======= Wireguard VPN =======

===== Introduction =====

Wireguard can be configured and run via the web interface or at the command line. Either way lets you configure Wireguard settings and generate configurations. This page describes how to configure Wireguard through the web interface.

To configure Wireguard via the command line, and for some theoretical background, see this HOWTO: [[wireguard_on_freshtomato|Set up Wireguard]]

Regardless of the interface used, you are advised to "nominate" a main router where configurations will be produced. Clients, such as other FreshTomato routers and other client devices, must import the configuration generated by this main router. Relevant configuration changes may require you to delete and reimport the configuration on those client devices.

===== Current development status =====

The Wireguard web interface menu is a work in progress. It has been functional since release 2024.1. However, some elements have not yet been implemented. These include:

  * External VPN provider connectivity
  * Kill switch
  * Routing policy
  * Split tunneling

For now, only site-to-site configurations (as opposed to VPN service providers) are //officially// supported. However, many people have successfully used the following (unofficial) tutorial to connect to their VPN provider: [[https://www.linksysinfo.org/index.php?threads/wireguard-on-freshtomato.76295/page-23#post-348056|How to Connect to a VPN Provider's Wireguard Tunnel on FreshTomato]]

===== Type of VPN =====

{{:pasted:20240214-132008.png?484}}

This setting affects the creation of peer configurations.

  * Hub and Spoke: Peers can only communicate via the Hub.
  * Full Mesh (defined Endpoint only): FreshTomato will try to create a full mesh among peers with an Endpoint defined.
  * Full Mesh: FreshTomato will try to establish a full mesh between all peers.
  * External VPN Provider: This option is greyed out, as it is still a work in progress.
===== Wireguard Notes and Troubleshooting =====

Please remember these troubleshooting tips when trying to configure your VPN:

  * **wg show** (via the command line) output will help you understand the relationship between peers.
  * **route** (via the command line) can help you to verify routing decisions when the VPN is connected.
  * **traceroute** is a must when verifying end-to-end connectivity.

A good approach is to test the following in order:

  * Local LAN IP
  * Local VPN IP
  * Remote VPN IP
  * Remote LAN IP

The point of failure will provide critical insight into whatever issue you are facing.
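
The ordered test above can be scripted. The following is an added example, not part of FreshTomato or of the original page: it probes the four addresses in the order listed and names the first one that does not answer. The function names, the ''PROBE'' variable, the ''ping -c 2 -W 2'' options and the hints in ''next_step'' are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: walk the four checkpoints in the order given above and
# report the first one that does not answer.

# Reachability check (assumption: ping with -c/-W is available on the router).
# Set PROBE in the environment to substitute another command.
PROBE="${PROBE:-ping -c 2 -W 2}"

# first_failure LOCAL_LAN LOCAL_VPN REMOTE_VPN REMOTE_LAN
# Prints the label of the first checkpoint that fails, or "none".
first_failure() {
    for pair in "Local LAN IP=$1" "Local VPN IP=$2" \
                "Remote VPN IP=$3" "Remote LAN IP=$4"; do
        label=${pair%%=*}   # text before the first '='
        addr=${pair#*=}     # text after the first '='
        if ! $PROBE "$addr" >/dev/null 2>&1; then
            echo "$label"
            return 1
        fi
    done
    echo "none"
    return 0
}

# next_step LABEL
# Suggests which of the commands listed above to look at next.
next_step() {
    case "$1" in
        "Local LAN IP")  echo "check the router's LAN interface and address" ;;
        "Local VPN IP")  echo "run 'wg show': is the tunnel interface present?" ;;
        "Remote VPN IP") echo "run 'wg show': check the peer's endpoint and latest handshake" ;;
        "Remote LAN IP") echo "run 'route' and 'traceroute': is the remote LAN routed into the tunnel?" ;;
        *)               echo "all four checkpoints answered" ;;
    esac
}

# Run only when the four addresses are given on the command line.
if [ "$#" -eq 4 ]; then
    failed=$(first_failure "$@") || true
    echo "first failure: $failed"
    next_step "$failed"
fi
```

Call it with the four addresses in the same order as the list, for example the router's own LAN address, its tunnel address, the peer's tunnel address and a host on the peer's LAN.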