FreshTomato's Wireguard menu in the graphical interface is meant to be a place for both configuration and generating configurations. Thus, it is suggested you “nominate” a main router where the configuration will be produced. Clients, such as other FreshTomato routers, and Windows, Linux, and Android devices, will need to import the configuration generated by the main FreshTomato router. This means that any relevant configuration change may also require you to delete and reimport the configuration on the other peers.

The Wireguard GUI menu is currently a work in progress. Some basic functionality is working since release 2024.1. However some elements, including the following have no yet been implemented:

• External VPN provider connectivity
• Kill-switch
• Routing-policy
• Split-tunneling

For this reason, you should focus on on site-to-site configurations until that status changes.

This setting affects the creation of peer configurations.

• Hub and Spoke: Any peers can only communicate via the Hub.
• Full Mesh (defined Endpoint only): FreshTomato will try to create a full mesh but only among peers which have the EndPoint defined.
• Full Mesh: FreshTomato will try to establish a full mesh between all peers.
• External VPN Provider - This option is greyed out, as the function is still a work in progress.

When trying to configure your VPN, please remember these troubleshooting tips:

• wg show (via the command line) output will help you understand the relationship between peers.
• route (via the command line) can help you to verify routing decisions while the VPN is connected.
• traceroute is a must when verifying end-to-end connectivity. A good approach is to test the following in order:
  • Local LAN IP
  • Local VPN IP
  • Remote VPN IP
  • Remote LAN IP

The point of failure will provide critical insight into whatever issue you are facing.