to the new zone you added that are already in place for your WAN.  So:

Input: Reject, Output: Accept, Forward: Reject

Masquerading: On

MSS Clamping: On

Allow forward from source zones:  LAN

Reboot and that should get it

You forgot: install the LuCI app, opkg install luci-app-wireguard

And then I would start with:

1. create my private key

2. create wireguard config

3. configure wg interface

4. configure firewall

reboot

The point about masquerading also needs to be explained; not everybody wants it. But all in all, yes, the way you described is easy: simply create a config and paste those settings into the interface.

There is also confusion for many users about 0.0.0.0/0; in many cases it is better to set it exactly to which are allowed (should be routed), especially if one connects many devices. In my case only the gateway has 0.0.0.0/0.

bdiggs

Thanks for the corrections/additions to my GUI process.  For sure. 

4 hours ago, 19807409 said:

There is also confusion for many users about 0.0.0.0/0, in many cases it is better to set it exactly to which are allowed (should be routed), especially if one connects many devices, in my case only the gateway has 0.0.0.0/0

Agree with this and the questions.  I use vpn-policy-routing and luci-app-vpn-policy-routing with each gateway set to 0.0.0.0/0 (but I just don't select "Route allowed IPs" in the WG interface setup which keeps each WG from being my default route).  Is there a better way to do this?  Am I confused or would this not be the IP address of each resource you are trying to access on the internet?  (since it's not a private VPN setup here, but rather to use TG as a gateway to the internet) - maybe I'm looking at this incorrectly.

4 hours ago, 19807409 said:

About your observations, some need corrections.

Thank you.  I'm trying to read more.  I'm more of a network guy but suffer quite a bit in the programming department - thank you for all of your help.  Your links have already helped me make more sense of a lot of things.  Those certificate links are gold, along with the idea of the hash.  I've noticed depending on the hour and the rep sometimes I get really technical answers from support, and sometimes the generic ones.  Usually though if I keep asking, someone will take it and give a deep answer.  I'm doing that now.

 

4 hours ago, 19807409 said:

32 mask means that only IP, 24 would mean whole range. Using the API will deliver you ALWAYS the same ip address for that public key, this happens on torguard side. Ask please TorGuard for more info about it or check the script.

Thank you.  I'm asking TG now and also will be trying to dig into the script some more until I understand how what it is calling is different than what I did.  Thanks again, your work is incredible.  Much appreciated.  :)  I'll give a shout back if I get too incredibly stumped.

bdiggs

So...I tried again hoping that I was pulling a /24 range with different /32 (single) IP addresses represented within it.  But they appear to be different ranges every time when using the API and the public key from the WG config generator (these were in the json response, back to back runs of things with that curl command):

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.8.185/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.42.209/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.20.125/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.75.9/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.48.97/32"

The original IP from the generator here is 10.13.20.137/24 and the server IP address used was/is 107.181.189.34.

Maybe I'm tripping over some variables and defined functions... but would it be possible to share a curl or wget example?  I did clone the git to a test server but couldn't ever figure out the exact format you are using to renew with something like your tgapi or tgapitest.
19807409
4 hours ago, bdiggs said:

So...I tried again hoping that I was pulling a /24 range with different /32 (single) IP addresses represented within it.  But they appear to be different ranges every time when using the API and the public key from the WG config generator (these were in the json response, back to back runs of things with that curl command):

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.8.185/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.42.209/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.20.125/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.75.9/32"

"server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.48.97/32"

The original IP from the generator here is 10.13.20.137/24 and the server IP address used was/is 107.181.189.34.

Maybe I'm tripping over some variables and defined functions... but would it be possible to share a curl or wget example?  I did clone the git to a test server but couldn't ever figure out the exact format you are using to renew with something like your tgapi or tgapitest.

I am not sure where and how you get those results; you maybe get them from the config tool, but not with the API, as with the API every request with a specific public key gets the same IP address. Here is an example (I will use fake public keys and XXXX for the private key so that I can post a real config), taking the Singapore URL:

1. Get the IP:

nslookup sg2.secureconnect.me

result:

...

Address: 185.200.117.142

...

3. Create a new private key if you did not do it before (remember, you need just one):

wg genkey
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
echo 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=' | wg pubkey

gives you your public key, let's say this:

UFZ5FySfvbitw66T3ygUFSj1xUfEzr/nTFzUFN+Cywk=

URL encoded:

UFZ5FySfvbitw66T3ygUFSj1xUfEzr%2fnTFzUFN%2bCywk%3d

4. Open the URL in your browser:

https://Username:Password@[SERVER]:1443/api/v1/setup?public-key=UFZ5FySfvbitw66T3ygUFSj1xUfEzr%2fnTFzUFN%2bCywk%3d

With my credentials (for another key which I did not post here above; replace the URL with ), the result for that specific key was the following:

{"server_public_key":"UGCJacsCQxzERxJN6nqchoNHuAMU37gdA3GHapZb5w0=","server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.83.101/32","routes":"0.0.0.0/0","dns":["10.9.0.1","10.8.0.1"],"vpn_server_address":"185.200.117.142","vpn_server_port":1443}

That is it; from now on you have to open that URL (or curl it) and you should always get the same addresses. The JSON reply is quite clear: Allowed IP is 10.13.83.101/32 (which is the IP to set in your client's wg config), DNS servers are 10.9.0.1 and 10.8.0.1, server public key is TorGuard's public key.

Otherwise updating it would not work, as it would deliver you another config each time. In case, for example, you disabled your connection by some mistake or so, your device would be offline and by that could not update tgapi; for such cases it is not bad to have the URL saved somewhere (phone/PC etc.) so that you can reactivate it remotely. If you imagine that 20 devices, as an example, use 8 connections, some must be disabled/offline, some not; however, that goes now probably deeper than you asked.

As for what happens weeks later if the device was not connected: during my tests, TorGuard did not mention how often and if at all they clear (as the amount of available internal IPs is quite big).

Another question would be, why would you hope to get a /24 range? You would like to set up that whole range then as what, your home VPN? And here comes the major problem in understanding WireGuard, as most are used to non peer-based VPNs. So, you want to have your own range for your own VPN, fine; simply adding it to your interface is enough:

Address = 10.13.83.101/32,178.1.2.3/24

instead of just

Address = 10.13.83.101/32

So, what does change then for your TorGuard peer? Nothing:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.83.101/32,178.1.2.3/24
SaveConfig = false
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

# torguard connection
[Peer]
PublicKey = UGCJacsCQxzERxJN6nqchoNHuAMU37gdA3GHapZb5w0=
AllowedIPs = 0.0.0.0/0
Endpoint = 185.200.117.142:1443
PersistentKeepalive = 25

For your local devices etc., you can add something like this (or ranges, whatever):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.83.101/32,178.1.2.3/24
SaveConfig = false
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

# torguard connection
[Peer]
PublicKey = UGCJacsCQxzERxJN6nqchoNHuAMU37gdA3GHapZb5w0=
AllowedIPs = 0.0.0.0/0

# another pc on local network using wireguard (can be also second wireguard interface on same device)
[Peer]
PublicKey = J5LVuNZUZBNxEv18p7wnzlONq69bxiajCFFwEbaBsQw=
PresharedKey = 1NmRN8nvvYCXYtA7FTftAQW3dYbZleHJL6DrUz15xMQ=
AllowedIPs = 178.1.2.100/32
Endpoint = 192.168.0.123:12345
PersistentKeepalive = 25

Your LAN device on 0.123 then has something like this:

[Interface]
...
Address = 178.1.2.100/32

# assuming, 192.168.0.222 is local ip of device which is connected to torguard
# torguard
[Peer]
PublicKey = UFZ5FySfvbitw66T3ygUFSj1xUfEzr/nTFzUFN+Cywk=
PresharedKey = 1NmRN8nvvYCXYtA7FTftAQW3dYbZleHJL6DrUz15xMQ=
AllowedIPs = 0.0.0.0/0
# port is the gateway's own ListenPort (51820 in its [Interface] above), not TorGuard's 1443
Endpoint = 192.168.0.222:51820
PersistentKeepalive = 25

where 0.0.0.0/0 for that device would mean that it uses TorGuard's peer (TorGuard's VPN).

I explained it properly here; it seems not many are interested in it or did not actually understand what it is about (for sure, my strange English skills might also be a reason :) ).

The same way you could also use IPv6 if you really run out of internal addresses, which I doubt; however, your internal (local) WireGuard can of course use IPv6, but I will neither dip into it nor explain how to use IPv6.

About tgapi and the scripts, I wrote all descriptions on GitHub and the wiki about it; those are auto-created from the TorGuard config. I create a service instead, which is also better if one uses LuCI, as then you can enable/disable the service in the GUI too; crontab users still need to change the code.

The tgapi service runs in a loop (never ending) where you can specify in the config (or by directly editing the service file) how long it should wait before running next.

Hope it helped.
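Putting bdiggs's cron-job renewal (the curl call with -k) and 19807409's walkthrough above together, here is an added example that is neither the TorGuard openwrt-scripts nor code anyone posted in this thread: a POSIX shell script that checks a WireGuard public key for the "too short / does not end with =" problem, URL-encodes it the way shown above, calls the setup endpoint with the repository CA certificate instead of disabling verification, and turns the JSON reply into a wg config. It assumes the reply has exactly the shape quoted above and that the CA file from the repo has been copied to /etc/torguard/cert/ca.crt (an assumed path); the cron line and script path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example for this thread (not the TorGuard openwrt-scripts and not
# code posted by anyone here): renew a WireGuard peer through the
# /api/v1/setup endpoint discussed above and turn the JSON reply into a
# wg-quick style config. Assumptions: the reply has exactly the shape
# 19807409 posted, and the repo CA certificate was copied to CA_FILE.
CA_FILE=${CA_FILE:-/etc/torguard/cert/ca.crt}   # assumed install path

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus one
# "=" (the "too short / does not end with =" symptom from the thread).
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Percent-encode the only three base64 characters that are not URL-safe.
urlencode_key() {
    printf '%s' "$1" | sed -e 's#/#%2f#g' -e 's#+#%2b#g' -e 's#=#%3d#g'
}

# Build the setup URL. Credentials are deliberately NOT embedded in the URL;
# they go through curl --user so they stay out of logs and `ps` output.
setup_url() {
    # $1 server IP or host, $2 port, $3 raw public key
    printf 'https://%s:%s/api/v1/setup?public-key=%s' "$1" "$2" "$(urlencode_key "$3")"
}

# Pull a string field out of the flat one-line JSON reply (no jq on a stock
# OpenWrt image, and sed is enough for this object).
json_field() {
    # $1 json, $2 field name
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Same for a numeric field.
json_number() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# The "dns" field is an array; flatten it to the comma list wg-quick expects.
json_dns() {
    printf '%s' "$1" | sed -n 's/.*"dns":\[\([^]]*\)].*/\1/p' | tr -d '"'
}

# Render [Interface]/[Peer] from the reply. Returns 1 and writes nothing on
# an incomplete reply (e.g. an HTML error page), so a cron job never
# overwrites a working config with garbage.
render_config() {
    # $1 json reply, $2 your private key
    _key=$(json_field "$1" server_public_key)
    _addr=$(json_field "$1" client_ipv4)
    _routes=$(json_field "$1" routes)
    _host=$(json_field "$1" vpn_server_address)
    _port=$(json_number "$1" vpn_server_port)
    _dns=$(json_dns "$1")
    for _v in "$_key" "$_addr" "$_routes" "$_host" "$_port"; do
        [ -n "$_v" ] || { echo "render_config: incomplete API reply" >&2; return 1; }
    done
    valid_key "$_key" || { echo "render_config: bad server public key" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' "$2" "$_addr" "$_dns"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\nPersistentKeepalive = 25\n' \
        "$_key" "$_routes" "$_host" "$_port"
}

# The renewal call itself. --cacert pins the TorGuard CA from the repo instead
# of disabling verification with -k; --fail turns an HTTP error into exit 1.
# Not exercised by the self-test below (needs network and real credentials).
renew_peer() {
    # $1 user, $2 pass, $3 server, $4 port, $5 public key
    valid_key "$5" || { echo "renew_peer: not a WireGuard public key" >&2; return 1; }
    curl -sS --fail --cacert "$CA_FILE" --user "$1:$2" "$(setup_url "$3" "$4" "$5")"
}
# Cron line for an always-on host (hypothetical script path), every 5 minutes:
#   */5 * * * * /root/tg-renew.sh >/dev/null 2>&1

# Self-test input: the reply 19807409 posted above, copied from the thread
# (the private key below is a dummy), so the parsing can be checked offline.
SAMPLE_REPLY='{"server_public_key":"UGCJacsCQxzERxJN6nqchoNHuAMU37gdA3GHapZb5w0=","server_ipv4":"10.13.0.1/16","client_ipv4":"10.13.83.101/32","routes":"0.0.0.0/0","dns":["10.9.0.1","10.8.0.1"],"vpn_server_address":"185.200.117.142","vpn_server_port":1443}'
render_config "$SAMPLE_REPLY" 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
```

Run as-is it prints the config rendered from the sample reply; for a real renewal, call renew_peer with your credentials and pipe its output into render_config.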

James8078

Interesting; here on the forum, is it possible to send a private message? I see your username but it seems that we can't send a message? @19807409

Thanks
19807409
2 minutes ago, James8078 said:

Interesting; here on the forum, is it possible to send a private message? I see your username but it seems that we can't send a message? @19807409

Thanks

well, of course you can :), even publicly, but @Support might get mad about it, even just by my suggestion, hehe :), encrypt your reply for my gpg public key as it is then only me who can decrypt it ;), so far, no need for private messages. Otherwise, discussions and questions are always welcome on github, I really lack of free time thats why I periodicaly check the repo (but not daily), you can find my public key on any keyserver. Where of course, if I created github for this community nothing could stop me creating something like discord, slack etc.., however, I guess it is better if torguard officially opens such channels.

bdiggs
2 hours ago, 19807409 said:

That is it; from now on you have to open that URL (or curl it) and you should always get the same addresses. The JSON reply is quite clear: Allowed IP is 10.13.83.101/32 (which is the IP to set in your client's wg config), DNS servers are 10.9.0.1 and 10.8.0.1, server public key is TorGuard's public key.

Otherwise updating it would not work, as it would deliver you a different config each time.

So strange - I'm doing exactly the same thing but getting different results.  A new IP range every time I click refresh, or I send the curl command again.  The only thing I'm doing differently is I copied my public key from the TorGuard web config generator tool - one of the .conf files that it output.

2 hours ago, 19807409 said:

In such cases it is not bad to have the URL saved somewhere (phone/PC etc.) so that you can reactivate it remotely. If you imagine that 20 devices, as an example, use 8 connections, some must be disabled/offline, some not; however, that goes now probably deeper than you asked.

Yes, but wonderful!  I remember reading a little about this on your first posts and that had me really intrigued.  :)

2 hours ago, 19807409 said:

Another question would be, why would you hope to get a /24 range? You would like to set up that whole range then as what, your home VPN? And here comes the major problem in understanding WireGuard, as most are used to non-peer-based VPNs. So, you want to have your own range for your own VPN, fine, simply adding it to your interface is enough:

This is REALLY interesting and something I hadn't thought of yet.

2 hours ago, 19807409 said:

Hope it helped.

It sure did.  Thank you.  I'm working with TG support now on why I'm getting a new IP address every time...I'll update here if we can reach any conclusions.

Also I don't meet many people who have the networking skills AND programming skills you do.  That is amazing!!!  I have no idea how you have the time to do that and volunteer here, but thank you so much for your service and help.

19807409

@James8078 I guess you created the issues on GitHub which are now resolved; indeed, there is a bug in the urlencode function, I simply disabled urlencode. I just tested the script on a 1043nd v2 with the latest snapshot: https://downloads.openwrt.org/snapshots/targets/ath79/generic/

Simply running it and following the instructions (you need to create a private key before/when you run it, with wg genkey):

wget -O /usr/bin/tgsetup https://raw.githubusercontent.com/TorGuard/openwrt-scripts/master/usr/bin/tgsetup && chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup

got it installed; I used the TG server 37.120.155.34

result:

curl ifconfig.me
37.120.155.34


and you see the handshake:

interface: wg0
  public key: OOVP/9DhcvFnngamXDTMCWvS8vZG9Izh3SELktiUfGY=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xfe

peer: nLTA5+IwlmDCDk1/MOrcJQGhD/sOE2fUleXphLhZUQY=
  endpoint: 37.120.155.34:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 2 seconds ago
  transfer: 1.05 MiB received, 70.03 KiB sent
  persistent keepalive: every 25 seconds


fixed in this PR: https://github.com/TorGuard/openwrt-scripts/pull/9

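Tying together the tgapi loop described earlier in the thread (a never-ending service with a configurable wait) and the handshake check shown in the wg output above, here is an added example of a small OpenWrt watchdog. It is not the tgapi/tgsetup code from the TorGuard/openwrt-scripts repository. It assumes (these are assumptions, not from the thread) that the saved activation URL and the loop interval live in /etc/tgwatch.conf as TG_URL=... and TG_INTERVAL=..., and it reads the handshake age with `wg show <iface> latest-handshakes`, a real wg subcommand that prints one "<peer-pubkey><TAB><unix-epoch>" line per peer (epoch 0 when a peer never completed a handshake). Only when the newest handshake is older than the threshold does it request the activation URL again, so the API is not hit on every pass.

```sh
#!/bin/sh
# tgwatch: added example, not the tgapi/tgsetup scripts from TorGuard/openwrt-scripts.
# Assumed config file (not from the thread): /etc/tgwatch.conf with
#   TG_URL=https://...      (the per-key activation URL saved from the browser/curl)
#   TG_INTERVAL=300         (seconds between passes)
TG_CONF="${TG_CONF:-/etc/tgwatch.conf}"
TG_IFACE="${TG_IFACE:-wg0}"
TG_STALE_SECS="${TG_STALE_SECS:-180}"   # about seven missed 25 s keepalives plus slack
TG_FETCH="${TG_FETCH:-curl -fsS --max-time 15}"   # overridable so the logic can be tested offline

# Read KEY=value from the config file; print the default when the key is absent.
tg_conf_get() {  # $1=key $2=default [$3=file]
    _f="${3:-$TG_CONF}"
    _v=""
    if [ -r "$_f" ]; then
        _v=$(sed -n "s/^$1=//p" "$_f" | tail -n 1)
    fi
    printf '%s\n' "${_v:-$2}"
}

# Age in seconds of the newest handshake in `wg show <iface> latest-handshakes`
# output ($1), relative to the epoch time in $2. Prints -1 if no peer ever shook hands.
tg_handshake_age() {
    _newest=0
    for _ts in $(printf '%s\n' "$1" | awk '{ print $2 }'); do
        [ "$_ts" -gt "$_newest" ] && _newest="$_ts"
    done
    if [ "$_newest" -eq 0 ]; then
        echo -1
    else
        echo $(( $2 - _newest ))
    fi
}

# True (exit 0) when the tunnel is considered up: a handshake exists and is recent.
tg_tunnel_healthy() {  # $1=age in seconds $2=threshold in seconds
    [ "$1" -ge 0 ] && [ "$1" -le "$2" ]
}

# Decide what one watchdog pass should do: prints "ok" or "reactivate".
tg_decide() {  # $1=handshake output $2=now (epoch) $3=threshold
    if tg_tunnel_healthy "$(tg_handshake_age "$1" "$2")" "$3"; then
        echo ok
    else
        echo reactivate
    fi
}

# Request the activation URL; the response body is not needed, only success.
tg_activate() {  # $1=url
    $TG_FETCH "$1" >/dev/null 2>&1
}

# The service loop: $1 = number of passes, 0 = run forever (as a procd service).
tg_watchdog() {
    _url=$(tg_conf_get TG_URL "")
    _interval=$(tg_conf_get TG_INTERVAL 300)
    [ -n "$_url" ] || { echo "TG_URL not set in $TG_CONF" >&2; return 2; }
    _n=0
    while :; do
        _hs=$(wg show "$TG_IFACE" latest-handshakes 2>/dev/null)
        case "$(tg_decide "$_hs" "$(date +%s)" "$TG_STALE_SECS")" in
            ok) logger -t tgwatch "$TG_IFACE handshake fresh" ;;
            *)  logger -t tgwatch "$TG_IFACE handshake stale, requesting config reactivation"
                tg_activate "$_url" || logger -t tgwatch "activation request failed" ;;
        esac
        _n=$((_n + 1))
        if [ "$1" -gt 0 ] && [ "$_n" -ge "$1" ]; then break; fi
        sleep "$_interval"
    done
}

case "${1:-}" in
    run)  tg_watchdog 0 ;;   # from an init script: tgwatch run
    once) tg_watchdog 1 ;;   # from cron: tgwatch once
esac
```

Keep the config file root-only readable, since the activation URL is effectively a credential; in the interval, stay well below the 10 to 15 minute expiry mentioned earlier in the thread. Run it with `tgwatch run` under procd for the LuCI enable/disable behaviour the post describes, or `tgwatch once` from cron.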
19807409
25 minutes ago, bdiggs said:

So strange - I'm doing exactly the same thing but getting different results.  A new IP range every time I click refresh, or I send the curl command again.  The only thing I'm doing differently is I copied my public key from the TorGuard web config generator tool - one of the .conf files that it output.

Why don't you just create a new fresh key with wg genkey and then run curl (or open it in your browser)? That's exactly how I do it; I am not using TorGuard's config tool but my scripts, and when I used the TorGuard tool, then I used the private key and the result was the same.

What happens if you run tginstall (fresh now, with urlencode disabled)?

27 minutes ago, bdiggs said:

This is REALLY interesting and something I hadn't thought of yet.

Yes, especially as you easily connect and have an encrypted connection. Remember, you could also create a wg1 which has all your peers, where they would always be connected to your local peers (or remote); that way you could have an independent gateway and your own VPN like many try to do, but that is hassle for nothing, as most are not aware that they can use one interface for quite fancy and sophisticated setups, and all of that without extremely complicated firewall configurations; as said previously, a peer-based VPN :). Of course for some it might have disadvantages, but in general, when one explores it more, then one understands why everybody says that this is the easiest VPN to set up, especially if you think of more devices than those you can count on your fingers. Like I said, I connected all my networks with WireGuard; each device has its own interface and WireGuard connection, and all communication is always encrypted (regardless of whether I am on the home network, in the VPN, on LTE, ...). And all of that works stably. Best of all, you can use cheap SoC boards easily making 500 Mbit/s with WireGuard (RPi 4, Rock Pi 4, ...); by that, an expensive router is not required if one can set it up; my Rock Pis all run over PoE and very stably.

35 minutes ago, bdiggs said:

Also I don't meet many people who have the networking skills AND programming skills you do.  That is amazing!!!  I have no idea how you have the time to do that and volunteer here, but thank you so much for your service and help.

I am a dev in my real job, mostly C++; however, my job is very cryptic :). I jumped in to help as many people got a TorGuard subscription due to my recommendation to use it with our products, and they asked me about the WireGuard setup etc., and some started crying about some bad software, bad support etc., which is nonsense of course; TorGuard's services are outstanding and the support even better ;). It was easier and quicker for me to write those scripts and share them with them than to explain to each and every one how to set it up (same reasons for the Rock Pi guide instead of, as an example, the RPi 4, as it was a recommendation). You might ask why it was required at all: because the TorGuard VPN was a recommendation by me for using the services of products which I developed/worked on; by that, I somehow had to spend some time updating guides anyway, so why bother if I can update it here and share it with the community and TorGuard staff, if it can be helpful.

Thanks for kind words.

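The post above argues for one WireGuard interface that carries the TorGuard peer as default route plus your own peers for specific prefixes, rather than a second interface and firewall rules. The following added example (not the thread's tgsetup/tgapi code) renders such a wg-quick style config in POSIX sh and refuses two mistakes a practitioner would want caught: a local peer claiming 0.0.0.0/0 or ::/0 (WireGuard assigns each allowed prefix to exactly one peer, so a later peer would silently take the default route away from the TorGuard peer) and the same prefix listed for two local peers. The peer spec format "pubkey|prefix[,prefix...]|endpoint-or-empty" and all key values are constructed placeholders; the 10.13.83.101/32 address, the DNS servers and the 37.120.155.34:1443 endpoint are the ones quoted in this thread.

```sh
#!/bin/sh
# Added example, not from TorGuard/openwrt-scripts. Renders one wg-quick config
# with the TorGuard peer (default route) plus the user's own peers.
# Local peer spec (constructed format): "pubkey|prefix[,prefix...]|endpoint-or-empty",
# one spec per line.

# Reject prefixes that would steal the default route or collide between local peers.
tg_check_peer_prefixes() {  # $1 = newline-separated peer specs
    printf '%s\n' "$1" | {
        _seen=" "
        while IFS='|' read -r _pk _prefixes _ep; do
            [ -n "$_pk" ] || continue
            for _p in $(printf '%s\n' "$_prefixes" | tr ',' ' '); do
                case "$_p" in
                    0.0.0.0/0|::/0)
                        echo "refusing $_p for peer $_pk: it would take the default route from the TorGuard peer" >&2
                        exit 1 ;;
                esac
                case "$_seen" in
                    *" $_p "*) echo "prefix $_p is assigned to more than one peer" >&2; exit 1 ;;
                esac
                _seen="$_seen$_p "
            done
        done
        exit 0
    }
}

# Print the config to stdout. Returns non-zero (and prints nothing) on a bad peer list.
tg_render_conf() {  # $1=privkey $2=address $3=dns $4=tg_pubkey $5=tg_endpoint $6=local peer specs
    tg_check_peer_prefixes "$6" || return 1
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n' "$1" "$2" "$3"
    printf '\n# TorGuard peer: owns the default route\n'
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' "$4" "$5"
    printf '%s\n' "$6" | while IFS='|' read -r _pk _prefixes _ep; do
        [ -n "$_pk" ] || continue
        printf '\n# own peer: only its prefixes are routed to it\n'
        printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$_pk" "$_prefixes"
        if [ -n "$_ep" ]; then
            printf 'Endpoint = %s\n' "$_ep"
        fi
    done
}

# Write the rendered config (from stdin) owner-readable only, since it holds the private key.
tg_write_conf() {  # $1 = path, e.g. /etc/wireguard/wg0.conf
    ( umask 077; cat > "$1" )
}

# Usage sketch with constructed placeholder keys (replace with `wg genkey` / `wg pubkey` output):
#   peers="$(printf 'LOCALPEER1PUBKEY=|10.100.0.2/32|\nLOCALPEER2PUBKEY=|10.100.0.3/32,192.168.50.0/24|203.0.113.5:51820')"
#   tg_render_conf MYPRIVKEY= 10.13.83.101/32 '10.9.0.1, 10.8.0.1' TGPUBKEY= 37.120.155.34:1443 "$peers" | tg_write_conf /etc/wireguard/wg0.conf
```

With this layout the kernel's cryptokey routing does the splitting: packets for 10.100.0.3/32 or 192.168.50.0/24 go to the own peer, everything else to TorGuard, and no policy-routing or firewall marks are needed for the split itself.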
James8078
14 minutes ago, 19807409 said:

@James8078 I guess you created issues on github which are now resolved, indeed, there is a bug in urlencode function, I simply disabled urlencode. I just tested the script on 1043nd v2 with latest snapshot: https://downloads.openwrt.org/snapshots/targets/ath79/generic/

 

It was not me, but thank you. By the way, on GitHub I saw a script about TorGuard and OpenWrt from years ago, a LuCI app for TorGuard on OpenWrt; I don't know if it is still working or if it was from you?
