

Wireguard VPN

Introduction

Wireguard can be configured and run via the web interface or at the command line. Either interface lets you configure Wireguard settings and generate configuration scripts. This page describes how to configure Wireguard through the web interface.

To configure Wireguard manually, and for some basic theory, see this HOWTO: Set up Wireguard

Unless you're using an external VPN provider, you are advised to “nominate” a main router where configurations will be produced. Clients, such as other FreshTomato routers, and other devices must import the configuration generated by this main router. Relevant configuration changes may require you to delete and reimport the configuration on those client devices.

Current development status

The Wireguard web interface menu has been working since r2024.1. PBR (Policy-based Routing) and the kill switch feature are supported since r2025.3. Split-tunnelling is supported from within Policy-based Routing.

More importantly, two serious bugs in r2025.3 and earlier can cause kernel panics. See the Wireguard Notes and Troubleshooting section at the bottom for details.

Starting with r2025.3, FreshTomato supports the import of preconfigured Wireguard configuration scripts from external VPN providers.


The following VPN providers' scripts have been tested as working:

  • Integrity VPN
  • NordVPN
  • PIA (Private Internet Access)
  • ProtonVPN
  • SurfShark
  • Windscribe


Alternatively, many have succeeded in using the following tutorial to manually configure settings for an external VPN Provider:

How to Connect to a VPN Provider's Wireguard Tunnel on FreshTomato

Type of VPN



This setting affects the creation of peer configurations.


  • Hub and Spoke - All peers can only communicate via the Hub.
  • Full Mesh (defined Endpoint only) - FreshTomato will try to create
    a full mesh among peers with an EndPoint defined.
  • Full Mesh - FreshTomato will try to establish a full mesh
    between all peers.
  • External VPN Provider - FreshTomato will try to establish
    a VPN connection with an external VPN provider.

Wireguard Notes and Troubleshooting

Known Issues


  1. A bug in FreshTomato's CTF support for Wireguard resulted in
    a kernel panic and router reboot right after bringing up the wg0
    interface. This is believed to have been fixed. The fix should be
    available in r2025.4 or in an image built from the current git.
    For earlier releases, there are some reports of disabling CTF
    working as a workaround.
  2. Another serious bug exists in which a kernel panic and reboot
    may occur if the WAN interface is disconnected.
    This may occur even when the disconnect is expected,
    such as after clicking Release Connection in the Overview menu.
  3. Some users have reported speed issues when enabling CTF
    when Wireguard is running, while others have experienced no issues
    or even greatly increased throughput.


General Troubleshooting


Please remember these troubleshooting tips when trying to configure your VPN:

  • wg show (via the command line) output will help you
    understand the relationship between peers.
  • route (via the command line) can help you to verify
    routing decisions when the VPN is connected.
  • traceroute is a must when verifying end-to-end connectivity.
    A good approach is to test the following in order:
    • Local LAN IP
    • Local VPN IP
    • Remote VPN IP
    • Remote LAN IP


The point of failure will provide critical insight into whatever issue you are facing.
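The peer relationships that wg show reveals can also be checked programmatically. The following Python is an added example, not part of this wiki page or of FreshTomato: it parses the machine-readable wg show wg0 dump output (the same data wg show presents) and flags peers whose latest handshake is missing or stale, which is usually the first thing to look at when a spoke cannot reach the hub. The sample dump, its keys and its timestamps are constructed placeholders.

```python
import time

# WireGuard drops a session after 180 s without a fresh handshake; an older
# handshake means the peer is effectively down even though wg show lists it.
STALE_AFTER_S = 180

# Constructed sample of `wg show wg0 dump` output (tab-separated). Line 1 is
# the interface (private key, public key, listen port, fwmark); each further
# line is a peer (public key, preshared key, endpoint, allowed IPs, latest
# handshake as Unix time with 0 = never, rx bytes, tx bytes, keepalive).
# The keys are placeholders, not real WireGuard keys.
NOW = 1754400000
SAMPLE_DUMP = (
    "(hidden)\tHUB_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    f"SPOKE1_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.5:51820"
    f"\t10.10.0.2/32,192.168.2.0/24\t{NOW - 45}\t123456\t654321\t25\n"
    "SPOKE2_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.10.0.3/32\t0\t0\t0\toff\n"
    f"SPOKE3_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.7:51820"
    f"\t10.10.0.4/32\t{NOW - 900}\t999\t888\toff\n"
)


def parse_dump(text):
    """Parse dump output into (interface dict, list of peer dicts)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [] if f[3] == "(none)" else f[3].split(","),
            "latest_handshake": int(f[4]),
        })
    return iface, peers


def peer_status(peers, now=None):
    """Map each peer's public key to 'up', 'stale' or 'never'; a 'never'
    peer with no endpoint has not yet contacted this router (e.g. behind NAT)."""
    now = time.time() if now is None else now
    out = {}
    for p in peers:
        hs = p["latest_handshake"]
        out[p["public_key"]] = ("never" if hs == 0
                                else "stale" if now - hs > STALE_AFTER_S
                                else "up")
    return out
```

On a live router, feed the output of wg show wg0 dump into parse_dump and call peer_status with the default clock; a spoke showing 'never' or 'stale' is the place to start the traceroute sequence above.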


