
DDWRT Wireguard Server Setup Guide v49

This document provides a guide for setting up Wireguard VPN on DD-WRT routers. It covers configuring the router as a Wireguard server and installing client apps on Android, Windows, iOS and Linux. It also discusses optional settings like IPv6 support and using the router as a DNS server.

Uploaded by SergeGardien

DDWRT Wireguard (server) setup guide

Latest version see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206

Introduction
WireGuard is an open-source VPN solution written in C by Jason Donenfeld and others, aiming to fix many of
the problems that have plagued other modern server-to-server VPN offerings like IPSec/IKEv2, OpenVPN, or
L2TP.
It can be seen as a replacement for OpenVPN, although it does not have the versatility, possibilities and track
record of OpenVPN.
However, it has two advantages over OpenVPN: it is much faster, especially on lower-spec hardware such as
SOHO routers (my own R7800 goes from 85 Mb/s with OpenVPN to 270 Mb/s with WireGuard), and it is easy to
set up if you know how; this guide will help you with that.

Some key points about WireGuard:

• Layer 3 only, no bridging
• UDP only, punches through firewalls
• Key-based authentication, like SSH
• Executes in the Linux kernel
• Static routing only

What makes it so much faster than OpenVPN is not the cryptography, which is more or less the same (public/private
keys are used to calculate/exchange a session key, with PFS, for symmetric encryption). It is the fact that everything is
done in kernel space, while OpenVPN has to constantly switch between user and kernel space.
Inherently, executing in kernel space is less secure: if the implementation is broken, you are compromised big
time.
Another disadvantage is that it only supports static routing, so if you use WireGuard to connect to a
commercial VPN provider they keep track of your IP address.
A lot of VPN providers are taking measures to mitigate this by using double NAT or special no-log servers
(https://www.azirevpn.com/docs/security), but be sure to look into it.

WireGuard is usually available on routers with 8 MB of flash or more (there are a few exceptions) running
at least kernel 3.10 (so not on K2.6 builds).

This guide walks you through the setup of WireGuard on DDWRT and covers setup as a WireGuard server,
setup of Android and Windows clients, and setup of DDWRT as a client.
Other useful guides: WireGuard client setup guide and WireGuard Advanced setup guide

This guide is not free from errors and inconsistencies, so please report your remarks, inconsistencies or
questions in the Advanced Networking Forum.

If you are new to DDWRT/networking/iptables you probably will not understand everything; no worries, just
use it as a cook-book and follow the steps.
In small print I have added some explanation but that is not necessary to get things working 😊

General Remarks
The most important parts of WireGuard are the public/private keys and the Allowed IPs.
The public key is distributed to the peers.
The Allowed IPs serve two roles. The first is that the Allowed IPs are used to decide which peer's public key
(if there is more than one peer) should be used to encrypt the packets.
Therefore the Allowed IPs must be unique for each peer!

DDWRT Wireguard setup guide by egc, last modified: 14-Aug-23 page 1


The second one is security: if WireGuard detects a source IP which is not in the Allowed IPs for that peer, the
packets are discarded.
The keys are 32 bytes long and are represented in Base64 encoding as 44 characters; the last
character is always an =.

To work with this guide you need DDWRT build 52242 or higher.
See the forum guidelines for where to download firmware.

As WireGuard is a routed solution, all three subnets involved have to be different. So the server's subnet, the
WG subnet and the client's subnet all have to be different!

Furthermore, testing can only be done from outside, e.g. with your phone or laptop on cellular data or from a
friend's/neighbour's internet connection.
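The following Python script is an added example (it is not part of egc's guide) that models the two roles of the Allowed IPs described above, using the addresses this guide uses later on: the phone at 10.4.0.6/32, the Windows client at 10.4.0.7/32 and the DDWRT client router at 10.4.0.5/32 plus its LAN 192.168.5.0/24 (the peer of the "DDWRT as client" chapter). It also checks the key format (44 Base64 characters ending in =, decoding to 32 bytes) and that the three subnets of a routed setup do not overlap. The keys are constructed placeholders, not real keys.

```python
import base64
import ipaddress

# Constructed placeholder keys: 32 bytes each, which Base64 encodes to 44 chars ending in "=".
KEYS = {name: base64.b64encode(bytes([n]) * 32).decode()
        for n, name in enumerate(["Phone", "Windows", "R7800"], start=1)}


def is_valid_wg_key(key):
    """Check the encoding the guide describes: 44 Base64 chars, last is '=', 32 raw bytes."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


class Peer:
    def __init__(self, name, public_key, *cidrs):
        if not is_valid_wg_key(public_key):
            raise ValueError(f"{name}: malformed public key")
        self.name = name
        self.public_key = public_key
        # strict=True rejects e.g. 192.168.1.1/24: the guide's "last digit must be 0" rule.
        self.allowed_ips = [ipaddress.ip_network(c) for c in cidrs]


class CryptokeyTable:
    """The server's view: which peer owns which Allowed IPs."""

    def __init__(self, peers):
        self.peers = list(peers)
        seen = {}
        for p in self.peers:
            for net in p.allowed_ips:
                if net in seen:  # role 1 needs exactly one answer per address
                    raise ValueError(f"{net} is allowed for both {seen[net]} and {p.name}")
                seen[net] = p.name

    def select_peer(self, dst):
        """Role 1: outbound, pick the peer (and so the key) by longest Allowed IP prefix."""
        addr = ipaddress.ip_address(dst)
        best = None
        for p in self.peers:
            for net in p.allowed_ips:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (p, net)
        return best[0] if best else None

    def accept_inbound(self, peer, src):
        """Role 2: a decrypted packet from peer is dropped unless src is in that peer's Allowed IPs."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in peer.allowed_ips)


def has_allowed_ip_clash(peers):
    """True when two peers claim the same Allowed IP (the guide's uniqueness rule)."""
    try:
        CryptokeyTable(peers)
        return False
    except ValueError:
        return True


def subnets_are_distinct(*cidrs):
    """Routed-VPN rule from the guide: server LAN, WG subnet and client LAN must not overlap."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


PHONE = Peer("Phone", KEYS["Phone"], "10.4.0.6/32")
WINDOWS = Peer("Windows", KEYS["Windows"], "10.4.0.7/32")
R7800 = Peer("R7800", KEYS["R7800"], "10.4.0.5/32", "192.168.5.0/24")
TABLE = CryptokeyTable([PHONE, WINDOWS, R7800])

if __name__ == "__main__":
    for dst in ("10.4.0.6", "192.168.5.20", "8.8.8.8"):
        peer = TABLE.select_peer(dst)
        print(dst, "->", peer.name if peer else "no peer (dropped)")
    print("spoofed 10.4.0.9 claiming to be Phone accepted?", TABLE.accept_inbound(PHONE, "10.4.0.9"))
```

Running it shows why a roaming client gets a /32 and why the DDWRT client router also needs its LAN listed: 192.168.5.20 only finds a key through the 192.168.5.0/24 entry, and a packet arriving from the phone's tunnel with a source outside 10.4.0.6/32 is dropped.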



Table of Contents
Introduction ... 1
General Remarks ... 1
DDWRT as Wireguard server ... 4
Android Client ... 7
Windows Client ... 10
iOS Client ... 14
Linux (Ubuntu 20.04 LTS) Client ... 14
DDWRT as client ... 15
    Now head back to the DDWRT Wireguard Client ... 17
IPv6 leaking on Clients ... 19
IPv6 running on Server ... 19
Preshared Key ... 20
Optional Settings ... 21
Router in Wireless Access Point Mode (WAP) ... 21
Accessing routers NAS from the internet ... 21
Using the Wireguard server/router as DNS server ... 21
Obfuscation ... 21
Troubleshooting ... 22
    Some information from wg and how to interpret ... 23
Mitigating attacks on the WireGuard Server ... 23
Known problems and solutions ... 23
    Be Patient ... 23
    MTU size problems (Connection, but hang, slow loading, no streaming media, no RDP, packet loss etc.) ... 23
    Connection checking and tracking ... 24
    Missing firewall rules ... 24
    Shortcut Forwarding Engine (SFE) ... 24
    Using CPU governor ... 24
    Default route kicking in too soon ... 24
    Manual stopping and starting ... 25
    "WAN" interface not detected ... 25
    Running multiple tunnels ... 25
    Tunnel does not start on reboot ... 25
    DNSMasq not resolving domain name ... 25
References ... 26
Wireguard server in the cloud ... 26
    Setup Oracle free OpenVPN cloud server ... 26
    Amazon Web services (AWS) ... 26
Changelog ... 26



DDWRT as Wireguard server
Although this chapter is titled setup as WireGuard server, it is actually a peer-to-peer network; it is only the
firewall and iptables rules that make it a server or a client.
So to begin, do the following:
1. In the DDWRT GUI go to Setup/Tunnels
2. Add Tunnel
3. Tunnel: Enable
4. Protocol Type: WireGuard
5. CVE-2019-14899 Mitigation: Disable, see next paragraph
6. Tunnel Obfuscation: Disable. This is for obfuscating tunnel traffic in case a firewall is blocking
WireGuard traffic, but it only works if the client also has Obfuscation enabled.
7. NAT via tunnel: Disable. As this is our own server and we know its subnet, we can take that into
account when connecting our peers.
8. Set the local port to 51810. You can use any port you want as long as it is not used by other services,
but be careful: all peers have to use the same local port. (The default WireGuard port (51820) should
not be used if you use other non-WireGuard tunnels.)
9. MTU size: this will be automatically calculated, so leave empty (for IPv4 it defaults to 1440 (or 1432
for PPPoE), for IPv6 it defaults to 1420 (or 1412 for PPPoE)). When in doubt use the safer 1420/1412
value.
10. Click Generate Key, this is your Public key which you have to distribute to the other peers
11. Firewall Inbound: Disabled (unchecked), as this is the server the tunnel has to accept incoming (new)
connections.
12. Kill Switch: Disable (unchecked), we do not want to stop normal traffic from using the WAN.
13. Advanced Settings: Show
14. Allow Clients WAN Access: Enable, if you want to have your connecting WireGuard clients to have
internet access via the server (NAT out via the servers WAN).
15. Bypass LAN Same-Origin Policy: Enable (checked)
This will NAT traffic coming from the WG interface out onto br0 (and all other br interfaces) so that
clients on the LAN can be easily reached as those can have their own firewall blocking non-local
traffic.
The downside is that you lose logging and access control, as all traffic now originates from the router's IP
address instead of from the WG interface.
The rule is: iptables -t nat -I POSTROUTING -o br+ -s $(nvram get oet${i}_ipaddrmask) -j MASQUERADE
16. Builds 44980 and over set IP address and subnet mask with CIDR notation in the IP address/Netmask
box e.g.: 10.4.0.1/24 (the box takes also an additional IPv6 address, separate addresses with comma)
Builds prior to build 44980 have separate boxes for IP address and Netmask in that case use 10.4.0.1 and
255.255.255.0.
17. Save/Apply

When the interface (oet1) is set up and you specify a netmask of /24 (255.255.255.0), it will automatically create a route
in the routing table for 10.4.0.0/24 via the WireGuard interface (oet1); this assumes that all your clients/peers
use an IP address in that subnet.
If you use a netmask of 255.255.255.255, no route is set up and you have to add a route manually to route
the Allowed IPs through the tunnel.

As always when you are done setting up REBOOT the router!

CVE-2019-14899
Starting with build 41786 a vulnerability in OpenVPN/WireGuard has been patched.
This has the side effect that you can no longer connect to clients on the server's local LAN.
So for access to LAN clients disabling this option can be necessary.

Disabling it is a minor safety risk (most WG implementations do not even have this option and I personally have
it Disabled), so if you want to keep it enabled and have problems accessing LAN clients, use one of the
workarounds described below.

Workarounds for CVE-2019-14899

This is the short version, assuming you use the first tunnel interface:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE

This is the long version, which looks up the actual tunnel interface in the output of wg (it assumes a single running
tunnel; with several, wg prints one "interface:" line per tunnel and WGIF would hold all of them):
WGIF="$(wg | awk '/^interface:/ {print $2}')"
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get ${WGIF}_ipaddr)/$(nvram get ${WGIF}_netmask) -j MASQUERADE

These rules SNAT all traffic out of br0, so you cannot distinguish the source; this also has security and logging
concerns.

There is another solution instead of the SNAT rule, and that is adding the following rule to the firewall, but you have to do it
after the WireGuard interface is up, so you need a script checking for that (if you want that, contact me). The
problem is that the firewall rules from WireGuard are separate from the rest of the firewall rules and this rule has to be
executed later than the WireGuard ones, and if WireGuard restarts the rule has to be applied once more, so basically we are
talking about a continuously running script that keeps checking.
Furthermore this rule can expose your LAN side to the CVE attack; if you have your IoT things separated and tight control
over your LAN you should be good, and if your LAN is hacked you have bigger problems:
iptables -t raw -I PREROUTING -i br0 -j ACCEPT
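As an added helper (not the guide's script), the Python below does what the "long version" above does, but applies the SNAT rule only when iptables -C reports it absent, so it can be run repeatedly from a cron job or watchdog loop after a tunnel restart without stacking duplicate rules. It assumes wg, nvram and iptables are on the PATH on the router; the wg output and nvram values in the block are constructed samples used when the script runs off-router.

```python
import shutil
import subprocess

# Constructed sample of `wg` output as printed on DD-WRT (keys replaced by placeholders).
SAMPLE_WG_OUTPUT = """\
interface: oet1
  public key: <placeholder>
  private key: (hidden)
  listening port: 51810

peer: <placeholder>
  allowed ips: 10.4.0.6/32
"""
# Constructed nvram values matching the guide's server (10.4.0.1/24 on oet1).
SAMPLE_NVRAM = {"oet1_ipaddr": "10.4.0.1", "oet1_netmask": "255.255.255.0"}


def wg_interfaces(wg_text):
    """Tunnel names from the 'interface: oetN' lines; wg prints one block per running tunnel."""
    names = []
    for line in wg_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "interface:":
            names.append(parts[1])
    return names


def nvram_get(key):
    """Read one nvram variable on the router (assumes `nvram` is on PATH)."""
    out = subprocess.run(["nvram", "get", key], capture_output=True, text=True)
    return out.stdout.strip()


def snat_rule(ipaddr, netmask, out_if="br0"):
    """The guide's workaround rule, as iptables arguments after the table and operation."""
    return ["POSTROUTING", "-o", out_if, "-s", f"{ipaddr}/{netmask}", "-j", "MASQUERADE"]


def ensure_rule(rule, run=subprocess.run):
    """Insert the nat rule only if `iptables -C` says it is absent. Returns True when inserted."""
    if run(["iptables", "-t", "nat", "-C", *rule]).returncode == 0:
        return False
    run(["iptables", "-t", "nat", "-I", *rule], check=True)
    return True


def apply_workaround(wg_text, run=subprocess.run, nvram=nvram_get):
    """Apply the br0 MASQUERADE rule for every running tunnel that has an address in nvram."""
    inserted = []
    for ifname in wg_interfaces(wg_text):
        ipaddr, netmask = nvram(f"{ifname}_ipaddr"), nvram(f"{ifname}_netmask")
        if not ipaddr or not netmask:
            continue  # tunnel without an address: nothing to NAT
        if ensure_rule(snat_rule(ipaddr, netmask), run):
            inserted.append(ifname)
    return inserted


class FakeIptables:
    """Stand-in for subprocess.run off-router: remembers the nat rules that were inserted."""

    def __init__(self):
        self.rules = []

    def __call__(self, argv, **kwargs):
        op, rule = argv[3], argv[4:]
        if op == "-C":
            return subprocess.CompletedProcess(argv, 0 if rule in self.rules else 1)
        self.rules.insert(0, rule)  # -I puts the rule at the top of the chain
        return subprocess.CompletedProcess(argv, 0)


if __name__ == "__main__":
    if shutil.which("wg") and shutil.which("iptables") and shutil.which("nvram"):
        text = subprocess.run(["wg"], capture_output=True, text=True).stdout
        print("rule inserted for:", apply_workaround(text))
    else:
        fake = FakeIptables()
        print("off-router first pass:", apply_workaround(SAMPLE_WG_OUTPUT, fake, SAMPLE_NVRAM.get))
        print("off-router second pass:", apply_workaround(SAMPLE_WG_OUTPUT, fake, SAMPLE_NVRAM.get))
```

Because the check is done with iptables -C before every insert, scheduling this script every minute gives the "continuously running script" the paragraph above asks for, while the chain never ends up with more than one copy of the rule per tunnel.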



Android Client
Download the latest Android client from the Google Play store, search for Wireguard and install the
Wireguard app: https://play.google.com/store/apps/details?id=com.wireguard.android

Head back to the router to setup the Peer:


1. In the DDWRT GUI go to Setup/Tunnels
2. Click Add Peer and the Peers interface will open
3. Give your Peer a name; I named it "Phone"
4. Peer Tunnel IP: 10.4.0.6, this is the address the Android client is going to use
5. Peer Tunnel DNS: 8.8.8.8 or any other DNS server you trust. It is even possible to use your own
DDWRT router as DNS server, in recent builds DNSMasq should listen on the WireGuard (oet)
interface for DNS requests.
6. Allowed IP's: 10.4.0.6/32, as you can have multiple peers make sure you use /32 as subnetmask.
7. As this is a roaming client we do not specify an Endpoint.
8. Persistent Keep Alive: 25, if you are behind a firewall/NAT which is usually the case.
9. Route allowed IP's: Enable, as the phone has only one IP address this is the only one we have to allow
and which has to route back to the phone
10. Client Config File: Show, now you can enter the Peer Tunnel Address IP/Mask , the Peer tunnel DNS,
the Peer tunnel endpoint and the Keep alive settings for that peer.

Note 1: IPv6 is under construction.


Note 2: multiple entries are separated with a comma
Note 3: if you use an IPv6 address as Endpoint then place brackets around it e.g.:

11. Click QR-code; DDWRT generates a QR code with Peer Tunnel Address IP/Mask, Listen port, Tunnel
DNS, Public Key of the router, Persistent Keep Alive, Private Key for the Android client to use and the
Endpoint to use.



You can also download the config file by clicking the Export Peer Config button (starting with build
47040) and store it in a safe place.
Note: DDWRT also adds MTU to the config file, but Android and Windows often work better if you let
the OS decide what to use, so for Android and Windows you can delete MTU.
Note: if you Remove QR-code then the private key of the peer is deleted as well, as a safety measure (VPN
providers do the same, they do not keep private keys), so if you regenerate a new QR code a new private key is
made and you have to re-read the QR code on your client.
So if you want to keep the QR code available, either do not delete it or copy it from your router and store it in a
safe place.
The QR code can be found in /tmp/wireguard/oetX_peerX-svg and can be shown by opening it in a web
browser.

Now go back to your Android client


1. Open the Wireguard app
2. Click the blue button with the + sign to add the tunnel
3. Click Create from QR code
4. Give the client permission to use the camera.
5. Point the camera at the QR code



6. If it can read the QR code you will be asked for a Tunnel name, name it wireguard 😊
7. Press on "wireguard" to view your tunnel
8. You probably have to change some of the parameters, so click on the pencil sign in the upper
right-hand corner.
(The IP address is filled in and also the default listen port for this client. Although the listen port can be different
from the peer port (see 10), usually the same port is chosen)
9. Scroll down to the bottom to view the Allowed IPs. 0.0.0.0/0 means anything is accepted and a route
is created to route everything through the tunnel (like redirect default gateway in OpenVPN); you
can exclude private addresses by ticking the box.
Perhaps you do not want to route all your traffic through the Wireguard interface, but only want to
connect to your home LAN in that case set for Allowed IPs:
10.4.0.1/32, 192.168.1.0/24 (when routing a whole subnet take care that the last digit is 0)
(10.4.0.1/32 is the Wireguard server, if you also want to reach other Peers then use 10.4.0.0/24.
192.168.1.0/24 is the routers subnet so that all clients on the subnet can be reached, note: clients have a
firewall usually you have to tweak the firewall of those clients (or disable the firewall for testing) to allow IP
addresses from 10.4.0.0/24.)
10. The Endpoint which is the routers address you entered in the Config File box and behind the endpoint
is the listen port of the server, in our case 51810
Furthermore check that PersistentKeepalive is set and delete MTU so that the client will use its own
default.
11. When you are done changing the settings, click the floppy icon in the upper right-hand corner to
save the configuration.

12. Start the wireguard client by sliding the toggle switch after the name of the client (wireguard) and
give permission to setup a connection.
13. If you have a connection and traffic you see on the bottom of the screen:
Transfer
rx: xxx B, tx xxx B



14. On the Router after a page refresh you can see the traffic flowing:

15. Most phones have settings to enable the VPN connection (WireGuard or OpenVPN) on start-up and to
set a kill switch, this is however phone/Android version specific.
If you have those settings on your phone you might find them at:
Settings->Connections->More connection settings->VPN->Wireguard settings->Always-on VPN->enable
For the Kill switch you can enable "Block connections without VPN"

Windows Client
Download the latest Windows client from:
https://download.wireguard.com/windows-client/wireguard-installer.exe
or look at:
https://www.wireguard.com/install/?downloadwindowsprealpha=1

You can set up manually or from a downloaded config file (starting with build 47040).
To set up using a config file, generate a QR code (you might need to refresh your browser; warning: generating a
QR code generates a new Public Key). You can then download the config file by clicking the Export Peer Config
button (see the Android Client).

When you use the downloaded conf file check the endpoint address, you probably need to enter your DDNS
address, set the Persistent Keepalive to 20 or 25 and remove the MTU setting so that the client will use its
own default.

So here we go:
1. Install the Wireguard client
2. Open Wireguard



3. You will be greeted by this window:

4. You can import a tunnel from the file you generated, but we set up manually, so click on the drop-down
button next to Add Tunnel and choose Add empty tunnel
5. Choose a Name; I called it: wireguard
6. Your Private Key is already generated
7. Under Interface add:
a. Address = 10.4.0.7/32
b. DNS = 8.8.8.8 (or some other DNS server of your liking)
(you can also set the router's address as DNS server, like 192.168.1.1, but you have to enable the router's
WireGuard interface to listen for DNS queries.
In the router's GUI, Services/Services, Additional DNSMasq Options add: interface=oet1)
8. Now head over to the router to get the routers Public key and Copy the Public key
9. Head back to the Windows Wireguard Interface
10. Add the following to the interface
a. [Peer]
b. PublicKey= [insert the copied Public Key of the router]
c. AllowedIPs=0.0.0.0/1, 128.0.0.0/1
If you only want to route traffic to your router and the router's subnet you enter:
10.4.0.1/32, 192.168.1.0/24, 8.8.8.8/32
(the Allowed IPs are also used to set the route via the WireGuard interface; 0.0.0.0/1, 128.0.0.0/1 means that all
your traffic is routed through the WireGuard interface, like OpenVPN's Redirect Default Gateway.
The first entry is always necessary to reach the other peer (in this case the DDWRT server); the second
entry is the local subnet of your router/WireGuard server so that you can reach anything on your local
LAN. Note that clients on the local LAN have a firewall which will block incoming traffic from a different
subnet like 10.4.0.0/24, so you have to open the firewall for that subnet.
The third entry is the DNS server; the Windows client does not seem to work without setting the DNS
server to route via the WireGuard interface)
d. Endpoint = me.ddns.org:51810 (I use DDNS to get my endpoint but you can also specify an IP
address)



This is the end result

e. Click Save
f. You can enable the kill switch so that only traffic goes out via the tunnel, this also blocks local
traffic
g. The Windows Wireguard client is now ready and can be activated after you setup the Peer in
the router
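The Python below is an added example (it is not DDWRT's Export Peer Config and not part of this guide) that renders the client-side [Interface]/[Peer] file from the values entered above and applies the guide's advice: bracket an IPv6 endpoint (Note 3 in the Android chapter), keep PersistentKeepalive at 25, leave MTU out so the client OS picks its own, and build the AllowedIPs either as the 0.0.0.0/1, 128.0.0.0/1 full-tunnel pair or as the server/LAN/DNS trio. It also strips the MTU line from an exported file. The keys, the DDNS name me.ddns.org and the IPv6 address 2001:db8::1 are constructed placeholders.

```python
import ipaddress

# The pair the guide gives for the Windows client: two /1 routes are more specific
# than the existing default route, so they win without replacing it.
FULL_TUNNEL = ["0.0.0.0/1", "128.0.0.0/1"]


def format_endpoint(host, port):
    """IPv6 literals must be bracketed; DDNS names and IPv4 literals pass through."""
    try:
        if ipaddress.ip_address(host).version == 6:
            return f"[{host}]:{port}"
    except ValueError:
        pass  # not an IP literal, so a host name
    return f"{host}:{port}"


def allowed_ips(full_tunnel, server_tunnel, server_lan=None, dns=None):
    """Either the full-tunnel pair or the server/LAN/DNS entries described in the guide."""
    if full_tunnel:
        return list(FULL_TUNNEL)
    # server_tunnel is 10.4.0.1/32 for the server alone, or 10.4.0.0/24 to reach other peers too
    nets = [str(ipaddress.ip_network(server_tunnel))]
    if server_lan:
        # strict=True (the default) raises on 192.168.1.1/24: the last octet must be 0.
        nets.append(str(ipaddress.ip_network(server_lan)))
    if dns:
        nets.append(f"{dns}/32")  # the Windows client needs the DNS server routed via the tunnel
    return nets


def render_client_conf(private_key, address, dns, server_public_key,
                       endpoint_host, endpoint_port, allowed, keepalive=25, mtu=None):
    """Client-side config text; MTU is written only when explicitly asked for."""
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"Address = {address}",
             f"DNS = {dns}"]
    if mtu is not None:
        lines.append(f"MTU = {mtu}")
    lines += ["",
              "[Peer]",
              f"PublicKey = {server_public_key}",
              f"AllowedIPs = {', '.join(allowed)}",
              f"Endpoint = {format_endpoint(endpoint_host, endpoint_port)}",
              f"PersistentKeepalive = {keepalive}"]
    return "\n".join(lines) + "\n"


def strip_mtu(conf_text):
    """Remove the MTU line that DDWRT's export adds, so the client OS chooses its own."""
    return "".join(line for line in conf_text.splitlines(keepends=True)
                   if not line.strip().upper().startswith("MTU"))


if __name__ == "__main__":
    # Constructed placeholder keys and DDNS name; the addresses are the guide's.
    conf = render_client_conf(
        private_key="<client-private-key>",
        address="10.4.0.7/32",
        dns="8.8.8.8",
        server_public_key="<router-public-key>",
        endpoint_host="me.ddns.org",
        endpoint_port=51810,
        allowed=allowed_ips(False, "10.4.0.1/32", "192.168.1.0/24", "8.8.8.8"),
    )
    print(conf)
```

The rendered text can be pasted into the Windows client's empty tunnel or saved as wg0.conf for the Linux wg-quick steps later in this guide; strip_mtu is for the file downloaded with Export Peer Config.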



Head back to the router to setup the peer:
1. In the DDWRT GUI go to Setup/Tunnels
2. Click Add Peer and the Peers interface will open
3. Give your Peer a logical name
4. Allowed IP's: 10.4.0.7/32 this is the address you have given to the Wireguard Windows client
(Note: you cannot have the same allowed IP in multiple peers that is why you must use /32 as
subnetmask)
5. Peer Public Key: copy/paste the public key from your windows client the one starting with Cad… (you
can use any means of secure transportation to exchange keys)

6. Route Allowed IP's: Enable (depending on the netmask of the tunnel there will already be a route for the
whole tunnel subnet via the tunnel, but do this for completeness)
7. This is actually all you have to do; the Peer Tunnel IP and Peer Tunnel DNS are only used to set up your
WireGuard client with a QR code or with a file (DDWRT cannot do that yet)
8. If the client is roaming i.e. does not have a fixed IP address such as your phone connecting from
outside you do not use the endpoint address.
If the peer has a fixed address you can enable Endpoint and enter the IP address and the port the peer is
listening on.
You can enter a DDNS address (URL) but Wireguard resolves this to an IP address at startup, so the IP address is
not periodically checked.
If it cannot resolve at startup the Peer is not started at all and you cannot connect!
If you use an endpoint do not forget to set Persistent Keepalive to 20 or 25 (seconds)



iOS Client
Download the latest iOS client from the WireGuard website:
https://itunes.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12
or look at: https://www.wireguard.com/install/?downloadwindowsprealpha=1

The iOS client works the same as the Android client you can also use the generated QR code.

Linux (Ubuntu 20.04 LTS) Client


1. On the Linux client: Install WireGuard:
sudo apt install wireguard
2. On the DDWRT Router: Add Peer, Enable Show Config File and fill in the details and if done Save
3. Make Peer Config, Export Peer Config and download your .conf file as wg0.conf and move it to the Linux
client into /etc/wireguard/
4. On the Linux client, bring your WireGuard interface up with the following command:
sudo wg-quick up wg0
5. Check the status of your WG connection:
sudo wg
6. When you're done with your WG interface, you can take it down:
sudo wg-quick down wg0



DDWRT as client
There are already a lot of commercial VPN providers which are offering Wireguard.
This chapter is for setting up the DDWRT Wireguard client to a DDWRT server although the principles are the
same.
The DDWRT client is set up in normal gateway mode and has a local IP address of 192.168.5.1 (subnet
192.168.5.0/24). (For all routed VPN solutions the subnets of the server, the VPN and the client have to be
different, so you need three different subnets.)

For setting up Wireguard to a commercial VPN provider see the DDWRT WireGuard Client setup Guide.
Go to the DDWRT Wireguard Client
1. In the DDWRT GUI go to Setup/Tunnels
2. Add Tunnel
3. Tunnel: Enable
4. Protocol Type: Wireguard
5. Set the local port to 51810; it can be changed if you want to, but be careful that all peers have to use the
same local port
6. MTU size: this will be automatically calculated, so leave empty (it defaults to 1440 (or 1432 for PPPoE);
for IPv6 it defaults to 1420 (or 1412 for PPPoE))
7. Click Generate Key, this is your Public key which you have to distribute to the other peers
8. Set IP Address/Netmask: 10.4.0.5/24 (builds prior to 44980 use 10.4.0.5 and Netmask 255.255.255.0)
9. CVE-2019-14899 Mitigation: Disable. (As the other side (the server) has NAT disabled we could get away with
having it Enabled. Rule of thumb: if the other side has NAT Disabled, this side can have CVE Mitigation Enabled.) CVE
Mitigation will block local client access for traffic originating from the tunnel, and if you do not NAT the traffic it will
originate from the server's subnet.
So why do I disable it? Traffic can also come from another client connected via WG to the server, i.e. my phone, and
that will have the tunnel's subnet, so if I want to be able to use my phone connected to the WG server to connect to
the DDWRT client, which is also connected to the WG server, I have to disable it.
10. Nat via Tunnel: Enable.
You can choose to Disable NAT as this is connected to our own WG server and we know the subnet of this
client so we can take steps on the server to add the necessary routing. This is known as a site-to-site setup
and covered in the Advanced Setup guide.
11. DNS servers via tunnel: Optional, you can set the WG server as DNS server to use e.g. 192.168.0.1 see:
Using the Wireguard server/router as DNS server or any other server of your liking the DNS server will be
used when the tunnel is up and always routed via the tunnel (important in case of using Policy Based
Routing)
You can set multiple DNS server which will all be added on top of resolv.dnsmasq.
12. Firewall Inbound: Disabled (unchecked) for Commercial providers you should check, but this is to our own
server which we trust and more importantly we want bidirectional traffic (site-to-site)
13. Kill Switch: Disabled (unchecked). The kill switch, when enabled, is intelligent, meaning that when PBR is
used only the IP addresses in the PBR field are blocked from accessing the WAN, and if you do not use PBR
all LAN clients connected to br0 are blocked.
Take note: only traffic coming from clients connected via br0 is blocked, so if you have made your own
unbridged interfaces you have to block them by hand! See the last section of this guide and always check!
Also note that the kill switch is disabled if you disable WireGuard.
14. Source Routing (PBR): your choice, default is "Route all Sources via VPN"
15. Destination Routing: your choice, default is "Route All Destinations via Default Route"
16. Save/Apply
17. Copy the Local Public key



Head back to the DDWRT Wireguard Server
1. In the DDWRT GUI go to Setup/Tunnels
2. Click Add Peer and the Peers interface will open
1. Give the Peer a logical name (my client is an Netgear R7800 😊 ) and enter the Peer's tunnel IP address
(10.4.0.5) just as a reminder what the Peer's tunnel IP address is. It has no actual function.
3. Allowed IP's: 10.4.0.5/32, 192.168.5.0/24, 10.4.0.5/32 is the tunnels address of the client, as the client
has NAT disabled we also have to allow the routers subnet of the client.
4. Route Allowed IP's via Tunnel: Enable, necessary to make a route back for subnet 192.168.5.0/24 via the
tunnel
DDWRT Wireguard setup guide by egc, last modified: 14-Aug-23 page 16
5. Paste the Local Public key from your Wireguard client from step 17 in the Peer Public Key box (you can
use any means of secure transportation to exchange keys)
6. If the client is roaming i.e. does not have a fixed IP address such as your phone connecting from outside
you do not use the endpoint address.
If the peer has a fixed address you can enable Endpoint and enter the IP address and the port the peer is
listening on.
You can enter a DDNS address (URL) but Wireguard resolves this to an IP address at startup, so the IP
address is not periodically checked.
If it cannot resolve at startup, the Peer is not started at all and you cannot connect!
If you use an endpoint do not forget to set Persistent Keepalive to 20 or 25 (seconds).
7. Save and Apply
This is the end result:

8. Copy the Local Public Key of the server, save it somewhere to use later to enter in the client in the next
step (you can use any means of secure transportation to exchange keys)
9. In this example we did not enable NAT on the client. If you do want the client to have internet access via
the server you have to NAT traffic for the client out of the server's WAN interface
(Administration/Commands Save as Firewall):
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE
If you did enable NAT on the client you allow Internet Access by enabling "Allow Clients WAN Access" which will NAT
traffic from the oet interface (10.4.0.0) out via the WAN.

Now head back to the DDWRT Wireguard Client


2. In the DDWRT GUI go to Setup/Tunnels
3. Click Add Peer and the Peers interface will open
4. Give the Peer a name and enter the Peer's tunnel IP address just as a reminder what the Peer's tunnel IP
address is. It has no actual function.
5. Endpoint: Enable



6. Endpoint: [ myddns ] (the DDWRT Wireguard server's address), use the Public WAN IP address or the DDNS
address of the server.
7. Allowed IP's: 0.0.0.0/1,128.0.0.0/1 , assuming that the DDWRT client is routing all traffic to the server,
like a redirect default gateway.
If you only want to connect to your server and the local servers subnet then use:
10.4.0.0/24,192.168.1.0/24 (which is the servers subnet)
In this case I also added the subnet of the server, 192.168.1.0/24, to create a route to the server. Of course
adding 0.0.0.0/1, 128.0.0.0/1 already routes everything to the server, unless you are using PBR (as I am), in
which case the "default route" of 0.0.0.0/1,128.0.0.0/1 is discarded. For the IP addresses entered in the PBR field
everything is routed to the WG server, but by adding the server's subnet we also create a route for all other clients to
the WG server. So PBR clients route everything to the WG server, while all other clients use the WAN but still know
how to reach the WG server and can make a connection to it.
8. Paste the Public key from the Wireguard Server from step 8 in the Peer Public Key box.
9. Route Allowed IP's via tunnel: Enable, so that all your traffic is routed to your WG server. If you only want
to route traffic to the server's LAN then only enter the server's LAN subnet here and the server's WG IP
address (Peer Tunnel IP), or use Policy Based Routing.
10. Persistent Keepalive: 25. If you are behind a NAT/Firewall (which is usually the case) the firewall often drops
the connection if there is no activity; this keeps the connection open.
11. Save and Apply and Reboot Server and Client routers
12. Check Connection: have a look at the Wireguard status windows of client and server, refresh with F5
(some browsers need CTRL+F5, but just changing tabs also works).
Be patient, it can take a couple of minutes before the tunnels are up and working.

More information about DNS server settings and Options can be found in the WireGuard Client Setup Guide



CVE-2019-14899
Starting with build 41791 the CVE-2019-14899 vulnerability is patched, preventing local access to LAN clients. In the first
paragraph in which the server setup is described there are already three solutions to this problem: disabling
the patch, using the iptables rule to SNAT traffic out of br0, or allowing traffic coming from br0.

There is however another solution if you are using a DDWRT router as your WireGuard client and that is not to use NAT,
so on the client in the GUI: Disable NAT via Tunnel.

On the server side


1. Enable the clients traffic to leave the server out onto the internet (Administration/Commands Save as Firewall):
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE
2. Allow non-NATted traffic from the client to enter the server:
In the peer's Allowed IP's add the subnet of the client. There already is 10.4.0.5/32; we add the local subnet of
the peer (which has to be different from the local server's subnet!), in this case 192.168.5.0/24. So the
Allowed IP's will show:
10.4.0.5/32,192.168.5.0/24
3. If you have Route Allowed IP's via tunnel enabled then that subnet will also be routed out via the tunnel
interface
4. Now you can enable the CVE-2019-14899 Mitigation in the GUI again and everything will still be functional

IPv6 leaking on Clients


If your Windows, Android or iOS clients also use IPv6 there are circumstances in which you might "leak" via
IPv6.
So either use a kill switch, or disable IPv6, or route IPv6 via the WG client by adding in the allowed IP's:
::/0
Note this last trick could also stop your WG from working, as IPv6 can take precedence and there is no one
listening.

IPv6 running on Server


Starting with build 51013 DDWRT is slowly starting to support IPv6 on the WireGuard server, but it is a WIP.
If you experience problems please send a detailed report.
On the server side, besides an IPv4 address, the server has to have a "private" IPv6 address; for that a ULA is
used (addresses starting with fd). You can generate your own ULA at: https://www.ip-six.de/index.php

For my WG network I have generated: fddb:b40f:f9bc:4ba5 as Private IPv6 address (ULA).


So the server is the first in this WG network and has IPv6 address of:
fddb:b40f:f9bc:4ba5:0000:0000:0000:0001 this can be written shorter as: fddb:b40f:f9bc:4ba5::1
You also specify a prefix (in IPv4 terminology a netmask where /24 corresponds with /64 and /32 with /128)

The servers Address:

The Peers Allowed IP's, which is the Address of the peer both IPv4 and IPv6:



If you use allowed IP's on the client side and you want a /64 prefix then use: fddb:b40f:f9bc:4ba5::0/64

The Client (Windows desktop),


note the address of: fddb:b40f:f9bc:4ba5::2/64 (also valid is /128)
The allowed IP's is actually ::/0 (meaning everything so everything is allowed and everything is routed via the
tunnel), which translates to ::/1, 8000::/1
As DNS servers the router's IP and IPv6 address are set
The endpoint address is the internet (GUA) IPv6 address of the router between brackets for this client:

Preshared Key
Wireguard can use a pre-shared key as extra security, this is a simple static key like tls-auth/crypt key in
OpenVPN.
This option adds a base64 pre-shared key as an additional layer of symmetric-key cryptography to be mixed
into the already existing public-key cryptography, for post-quantum resistance.



1. Open Routers Wireguard interface (Setup/Tunnels)
2. Click Generate Pre-shared Key for the peer you want to use the key with, note the key is longer than
the box so make sure you copy the whole key!
3. Copy the key to your Client/Peer
a. Android client has a box to paste the key in
b. Windows client add under [Peer]: PresharedKey = [paste key]

From the CLI you can use: wg genpsk to generate the key

Optional Settings
Optional settings like Firewall, Killswitch etc are described in the WireGuard client setup guide.

Router in Wireless Access Point Mode (WAP)


If the router is in WAP mode (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point), see the
WireGuard Advanced setup guide.

Accessing routers NAS from the internet


When you want to access the router's NAS via the internet with an app like andSMB it appears you have to change
the hosts allow line in /tmp/smb.conf to include the WireGuard subnet (10.4.0.0/24): hosts allow = 10.4.0.0/24.
You can copy /tmp/smb.conf to /jffs/etc/ if you have permanent/USB storage so that it will be read from there
(since build 42693). See page 17 of the WireGuard Advanced setup guide.

Using the Wireguard server/router as DNS server


Instead of a public DNS server for the Peers like 8.8.8.8, you can use your router as DNS server e.g. you use
192.168.1.1 as DNS server.
First of all you need to enable "Local DNS" (the Local DNS option is removed in builds past 43290, but in those
builds it is automatically enabled if DNSMasq is enabled).
If the client is a DDWRT router or other router with DNS rebind protection you have to disable that. For a
DDWRT client disable "No DNS Rebind" options in the GUI on Services/Services or add in the DNSMasq
additional config: rebind-domain-ok=/[servers LAN Domain]/

Next setup the router to listen on the wireguard Tunnel interface (oet1) so under Services/Services, Additional
DNSmasq Options add: interface=oet1.
Starting with build 45980 the interface should be added automatically.

The Windows client can only use the DNS server from the WireGuard interface, so if you specify your router as
DNS server it can only resolve URLs after the tunnel is up, and if you use a URL as endpoint (like
me.ddns.org:51810) then it will not work as it cannot resolve the address.
The Android and DDWRT clients use their normal DNS servers before the tunnel is up.

Obfuscation
WireGuard obfuscation is a work in progress and maybe the definitive implementation will change, so it is not
yet in the manual.

It is intended to obfuscate WG traffic so it should be able to pass a blocking firewall.

On the server side enable it and set the password in the tunnel section.
Note the whole tunnel is obfuscated.



On the client (the side which has an endpoint enabled in the peer)
Do the same but it should be set in the Peer section just under the endpoint.
Use the same password.

It will lower throughput.

I have also made an implementation where you set the obfuscation per peer on the server side, but in that case
you also have to set the Remote listen port; the advantage is that a server can have clients with and without
obfuscation.

Let me know what you think, if it works and how it affects throughput.

Reference
https://github.com/infinet/xt_wgobfs

Troubleshooting
Start with rebooting the Server and all Peers

Enable syslogd at Services/Services/System Log

If you are still using the script: In the script enable DEBUG by uncommenting the line:
#DEBUG= # uncomment/comment to enable/disable debug mode

Basic troubleshooting with: ping, traceroute 8.8.8.8


Advanced troubleshooting with: tcpdump -i oet1

Send detailed information when asking for help, show the output of the following commands (CLI, with
telnet/putty) after you attempted to make a connection:
wg
wg showconf oet1
ip route show
iptables -vnL FORWARD | grep oet
iptables -vnL INPUT
iptables -vnL -t nat
iptables -vnL -t raw
nvram show | grep oet
grep -E -i 'oet|wireguard' /var/log/messages
cat /tmp/wireguard/oet1_private #only with console_debug=1
nvram get wan_gateway
get_wanface
ifconfig
date
when having DNS problems after deleting a tunnel:
cat /tmp/resolv.dnsmasq
nvram get wg_get_dns
grep name /var/log/messages
When you also use IPv6:
ip -6 route show
ip6tables -vnL
ip6tables -vnL -t nat

Furthermore a Screenshot of WireGuard settings page (enable Advanced settings) is also very useful.



Some information from wg and how to interpret
From the command line (telnet/putty) the wg command shows the status of the tunnel interface.
If under transfer there are some bytes sent but 0 received it can indicate a problem with the keys, or a
networking/port forward problem.
If only a few bytes are received it indicates a routing problem, so check the IP address and allowed IP's.

Mitigating attacks on the WireGuard Server


If you have frequent login attempts you will not run a risk of someone breaking in as the keys should provide a
strong encryption.
But the frequent attempts do use CPU cycles.
You can do a number of things:
First use a non default port, e.g. something else than 51820.
Second use Pre-shared key to stop the login process at its earliest stage, furthermore (although not really
necessary) it gives an extra layer of security.
Third use the firewall rules to stop frequent failed attempts :
# set tunnel number to used tunnel default is 1
TUN_NR=1
WG_PORT="$(nvram get oet${TUN_NR}_port)"
iptables -I INPUT -p udp --dport $WG_PORT -i $(get_wanface) -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p udp --dport $WG_PORT -i $(get_wanface) -m state --state NEW -m recent --set

Reference: https://upcloud.com/resources/tutorials/iptables-firewall-recent-triggering-ipset

Known problems and solutions


Always restart the router after making changes (especially after deleting a tunnel) and something is not
working.

Be Patient
I have tested a number of providers and their servers are sometimes slow to respond.
It can take up to minutes before the WireGuard tunnel suddenly starts to work.
So after setting up or reboot wait at least 3-4 minutes before thinking it is not working!

MTU size problems (Connection, but hang, slow loading, no streaming media, no RDP, packet
loss etc.)
MTU problems often manifest themselves as connections which hang during periods of active usage, or pages which do
not load completely when browsing.
Or you can connect but not see or use streaming media (like an IP Camera, or with sites like Facebook,
WhatsApp, Instagram, RDP etc.), or your connection is unexpectedly slow and you experience packet loss.
This is often seen when one side of the connection is using IPv6 and/or CGNAT and/or using LTE.

The MTU (Maximum Transmission Unit) is the maximum datagram size in bytes that can be sent
unfragmented over a particular network path. Wireguard requires that packets be sent unfragmented.
MTU size is set in the GUI and is standard for IPv4: 1440 (1432 for PPPoE) and for IPv6: 1420 (1412 for PPPoE).
If your provider supports IPv6 but you are not using it, then manually set the MTU to: 1420 (or 1412 for PPPoE).
But sometimes this is still too high, especially if you are using a connection via LTE.

You can try lowering the MTU with trial and error, i.e. start at 1024 (for IPv6 the minimum MTU is 1280) and
work your way up, or use the approach described at: https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn
Normally the MTU has to be set the same on both sides.
Android, Windows and iOS can use their own defaults so when having problems connecting from Windows,
Android or iOS you can try to delete the MTU entry in the conf file and let the OS itself decide what to use

Make sure to reboot the router after changing!

Checking the right MTU size:


https://hamy.io/post/0003/optimizing-openvpn-throughput/
https://blog.hambier.lu/post/solving-openvpn-mtu-issues
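The MTU defaults above and the trial-and-error search, worked through in a script. This is an added example, not part of the guide: the 60/80 byte overhead figures are the known WireGuard-over-IPv4/IPv6 header sizes, the probe assumes iputils ping (`-M do`) on a Linux host rather than the router's busybox ping, and TARGET is a hypothetical host name.

```shell
#!/bin/sh
# Added example, not from the guide: derive the WireGuard MTU and probe a path.
# Overhead: 32-byte WireGuard transport header + 8 UDP + 20 IPv4 = 60 bytes over
# IPv4, or + 40 IPv6 = 80 bytes over IPv6; PPPoE costs 8 more on the outer link.
# From a 1500-byte link this gives the guide's defaults:
# IPv4 1440 (1432 PPPoE), IPv6 1420 (1412 PPPoE).

# wg_mtu FAMILY [PPPOE] [LINK_MTU] -> prints the tunnel MTU to use.
#   FAMILY is 4 or 6 (the IP family the outer UDP packets travel over),
#   PPPOE is 1 if the WAN is PPPoE (default 0), LINK_MTU defaults to 1500.
wg_mtu() {
    family=$1; pppoe=${2:-0}; link=${3:-1500}
    case "$family" in
        4) overhead=60 ;;
        6) overhead=80 ;;
        *) echo "wg_mtu: FAMILY must be 4 or 6" >&2; return 1 ;;
    esac
    if [ "$pppoe" -eq 1 ]; then overhead=$((overhead + 8)); fi
    echo $((link - overhead))
}

# find_mtu PROBE [LO] [HI] -> largest size in [LO,HI] for which "PROBE size"
# succeeds, found by binary search (about 8 probes instead of hundreds).
# LO defaults to 1280, the IPv6 minimum the guide mentions; HI to 1500.
find_mtu() {
    probe=$1; lo=${2:-1280}; hi=${3:-1500}; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))      # fits: look for something larger
        else
            hi=$((mid - 1))                 # too big: shrink
        fi
    done
    echo "$best"
}

# ping_probe SIZE -> one ICMP echo of SIZE bytes total with Don't-Fragment set;
# succeeds only if the whole path carries it unfragmented.
# Assumes iputils ping (-M do); busybox ping lacks that option.  Payload is
# SIZE minus 28 bytes (20 IPv4 + 8 ICMP).  TARGET is a hypothetical host name.
ping_probe() {
    ping -c 1 -W 1 -M do -s "$(($1 - 28))" "${TARGET:-8.8.8.8}" >/dev/null 2>&1
}

# Typical use on a Linux box behind the router, with the VPN disabled:
#   TARGET=your.target.xyz; path=$(find_mtu ping_probe); echo "path MTU $path"
#   echo "WireGuard MTU for an IPv4 WAN: $(wg_mtu 4 0 "$path")"
```

Set the resulting value on both sides, as the guide says, and reboot the router afterwards.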

Connection checking and tracking


To check a connection run: traceroute your.target.xyz or, more specifically for testing UDP: mtr -4
your.target.xyz -u -b -z from the command line, with the VPN disabled.

Missing firewall rules


In very rare circumstances a race condition in the firewall can be the cause of not all necessary firewall rules
being implemented correctly.
Especially the rule opening up the WG port. You can check this from the CLI (telnet/Putty):
iptables -vnL INPUT
root@R6400v2:~# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
86 5184 ACCEPT all -- oet1 * 0.0.0.0/0 0.0.0.0/0 state NEW
8572 892K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51810
21922 3376K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Other firewall rules can be checked with: iptables -vnL FORWARD

If the rule opening up the WG port is missing you can add it manually (if it works, save it under
Administration/Commands, Save Firewall):
iptables -I INPUT -p udp --dport $(nvram get oet1_port) -j ACCEPT
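A check that can be scripted for the race condition described above, as an added example that is not part of the guide: it looks for an ACCEPT rule for the WG UDP port in the `iptables -vnL INPUT` listing and only inserts the rule when it is missing. The listing embedded below is constructed from the sample output shown above; `ensure_wg_port_rule` assumes it runs on DD-WRT with `nvram` and `iptables` available.

```shell
#!/bin/sh
# Added example, not from the guide: detect and repair a missing WG port rule.

# wg_port_rule_present PORT: reads `iptables -vnL INPUT` output on stdin and
# returns 0 when an ACCEPT rule for "udp dpt:PORT" exists, 1 otherwise.
# It only checks protocol and port, not the in-interface or source columns.
wg_port_rule_present() {
    awk -v port="$1" '
        # columns: pkts bytes target prot opt in out source destination [matches]
        $3 == "ACCEPT" && $4 == "udp" {
            for (i = 10; i <= NF; i++) if ($i == "dpt:" port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ensure_wg_port_rule [TUNNEL_NR]: open the listen port of oet<TUNNEL_NR>
# (default 1) if the firewall lost the rule.  Assumes DD-WRT nvram/iptables.
ensure_wg_port_rule() {
    port="$(nvram get "oet${1:-1}_port")"
    if iptables -vnL INPUT | wg_port_rule_present "$port"; then
        echo "WG port $port already open"
    else
        echo "WG port $port rule missing, adding it"
        iptables -I INPUT -p udp --dport "$port" -j ACCEPT
    fi
}

# Constructed listing (same shape as the guide's sample) to run offline.
INPUT_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   86  5184 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
 8572  892K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51810
21922 3376K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Offline demonstration against the constructed listing; on the router call
# ensure_wg_port_rule 1 instead.
if printf '%s\n' "$INPUT_SAMPLE" | wg_port_rule_present 51810; then
    echo "sample: port 51810 rule present"
else
    echo "sample: port 51810 rule missing"
fi
```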

Shortcut Forwarding Engine (SFE)


If you have a complicated network setup with VLAN's and unbridged VAP's, SFE can play tricks with
connection tracking, so switch SFE off ( for Broadcom users CTF&FA is rumoured to work).

Using CPU governor


Some routers (Atheros) can use a CPU governor which can dynamically switch the CPU cores of the router.
When using Wireguard as a server the cores power down when idling, and the cores can be powered down
independently from each other. As WireGuard is multithreaded this could potentially break WireGuard.
So when having troubles do not use a CPU governor.

Default route kicking in too soon


Builds after 43031 have extra wait time before the default route kicks in, so those should not be affected. If
this is still a problem you will see a warning in syslog, viewed from the CLI with:
grep -i wireguard /var/log/messages.
On some builds/routers/setups the default route can kick in too soon after a reboot; one symptom can be that the time is
not correct (this can also happen if you have manually specified a slow time server; DDWRT works best if you leave the
time server field empty).
If you suspect this is the case then it is easy to check and mitigate:
disable Route Allowed IP's via tunnel and add the following in Administration/Commands, Save as Startup (reboot
after each change):
sleep 60
ip route add 0.0.0.0/1 dev oet1
ip route add 128.0.0.0/1 dev oet1



Manual stopping and starting
If you want to manually stop and start WireGuard you can do the following (assuming WG is on oet1 and is set up
and enabled):
To stop:
ip link set oet1 down

To start again:
ip link set oet1 up
/usr/bin/wireguard-restart.sh
Under normal circumstances it is not necessary to restart the whole firewall and as that will stop other traffic
also it is normally not done. But in some circumstances it is necessary (e.g. NAT loopback problems). The
restart of the firewall will also trigger restart of Wireguard.
service firewall restart #optional not necessary under normal circumstances

To disable/enable a tunnel use (X is the tunnel number 0=disable /1=enable):


nvram set oetX_en=0/1
nvram commit
/usr/bin/wireguard-restart.sh
"WAN" interface not detected
Under very special circumstances (certain Marvell and Quantenna devices where the default interface is not
properly detected, especially when used without a WAN, e.g. used as a WAP)
the "WAN" interface (which should be br0 on a WAP) is not detected.
Builds starting with build 44980 should work; this can be checked with (from CLI):
grep -i wireguard /var/log/messages
This should show: "WireGuard no wan_gateway detected, assuming WAP"
If not, read on.
The routing table (ip route show) will not display a route from the endpoint via the "WAN"
In that case try the following rules (Administration/Commands, Save Firewall):
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
route add -host $(nvram get oet1_rem0) gw $(nvram get wan_gateway) dev $WAN_IF

Running multiple tunnels


When running multiple tunnels make sure the Local (Listen) port is unique.
Also note that running multiple tunnels to the same provider with the same Local Public key will not always
work as the Local Public key is part of the (crypto-key) routing.
Also do not re-use the same IP address for the tunnels; give each tunnel a unique IP address.

Tunnel does not start on reboot


When rebooting, services are frequently restarted; this can end in a race condition which prevents the tunnel
from starting. Simply add the following in Administration/Commands and Save Startup:
sleep 30
sh /usr/bin/wireguard-restart.sh

DNSMasq not resolving domain name


If you have more tunnels and/or OpenVPN and have a WG tunnel with a domain name (e.g. a DDNS address)
instead of an IP address, it is possible that the domain name will not resolve as the other tunnels and/or
OpenVPN are busy configuring DNSMasq (this can also be useful when using other DNS systems like
DNSCrypt).
You can mitigate this by adding in the DNSMasq Additional config a line to always resolve the domain name
with a fixed DNS resolver:
server=/myserver.vpnprovider.com/9.9.9.9



References:
https://wiki.dd-wrt.com/wiki/index.php/Wireguard
https://www.wireguard.com/quickstart/
https://www.wireguard.com/
https://github.com/pirate/wireguard-docs
https://www.wireguard.com/papers/wireguard.pdf
https://wiki.archlinux.org/index.php/WireGuard
https://stackoverflow.com/questions/65178004/what-does-ip-4-rule-add-table-main-suppress-prefixlength-0-meaning
ipv6:
https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
https://try.popho.be/wg.html
suppress prefix length and wg quick
https://ro-che.info/articles/2021-02-27-linux-routing
https://stackoverflow.com/questions/65178004/what-does-ip-4-rule-add-table-main-suppress-prefixlength-0-meaning
Packet flow:
https://www.procustodibus.com/blog/2021/01/wireguard-endpoints-and-ip-addresses/

Wireguard server in the cloud:


Setup Oracle free OpenVPN cloud server
https://www.youtube.com/watch?v=E-CLtExRzX8
https://mateo.cogeanu.com/2020/wireguard-vpn-pihole-on-free-oracle-cloud/
Amazon Web services (AWS)
https://www.youtube.com/watch?v=m-i2JBtG4FE

Changelog:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397 scroll to bottom of the page.
