TorGuard

All Activity

  1. Yesterday
  2. Last week
  3. Honeybadger85

    trouble with openvpn on raspberry pi

    I'm having the exact same issue, I feel I'm doing something wrong. Any chance you could share your solution, please?
  4. [SOLVED] I e-mailed support and after doing this + restarting my PC/internet afterwards it works again:

    1) Uninstall all TAP drivers, go to >> Control Panel >> System and Security >> System >> Device Manager.
    2) Scroll down to Network Adapters, right click the TAP drivers and uninstall them, deleting the driver too when asked, then uninstall TorGuard app from program and features section.
    3) (Important step) Delete the following folders >> C:\Users\user\AppData\Local\VPNetworkLLC renaming "user" to your OS account name and C:/program files (x86)/VPNetworkLLC
    4) Download any registry cleaner like ccleaner and run multiple registry cleans deleting all found till no more issues are reported (backup registry when it offers to do so).
    5) Restart windows, and then Re-download and install the latest build http://updates.torguard.biz/Software/Windows/torguard-setup-latest.exe
  5. Since today I cannot connect on OpenVPN or OpenConnect to any server. When I connect on OpenVPN it keeps refreshing and trying to reconnect. When I connect on OpenConnect it gives me the error message "Failed to open HTTPS connection to..." Both UDP/TCP and cleaning/refreshing the DNS don't work either. I have tried all of the options on this website: https://torguard.net/knowledgebase.php?action=displayarticle&id=223 I've also tried a fix that was posted on this topic that required a clean install https://forums.torguard.net/index.php?/topic/1353-could-not-connect-to-the-vpn-management-socket/ Nothing seems to fix my issues.
  6. JessiTom

    Torguard is the only "God" Tier VPN?

    I'm pretty sure it's fine with their USA servers but I don't think so for the rest of their servers. I used to experience slow speed to Australian servers and now it's Vietnam servers. Literally slow to a crawl, cannot even load pictures from HK servers...
  7. Hi, I used to have port forwarding working. It recently stopped working. I redid the port management side of things and received an email saying my port forwarding was ready and that I should select the "Port Forward IP profile" in the VPN client. No such profile appears. I am running version 3.95.0. I then came across this post: https://forums.torguard.net/index.php?/topic/1553-port-forward-doubt/&do=findComment&comment=6980 I followed the instructions, but port forwarding still doesn't work. Cheers
  8. Dear JukeR, Hello and please excuse the long awaited reply - but here is a link to your answer : https://forum.openwrt.org/t/utmost-security-for-those-who-deploy-stubby-getdns/35648 These DNS Privacy Test Servers all support the TLSv1.3 protocol - I have updated the configuration to satisfy those requirements. You can test all of these SERVERS on this web page : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 Peace - directnupe
  9. So I got TorGuard today. I am from Germany so I chose Germany as my server because that is closest to me. These are the settings:

    - Tunnel Type: OpenVPN
    - Protocol: UDP
    - Port / Auth: 1912 (SHA256)
    - Cipher: AES-128-CBC

    I am on Windows 10 and I use qBittorrent. In qBittorrent as a port for incoming connection I have put 1912 and I checked on "canyouseeme.org" if that port is open, and it is. When I'm torrenting with TorGuard on, my download speed gets up to 1.5 mb/s at most. When I disconnect from TorGuard, then my download speed reaches the maximum limit (8 mb/s). I downloaded same torrent files when doing this comparison. I don't know that my download speed should suffer this much. Something isn't right. Can anyone help me please?
  10. Earlier
  11. tygadrip

    GL inet open VPN

    I recently started having problems with GL inet open VPN. I downloaded the openVPN file from torguard website and I changed the DNS to 8.8.8.8 8.8.4.4 But it is still showing an orange light, it doesn't seem to be connecting. Is anyone having this problem as well??
  12. chrisTechnicus

    Could not connect to the VPN management socket

    I get the same error message on Linux Manjaro. Especially the "stealth mode" is one of the main reasons why I chose Torguard over the others. 😑 Deinstalled (via "sudo pacman -Rs torguard") and installed it again (from the AUR via "trizen -Ss torguard") but still not working. Did I do something wrong? Should I install it from the source you post? Isn't the one maintained by "coco" in the AUR (https://aur.archlinux.org/packages/torguard/) directly from you? Before that I used Linux Mint and it worked without this error. I'd be very happy for support in removing this error.
  13. Support

    does torguard work in china?

    Hello, IP's are blocked regularly - sometimes that can be the case, you can check if IP's are blocked using the following tool: http://ping.pe If the IP pings from inside China it is not blocked, if it 100% fails it is blocked. Sometimes it can just be the protocol, try using Any connect. Regards
  14. Support

    3.95 connected but no ip change

    Hello, The software works no different in this version from last, if the IP check torrent isn't showing any IP it may be to do with the external server it checks the IP with or maybe you need to force a recheck on the tracker. Regards
  15. Support

    Ticket #333536 (Manager help me please)

    Glad to hear
  16. Regarding: "the third line add the appropriate iptables rules that will route all traffic through your VPN tunnel" How do I find the appropriate iptables rules? Thanks!
  17. scuzzo500

    3.95 connected but no ip change

    Anyone have any ideas?
  18. Will Newcomb

    does torguard work in china?

    Just signed up to try it out here in China. Doesn't work. Won't connect to any server. I've tried several other VPNs over the last 5 years and never have had a failure like this. Waiting for a support request (hope I don't die before the answer is sent)!
  19. From the VPN specifications page (https://torguard.net/tgspec.php) it appears that the setup for all Open VPN port connections is as follows:

    - TLS Handshake : RSA (2048 bit)
    - Session Key : DHE (plain Diffie-Hellman)

    Are there plans to implement EC (elliptic curve) algorithms for these two steps?

    - ECDHE for session keys
    - ECDSA for the handshake/certificates

    Also any plans for TLS 1.3 rollout? If these are available from the command line openvpn configs please let me know. If they are will they be added to the desktop clients? Thanks
  20. scuzzo500

    3.95 connected but no ip change

    Checknyip.torrentPrivacy.com is no longer reporting my torrent IP as the IP listed on the 3.95 client. The previous client worked fine and rarely gave any issues. I've tried uninstalling and reinstalling but there was no change. I'm using Windows 10 and a nighthawk 7000 with ddwrt.
  21. How to Maintain Online Optimal Security - DNS OVER TLS Servers' SPKI pin(s) Maintenance and UpKeep

    The listed configuration file found below at the end of this tutorial is for OpenWRT; however these methods apply to any Distribution where you chose to use STUBBY ( FREEBSD OPNSENSE LINUX DERIVATIVES and so on ). See VERY IMPORTANT UPDATE: at end of this post for best DNS Privacy Test Servers configuration for STUBBY.

    ForeThought: If you have figured out how to keep your DNS OVER TLS servers' SPKI pin(s) up to date and secure then skip to the last section where there is an excellent website : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 for running an in depth SSL Security Test for all the servers you chose to deploy on your network.

    My Dear Community,

    There has been some understandable consternation and occasional grumblings concerning the hassles and difficulties inherent in having to update and authenticate SPKI pin(s) when running DNS OVER TLS ( DNS Privacy Test Servers ). Towards making this process somewhat more manageable and easier, I will share with you here some of the methods I employ towards achieving this goal.

    First - I have found there are times where listed DNS Privacy Test Servers change their server IP's and / or hostnames from the ones listed ( found here: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) on the official page for this project. A few are horribly outdated. In order to avoid falling into this pitfall, I suggest that you do the following periodically.

    A - Enter this command from SSH ( for example ):

        dig +short dot-jp.blahdns.com

    This will return the current IP address of the server. In this case 108.61.201.119 - For instance I use a DNS OVER TLS server not mentioned on the DNS Privacy Test Server page - doh.defaultroutes.de - by running dig +short doh.defaultroutes.de - I confirmed the server address as 5.45.107.88.
    By the way the maintainer of this server mistakenly posted the SPKI pin for his server as the main Let's Encrypt Certificate - not the first one in the hierarchy. See below after I ran the command:

        kdig -d @5.45.107.88 +tls-ca +tls-host=doh.defaultroutes.de example.com

    The printout read:

        ;; DEBUG: #1, CN=doh.defaultroutes.de
        ;; DEBUG: SHA-256 PIN: zYnx/ptyLlxHp9RQ5cHXbe2HJLXyZUT3A/lbyhd0B/M=
        ;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
        ;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
        ;; DEBUG: TLS, skipping certificate PIN check
        ;; DEBUG: TLS, The certificate is trusted.

    You see the first certificate is the correct one. While # 2 belongs to Let's Encrypt ( YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= ) and is on all the certificates they issue and is valid for the next 697 days - you do the math. He in error listed the wrong PIN.

    You may also issue the host command:

        host dot-jp.blahdns.com

    which returns dot-jp.blahdns.com has address 108.61.201.119 and dot-jp.blahdns.com has IPv6 address 2001:19f0:7001:1ded:5400:1ff:fe90:945b

    You may also use the nslookup command which works both ways - nslookup dot-jp.blahdns.com returns both the IPv4 and IPV6 server addresses. nslookup 108.61.201.119 - this returned with an answer for the server being jp1.blahdns.com - this error is why you need to run more than one method to validate your findings for your settings.

    I chose BlahDNS because not too long ago they changed both their servers' IP and hostnames. In addition their SPKI pin(s) have been updated ( changed ). Many ( not all ) of these DNS Privacy Test Server providers use Let's Encrypt Certificates and as many of you well know these must be renewed every three months. I will address this as we continue along. Lastly, if needs be for any reason try Googling the server hostname or IP address to see if either has been modified.
    Secondly - Now let's move on to see if our DNS OVER TLS servers' SPKI pin(s) are verified as being current ( not expired ) and trusted.

    A - The easiest and most straightforward method of attempting to do this is to issue this command:

        gnutls-cli --print-cert -p 443 108.61.201.119

    where 443 is the port I chose to connect to the dot-jp.blahdns.com DNS TLS server. If I selected to connect over port 853 then I would have issued:

        gnutls-cli --print-cert -p 853 108.61.201.119

    BlahDNS permits both ports 443 and 853 for TLS - see here for real time status and configuration of DNS Privacy Test Servers : https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ You must install gnutls-utils in order to run the commands. The problem here is that at times the output will falsely state that the certificate is not trusted. However - if you look along the top the printout will tell you much of this needed information.

        - subject `CN=dot-jp.blahdns.com', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04dc4acf35d3bc6a62c79b553835e66351ac, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-10 19:13:11 UTC', expires `2019-07-09 19:13:11 UTC', pin-sha256="B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4="

    The certificate is B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= and is good from 2019-04-10 19 until 2019-07-09 19. Run kdig below in order to see if the certificate is truly trusted.

    B - The second method is to install knot-dig ( OpenWrt ) or Knot2 ( FreeBsd ) ( you need to be able to run kdig command ). Keeping with our example:

        kdig -d @108.61.201.119 +tls-ca +tls-host=dot-jp.blahdns.com example.com

    This method prints the CN ( Certificate Name ) and SHA-256 PIN: B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= ( aka SPKI pin ) for this server. Also here we see from the printout:

        ;; DEBUG: TLS, skipping certificate PIN check
        ;; DEBUG: TLS, The certificate is trusted.
    C - The third method for getting DNS OVER TLS servers' SPKI pin(s) will give you the pin - but virtually nothing else. Issue command as follows:

        echo | openssl s_client -connect '108.61.201.119:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

    The printout reads - B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4= which is the correct certificate. However, you can not tell if it is expired or trusted. For example, Surfnet ( which is getdns ) has several servers. dnsovertls3.sinodun.com ( 145.100.185.18 ) currently has an expired certificate. When I run:

        echo | openssl s_client -connect '145.100.185.18:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

    The printout gives me the correct certificate - 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= - However the certificate is expired. Running gnutls-cli --print-cert -p 853 145.100.185.18 - provides verification of expiration below:

        - Certificate[0] info:
        - subject `CN=dnsovertls3.sinodun.com', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x030566ee19f2ef98451faa2322093fb000b3, RSA key 4096 bits, signed using RSA-SHA256, activated `2018-11-19 11:15:34 UTC', expires `2019-02-17.

    The certificate was good from 2018-11-19 until 2019-02-17. You can once again check real time status here: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ Running:

        kdig -d @145.100.185.18 +tls-ca +tls-host=dnsovertls3.sinodun.com example.com

    The readout is below which confirms expiration:

        ;; DEBUG: TLS, The certificate is NOT trusted. The certificate chain uses expired certificate.

    So you see you must combine methods listed above to be truly secure and encrypted when running DNS Privacy Test Servers which essentially depend and rely on proper DNS OVER TLS servers' SPKI pin(s) being up to date and trusted.
    Finally the Bonus: As I wandered over the internet in search of security - I came across this website : ImmuniWeb SSL Security Test found here: https://www.immuniweb.com/ssl/?id=Su8SeUQ4 Once on the website, you may test your remote DNS OVER TLS Servers. At the top of the page - simply enter the server hostname and port that you are using to connect to the remote server. For example I would enter - dot-jp.blahdns.com:443 in keeping with the example I have been using throughout this guide. This site will present you with a rating of the server and its features. It will also list the certificate - when it was activated - when is the expiration date and encryption protocols and so much more. By the way, dot-jp.blahdns.com earns an A+ rating. DNS is the backbone of your network - stay safe and secure out there while you and your loved ones peruse the world of cyber connectivity.

    With dot-jp.blahdns.com:443 I encountered errors getting the correct certificate information. When I entered dot-jp.blahdns.com alone - everything went fine. You may have to play around with the entries. This is why it is best to have multiple tools and methods to cross check your certificates aka DNS OVER TLS Servers' SPKI pin(s) - hostnames and IP addresses. For instance - I know from two of these methods - one being this website the other using gnutls-utils - that the certificate for DNS TLS SERVER doh.defaultroutes.de ( 5.45.107.88 ) will expire in four days on 2019-04-24.

    VERY IMPORTANT UPDATE: After checking, rechecking and then triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol.
    See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:

        nano /etc/stubby/stubby.yml

        ## Tested On https://cmdns.dev.dns-oarc.net/ May 20 2019 A Rating - Perfecto Configuration
        # Note: by default on OpenWRT stubby configuration is handled via
        # the UCI system and the file /etc/config/stubby. If you want to
        # use this file to configure stubby, then set "option manual '1'"
        # in /etc/config/stubby.
        resolution_type: GETDNS_RESOLUTION_STUB
        round_robin_upstreams: 1
        appdata_dir: "/var/lib/stubby"
        tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
        tls_query_padding_blocksize: 128
        edns_client_subnet_private: 1
        idle_timeout: 60000
        listen_addresses:
          - [email protected]
          - 0::[email protected]  ## If you use IPV6 Servers
        dns_transport_list:
          - GETDNS_TRANSPORT_TLS
        tls_connection_retries: 5
        tls_backoff_time: 900
        timeout: 2000
        upstream_recursive_servers:
        # IPV4 Servers
        ### DNS Privacy Test Servers ###
        ## The Surfnet/Sinodun DNS TLS Server
          - address_data: 145.100.185.18
            tls_port: 853
            tls_auth_name: "dnsovertls3.sinodun.com"
            tls_pubkey_pinset:
              - digest: "sha256"
                value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
        # The securedns.eu DNS TLS Server dot.securedns.eu
          - address_data: 146.185.167.43
            tls_auth_name: "dot.securedns.eu"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
        #The BlahDNS German DNS TLS Server
          - address_data: 159.69.198.101
            tls_auth_name: "dot-de.blahdns.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: GsfF6a28usi59J/pUUtqbyfmmyKE7+7OfzdLXzUt/Aw=
        #The BlahDNS Japan DNS TLS Server
          - address_data: 108.61.201.119
            tls_auth_name: "dot-jp.blahdns.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: B0mMSct7Bbz4E7Lk6BwXuVzdxA1KuYtDs8pw7uaPmB4=
        #The DNS Warden DNS TLS Primary Server
          - address_data: 116.203.70.156
            tls_auth_name: "dot1.dnswarden.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: deCWLScS/hqOKvzPDNr9JZdoBYsrWM7AWQ56biseGxA=
        #The DNS Warden DNS TLS Secondary Server
          - address_data: 116.203.35.255
            tls_auth_name: "dot2.dnswarden.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: deCWLScS/hqOKvzPDNr9JZdoBYsrWM7AWQ56biseGxA=
        #The Primary appliedprivacy.net DNS TLS Server
          - address_data: 37.252.185.232
            tls_auth_name: "dot1.appliedprivacy.net"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: ScYkwTIhR1AZGwAsy9Fgn+ET70+t8HR8giYq9abl7tA=
        #The ibksturm DNS TLS Server
          - address_data: 217.162.206.220
            tls_auth_name: "ibksturm.synology.me"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: v9DZ6wtFZcs26wzq6lwHSlcV6o0Nvw/9pLiBarQJfQE=
        #The Secure DNS Project by PumpleX DNS TLS Server
          - address_data: 51.38.83.141
            tls_auth_name: "dns.oszx.co"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: P/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4=
        ### Anycast DNS Privacy Public Resolvers ###
        #Quad9 'secure' DNS TLS Secondary Server
          - address_data: 149.112.112.112
            tls_auth_name: "dns.quad9.net"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=

        tls_min_version: GETDNS_TLS1_3
        tls_ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

    Save and Exit - Then reboot your Router for changes to take effect

    Peace, directnupe

    References :
    https://blahdns.com/
    https://dns.seby.io/
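Added example, not part of the post above: a POSIX shell check that applies the post's two points to `kdig -d` debug output, namely that the pin in stubby.yml should be the one printed for certificate #1 (not an issuer further down the chain) and that trust or expiry has to be read separately from the pin. The function name `check_pin`, the result labels, and the second sample (assembled from values quoted in the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify a configured SPKI pin
# against the certificate chain printed by `kdig -d ... +tls-ca`.
#
# Result labels (names chosen for this example):
#   leaf-ok         pin matches certificate #1 and kdig reports the chain trusted
#   leaf-untrusted  pin matches certificate #1 but the chain is NOT trusted
#   ca-pin          pin matches a later certificate in the chain (an issuer key)
#   mismatch        pin matches nothing in the chain
#   no-data         no "SHA-256 PIN" lines were found on stdin

check_pin() {
    # $1 = base64 SPKI pin as written in stubby.yml; kdig debug output on stdin
    awk -v want="$1" '
        # ";; DEBUG: #N, <subject>" opens the block for certificate N
        /DEBUG: #[0-9]+,/ {
            idx = $0
            sub(/^.*DEBUG: #/, "", idx)
            sub(/,.*$/, "", idx)
            idx = idx + 0
            next
        }
        # the pin line that follows belongs to certificate idx
        /DEBUG: SHA-256 PIN: / {
            pin = $0
            sub(/^.*SHA-256 PIN: /, "", pin)
            gsub(/[ \t\r]+$/, "", pin)
            pins[idx] = pin
            if (idx > count) count = idx
            next
        }
        /The certificate is NOT trusted/ { trusted = 0; next }
        /The certificate is trusted/     { trusted = 1; next }
        END {
            if (count == 0) { print "no-data"; exit }
            result = "mismatch"
            # walk from the last certificate up to #1 so a leaf match wins
            for (i = count; i >= 1; i--) {
                if ((i in pins) && pins[i] == want) {
                    if (i > 1)        result = "ca-pin"
                    else if (trusted) result = "leaf-ok"
                    else              result = "leaf-untrusted"
                }
            }
            print result
        }
    '
}

# Debug output quoted in the post for doh.defaultroutes.de.
sample_trusted() {
    cat <<'EOF'
;; DEBUG: #1, CN=doh.defaultroutes.de
;; DEBUG: SHA-256 PIN: zYnx/ptyLlxHp9RQ5cHXbe2HJLXyZUT3A/lbyhd0B/M=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
EOF
}

# Constructed sample: the post quotes only the final line for the expired
# sinodun server; the #1 and PIN lines are assembled from values in the post.
sample_expired() {
    cat <<'EOF'
;; DEBUG: #1, CN=dnsovertls3.sinodun.com
;; DEBUG: SHA-256 PIN: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate chain uses expired certificate.
EOF
}

# Demo: one label per line.
sample_trusted | check_pin 'zYnx/ptyLlxHp9RQ5cHXbe2HJLXyZUT3A/lbyhd0B/M='
sample_trusted | check_pin 'YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg='
sample_expired | check_pin '5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8='
```

Against a live server, pipe the real output in, for example `kdig -d @108.61.201.119 +tls-ca +tls-host=dot-jp.blahdns.com example.com 2>&1 | check_pin "$PIN"`, where `$PIN` is the value from the matching `tls_pubkey_pinset` entry.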
  22. wallmama

    does torguard work in china?

    @bassozka Yes TorGuard works in China. But not all servers. Best server choices would be HongKong, Japan, Singapore, Taiwan or West Coast of United States.
  23. wallmama

    Torguard is the only "God" Tier VPN?

    Yes, I am in China. I confirm that it works in mainland here. Using it to watch Youtube, speed is pretty decent.
  24. Dear OpenWrt Community,

    First - I have a few bars to indulge myself and those in the know of the Old School : Once again, back is the incredible rhyme animal The uncannable D, Public Enemy Number One / Full Lyrics here for those who may wish to sing along : https://genius.com/Public-enemy-bring-the-noise-lyrics and Video here : https://www.youtube.com/watch?v=bsq91cqFhWI

    Now after that intro - let's get down to business. There has been a lot of interest and buzz around WIREGUARD - the new VPN protocol which is now available across many platforms. I have written this tutorial with the goal of showing you how to set up TORGUARD WIREGUARD Client ( TORGUARD now supports WIREGUARD Servers ). The reasons for my putting this guide together is that I was unable to find a definitive tutorial in one place which simply explained how to set up WIREGUARD on OpenWrt. This setup is guaranteed to work if you follow the steps as detailed in this tutorial. The references I used are listed below in order of most to least useful and informative:

    1 - https://doc.turris.cz/doc/en/public/wireguard
    2 - https://steemit.com/cn/@curl/openwrt-lede-wireguard-vpn
    3 - https://blog.birkhoff.me/Setting-up-a-WireGuard-server-on-OpenWRT/ ( Note : IGNORE THE FIREWALL INSTRUCTIONS ON THIS PAGE - I WILL DETAIL CORRECT SETUP LATER IN THIS TUTORIAL ).

    1 - First you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top : Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York, Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD.
    This will result in a green box below the now grayed out box - which states now Disable WIREGUARD. Download Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following ( columns: Location, VPN Server, Keys, Manage ):

        Location: USA - New York 1
        VPN Server: 159.xx.xxx.xx:xxx
        Keys:
          Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
          Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
          Your Address: 10.xx.x.xxx/24

    WARNING: These credentials above are for demonstration purposes only - the keys are actually from DNS Privacy Test Servers and will not work if you attempt to set up WIREGUARD using these credentials. Now on to the actual setup which is in reality quite easy to do.

    2 - There are two ways to set up TORGUARD WIREGUARD on OpenWrt - via uci and / or by the proper OpenWRT configuration files. Primarily, I relied on this aforementioned guide : https://doc.turris.cz/doc/en/public/wireguard and it illustrates using both methods.

    A - Set up Via Uci - command line

    The only drawback to this method is there is no uci command to set the endpoint host and port - you will need to set these manually via Luci : No matter if you choose to configure via Uci commands or OpenWRT configuration files you first need to install the necessary packages:

        opkg update && opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools

    Via uci commands

    1) Set the server's network configuration:

        # wg0 is the name of the wireguard interface,
        # replace it if you wish.
        uci set network.wg0="interface"
        uci set network.wg0.proto="wireguard"
        uci set network.wg0.private_key="cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=" ## ( From the dummy file I listed above )
        # You may change this port to your liking, ports of popular
        # services get through more firewalls. Just remember it
        # for when you have to configure the firewall later.
        uci set network.wg0.listen_port="51820" ## ( This is the standard port for TORGUARD WIREGUARD )
        uci add_list network.wg0.addresses='10.xx.x.xxx/24' ## ( Use your real address from downloaded TORGUARD WIREGUARD Config File )

    2) Configure client list:

        # Change all occurrences of "wireguard_wg0" to something else
        # (like wireguard_wg1, wireguard_wg2 and so on) for
        # subsequent clients after the 1st
        uci add network wireguard_wg0 ## ( I suggest you leave this as is )
        uci set network.@wireguard_wg0[-1].public_key="62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=" ## ( From the dummy file I listed above )
        # Allow the client to forward traffic to any IP through the tunnel
        uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
        uci add_list network.@wireguard_wg0[-1].allowed_ips="0.0.0.0/0"
        # Enable sending of keepalive packets so NAT routers
        # don't terminate the connection. WG recommends a value of 25.
        uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
        # What you want your client to show up as in the UI
        uci set network.@wireguard_wg0[-1].description='WG'

    3) Save the changes:

        uci commit network
        /etc/init.d/network reload
        ifdown wg0
        ifup wg0

    Now - as I stated above this method does not add the endpoint host and port. To do this - in Luci go to Network > Interfaces > Then EDIT Interface WG0 > Under Peers > in the Endpoint Host enter 159.xx.xxx.xx:xxx ( the WIREGUARD Server address ) and beneath enter 443 ( the WIREGUARD Server Port ). Then click on Save & Apply. Also, I have found that using the DNS Server included in the downloaded Config file is very important. In the case of TORGUARD WIREGUARD the server is - 104.223.91.210 ( their main all around DNS Server ) - see how to configure it on the WIREGUARD Interface below in section B : the Via configuration files section of this tutorial.
    Thanks to the very useful and insightful assistance from my knowledgeable, kind and patient colleagues lleachii and trendy along with the heads up from vgaetera ( all from the OpenWRT Forum ) I was able to finally get the WIREGUARD FireWall rules properly configured. I have removed the UCI command line section ( A ) for setting up the WIREGUARD Firewall rules entirely. If anyone can send to me the proper uci commands to set up the firewall which directly correspond to the rules in section B - Via configuration files ( aka the /etc/config/firewall file ) listed below; I will post them in this tutorial at that time. However, please know that your TORGUARD WIREGUARD will be most secure and function as it is designed if you follow the instructions in section B - Via configuration files then Step 3) Configure the OpenWRT firewall: - that is all you need to do.

    B - Via configuration files

    Now, I saved the best for last. Quite frankly TORGUARD WIREGUARD is very very easily set up Via configuration files.
    Here is how to do this in two simple steps:

    1) Set the server's network configuration by editing /etc/config/network to include following parts, omitting the preshared_key option if you've opted not to use a PSK: From the dummy files above: Go to the very bottom of this file and add the following :

    Open the file:

        nano /etc/config/network

        config interface 'wg0'
                option proto 'wireguard'
                option private_key 'cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA='
                option listen_port '51820'
                list addresses '10.xx.x.xxx/24'
                option peerdns '0'
                list dns '104.223.91.210'
                list dns '104.223.91.194'

        config wireguard_wg0
                option public_key '62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4='
                option route_allowed_ips '1'
                list allowed_ips '0.0.0.0/0'
                option persistent_keepalive '25'
                option description 'WG'
                option endpoint_host '159.xx.xxx.xx:xxx'
                option endpoint_port '443'

    Save and Exit. Then issue from command line Step 2 below:

    2) Apply changes

        /etc/init.d/network reload
        ifdown wg0
        ifup wg0

    3) Configure the OpenWRT firewall for your TORGUARD WIREGUARD Client:

    Special Thanks to trendy ( from the OpenWRT Forum ) for helping me with this elegant solution. The most simple, effective and efficient method to set up your firewall for TORGUARD WIREGUARD is to add the 'wg0' network to the wan zone in the /etc/config/firewall configuration file. Edit /etc/config/firewall file and add the 'wg0' network as follows:

    Open the file:

        nano /etc/config/firewall

        config zone
                option name 'wan'
                list network 'wan'
                list network 'wan6'
                list network 'wg0' ## This is the line you need to add - and you are done
                option input 'REJECT'
                option output 'ACCEPT'
                option forward 'REJECT'
                option masq '1'
                option mtu_fix '1'

    Save and Exit. Then issue from command line Step 4 below:

    4) Apply changes

        /etc/init.d/firewall restart
        reboot & exit

    All you need to do is reboot the router. The correct DNS Server along with the endpoint host and port are already added using this method.
    By the way, NORDVPN is now offering WIREGUARD in Beta testing. Contact them via their e-mail support and they will send you your credentials. The most important piece of this set up are the firewall rules. Just configure your /etc/config/network file with your NORDVPN WIREGUARD Config Options and this will work just as well.

    Testing your configuration

    From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard: from the command line run entry :

        wg show

    You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in output. Output will vary according to your keys.

        interface: wg0
          public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
          private key: (hidden)
          listening port: 1234

        peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
          endpoint: 190.180.170.160:45345
          allowed ips: 10.0.10.0/24
          latest handshake: 1 hour, 19 minutes, 23 seconds ago
          transfer: 43.96 MiB received, 51.89 MiB sent
          persistent keepalive: every 25 seconds

    If you installed luci-app-wireguard, you can also visit your router's LuCI interface and click on Status, then click on WireGuard Status to see essentially the same information but without needing to SSH in. You can also run ifconfig to check the status of your WireGuard interface.
    If you've opted for another interface name aside from wg0, replace it in the subsequent command:

        ifconfig wg0

        wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                  inet addr:10.0.10.1  P-t-P:10.0.10.1  Mask:255.255.255.0
                  UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
                  RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
                  TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1
                  RX bytes:46099332 (43.9 MiB)  TX bytes:54420468 (51.8 MiB)

    FYI : I set this up along with DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY see here : https://forum.openwrt.org/t/from-the-dns-privacy-project-dns-over-tls-on-openwrt-lede-featuring-unbound-getdns-and-stubby/13765 and DNS LEAK TESTS returns the DNS Privacy Test Servers which I chose in my Stubby DNS Privacy Daemon Config file. However, I continued to use the TORGUARD DNS Server for the WIREGUARD Interface ( WG0 ). Everything works well. If anyone can impart to me exactly how DNS functions within the WIREGUARD Tunnel ; I will be most appreciative.

    Peace and God's Grace To All, directnupe
  25. Hello, I've been using the torrent proxy for a few years now and love the service. I've started to think about using the VPN but have a few questions. I'm planning on using Torguard on my router (Pfsense). I'm a bit confused about the 5 connections with Simultaneous-use. Is there a limit if all my devices are on my local network and just using private IPs? Streaming IP, I'm guessing this is for streaming out and not stuff like Netflix? Once everything's set up do the clients have to re-connect every time they go online or is it automatic? Thank you.
  26. Thank you for the values under advanced options this brings my download from 15Mbit to 80Mbit even upload says the same at 50Mbit. I started out with AES-256-GCM | SHA 256 and now AES-128-GCM | SHA1 but I see the exact same speeds shouldn't I be able to reach higher on AES-128-GCM | SHA1 than AES-256-GCM | SHA256? I am running PFSense 2.4.4-p2 of a PC Engines apu2c4 = 3 i210AT LAN / AMD GX-412TC CPU / 4 GB DRAM (superseded) Link: https://pcengines.ch/apu2c4.htm If anyone knows a trick to get me 200Mbit down and up I will be happy this AMD quad-core machine should be able to do it.