Differences

This shows you the differences between two versions of the page.

--- wireguard_on_freshtomato [2024/09/24 17:49] – [Introduction] -condense hogwild
+++ wireguard_on_freshtomato [2025/11/12 21:57] (current) – [Web interface or command-line configuration] -Update intro and add link to main WireGuard page hogwild
@@ Line 11: / Line 11: @@
 ===== Web interface or command-line configuration =====
-Since release 2024.1, Wireguard is now available in FreshTomato's web interface. Configuration is also still available via command line. For now, this wiki page will outline configuration via the command line.
+r2024.1 and later allow Wireguard configuration via the web interface. Configuration is still available via command line as well. The instructions on this page explain how to configure WireGuard via the command-line interface. If you want to use the web interface instead, please see the main [[vpn-wireguard|WireGuard]] page.
-Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles apply regardless of which interface is used.
+The main principles will apply, regardless of the interface used.
 ===== Introduction =====
-Wireguard's fast performance is possible because code is executed inside kernel-space. Other technologies, like OpenVPN, PPTP, or tinc, run in the much slower user-space. Wireguard still uses asymmetric-key technology (like OpenVPN) that is more basic in functionality. However, development is ongoing, and encryption key improvements are expected soon.
+Wireguard's fast performance is possible because code is executed inside kernel-space. Other technologies like OpenVPN, PPTP, or tinc, run in the much slower user-space. Wireguard still uses asymmetric-key technology (like OpenVPN) that is more basic in functionality. However, development is ongoing, and encryption key improvements are expected soon.
-Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there is a peer with a forced keepalive option). A new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler, and faster. By default, Wireguard communicates over UDP port 51820.
+Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there's a peer with a forced keepalive option). A new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler, and faster. By default, Wireguard communicates over UDP port 51820.
-Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and possibly the [[https://github.com/pirate/wireguard-docs|unofficial]] version as well.
+Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and maybe the [[https://github.com/pirate/wireguard-docs|unofficial]] version too.
 ===== Overview =====
-Wireguard is now available in FreshTomato's web interface since release 2024.1. It is also still available via command line.
+Wireguard is now available in FreshTomato's web interface since r2024.1. It is also still available via command line.
-Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code needed to run Wireguard. If you're unsure, try loading the kernel module as follows:
+Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code to run Wireguard.
  \\
+=== Checking if Modules are Available/Running ===
+ \\ If you're unsure, try loading the kernel module as follows:
 <code ->
@@ Line 37: / Line 41: @@
 </code>
-If you see no output, it means Wireguard executed.
+If you see no output, then Wireguard executed.
  \\   \\   \\  You should now be able to find it in the list of loaded modules:
@@ Line 50: / Line 54: @@
  \\
-If Wireguard is not supported on your system, you will see the following error:
+If Wireguard isn't supported on your system, you'll see the following error:
 <code ->
@@ Line 60: / Line 64: @@
 ===== Syntax =====
-The first step is familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
+The first step is to familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
  \\
@@ Line 88: / Line 92: @@
 For example:
- \\
 <code ->
@@ Line 110: / Line 112: @@
 Let's assume there are two devices with these prerequisites:
-  * An ARM-based device with Wireguard in in the firmware build.
+  * An ARM-based device with Wireguard in the firmware build.
   * At least one device with a public IP address.
-  * DDNS configured for the device's public IP address (unless you have static addresses).
+  * DDNS configured for the device's public IP address \\ (Unless you have static addresses).
-  * SSH access available on to both devices.
+  * SSH access available on both devices.
-  * An alternate method of accessing the router, or a host on the LAN accessible via \\ remote access software that doesn't need VPN functionality. The latter is optional \\ but strongly recommended.
+  * An alternate method of accessing the router, or a host on the LAN \\ accessible via remote access software that doesn't need VPN access. \\ The latter is optional but strongly recommended.
  \\
@@ Line 129: / Line 131: @@
  \\
-If that storage becomes unavailable, the VPN won't function. For this example, and the final setup, we will use JFFS. Thus, it is assumed you have a JFFS partition mounted in the filesystem of at: "/jffs".
+If the storage becomes unavailable, the VPN won't function.
+For this example, and the final setup, we'll use JFFS. It's assumed you have a JFFS partition mounted at: "/jffs".
  \\
@@ Line 146: / Line 150: @@
  \\
-The above two key generation programs should have created two files:
+The above two key generation programs should create two files:
 <code ->
@@ Line 158: / Line 162: @@
 The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf".
-**Do not** use the keys from this example. They are fake/hypothetical and only serve as an example.
+**Do not** use the keys from this example. They are hypothetical and only an example.
- \\ The contents of the wg0.conf file on routerA are as follows:
+ \\  \\ The contents of the wg0.conf file on routerA are as follows:
 <code ->
@@ Line 204: / Line 208: @@
  \\
-On a network with private addressing (behind NAT) that is unreachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember that, by default, Wireguard doesn't use keepalive packets.
+On a network with private addressing (behind NAT), unreachable from the Internet, the connection is initiated from the NAT'd device. However, you must force keepalive activity towards the unNAT'd device to maintain the connection. By default, Wireguard doesn't use keepalive packets.
+ \\
-Let's assume routerB is behind an unmanaged NAT device (so your WAN has a private IP) your routerA [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.
+Let's assume routerB is behind an unmanaged NAT device (your WAN has a private IP). Your routerA [peer] definition in wg0.conf will need to have ''PersistentKeepalive'' defined. Doing this keeps the main router mapping table updated, making the defined Wireguard port reachable.
- \\ \\ The necessary changes to the wg0.conf file for this are: \\
+ \\ \\ The necessary changes to wg0.conf for this are: \\
 <code ->
@@ Line 220: / Line 226: @@
  \\
-A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in even 30 seconds of inactivity. However, you can try adjusting this, as needed. Just make sure to to monitor the connection stability when making adjustments.
+A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in just 30 seconds of inactivity. However, you can adjust this, as needed. Just make sure to to monitor the connection stability when making adjustments.
  \\
@@ Line 232: / Line 238: @@
 {{:pasted:20230213-144712.png}}\\  \\
-On a point-to-point connection, we need at least one public IP address or a mapped port. However, it's possible to have two endpoints behind a NAT, as long as they also terminate towards a non-NATed endpoint. The PersistentKeepalive guidance given above will still apply to every NATed endpoint.
+On a point-to-point connection, you need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, if they also terminate towards a non-NAT'd endpoint. The PersistentKeepalive guidance above still applies to every NAT'd endpoint.
@@ Line 240: / Line 246: @@
 <code ->
-wget https://tinyurl.com/28b5rckn -O- | tr -d "\r" > /jffs/wg.sh ; chmod 777 /jffs/wg.sh
+wget https://gist.githubusercontent.com/pedro0311/548622f1700460b2de8814942e9acbfa/raw/dd5270fac5849b7f9dbbe1ea69289bdf800a7f36/wg.sh -O- | tr -d "\r" > /jffs/wg.sh ; chmod 777 /jffs/wg.sh
 </code>

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools