The FreshTomato Wireguard page in the graphical interface is meant to be both a configuration and configuration generation point. Thus, it is suggested you “nominate” a main router where the configuration will be produced. Client, such as other FreshTomato routers, Windows, Linux, Android will need to import the configuration generated by the main FreshTomato router. This also means that any relevant configuration change may also require you to delete and re-import the configuration on the other peers.

The Wireguard GUI menu is currently a work in progress. Some basic functionality should already be working on 2024.1, although some elements, including the following have no yet been implemented:

• External VPN provider connectivity
• Kill-switch
• Routing-policy
• Split-tunneling

Because of this, you should focus on on site-to-site configurations until that changes.

This setting affects the creation of peer configurations.

• Hub and Spoke - Any peers can only communicate via the Hub.
• Full Mesh - Endpoint only - FreshTomato will try to create a full mesh but only among peers which have the EndPoint defined.
• Full Mesh - FreshTomato will try to establish a full mesh amongst all peers.
• External VPN Provider - This option is greyed out, as the function is still a work in progress

While you try to configure your own VPN please keep in mind the following troubleshooting tips:

• wg show (command line) will help you understand the relationship between peers
• route can help you verifying routing decision while the VPN is connected
• traceroute is a must use when verifying end-to-end connectivity, a good approach is to test in order:

1. Local LAN IP
2. Local VPN IP
3. Remote VPN IP
4. Remote LAN IP

The point where this fail provides a crucial insight into the issue you might be facing.