wireguard_on_freshtomato

Differences

This shows you the differences between two versions of the page.

wireguard_on_freshtomato [2024/09/07 16:17] – [Point-to-Point Connection] -condense hogwild
wireguard_on_freshtomato [2024/11/27 21:54] (current) – [Syntax] hogwild
Line 11: Line 11:
 ===== Web interface or command-line configuration ===== ===== Web interface or command-line configuration =====
  
-Since release 2024.1Wireguard is now integrated into FreshTomato's graphical web interface. Configuration is also still available via command line. For now, this wiki page will outline configuration via the command line. +Release 2024.1 and later allow Wireguard configuration in the web interface. Configuration is also still available via command line. Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles apply regardless of the interface used.
- +
-Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles, of course, apply regardless of which interface is used.+
  
  
 ===== Introduction ===== ===== Introduction =====
  
-Wireguard'exceptional performance is possible because the code is executed within kernel-space. Other technologies, such as OpenVPN, PPTP, or tinc run in the much slower user-space. Wireguard still uses asymmetric-key technology (similar to OpenVPN) that is more basic in functionality. However, there is a lot of ongoing development, and improvements in encryption keys are expected soon.+Wireguard'fast performance is possible because code is executed inside kernel-space. Other technologies like OpenVPN, PPTP, or tincrun in the much slower user-space. Wireguard still uses asymmetric-key technology (like OpenVPN) that is more basic in functionality. However, development is ongoing, and encryption key improvements are expected soon.
  
-Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there is a peer with a forced keepalive option). One new approach taken with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler and faster. Wireguard communicates by default over UDP port 51820.+Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there'a peer with a forced keepalive option). new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simplerand faster. By default, Wireguard communicates over UDP port 51820.
  
-Before configuring Wireguard, you should consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and possibly the [[https://github.com/pirate/wireguard-docs|unofficial]] version as well.+Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and maybe the [[https://github.com/pirate/wireguard-docs|unofficial]] version too.
  
  
 ===== Overview ===== ===== Overview =====
  
-Wireguard has now been integrated into FreshTomato'graphical web interface since release 2024.1. It is also still available via command line.+Wireguard is now available in FreshTomato's web interface since release 2024.1. It is also still available via command line.
  
-Once you understand some basic principles, it is fairly simple to configure WireguardOne caveat is that currently, only ARM-based devices include the code needed to run Wireguard. If you're unsure, try loading the kernel module as follows:+Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code needed to run Wireguard.
  
  \\  \\
 +
 +=== Checking if Modules are Available/Running ===
 +
 + \\ If you're unsure, try loading the kernel module as follows:
  
 <code -> <code ->
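Review bot: the Introduction's statement that Wireguard "completely remove[s] handshaking" and accepts data "only if the decryption key works" is given without a source on this page; cite the official documentation already linked in this hunk or soften the wording, since it is the sentence readers will repeat. Smaller point, same hunk: the new "=== Checking if Modules are Available/Running ===" heading is followed by a stray " \\ " before "If you're unsure, try loading the kernel module as follows:"; the heading already separates the paragraph, so the leading line break can go.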
Line 50: Line 52:
  \\  \\
  
-If Wireguard is not supported on your system, you will see the following error:+If Wireguard isn'supported on your system, you'll see the following error:
  
 <code -> <code ->
Line 60: Line 62:
 ===== Syntax ===== ===== Syntax =====
  
-The first step is familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.+The first step is to familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
  
  \\  \\
Line 88: Line 90:
  
 For example: For example:
- 
- \\ 
  
 <code -> <code ->
Line 110: Line 110:
 Let's assume there are two devices with these prerequisites: Let's assume there are two devices with these prerequisites:
  
-  * An ARM-based device with Wireguard in in the firmware build.+  * An ARM-based device with Wireguard in the firmware build.
   * At least one device with a public IP address.   * At least one device with a public IP address.
-  * DDNS configured for the device's public IP address (unless you have static addresses). +  * DDNS configured for the device's public IP address \\ (Unless you have static addresses). 
-  * SSH access available on to both devices. +  * SSH access available on both devices. 
-  * An alternate method of accessing the router, or a host on the LAN accessible via \\ remote access software that doesn't need VPN functionality. The latter is optional \\ but strongly recommended.+  * An alternate method of accessing the router, or a host on the LAN \\ accessible via remote access software that doesn't need VPN access\\ The latter is optional but strongly recommended.
  
  \\  \\
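Review bot: the prerequisite "At least one device with a public IP address" is narrower than the Point-to-Point section further down, which says one public IP address or a mapped port is enough; align the list item (for example "a public IP address, or a port mapped to it") so readers behind a port-forwarding NAT don't rule themselves out. Minor: "(Unless you have static addresses)" starts with a capital letter after the forced line break although it continues the previous sentence.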
Line 129: Line 129:
  \\  \\
  
-If that storage becomes unavailable, the VPN won't function. For this example, and the final setup, we will use JFFS. Thus, it is assumed you have a JFFS partition mounted in the filesystem of at: "/jffs".+If the storage becomes unavailable, the VPN won't function. 
 + 
 +For this example, and the final setup, we'll use JFFS. It'assumed you have a JFFS partition mounted at: "/jffs".
  
  \\  \\
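Review bot: the new paragraph assumes a JFFS partition is mounted at "/jffs" but gives the reader no way to confirm that before writing wg0.conf there, even though the sentence just above warns that the VPN stops working if that storage is unavailable; add a one-line check (for example `mount | grep jffs`) or a pointer to the wiki's JFFS page.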
Line 146: Line 148:
  \\  \\
  
-The above two key generation programs should have created two files:+The above two key generation programs should create two files:
  
 <code -> <code ->
Line 158: Line 160:
 The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf". The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf".
  
-**Do not** use the keys from this example. They are fake/hypothetical and only serve as an example.+**Do not** use the keys from this example. They are hypothetical and only an example.
  
- \\ The contents of the wg0.conf file on routerA are as follows:+ \\  \\ The contents of the wg0.conf file on routerA are as follows:
  
 <code -> <code ->
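Review bot: the line introducing the routerA config now carries two consecutive " \\ " breaks; one is enough. Also worth a sentence in this paragraph, since it tells the reader to copy both key files into wg0.conf: that file then contains the private key, so it should be readable only by root. The hunk warns against reusing the example keys but says nothing about protecting real ones.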
Line 204: Line 206:
  \\  \\
  
-On a network with private addressing (behind NAT) that is unreachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember that, by default, Wireguard doesn't use keepalive packets.+On a network with private addressing (behind NAT)unreachable from the Internet, the connection is initiated from the NAT'device. However, you must force keepalive activity towards the unNAT'device to maintain the connection. By default, Wireguard doesn't use keepalive packets. 
 + 
 + \\
  
-Let's assume routerB is behind an unmanaged NAT device (so your WAN has a private IP) your routerA [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.+Let's assume routerB is behind an unmanaged NAT device (your WAN has a private IP). Your routerA [peer] definition in wg0.conf will need to have ''PersistentKeepalive'' defined. Doing this keeps the main router mapping table updated, making the defined Wireguard port reachable.
  
- \\ \\ The necessary changes to the wg0.conf file for this are: \\+ \\ \\ The necessary changes to wg0.conf for this are: \\
  
 <code -> <code ->
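Review bot: "Your routerA [peer] definition in wg0.conf will need to have ''PersistentKeepalive'' defined" doesn't say which device's wg0.conf is meant, and the hunk's own logic settles it: the keepalive must be sent by the NAT'd device (routerB) toward the unNAT'd one, so the setting belongs in routerB's wg0.conf, inside the [Peer] block that describes routerA. State that explicitly, and spell the section name as WireGuard does ([Peer]) so it matches the config excerpt that follows.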
Line 220: Line 224:
  \\  \\
  
-A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in even 30 seconds of inactivity. However, you can try adjusting this, as needed. Just make sure to to monitor the connection stability when making adjustments.+A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in just 30 seconds of inactivity. However, you can adjust this, as needed. Just make sure to to monitor the connection stability when making adjustments.
  
  \\  \\
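Review bot: "Just make sure to to monitor the connection stability" keeps the doubled "to" from the previous revision on the + side; drop one. The 25-second guidance itself reads fine.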
Line 232: Line 236:
 {{:pasted:20230213-144712.png}}\\  \\ {{:pasted:20230213-144712.png}}\\  \\
  
-On a point-to-point connection, we need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, as long as they also terminate towards a non-NATed endpoint. The PersistentKeepalive guidance given above will still apply to every NATed endpoint.+On a point-to-point connection, you need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, if they also terminate towards a non-NAT'endpoint. The PersistentKeepalive guidance above still applies to every NAT'endpoint.
  
  
wireguard_on_freshtomato.1725722255.txt.gz · Last modified: 2024/09/07 16:17 by hogwild