Differences

This shows you the differences between two versions of the page.

--- wireguard_on_freshtomato [2024/10/10 17:17] – [Overview] -Condense, add Head4 "Checking if Modules are Available/Running" hogwild
+++ wireguard_on_freshtomato [2025/11/12 21:57] (current) – [Web interface or command-line configuration] -Update intro and add link to main WireGuard page hogwild
@@ Line 11: / Line 11: @@
 ===== Web interface or command-line configuration =====
-Release 2024.1 and later include Wireguard in the web interface. Configuration is also still available via command line. Instructions on this wiki page detail how to configure Wireguard via the command-line interface. Instructions for the graphical web interface will follow later. The main principles apply regardless of the interface used.
+r2024.1 and later allow Wireguard configuration via the web interface. Configuration is still available via command line as well. The instructions on this page explain how to configure WireGuard via the command-line interface. If you want to use the web interface instead, please see the main [[vpn-wireguard|WireGuard]] page.
+The main principles will apply, regardless of the interface used.
@@ Line 20: / Line 22: @@
 Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless there's a peer with a forced keepalive option). A new approach with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler, and faster. By default, Wireguard communicates over UDP port 51820.
-Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and possibly the [[https://github.com/pirate/wireguard-docs|unofficial]] version as well.
+Before configuring Wireguard, consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and maybe the [[https://github.com/pirate/wireguard-docs|unofficial]] version too.
 ===== Overview =====
-Wireguard is now available in FreshTomato's web interface since release 2024.1. It is also still available via command line.
+Wireguard is now available in FreshTomato's web interface since r2024.1. It is also still available via command line.
-Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code needed to run Wireguard.
+Once you understand some basic principles, it is fairly simple to configure. Currently, only ARM-based devices include the code to run Wireguard.
-=== Checking if Modules are Available/Running ===
  \\
-If you're unsure, try loading the kernel module as follows:
+=== Checking if Modules are Available/Running ===
+ \\ If you're unsure, try loading the kernel module as follows:
 <code ->
@@ Line 39: / Line 41: @@
 </code>
-If you see no output, it means Wireguard executed.
+If you see no output, then Wireguard executed.
  \\   \\   \\  You should now be able to find it in the list of loaded modules:
@@ Line 62: / Line 64: @@
 ===== Syntax =====
-The first step is familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
+The first step is to familiarize yourself with the ''wg'' command. For this, typing: ''wg help'' is a great place to start.
  \\
@@ Line 90: / Line 92: @@
 For example:
- \\
 <code ->
@@ Line 131: / Line 131: @@
  \\
-If that storage becomes unavailable, the VPN won't function. For this example, and the final setup, we will use JFFS. Thus, it is assumed you have a JFFS partition mounted in the filesystem of at: "/jffs".
+If the storage becomes unavailable, the VPN won't function.
+For this example, and the final setup, we'll use JFFS. It's assumed you have a JFFS partition mounted at: "/jffs".
  \\
@@ Line 148: / Line 150: @@
  \\
-The above two key generation programs should have created two files:
+The above two key generation programs should create two files:
 <code ->
@@ Line 160: / Line 162: @@
 The content of these files must be added to the configuration file. In this case, we will call that file: "wg0.conf".
-**Do not** use the keys from this example. They are fake/hypothetical and only serve as an example.
+**Do not** use the keys from this example. They are hypothetical and only an example.
- \\ The contents of the wg0.conf file on routerA are as follows:
+ \\  \\ The contents of the wg0.conf file on routerA are as follows:
 <code ->
@@ Line 206: / Line 208: @@
  \\
-On a network with private addressing (behind NAT) that is unreachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember that, by default, Wireguard doesn't use keepalive packets.
+On a network with private addressing (behind NAT), unreachable from the Internet, the connection is initiated from the NAT'd device. However, you must force keepalive activity towards the unNAT'd device to maintain the connection. By default, Wireguard doesn't use keepalive packets.
+ \\
-Let's assume routerB is behind an unmanaged NAT device (so your WAN has a private IP) your routerA [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.
+Let's assume routerB is behind an unmanaged NAT device (your WAN has a private IP). Your routerA [peer] definition in wg0.conf will need to have ''PersistentKeepalive'' defined. Doing this keeps the main router mapping table updated, making the defined Wireguard port reachable.
- \\ \\ The necessary changes to the wg0.conf file for this are: \\
+ \\ \\ The necessary changes to wg0.conf for this are: \\
 <code ->
@@ Line 222: / Line 226: @@
  \\
-A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in even 30 seconds of inactivity. However, you can try adjusting this, as needed. Just make sure to to monitor the connection stability when making adjustments.
+A //PersistentKeepalive// value of 25 seconds is best practice, since a typical NAT mapping can expire in just 30 seconds of inactivity. However, you can adjust this, as needed. Just make sure to to monitor the connection stability when making adjustments.
  \\
@@ Line 234: / Line 238: @@
 {{:pasted:20230213-144712.png}}\\  \\
-On a point-to-point connection, we need at least one public IP address or a mapped port. However, it's possible to have two endpoints behind a NAT, as long as they also terminate towards a non-NATed endpoint. The PersistentKeepalive guidance given above will still apply to every NATed endpoint.
+On a point-to-point connection, you need at least one public IP address or mapped port. However, it's possible to have two endpoints behind a NAT, if they also terminate towards a non-NAT'd endpoint. The PersistentKeepalive guidance above still applies to every NAT'd endpoint.
@@ Line 242: / Line 246: @@
 <code ->
-wget https://tinyurl.com/28b5rckn -O- | tr -d "\r" > /jffs/wg.sh ; chmod 777 /jffs/wg.sh
+wget https://gist.githubusercontent.com/pedro0311/548622f1700460b2de8814942e9acbfa/raw/dd5270fac5849b7f9dbbe1ea69289bdf800a7f36/wg.sh -O- | tr -d "\r" > /jffs/wg.sh ; chmod 777 /jffs/wg.sh
 </code>

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools