vpn-wireguard

Differences

vpn-wireguard [2025/09/16 16:21] – [Import Config from file] hogwild
vpn-wireguard [2025/11/19 20:30] (current) – [Problem: Traffic flowing in one Direction] -Change to: " hogwild
Line 7: Line 7:
 Note that tabs or other interface components in your menus may be different colours, depending on which web interface theme is chosen in the Admin Access menu. Note that tabs or other interface components in your menus may be different colours, depending on which web interface theme is chosen in the Admin Access menu.
  
-This HOWTO: [[wireguard_on_freshtomato|Set up WireGuard]] includes an introduction to WireGuard and some basic theory.+For an introduction to WireGuard, and some basic theory, the [[wireguard_on_freshtomato|Set up WireGuard]] HOWTO may be helpful.
  
 Unless using an external VPN provider, it's best to "nominate" a main router that will produce configuration files. Clients, such as other FreshTomato routers and other devices should import the configuration generated by the main router. Certain configuration changes may require you to delete and reimport the configuration on those client devices. Unless using an external VPN provider, it's best to "nominate" a main router that will produce configuration files. Clients, such as other FreshTomato routers and other devices should import the configuration generated by the main router. Certain configuration changes may require you to delete and reimport the configuration on those client devices.
Line 99: Line 99:
  \\  \\
  
-**Poll Interval** - WireGuard's PersistentKeepalive setting.+**Poll Interval** - a watchdog timer for the WireGuard connection (in minutes)
  
-This determines how often clients behind NAT send keepalive packets to maintain NAT mappings. +This causes FreshTomato to ping 1.1.1.1 via the WireGuard interface. If no reply is received in time, the wg service is restarted.\\  \\
- +
- \\ +
- +
-  * The recommended setting is 25 secondsThis causes WireGuard \\ to send a small packet to its peer every 25 seconds when no \\ other traffic occurs. This keeps the connection alive through \\ NAT or firewalls that might otherwise close idle UDP sessions. \\ \\  +
-  * Default: 0. This disables the feature, so packets are sent only\\ as needed. This is fine for most users not behind restrictive NAT.+
  
  \\  \\
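Review bot: the rewritten Poll Interval text drops two things the removed bullets stated: the default value and how to turn the feature off ("Default: 0. This disables the feature"). Since the setting now means something different (a watchdog that restarts the wg service when a ping to 1.1.1.1 through the tunnel gets no reply, in minutes) rather than PersistentKeepalive in seconds, the new paragraph should give the new default and the disabling value, and should say what to expect when the peer does not pass ICMP to 1.1.1.1, because as written that would restart the service on every interval. If PersistentKeepalive is configured elsewhere on the page, a pointer to it would keep the removed information reachable.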
Line 293: Line 288:
 ===== Import Config from file ===== ===== Import Config from file =====
  
-Available since r2025.3, this lets you quickly and easily import a pre-generated WireGuard configuration file. This file can come from an external VPN provider, or other source, such as another WireGuard endpoint. Files must be compatible with the wg-quick format (usually ending in "*.conf"). Note that+Available since r2025.3, this lets you quickly and easily import a pre-generated WireGuard configuration file. This file can come from an external VPN provider, or another WireGuard endpoint. Files must be compatible with the wg-quick format (usually ending in "*.conf").
  
 Typically, with an external VPN provider, you choose appropriate settings on their website for the configuration you want. The VPN provider then generates a corresponding configuration file to import. For most providers, this will be a wg-quick compatible file. Typically, with an external VPN provider, you choose appropriate settings on their website for the configuration you want. The VPN provider then generates a corresponding configuration file to import. For most providers, this will be a wg-quick compatible file.
  
-While FreshTomat's function requires file to be wg-quick compatible format for import, it does not maintain that format, or even save configuration file. Instead, after import, settings are divided up and stored in NVRAM as separate variables. To quickly view all the settings, use the "nvram show" command.+Even though FreshTomato requires the file to be in wg-quick compatible format for import, it doesn'save any configuration file. Instead, after import, settings are divided up and stored in NVRAM as separate variables. To quickly view all the settings, use the "nvram show" command.
  
 For example, to display all variables and their settings for the "wg0" interface, type: For example, to display all variables and their settings for the "wg0" interface, type:
  
-"nvram show|grep wg0_" +"nvram show|grep wg0_"  \\  \\ 
- \\  + 
-  \\+ \\ 
 The only exception occurs when you copy a configuration file to a folder on the router and enter a path to that file in the //Config File// field. In that case, that file will be saved as a configuration file, in wg-quick format. The only exception occurs when you copy a configuration file to a folder on the router and enter a path to that file in the //Config File// field. In that case, that file will be saved as a configuration file, in wg-quick format.
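Review bot: the new paragraph contains the typo "doesn'save", which should read "doesn't save". The sentence "it does not maintain that format" was dropped in the rewrite, but it was the clearer statement that the imported file is not kept in wg-quick form; consider keeping it alongside "doesn't save any configuration file" so the following "only exception" paragraph about the //Config File// field still has something to be an exception to.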
  
Line 433: Line 429:
  
 If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it. If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it.
 +
 + \\
  
 For example, for this WireGuard instance: For example, for this WireGuard instance:
- 
- \\ \\ {{::vpn-wireguard-status-2025.3.png?473}} 
- 
-\\ 
  
 The first block of text includes this router's: The first block of text includes this router's:
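Review bot: moving the screenshot out of this hunk leaves "For example, for this WireGuard instance:" introducing nothing, with the next sentence already describing "The first block of text". Either keep the image directly after that sentence or rephrase it so the colon does not point at an empty space. The unchanged context line also still has the doubled word "the the time of the latest handshake".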
Line 447: Line 441:
   - UDP listening port   - UDP listening port
  
- \\+ \\ \\ {{::vpn-wireguard-status-2025.3.png?473}} 
 + 
 +\\
  
 The second block of text displays the Peer's: \\ The second block of text displays the Peer's: \\
Line 485: Line 481:
     * Remote LAN IP     * Remote LAN IP
  
- \\  The point of failure found will provide critical insight into the type of issue you are facing.+ \\  The point of failure you find will guide you in understanding what type of issue you are facing.
  
  \\  \\
 +
 +
 +==== Problem: Traffic flowing in only one Direction ====
  
  \\  \\
 +
 +Sometimes, it may occur that from one end of your setup ("A)", you can ping devices and both VPN virtual interfaces at the other end ("B"), however, from end B, you cannot ping the remote router or devices or the client VPN virtual interface at end A.
 +
 +It this occurs, please check that there are default routes setup from B to A. Also, please check that on the client side, (in this case, end B), the "Inbound firewall" option is disabled. On the server side, make sure to add the client's subnet, so it knows how to route traffic from the server back to the client.
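Review bot: the new section has a few text defects: "It this occurs" should be "If this occurs", the label ("A)" has the quote and parenthesis swapped relative to ("B"), "default routes setup" should be "set up", and the heading "Traffic flowing in only one Direction" does not match the summary "Traffic flowing in one Direction". On substance, "add the client's subnet" on the server side does not say where; naming the field that takes it (the peer's Allowed IPs entry in this interface's settings) would make the fix actionable, and "check that there are default routes setup from B to A" would benefit from saying which route is meant (a route for the remote LAN via the tunnel, or a default route through it).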
  
  
vpn-wireguard.1758036090.txt.gz · Last modified: by hogwild