FreshTomato Wiki

User Tools

Site Tools

Trace: vpn-wireguard
vpn-wireguard

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
vpn-wireguard [2025/09/15 03:52] – [Peer's Parameters] -Clarify Source IP Filtering explanation hogwildvpn-wireguard [2025/11/11 00:07] (current) – [General Troubleshooting] -Change to "point of failure you find" hogwild
Line 66: Line 66:
 ===== Wireguard Configuration ===== ===== Wireguard Configuration =====
  
-WireGuard uses virtual network adapters (or "network interfaces") on which to operate a VPN tunnel. WireGuard creates a virtual network interface (such as "wg0"on your device that behaves like a standard network adapter. This virtual adapter routes your traffic through the encrypted tunnel between peers.+WireGuard uses virtual network adapters (or "network interfaces") on which to operate a VPN tunnel. The network interface WireGuard creates (such as "wg0") behaves like a standard network adapter. This interface routes your traffic through the encrypted tunnel between peers.
  
-WireGuard allows you to create 3 separate virtual network adapters to allow for 3 separate VPN configurations (or "instances" terminology). In Freshtomato, each virtual adapter is represented by a tab, such as wg0, wg1, or wg2. The current tab selected appears in black. \\   \\   \\  {{::vpn-wireguard-wg0-2025.3.png?95}}  the first Wireguard interface/instance.+WireGuard allows you to create 3 separate network interfaces to allow for 3 separate VPN configurations (or "instances"). In Freshtomato, each network interface is represented by a tab, such as wg0, wg1, or wg2. The current tab selected appears in a different colour than the others. \\   \\   \\  {{::vpn-wireguard-wg0-2025.3.png?95}}  the first Wireguard interface/instance.
  
  \\  \\
Line 89: Line 89:
 ===== Interface ===== ===== Interface =====
  
-Settings here are used to configure the router'virtual WireGuard interface for this instance/tab, (such as "wg0").+Settings here are used to configure the router's WireGuard interface of this instance/tab, (such as "wg0").
  
  \\  \\
Line 99: Line 99:
  \\  \\
  
-**Poll Interval** - WireGuard's PersistentKeepalive setting.+**Poll Interval** - a watchdog timer for the WireGuard connection (in minutes)
  
-This determines how often clients behind NAT send keepalive packets to maintain NAT mappings. +If we can't ping 1.1.1.1 via the WireGuard interface, wg is restarted.\\  \\ FIXME
- +
- \\+
  
   * The recommended setting is 25 seconds. This causes WireGuard \\ to send a small packet to its peer every 25 seconds when no \\ other traffic occurs. This keeps the connection alive through \\ NAT or firewalls that might otherwise close idle UDP sessions. \\ \\    * The recommended setting is 25 seconds. This causes WireGuard \\ to send a small packet to its peer every 25 seconds when no \\ other traffic occurs. This keeps the connection alive through \\ NAT or firewalls that might otherwise close idle UDP sessions. \\ \\ 
Line 226: Line 224:
 ===== Peer Parameters ===== ===== Peer Parameters =====
  
-In this area, you can manually configure Peer settings. Some fields populate automatically if you import a configuration file instead of/in addition to manually entering settings.  \\  \\+Here, you can manually configure Peer settings. Some fields populate automatically if you import a configuration file instead of/in addition to manually entering settings.  \\  \\
  
 **Router behind NAT** - sets whether/how often keepalive packets are sent from the router to defined peers. **Router behind NAT** - sets whether/how often keepalive packets are sent from the router to defined peers.
Line 246: Line 244:
 **Allowed IPs** - here, enter the IP address ranges to be routed through the particular peer. **Allowed IPs** - here, enter the IP address ranges to be routed through the particular peer.
  
-Outgoing packets bound for addresses in the "AllowedIPs" range will be sent through the tunnel to that peer. For example, if a peer has AllowedIPs = 172.16.0.0/24", then traffic to any IP in that subnet will be routed to that peer. Entries must be in CIDR format, separated by commas.+Outgoing packets bound for addresses in the "AllowedIPs" range will be sent through the tunnel to that peer. For example, if a peer has AllowedIPs = "172.16.0.0/24", then traffic to any IP in that subnet will be routed to that peer. Entries must be in CIDR format, separated by commas.
  
  \\  \\
Line 276: Line 274:
 (As set in the Network menu). (As set in the Network menu).
  
- \\  \\ + \\  \\ **Forward all peer traffic** - adding an Allowed IP of "0.0.0.0/0" will tunnel all traffic from the peer through the router's WireGuard interface.
- +
-**Forward all peer traffic** - adding an Allowed IP of "0.0.0.0/0" will tunnel all traffic from the peer through the router's WireGuard interface.+
  
  \\  \\
Line 295: Line 291:
 ===== Import Config from file ===== ===== Import Config from file =====
  
-Available since r2025.3, this lets you quickly and easily import a pre-generated WireGuard configuration file. This file can come from an external VPN provider, or other source, such as another WireGuard endpoint. Files must be compatible with the wg-quick format (usually ending in "*.conf").+Available since r2025.3, this lets you quickly and easily import a pre-generated WireGuard configuration file. This file can come from an external VPN provider, or another WireGuard endpoint. Files must be compatible with the wg-quick format (usually ending in "*.conf").
  
 Typically, with an external VPN provider, you choose appropriate settings on their website for the configuration you want. The VPN provider then generates a corresponding configuration file to import. For most providers, this will be a wg-quick compatible file. Typically, with an external VPN provider, you choose appropriate settings on their website for the configuration you want. The VPN provider then generates a corresponding configuration file to import. For most providers, this will be a wg-quick compatible file.
  
-While FreshTomat's function requires file to be wg-quick compatible format for import, it does not maintain that format, or even save configuration file. Instead, after import, settings are divided up and stored in NVRAM as separate variables. To quickly view all the settings, use the "nvram show" command. For example, typing:+Even though FreshTomato requires the file to be in wg-quick compatible format for import, it doesn'save any configuration file. Instead, after import, settings are divided up and stored in NVRAM as separate variables. To quickly view all the settings, use the "nvram show" command.
  
-''nvram show|grep wg0_''+For example, to display all variables and their settings for the "wg0" interface, type: 
 + 
 +"nvram show|grep wg0_ \\  \\ 
 + 
 + \\
  
-will display all variables and their settings for interface "wg0"The only exception occurs when you copy a configuration file to a folder on the router and enter a path to that file in the //Config File// field. In that case, that file will be saved as a configuration file, in wg-quick format.+The only exception occurs when you copy a configuration file to a folder on the router and enter a path to that file in the //Config File// field. In that case, that file will be saved as a configuration file, in wg-quick format.
  
  \\  \\
Line 432: Line 432:
  
 If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it. If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it.
 +
 + \\
  
 For example, for this WireGuard instance: For example, for this WireGuard instance:
- 
- \\ \\ {{::vpn-wireguard-status-2025.3.png?473}} 
- 
-\\ 
  
 The first block of text includes this router's: The first block of text includes this router's:
Line 446: Line 444:
   - UDP listening port   - UDP listening port
  
- \\+ \\ \\ {{::vpn-wireguard-status-2025.3.png?473}} 
 + 
 +\\
  
 The second block of text displays the Peer's: \\ The second block of text displays the Peer's: \\
Line 484: Line 484:
     * Remote LAN IP     * Remote LAN IP
  
- \\  The point of failure found will provide critical insight into the type of issue you are facing.+ \\  The point of failure you find will provide critical insight into the type of issue you are facing.
  
  \\  \\
vpn-wireguard.1757904758.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki