DDWRT WireGuard client setup guide

(to commercial provider)

Introduction
For the latest version see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624

This guide covers the setup of a WireGuard client to a commercial WireGuard VPN Provider.

Setup of WireGuard as a server (i.e. for connecting to your home from outside) is covered here.

WireGuard is a BETA/WIP open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of the problems that have plagued other modern server-to-server VPN offerings like IPsec/IKEv2, OpenVPN, or L2TP.
It can be seen as a replacement for OpenVPN, although it does not have the versatility, possibilities and track record of OpenVPN.
However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as SOHO routers (my own R7800 goes from 90 Mb/s on OpenVPN to 240 Mb/s with WireGuard), and it is easy to set up if you know how. But it is not yet mature and there are sometimes frustrating hiccups.

To work with this guide you need a DDWRT build of 43045 or higher (see: https://svn.dd-wrt.com/changeset/43029).
WireGuard is usually available on routers with 8 MB or more of flash, using at least kernel 3.10 (so not on K2.6 builds).

I will try to keep the guide updated, but your help, remarks and recommendations are crucial in getting this done, so please notify me of any errors, inconsistencies or other things which are noteworthy.

General Remarks
The most important parts of WireGuard are the public/private keys and the Allowed IP's.
The public key is distributed to the peers.
The Allowed IP's serve two roles. The first is routing: the Allowed IP's determine which peer's public key (if there is more than one peer) is used to encrypt a packet.
The second is security: if WireGuard detects a source IP which is not in the Allowed IP's, the packets are discarded.
The keys are 32 bytes long and are represented in Base64 encoding as 44 characters, the last of which is always an =.

DDWRT Wireguard client setup guide by egc, last modified: 21-Feb-21 page 1
Providers
Almost all major VPN providers now offer WireGuard; some only let you use an app and hence do not support setting up WireGuard on a router.

The VPN providers who do support setting up WireGuard on a router almost always do it by providing a setup or conf file with keys and addresses.
How to obtain those setup files depends on your provider, so look at their support site or ask your provider's help desk.

Some providers let you upload your own local Public Key; an example is Mullvad. For a description of how that works, see @Hellakenuts' excellent guide.
Take note: you no longer need to use a script; just enable NAT out via tunnel, use 0.0.0.0/1,128.0.0.0/1 as Allowed IP's (do not use 0.0.0.0/0) and enable Route Allowed IP's.

This guide focuses on setting up for VPN providers which hand out a setup file using a local Private Key.
These include KeepSolid, VPN Unlimited, Azire and more.
As an example I use KeepSolid, which is my own VPN provider and works well.

Step 1 Obtaining a setup (conf) file


This is different per provider. For my own provider I log into my account (called user office) and choose VPN/Manual Configurations/Create Device/Choose WireGuard/Choose server.

Then I click Generate and download my setup file.


Let me know the procedures for obtaining a setup file for other providers so that I can include them
here.

Step 2 Setup file

When the setup file is opened with Notepad or your favourite editor, it looks like this (note there are differences between providers, e.g. not all use a PresharedKey):

[Interface]
PrivateKey = 2EzUYqrpv/FP6f31h7Zsi2wii3YdiwlGtFSGJmW+a2c=
ListenPort = 51820
Address = 10.100.0.139/32
DNS = 10.100.0.1

[Peer]
PublicKey = gAyw0BluPeJFrKNSuieYdTQXGttf2rNVU1Rg3VrP5Sk=
PresharedKey = Ag+IEIT5CgVwpwDppzfjbxtnyaqVWJn35z7+gjaT6co=
AllowedIPs = 0.0.0.0/0
Endpoint = 77.81.98.70:51820
PersistentKeepalive = 25

Basically this is all we need to set up the DDWRT router.

Step 3 set up the WireGuard Tunnel


Open the router's GUI in your favourite web browser, go to Setup>Basic Setup>Tunnels and click Add Tunnel:

Click Enable and choose Protocol type: WireGuard:

Step 4 add Tunnel settings


From the setup file fill in the right settings:
1. CVE-2019-14899 Mitigation: Enable (for a site-to-site setup: Disable)
2. NAT via Tunnel: Enable
3. Local Port = ListenPort from the setup file; in this case it is the standard port, but different providers will use different ports: 51820
4. MTU: leave at the default 1440 (or use 1420 if IPv6 is used).
If your provider also supports IPv6 then you should choose 1420, otherwise you will get MTU problems (see the troubleshooting section of the WireGuard Server setup guide).
5. Local Public Key: leave alone. It is only important for providers wanting your local Public Key; in that case this is the one to upload to your provider (after you click the Generate Key button).
6. DNS servers via tunnel: 10.100.0.1. This is optional, for when you want to use the DNS server from the provider.
7. Enable Advanced Settings to enter the Private Key.
8. Local Private Key: copy the Private Key from the settings file into the box (it is easier to first delete the contents if there is already a prior Private Key):
2EzUYqrpv/FP6f31h7Zsi2wii3YdiwlGtFSGJmW+a2c=
(The corresponding local Public Key will become visible after Save and Apply Settings, after the key has been calculated and after changing the page.)
9. IP address/Netmask: 10.100.0.139/24. Although /32 is specified, DDWRT works best with a subnet of /24.
Older builds have separate boxes for IP address and Subnet mask; for converting your netmask from CIDR (/xx) to dotted decimal (xxx.xxx.xxx.xxx), you can use this conversion table or this calculator tool.

So in this case it should be 255.255.255.255, but usually it works best with just 255.255.255.0. I think that holds true for all providers, but I have not tested them.
The end result:

Save and Apply Settings

Step 5 setting up the Peer


1. Click: Add Peer
2. Give the Peer a name: replace Peer with the name of your choice. I chose KeepSolid because that is my provider 😊
3. Endpoint: Enable
4. Endpoint Address: 77.81.98.70, port 51820
5. Allowed IP's: 0.0.0.0/1,128.0.0.0/1 (addresses are in CIDR notation and comma delimited)
Important: do not use 0.0.0.0/0!
6. Route Allowed IP's via Tunnel: Enable
7. Persistent Keepalive: 25
8. Peer Public Key: gAyw0BluPeJFrKNSuieYdTQXGttf2rNVU1Rg3VrP5Sk=

9. Use Pre-share key (not all providers use this): Enable
10. Pre-Shared Key: Ag+IEIT5CgVwpwDppzfjbxtnyaqVWJn35z7+gjaT6co=
11. Save and Apply Settings

It is good practice to reboot, but it usually also works without.
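As an added example, not code from the guide or from DD-WRT, a Python helper that reads a provider conf like the one in Step 2 and returns the values to enter on the Tunnel (Step 4) and Peer (Step 5) pages, applying the guide's rules: keys must be 44 Base64 characters ending in '=', the file's /32 becomes /24, and 0.0.0.0/0 is rewritten as 0.0.0.0/1,128.0.0.0/1. The sample file is constructed (its key strings are the page's own samples) and 'Endpoint Port' is my name for the port box next to Endpoint Address.

```python
import base64
import ipaddress
import re
# Constructed provider file laid out like the one in Step 2 (the key strings are the page's samples).
SAMPLE_CONF = """[Interface]
PrivateKey = 2EzUYqrpv/FP6f31h7Zsi2wii3YdiwlGtFSGJmW+a2c=
ListenPort = 51820
Address = 10.100.0.139/32
DNS = 10.100.0.1
[Peer]
PublicKey = gAyw0BluPeJFrKNSuieYdTQXGttf2rNVU1Rg3VrP5Sk=
PresharedKey = Ag+IEIT5CgVwpwDppzfjbxtnyaqVWJn35z7+gjaT6co=
AllowedIPs = 0.0.0.0/0
Endpoint = 77.81.98.70:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """[Section] / Key = Value parser; split on the first '=' only, because key values end in '='."""
    sections, current = {}, None
    for line in filter(None, (raw.split('#', 1)[0].strip() for raw in text.splitlines())):
        if line[0] == '[':
            current = sections.setdefault(line.strip('[]'), {})
        else:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip()
    return sections

def is_wg_key(key):
    """A WireGuard key is 32 random bytes: 44 Base64 characters, the last of which is always '='."""
    return bool(re.fullmatch(r'[A-Za-z0-9+/]{43}=', key)) and len(base64.b64decode(key)) == 32

def ddwrt_settings(conf_text):
    """Map the provider file onto the DD-WRT Tunnel (Step 4) and Peer (Step 5) fields."""
    conf = parse_wg_conf(conf_text)
    iface, peer = conf['Interface'], conf['Peer']
    keys = {'Local Private Key': iface['PrivateKey'], 'Peer Public Key': peer['PublicKey'],
            **({'Pre-Shared Key': peer['PresharedKey']} if 'PresharedKey' in peer else {})}
    if bad := [name for name, k in keys.items() if not is_wg_key(k)]:
        raise ValueError('malformed key(s): ' + ', '.join(bad))
    host, port = peer['Endpoint'].rsplit(':', 1)  # the GUI has separate address and port boxes
    return {
        'Local Port': iface.get('ListenPort', '51820'),
        'IP address/Netmask': f'{ipaddress.ip_interface(iface["Address"]).ip}/24',  # guide: /24, not /32
        'DNS servers via tunnel': iface.get('DNS', ''),
        'Endpoint Address': host, 'Endpoint Port': port,
        "Allowed IP's": peer['AllowedIPs'].replace('0.0.0.0/0', '0.0.0.0/1,128.0.0.0/1'),  # never /0
        'Persistent Keepalive': peer.get('PersistentKeepalive', '25'),
        'Use Pre-share key': 'PresharedKey' in peer, **keys,
    }
```

A key that fails the length or alphabet check is reported before anything else is mapped, which catches the usual copy-paste mistake of a dropped trailing '=' or a stray newline.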

Step 6 checking the connection


To check a connection, first look in the WireGuard Status window; press F5 (some browsers need CTRL + F5) to refresh, or just change pages/tabs.
Here you can see that a handshake has taken place and traffic is flowing in both directions.

Next check if routing is OK and your clients are indeed using the tunnel.
Use your web browser to see what your public IP address is (take note: it can take 1-2 minutes before the connection is established).
Instead of the public IP from your ISP it should show the IP address of the WireGuard server, in this case in Romania.
I use https://ipleak.net and https://dnsleaktest.com:

You can get more information by using the command line interface (SSH/PuTTY/telnet) to connect to your router (the login name is always root) and running:
wg

You can see that the handshake took place and, under transfer, that traffic is flowing in both directions.
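An added example, not from the guide: a Python checker that reads the machine-readable `wg show oet1 dump` output (the upstream wg tool's dump subcommand, assumed to be present on DD-WRT's build of wg) and gives the same verdict you would reach by eye from the handshake and transfer lines. The sample dump, the 198.51.100.7 second peer and the 180 s staleness threshold are constructed.

```python
import time

# Constructed sample of `wg show oet1 dump` (tab separated). Line 1: private key, public key,
# listen port, fwmark. Each further line: peer public key, preshared key, endpoint, allowed IPs,
# latest handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive. Keys abbreviated.
SAMPLE_DUMP = (
    "PRIVATE_KEY_HERE\tLOCAL_PUBLIC_KEY\t51820\toff\n"
    "gAyw0BluPeJFrKNSuieYdTQXGttf2rNVU1Rg3VrP5Sk=\t(psk)\t77.81.98.70:51820\t"
    "0.0.0.0/1,128.0.0.0/1\t1613865600\t1289476\t874112\t25\n"
    "SECOND_PEER_PUBLIC_KEY\t(none)\t198.51.100.7:51820\t10.200.0.0/24\t0\t0\t148\t25\n"
)
PEER_FIELDS = ('public_key', 'preshared_key', 'endpoint', 'allowed_ips',
               'latest_handshake', 'rx_bytes', 'tx_bytes', 'keepalive')

def parse_wg_dump(text):
    """Return (interface dict, list of peer dicts) with the counters converted to int."""
    rows = [line.split('\t') for line in text.strip().splitlines()]
    iface = dict(zip(('private_key', 'public_key', 'listen_port', 'fwmark'), rows[0]))
    peers = [dict(zip(PEER_FIELDS, row)) for row in rows[1:]]
    for p in peers:
        for k in ('latest_handshake', 'rx_bytes', 'tx_bytes'):
            p[k] = int(p[k])
    return iface, peers

def tunnel_status(text, now=None, max_age=180):
    """Classify each peer the way Step 6 does by eye: a recent handshake plus bytes in both
    directions means up. max_age (assumed 3 min) allows for WireGuard's periodic rekey plus
    the 25 s keepalive; older than that with keepalive on means the peer went away."""
    now = time.time() if now is None else now
    report = {}
    for p in parse_wg_dump(text)[1]:
        age = now - p['latest_handshake']
        if p['latest_handshake'] == 0:
            verdict = 'no handshake ever: check keys, endpoint address and port'
        elif age > max_age:
            verdict = f'stale handshake ({int(age)} s ago): peer or route is down'
        elif p['rx_bytes'] == 0 or p['tx_bytes'] == 0:
            verdict = "handshake ok but traffic one way only: check Allowed IP's and routing"
        else:
            verdict = 'up'
        report[p['public_key']] = verdict
    return report
```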

DNS settings
Builds starting with 44980 can set the DNS server to use when WireGuard is active.
Place at least one Static DNS server on the Setup page which is publicly available, like 9.9.9.9 or another one of your liking.
Make sure Query DNS in strict order (Services page) is ticked (enabled).
Place the DNS server from your provider (10.100.0.1, see step 2) in the DNS servers via tunnel field, and reboot the router.
This adds that DNS server at the top of /tmp/resolv.dnsmasq and adds a route via the tunnel for that DNS server.
If you specify more than one DNS server (delimited with a comma), all will be routed via the tunnel, but the last one will be used first.

For builds prior to 44980 you can use the DNS server from the provider by setting it as Static DNS 1 on the Setup page and making sure Query DNS in strict order (Services page) is ticked (enabled), BUT that only works if the DNS server is publicly available!
In this case the DNS server from my provider (10.100.0.1, see step 2) is not publicly available and can only be used with some tricks.
The problem is that this DNS server is only available when the tunnel is up, and to set up the tunnel the router needs a functioning DNS server to get the right time and to resolve an endpoint URL for WireGuard.
Depending on your setup it might work if you specify an IP address as time server and an IP address for the endpoint, so that the tunnel will start and DNS is resolved through the tunnel.

DNS servers which are not publicly available have an IP address in the ranges 10.x.x.x, 192.168.x.x, 172.16-31.x.x, 192.18-19.x.x or 100.64-127.x.x.

For some further reading about DNS leaks see the guide about DNS problems:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

Options settings

Policy Based Routing


Policy Based Routing (PBR) will only route the IP addresses in the PBR field via the tunnel.
All other traffic will use the WAN.
The IP addresses are entered as a comma-delimited list (no comma at the beginning and none at the end) in CIDR notation.
When the list starts with a #, PBR is disabled (so you can preserve the list); entries starting with # are not added.
If you have set your DHCP client range to .64 - .127 (the router's own IP address is the standard 192.168.1.1), you can easily set this range to use the VPN by entering: 192.168.1.64/26.
I also want my own address 192.168.1.20 and the addresses 192.168.1.40 and 192.168.1.41 to use the VPN; the end result will look like this:

Firewall Inbound: Enabled (checked)

For a commercial VPN provider it is advised to enable (check) the inbound firewall for extra security. Note that when using WireGuard as a server this will block incoming traffic, so the server will not work.

Kill Switch: Enabled (checked)


The kill switch is intelligent: when PBR is used, only the IP addresses in the PBR field are blocked from accessing the WAN, and if you do not use PBR all LAN clients connected to br0 are blocked.
Take note: only traffic coming from clients connected via br0 is blocked, so if you have made your own unbridged interfaces you have to block them by hand!
Also always check if the kill switch is working!
See page 15 of the WireGuard Server setup guide.

Advanced routing when using Policy Based Routing (stopping DNS leak)
When using PBR only certain clients use the tunnel.
You can however use destination-based routing, where you specify certain destinations to always use the tunnel. This is useful to stop a DNS leak (the DNS server using the WAN instead of the tunnel).
This can be accomplished by adding the destination you want to use the tunnel to the Allowed IP's.
If I want my DNS servers 8.8.8.8 and 9.9.9.9 to use the tunnel, I just add those addresses to the Allowed IP's:
8.8.8.8/32,9.9.9.9/32,0.0.0.0/1,128.0.0.0/1
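As an added illustration of the two roles of the Allowed IP's described in the General Remarks, using the list from this section, a Python model of WireGuard's cryptokey routing (not code from the guide or from WireGuard). The provider peer is joined by a hypothetical second peer (name and 10.200.0.0/24 invented) so the longest-prefix selection has something to choose between.

```python
import ipaddress

# Constructed peer table: the provider peer with the Allowed IP's from this section, plus a
# hypothetical second peer (name and 10.200.0.0/24 invented) so there is something to choose between.
PEERS = {
    'KeepSolid': ['8.8.8.8/32', '9.9.9.9/32', '0.0.0.0/1', '128.0.0.0/1'],
    'site-b (hypothetical)': ['10.200.0.0/24'],
}

def allowed_table(peers):
    """Flatten {peer: [cidr, ...]} into (network, peer) pairs, most specific prefix first."""
    rows = [(ipaddress.ip_network(c), name) for name, cidrs in peers.items() for c in cidrs]
    return sorted(rows, key=lambda row: row[0].prefixlen, reverse=True)

def peer_for_destination(table, dst):
    """Role 1 (routing): the peer owning the most specific matching Allowed IP gets the packet,
    encrypted to its public key. None means no peer matches and WireGuard drops the packet."""
    ip = ipaddress.ip_address(dst)
    return next((name for net, name in table if ip in net), None)

def accept_inbound(table, from_peer, inner_src):
    """Role 2 (security): a decrypted packet is kept only if its inner source address belongs to
    the sending peer's Allowed IP's; anything else is discarded, even though it decrypted fine."""
    return peer_for_destination(table, inner_src) == from_peer

def covers_all_ipv4(cidrs):
    """True when the list is equivalent to 0.0.0.0/0, as the guide's two halves are."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network('0.0.0.0/0')]
```

Because 10.200.0.0/24 is owned by the second peer, a packet for 10.200.0.7 is never sent to the provider even though 0.0.0.0/1 would textually match, and a packet arriving from the provider with that inner source is discarded.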

Excluding destinations from using the tunnel (static routing)


If you want to exclude certain destinations from using the tunnel you can do this with static routing.
Use the CLI (telnet/PuTTY) to add the routing rule.
If it works you can add it to Administration/Commands and Save as Startup.
In this example Google's DNS server (8.8.8.8) is not routed via the tunnel but via the WAN:
ip route add 8.8.8.8/32 via $(nvram get wan_gateway) dev $(get_wanface)
Instead of Google's address use your own destination address or subnet (use CIDR notation).

Troubleshooting
Unfortunately WireGuard is not a chatty protocol (that is because of safety), so it either works or it does not, and it is not telling you why not ☹

It can take some minutes before the interface comes up so be patient.

If it is not working, carefully check your settings. You can also check from the command line if you entered the right private key: wg showconf oet1

For some more troubleshooting tips see the Troubleshooting section in the WireGuard Server setup
guide

Miscellaneous
For builds prior to 43045 you can set the private key manually by telnetting/PuTTY to your router and entering (do not enter the []):
nvram set oet1_private=[privatekey]
nvram commit
After this, reboot.

(This assumes that this is the first WireGuard tunnel (oet1) running on your router; when in doubt, see the next steps to check whether your interface is indeed oet1.)
