FreshTomato Wiki

User Tools

Site Tools

Trace: 2fa
vpn-wireguard

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
vpn-wireguard [2025/08/13 21:00] – [Interface] hogwildvpn-wireguard [2025/08/13 22:38] (current) – [Interface] -punctuation hogwild
Line 5: Line 5:
 WireGuard can be configured/run via the web interface, or at the command line. Either interface lets you configure Wireguard settings and generate configuration scripts. This page describes how to configure Wireguard through the web interface. WireGuard can be configured/run via the web interface, or at the command line. Either interface lets you configure Wireguard settings and generate configuration scripts. This page describes how to configure Wireguard through the web interface.
  
-To configure WireGuard //manually//, and for some basic theory, see the HOWTO: [[wireguard_on_freshtomato|Set up WireGuard]] . That page is appropriate when an external VPN provider is not involved.+To configure WireGuard //manually//, and for some basic theory, see the HOWTO: [[wireguard_on_freshtomato|Set up WireGuard]] . That page is more appropriate when you're not using an external VPN provider. It is more intended to discuss the configuration VPNs with a hub-and-spoke or mesh topology.
  
 Unless using an external VPN provider, it's best to "nominate" a main router that will produce configurations. Clients, such as other FreshTomato routers and other devices, must import the configuration generated by this main router. Relevant configuration changes may require you to delete and reimport the configuration on those client devices. Unless using an external VPN provider, it's best to "nominate" a main router that will produce configurations. Clients, such as other FreshTomato routers and other devices, must import the configuration generated by this main router. Relevant configuration changes may require you to delete and reimport the configuration on those client devices.
Line 47: Line 47:
  \\ \\  \\ \\
  
-{{::vpn-wireguard-down-2025.3.png?73}}    indicates the Wireguard service isn't running and no VPN tunnel is currently established on this interface.  \\  \\+{{::vpn-wireguard-down-2025.3.png?73}}    indicates the Wireguard service isn't running and no VPN tunnel currently exists on this interface.  \\  \\ 
  
 {{::vpn-wireguard-start_now-2025.3.png?80}}   clicking this starts the WireGuard service, and makes the interface negotiate a VPN tunnel to peers. {{::vpn-wireguard-start_now-2025.3.png?80}}   clicking this starts the WireGuard service, and makes the interface negotiate a VPN tunnel to peers.
  
-This may take timeespecially on slower routers.+ \\ {{::vpn-wireguard-up-2025.3.png?76}}    indicates the selected WireGuard connection is runningand connected to the configured peers.
  
- \\ \\ {{::vpn-wireguard-up-2025.3.png?76}}    indicates the selected WireGuard connection is running, and connected to the configured peers. + \\ 
- +
- \\+
  
 {{::vpn-wireguard-stop_now-2025.3.png?81}}   terminates the current WireGuard VPN tunnel and stops the service. {{::vpn-wireguard-stop_now-2025.3.png?81}}   terminates the current WireGuard VPN tunnel and stops the service.
Line 105: Line 103:
  
 **Config file** - here, enter the path to a WireGuard configuration file. **Config file** - here, enter the path to a WireGuard configuration file.
 +
 +If a path/file is specified here, all other settings in the web interface will be ignored.\\
  
  \\  \\
Line 122: Line 122:
 **Public Key** - displays the tunnel's public key. **Public Key** - displays the tunnel's public key.
  
-This is automatically generated by WireGuard from the Private Key. This field cannot be directly edited.+WireGuard automatically generates this using the Private Key. This field cannot be directly edited.
  
  \\  \\
Line 128: Line 128:
 **VPN Interface IP** - the IP address to be assigned to the virtual network interface. **VPN Interface IP** - the IP address to be assigned to the virtual network interface.
  
-This is used only to communicate //inside// the tunnel. It is independent from the physical network interface's IP addresses. To prevent addressing conflicts on participating networks or VPN peers, this must be a unique address space, specifically set aside for the VPN.+This is used to communicate only //inside// the tunnel. It is independent from the physical network interface's IP addresses. To prevent addressing conflicts on participating networks or VPN peers, this must be a unique address space, specifically set aside for the VPN.
  
 It must be written using CIDR notation. For  example: "10.0.0.1/32". Addresses should be separated by commas or newline characters. It must be written using CIDR notation. For  example: "10.0.0.1/32". Addresses should be separated by commas or newline characters.
Line 140: Line 140:
  
  \\  \\
 +
 +This is usually wanted in site-to-site topology VPNs.\\
  
 This setting is the same as the “DNS” setting in a wg-quick configuration file This setting is the same as the “DNS” setting in a wg-quick configuration file
Line 166: Line 168:
  
 **Respond to DNS** - enables dnsmasq to resolve DNS queries arriving on this interface. **Respond to DNS** - enables dnsmasq to resolve DNS queries arriving on this interface.
 +
 + \\
 +
 +**Routing Mode -** Here, select the mode to used on the WireGuard interface.
 +
 +This option appears only when one of the Internal hub-and-spoke or mesh VPN types is selected.\\
 +
 +  * Off - FreshTomato won't add any routing rules for the the\\ WireGuard interface.\\ 
 +  * Auto - choosing this means the WireGuard interface will be routed \\ using the default table (the same number as the interface port)\\ 
 +  * Custom Table  -  this option will route the WireGuard interface \\ using a custom table number. If you choose this option, you must \\ include the table number in the additional field.
 +
 + \\
  
  \\  \\
Line 174: Line 188:
  
   * **Create NAT on tunnel** - enables Network Address Translation on the tunnel.\\ When checked, FreshTomato rewrites the source addresses \\ of packets going through the tunnel, making them appear as if \\ they originated from the router itself (using the router’s VPN tunnel IP), \\ rather than from their original LAN addresses. \\ \\ This helps VPN clients behind the tunnel to access external networks, \\ such as the Internet. It can also simplify routing by hiding the client's \\ real IP behind the tunnel's IP. This is useful if the VPN clients are on \\ private or overlapping IP ranges, or if the destination network only knows \\ about the server IP address.\\  \\    * **Create NAT on tunnel** - enables Network Address Translation on the tunnel.\\ When checked, FreshTomato rewrites the source addresses \\ of packets going through the tunnel, making them appear as if \\ they originated from the router itself (using the router’s VPN tunnel IP), \\ rather than from their original LAN addresses. \\ \\ This helps VPN clients behind the tunnel to access external networks, \\ such as the Internet. It can also simplify routing by hiding the client's \\ real IP behind the tunnel's IP. This is useful if the VPN clients are on \\ private or overlapping IP ranges, or if the destination network only knows \\ about the server IP address.\\  \\ 
-  * **Inbound Firewall** - adds firewall rules to let inbound Wireguard traffic the through the WAN interface. \\ This opens the necessary WireGuard port so clients can connect \\ from outside networks. \\ In this way, incoming Wireguard traffic \\ is accepted without requiring additional manual firewall rule configuration. \\ Supports NAT (Network Address Translation) and other related security rules for Wireguard tunnels.+  * **Inbound Firewall** - adds firewall rules to let inbound Wireguard traffic  through the WAN interface. \\ This opens the necessary WireGuard port so clients can connect \\ from outside networks. As a result, incoming Wireguard traffic is \\ accepted without requiring additional manual firewall rule configuration. \\ This supports NAT and otherrelated WireGuard security rules.
  
  \\   \\ **Type of VPN** - lets you set the type of VPN topology generated.  \\   \\ **Type of VPN** - lets you set the type of VPN topology generated.
Line 184: Line 198:
   * Hub and Spoke - All peers can only communicate via the Hub.   * Hub and Spoke - All peers can only communicate via the Hub.
   * Full Mesh (defined Endpoint only) - FreshTomato will try to create \\ a full mesh among peers with EndPoint defined.   * Full Mesh (defined Endpoint only) - FreshTomato will try to create \\ a full mesh among peers with EndPoint defined.
-  * Full MeshFreshTomato will try to establish a full mesh \\ between all peers.+  * Full Mesh FreshTomato will try to establish a full mesh \\ between all peers.
   * External VPN Provider - FreshTomato will try to establish \\ a VPN connection with an external VPN provider.   * External VPN Provider - FreshTomato will try to establish \\ a VPN connection with an external VPN provider.
  
  \\  \\
  
-Depending on which setting you choose, other fields will appear in which to configure more settings.+Depending on the setting you choose, other fields will appear in which to configure more settings.
  
 To learn about WireGuard topologies, see this webpage: [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|Procustodibus: Primary WireGuard Topologies]]\\  \\ To learn about WireGuard topologies, see this webpage: [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|Procustodibus: Primary WireGuard Topologies]]\\  \\
  
-**Redirect Internet traffic**+**Redirect Internet traffic ** 
 + 
 + \\ 
 + 
 +  * \\  
 +  * All \\  
 +  * Routing Policy \\  
 +  * Routing Policy (Strict)
  
 \\ \\
vpn-wireguard.1755115254.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki