FreshTomato Wiki

User Tools

Site Tools

Trace:
wireguard_on_freshtomato

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
wireguard_on_freshtomato [2024/10/10 17:13] – [Introduction] -Condense hogwildwireguard_on_freshtomato [2024/11/27 21:54] (current) – [Syntax] hogwild
Line 11: Line 11:
 ===== Web interface or command-line configuration ===== ===== Web interface or command-line configuration =====
  
-Release 2024.1 and later include Wireguard in the web interface. Configuration is also still available via command line. Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles apply regardless of the interface used.+Release 2024.1 and later allow Wireguard configuration in the web interface. Configuration is also still available via command line. Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles apply regardless of the interface used.
  
  
Line 20: Line 20:
 Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there's a peer with a forced keepalive option). A new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler, and faster. By default, Wireguard communicates over UDP port 51820. Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there's a peer with a forced keepalive option). A new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler, and faster. By default, Wireguard communicates over UDP port 51820.
  
-Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and possibly the [[https://github.com/pirate/wireguard-docs|unofficial]] version as well.+Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and maybe the [[https://github.com/pirate/wireguard-docs|unofficial]] version too.
  
  
Line 27: Line 27:
 Wireguard is now available in FreshTomato's web interface since release 2024.1. It is also still available via command line. Wireguard is now available in FreshTomato's web interface since release 2024.1. It is also still available via command line.
  
-Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code needed to run Wireguard. If you're unsure, try loading the kernel module as follows:+Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code needed to run Wireguard.
  
  \\  \\
 +
 +=== Checking if Modules are Available/Running ===
 +
 + \\ If you're unsure, try loading the kernel module as follows:
  
 <code -> <code ->
Line 48: Line 52:
  \\  \\
  
-If Wireguard is not supported on your system, you will see the following error:+If Wireguard isn'supported on your system, you'll see the following error:
  
 <code -> <code ->
Line 58: Line 62:
 ===== Syntax ===== ===== Syntax =====
  
-The first step is familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.+The first step is to familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
  
  \\  \\
Line 86: Line 90:
  
 For example: For example:
- 
- \\ 
  
 <code -> <code ->
Line 127: Line 129:
  \\  \\
  
-If that storage becomes unavailable, the VPN won't function. For this example, and the final setup, we will use JFFS. Thus, it is assumed you have a JFFS partition mounted in the filesystem of at: "/jffs".+If the storage becomes unavailable, the VPN won't function. 
 + 
 +For this example, and the final setup, we'll use JFFS. It'assumed you have a JFFS partition mounted at: "/jffs".
  
  \\  \\
Line 144: Line 148:
  \\  \\
  
-The above two key generation programs should have created two files:+The above two key generation programs should create two files:
  
 <code -> <code ->
Line 156: Line 160:
 The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf". The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf".
  
-**Do not** use the keys from this example. They are fake/hypothetical and only serve as an example.+**Do not** use the keys from this example. They are hypothetical and only an example.
  
- \\ The contents of the wg0.conf file on routerA are as follows:+ \\  \\ The contents of the wg0.conf file on routerA are as follows:
  
 <code -> <code ->
Line 202: Line 206:
  \\  \\
  
-On a network with private addressing (behind NAT) that is unreachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember that, by default, Wireguard doesn't use keepalive packets.+On a network with private addressing (behind NAT)unreachable from the Internet, the connection is initiated from the NAT'device. However, you must force keepalive activity towards the unNAT'device to maintain the connection. By default, Wireguard doesn't use keepalive packets. 
 + 
 + \\
  
-Let's assume routerB is behind an unmanaged NAT device (so your WAN has a private IP) your routerA [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.+Let's assume routerB is behind an unmanaged NAT device (your WAN has a private IP). Your routerA [peer] definition in wg0.conf will need to have ''PersistentKeepalive'' defined. Doing this keeps the main router mapping table updated, making the defined Wireguard port reachable.
  
- \\ \\ The necessary changes to the wg0.conf file for this are: \\+ \\ \\ The necessary changes to wg0.conf for this are: \\
  
 <code -> <code ->
Line 218: Line 224:
  \\  \\
  
-A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in even 30 seconds of inactivity. However, you can try adjusting this, as needed. Just make sure to to monitor the connection stability when making adjustments.+A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in just 30 seconds of inactivity. However, you can adjust this, as needed. Just make sure to to monitor the connection stability when making adjustments.
  
  \\  \\
Line 230: Line 236:
 {{:pasted:20230213-144712.png}}\\  \\ {{:pasted:20230213-144712.png}}\\  \\
  
-On a point-to-point connection, we need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, as long as they also terminate towards a non-NATed endpoint. The PersistentKeepalive guidance given above will still apply to every NATed endpoint.+On a point-to-point connection, you need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, if they also terminate towards a non-NAT'endpoint. The PersistentKeepalive guidance above still applies to every NAT'endpoint.
  
  
wireguard_on_freshtomato.1728576837.txt.gz · Last modified: 2024/10/10 17:13 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki