Differences

This shows you the differences between two versions of the page.

--- wireguard_on_freshtomato [2023/07/17 01:52] – [Assumptions:] -resize screenshot "pasted:20230326-205524.png" to 852x406 hogwild
+++ wireguard_on_freshtomato [2024/04/28 16:55] (current) – [Introduction] -remove right bracket hogwild
@@ Line 1: / Line 1: @@
 ====== Wireguard ======
-Wireguard is a revolutionary VPN technology that allows for very fast throughput lowe latency compared to traditional VPN technologies.
+Wireguard is a revolutionary VPN technology that allows for very fast throughput with low latency compared to traditional VPN technologies.
 Here are some rough benchmarks that illustrate the performance differences:
@@ Line 12: / Line 12: @@
 ===== Introduction =====
-Wireguard's exceptional performance is possible because the code is executed within kernel-space. Other technologies, such as OpenVPN, PPTP, or tinc run in user-space which is much slower. Wireguard still uses asymmetric-key technology (similar to OpenVPN) that is more basic in functionality. However, a lot of development is going on right now, and improvements in encryption keys are expected soon.
+Wireguard's exceptional performance is possible because the code is executed within kernel-space. Other technologies, such as OpenVPN, PPTP, or tinc run in user-space which is much slower. Wireguard still uses asymmetric-key technology (similar to OpenVPN) that is more basic in functionality. However, there is a lot of ongoing development, and improvements in encryption keys are expected soon.
-Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless a peer is defined with a forced keepalive option). One new approach taken with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler and faster). Wireguard communicates by default over UDP port 51820.
+Wireguard is not a "talkative" protocol. It tends to send data only when needed (unless a peer is defined with a forced keepalive option). One new approach taken with Wireguard was to completely remove handshaking. Now, data is accepted only if the decryption key works. This makes Wireguard less "chatty", simpler and faster. Wireguard communicates by default over UDP port 51820.
 Before configuring Wireguard, you should consult the official documentation's [[https://www.wireguard.com/quickstart/|Quick Start]] guide, and possibly the [[https://github.com/pirate/wireguard-docs|unofficial]] version as well.
@@ Line 21: / Line 21: @@
 ===== Overview =====
-Until a graphical interface is developed for FreshTomato, Wireguard is available only via command line. Once the basic principles are understood, configuring Wireguard is relatively simple. There are just a few caveats to be aware of. Currently, only ARM-based devices include the code needed to run Wireguard. If you're unsure, you can try loading the kernel module as follows:
+Until Wireguard is integrated into FreshTomato's web interface, it is available only via command line. However, once you understand some basic principles, configuring Wireguard is relatively simple. There are just a few caveats to be aware of. Currently, only ARM-based devices include the code needed to run Wireguard. If you're unsure, you can try loading the kernel module as follows:
  \\
@@ Line 142: / Line 142: @@
 <code ->
 root@routerA:/jffs# ls -l
--rw-r--r--    1 root     root            45 Feb 13 10:51 privateKey_routera
+-rw-r--r--    1 root     root            45 Feb 13 10:51 privateKey_routerA
--rw-r--r--    1 root     root            45 Feb 13 10:51 publicKey_routera
+-rw-r--r--    1 root     root            45 Feb 13 10:51 publicKey_routerA
 </code>
@@ Line 158: / Line 158: @@
 <code ->
 root@routerA:/jffs# cat wg0.conf
-[Interface] # RouterA = local
+[Interface] # routerA = local
-PrivateKey = WOOgLRpUxq3XjGfuP79JHKR/f7dd+/0HkbCR1YMDakU= # This is the generated privateKeyroutera on the local router
+PrivateKey = WOOgLRpUxq3XjGfuP79JHKR/f7dd+/0HkbCR1YMDakU= # This is the generated privateKeyrouterA on the local router
 ListenPort = 51820 # Default port this router listen to, but can be changed if needed
@@ Line 174: / Line 174: @@
 <code ->
 root@routerB:/jffs# cat wg0.conf
-[Interface] # RouterB = local
+[Interface] # routerB = local
-PrivateKey = WOOgLRpUxq3XjGfuP79JHKR/f7dd+/0HkbCR1YMDakU= # This is the generated privateKeyrouterb on the local router
+PrivateKey = WOOgLRpUxq3XjGfuP79JHKR/f7dd+/0HkbCR1YMDakU= # This is the generated privateKeyrouterB on the local router
 ListenPort = 51820 # Default port this router listen to, but can be changed if needed
-[peer] # RouterA = remote
+[peer] # routerA = remote
 Endpoint = rtra.ddns.org:51820 # FDQN:port of Router A
 PublicKey = Pr1EV/OukTXsj0eeEM96mOCW4Jy00iUMIFp24Z93owo= # This is the public key as generated on the remote device.
@@ Line 198: / Line 198: @@
  \\
-On a network with private addressing (behind NAT) that isn't reachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember, by default, Wireguard doesn't use keepalive packets. Let's assume RouterB is behind an unmanaged NAT device (so your WAN has a private IP) your router A [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.
+On a network with private addressing (behind NAT) that isn't reachable from the Internet, the connection will be initiated from the NATed device. However, you'll need to force keepalive activity towards the unNATed device to maintain the connection. Remember, by default, Wireguard doesn't use keepalive packets. Let's assume routerB is behind an unmanaged NAT device (so your WAN has a private IP) your routerA [peer] definition within wg0.conf will need to have the ''PersistentKeepalive'' defined. Doing this allows the main router mapping table to stay updated, and make the defined Wireguard port reachable.
- \\ \\ The necessary changes to the wf0.conf file for this are seen here: \\  \\
+ \\ \\ The necessary changes to the wg0.conf file for this are seen here: \\  \\
 <code ->
-[peer] # RouterA = remote
+[peer] # routerA = remote
 Endpoint = rtra.ddns.org:51820
 PublicKey = Pr1EV/OukTXsj0eeEM96mOCW4Jy00iUMIFp24Z93owo=
@@ Line 247: / Line 247: @@
   * The wg.sh and "wg0.conf" files are complete and require no modification. The entire configuration is \\ automatically generated and stored in the "wg0.conf" file.
- \\ \\ {{:pasted:20230324-065819.png?580}}\\  \\
+ \\ \\ {{:pasted:20230324-065819.png?580}}\\  \\   \\  The script will display an introduction screen:
-The introduction screen in the script:
+ \\ {{:pasted:20230326-205524.png?852}}\\  \\  \\
- \\ \\ {{:pasted:20230326-205524.png?852}}\\  \\  \\
 Running "wg.sh" with the //makeconf//  parameter will guide you through some questions to fully automate the configuration. The result is placed in the: "/tmp/wireguard" folder. Subfolder(s) will be created there, named after the FQDN(s) of each site that is created. Each of these folders contains two files:
@@ Line 262: / Line 260: @@
 You do not need to make any changes to those files. Simply copy them both to the relevant device (preferably jffs). This means you must run the makeconf on any one (and only one) device.\\
-The wg.sh script has been written such that it can be run multiple times, even consecutively. Router and iptables/router rules that are already present in the configuration it creates will not be added again. The script also supports an optional  ''stop''  parameter to unload the wireguard module and remove any relevant configuration it added to the system. Running the script will add a cron reference to selectively check the reachability of every defined VPN endpoint, and remove it from the routing table is they are not to respond. This allows safe fail-back, for example, onto tinc or another VPN protocol/module.
+The wg.sh script has been written such that it can be run multiple times, even consecutively. Router and iptables/router rules that are already present in the configuration it creates will not be added again. The script also supports an optional  ''stop''  parameter to unload the wireguard module and remove any relevant configuration it added to the system. Running the script will add a cron reference to selectively check the reachability of every defined VPN endpoint, and remove it from the routing table so it will not respond. This allows safe fail-back, for example, onto tinc or another VPN protocol/module.

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools