vpn-wireguard

Differences

This shows you the differences between two versions of the page.

vpn-wireguard [2025/09/29 18:44] – [Status] -Move description of first block of text above screenshot hogwild
vpn-wireguard [2026/03/08 21:42] (current) pedro
Line 7: Line 7:
 Note that tabs or other interface components in your menus may be different colours, depending on which web interface theme is chosen in the Admin Access menu. Note that tabs or other interface components in your menus may be different colours, depending on which web interface theme is chosen in the Admin Access menu.
  
-This HOWTO: [[wireguard_on_freshtomato|Set up WireGuard]] includes an introduction to WireGuard and some basic theory.+For an introduction to WireGuard, and some basic theory, the [[wireguard_on_freshtomato|Set up WireGuard]] HOWTO may be helpful.
  
 Unless using an external VPN provider, it's best to "nominate" a main router that will produce configuration files. Clients, such as other FreshTomato routers and other devices should import the configuration generated by the main router. Certain configuration changes may require you to delete and reimport the configuration on those client devices. Unless using an external VPN provider, it's best to "nominate" a main router that will produce configuration files. Clients, such as other FreshTomato routers and other devices should import the configuration generated by the main router. Certain configuration changes may require you to delete and reimport the configuration on those client devices.
  
 Note that WireGuard only supports UDP stream, not TCP. Note that WireGuard only supports UDP stream, not TCP.
- 
  
 ===== Current development status ===== ===== Current development status =====
Line 35: Line 34:
   * Integrity VPN   * Integrity VPN
   * NordVPN   * NordVPN
-  * PIA (Private Internet Access+  * PIA (Private Internet Access)
   * ProtonVPN   * ProtonVPN
   * SurfShark   * SurfShark
Line 46: Line 45:
 [[https://www.linksysinfo.org/index.php?threads/wireguard-on-freshtomato.76295/page-23#post-348056|How to Connect to a VPN Provider's WireGuard Tunnel on FreshTomato]] [[https://www.linksysinfo.org/index.php?threads/wireguard-on-freshtomato.76295/page-23#post-348056|How to Connect to a VPN Provider's WireGuard Tunnel on FreshTomato]]
  
 +===== Scripts =====
 +
 +The Scripts tab allows you to define custom shell commands that are executed automatically at specific stages of the WireGuard interface lifecycle. This is useful for starting or stopping additional services, adding firewall rules (e.g. iptables), or configuring custom routing when the tunnel comes up or goes down. \\ \\  There are four script hooks available:
 +
 +  * Pre-Up Script – runs before the interface is brought up
 +  * Post-Up Script – runs after the interface has been brought up
 +  * Pre-Down Script – runs before the interface is taken down
 +  * Post-Down Script – runs after the interface has been taken down
 +
 +To reference the current WireGuard interface name dynamically within any script, use ''%i'' (without quotes) — it will be substituted with the actual interface name at runtime (e.g. wg0, wg1, etc.).
 +
 +Example:
 +
 +>iptables -A FORWARD -i %i -j ACCEPT
  
 ===== Status ===== ===== Status =====
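Review bot: the example on the last added line, `iptables -A FORWARD -i %i -j ACCEPT`, appends an unconditional accept for everything forwarded in from the tunnel, and the section never says what that opens or how to undo it; since the four hooks are listed right above, suggest showing the matching Post-Down line `iptables -D FORWARD -i %i -j ACCEPT` so the rule is removed when the interface goes down and a second copy is not appended on every restart, plus one sentence that the rule as written lets the whole peer side reach any forwarded destination, so readers narrow it with -s/-d when only specific subnets should be reachable. Also present the command in a DokuWiki code block rather than a `>` blockquote, which renders as quoted prose instead of a command to copy.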
Line 62: Line 75:
  
 {{::vpn-wireguard-stop_now-2025.3.png?76}}   terminates the current WireGuard VPN tunnel and stops the service. {{::vpn-wireguard-stop_now-2025.3.png?76}}   terminates the current WireGuard VPN tunnel and stops the service.
- 
  
 ===== Wireguard Configuration ===== ===== Wireguard Configuration =====
Line 85: Line 97:
  
 {{::vpn-wireguard-config_tab-2025.3.png?95}}  here, enter the main configuration settings for the chosen interface. {{::vpn-wireguard-config_tab-2025.3.png?95}}  here, enter the main configuration settings for the chosen interface.
- 
  
 ===== Interface ===== ===== Interface =====
Line 99: Line 110:
  \\  \\
  
-**Poll Interval** - WireGuard's PersistentKeepalive setting. +**Poll Interval** - a watchdog timer for the WireGuard connection (in minutes)
- +
-This determines how often clients behind NAT send keepalive packets to maintain NAT mappings. +
- +
- \\+
  
-  * The recommended setting is 25 seconds. This causes WireGuard \\ to send a small packet to its peer every 25 seconds when no \\ other traffic occursThis keeps the connection alive through \\ NAT or firewalls that might otherwise close idle UDP sessions. \\ \\  +This causes FreshTomato to ping 1.1.1.1 via the WireGuard interface. If no reply is received in time, the wg service is restarted.\\  \\
-  * Default: 0. This disables the feature, so packets are sent only\\ as needed. This is fine for most users not behind restrictive NAT.+
  
  \\  \\
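Review bot: the rewritten Poll Interval text replaces the PersistentKeepalive description with a watchdog that pings 1.1.1.1 through the tunnel and restarts the wg service, but it drops information the removed lines carried: the default value, the value that disables the feature, and where PersistentKeepalive is now configured. Suggest stating the default and the off value, and adding that the watchdog only makes sense when 1.1.1.1 is actually routed through the interface; with a routing policy or split tunnel that sends only LAN subnets through the tunnel (see the Routing Policy bullets later on this page) the ping can never succeed and the service would be restarted every interval. Also say whether the restart affects only this interface or all WireGuard instances.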
Line 222: Line 228:
   * Routing Policy - this lets you create rules, specifying which devices \\ or destination addresses/subnets should have their Internet traffic \\ routed through the VPN or directly to the internet, without encryption. \\ This can include "split-tunneling". \\ \\    * Routing Policy - this lets you create rules, specifying which devices \\ or destination addresses/subnets should have their Internet traffic \\ routed through the VPN or directly to the internet, without encryption. \\ This can include "split-tunneling". \\ \\ 
   * Routing Policy (Strict) - only explicitly-defined traffic will go through the\\ tunnel. All other traffic is excluded and can't use the tunnel.   * Routing Policy (Strict) - only explicitly-defined traffic will go through the\\ tunnel. All other traffic is excluded and can't use the tunnel.
- 
  
 ===== Peer Parameters ===== ===== Peer Parameters =====
Line 289: Line 294:
  
  \\  \\
- 
  
 ===== Import Config from file ===== ===== Import Config from file =====
Line 320: Line 324:
  
 {{::vpn-wireguard-peers_tab-2025.3.png?95|Peers}} in this tab, you enter settings for the peer devices. {{::vpn-wireguard-peers_tab-2025.3.png?95|Peers}} in this tab, you enter settings for the peer devices.
- 
  
 ===== Peers ===== ===== Peers =====
- 
  
 This section allows you to enter and view settings for all peers of this WireGuard interface/instance. This section allows you to enter and view settings for all peers of this WireGuard interface/instance.
Line 368: Line 370:
  
 \\ \\
- 
  
 ===== Peer's Parameters ===== ===== Peer's Parameters =====
Line 427: Line 428:
  
 {{::vpn-wireguard-peers-peers_parameters-add_to_peers-2025.3.png?80}} clicking this adds all completed settings in the section to the [Peers] section in the WireGuard Configuration file. \\   \\   \\ {{::vpn-wireguard-peers-peers_parameters-clean-2025.3.png?80}}** **clicking this will clear all fields in this section, but won't save those changes until you click Save. {{::vpn-wireguard-peers-peers_parameters-add_to_peers-2025.3.png?80}} clicking this adds all completed settings in the section to the [Peers] section in the WireGuard Configuration file. \\   \\   \\ {{::vpn-wireguard-peers-peers_parameters-clean-2025.3.png?80}}** **clicking this will clear all fields in this section, but won't save those changes until you click Save.
- 
  
 ===== Status ===== ===== Status =====
Line 435: Line 435:
 If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it. If a link is up, the handshake done and the tunnel established, you should see the peer's interface ID, and the the time of the latest handshake process. You should also see real-time traffic data such as bytes transmitted (tx) and bytes received (rx). These details confirm the tunnel is established and data is flowing through it.
  
-For example, for this WireGuard instance: + \\
  
 +For example, for this WireGuard instance:
  
 The first block of text includes this router's: The first block of text includes this router's:
Line 445: Line 445:
   - Public key   - Public key
   - UDP listening port   - UDP listening port
- 
- \\ 
- 
  
  \\ \\ {{::vpn-wireguard-status-2025.3.png?473}}  \\ \\ {{::vpn-wireguard-status-2025.3.png?473}}
  
 \\ \\
- 
-The first block of text includes this router's: 
- 
-  - WireGuard Interface name 
-  - Interface's alias (if set) 
-  - Public key 
-  - UDP listening port 
- 
- \\ 
  
 The second block of text displays the Peer's: \\ The second block of text displays the Peer's: \\
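Review bot: the first context line of this hunk still reads "the the time of the latest handshake" with a doubled "the"; since the hunk already reorders this section, fix the duplicated word here. Moving the "first block" list above the screenshot and removing its duplicate below is otherwise correct.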
Line 469: Line 457:
   - Latest Handshake performed   - Latest Handshake performed
   - Number of bytes sent and received by this peer   - Number of bytes sent and received by this peer
- 
  
 ===== WireGuard Notes and Troubleshooting ===== ===== WireGuard Notes and Troubleshooting =====
Line 482: Line 469:
  
  \\  \\
- 
  
 ==== General Troubleshooting ==== ==== General Troubleshooting ====
Line 498: Line 484:
     * Remote LAN IP     * Remote LAN IP
  
- \\  The point of failure found will provide critical insight into the type of issue you are facing.+ \\  The point of failure you find will guide you in understanding what type of issue you are facing.
  
  \\  \\
 +
 +==== Problem: Traffic flowing in only one Direction ====
  
  \\  \\
 +
 +Sometimes, it may occur that from one end of your setup ("A)", you can ping devices and both VPN virtual interfaces at the other end ("B"), however, from end B, you cannot ping the remote router or devices or the client VPN virtual interface at end A.
 +
 +It this occurs, please check that there are default routes setup from B to A. Also, please check that on the client side, (in this case, end B), the "Inbound firewall" option is disabled. On the server side, make sure to add the client's subnet, so it knows how to route traffic from the server back to the client.
  
  
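Review bot: the new "Traffic flowing in only one Direction" text has typos and an under-specified fix: "It this occurs" should be "If this occurs", the quote in '("A)"' should be '("A")', and "default routes setup" should be "set up". More importantly, "add the client's subnet, so it knows how to route traffic from the server back to the client" does not say where to add it; name the field (presumably the peer's allowed IPs entry under Peer Parameters, but confirm), and explain what the client-side "Inbound firewall" option blocks and why it has to be off for this case rather than only telling the reader to disable it, since switching off an inbound firewall is a change readers should understand before making.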
vpn-wireguard.1759167874.txt.gz · Last modified: by hogwild