Nordvpn Wireguard Router

DD-WRT WireGuard Setup Guide

  1. Then I could forward any traffic coming from a subnet / VLAN interface through the NordVPN WireGuard tunnel. This is done reading other forum posts and other stuff online. I'll try to post here, do not know if it will be formatted nicely though. ## Linux ### WireGuard Install `WireGuard` on a Linux machine.
  2. If you're setting up two routers, you should change the second router's local IP address to a different one from the main router's. (In this case, the main router's IP is 192.168.1.1, while the router you're connecting to a NordVPN server is reachable at 192.168.2.1.) 2. Navigate to Setup IPV6.
The DD-WRT UI is constantly evolving and there are multiple variations depending on the specific build and version of the firmware. You may not see the exact same options in the same order as below.
This guide was produced using DD-WRT v39715.
  1. Navigate to the home page of your router (by default 192.168.1.1).

  2. Go to Setup > Tunnels and click the Add Tunnel button. Choose Enable and select WireGuard from the dropdown menu.

  3. Set the MTU value of the WireGuard tunnel to 1412.

  4. Click the Generate Key button and go to the Client Area on the IVPN website to add the generated public key to the Key Management area. Make note of the IP address we assign to your public key, add it to the IP address field, and enter 255.255.255.255 in the Subnet Mask field.

    Hint: After clicking Generate Key, it may or may not be possible to copy the public key displayed on the Tunnels page. Click the Save and Apply Settings buttons, then go to Administration > Commands and enter wg in the Commands box, then click Run Commands. This will display details of the WireGuard connection including the public key, which can be easily copied.
  5. Click the Add Peer button and enter the following peer configuration (as also shown in the screen shot below):

    • Peer Tunnel IP: 0.0.0.0
    • Peer Tunnel DNS: 172.16.0.1
    • Endpoint: Enable
    • Endpoint Address: Enter an IVPN WireGuard server IP address (available via the WireGuard Server List in the Client Area) and choose a port:
    • Allowed IPs: 0.0.0.0/0
    • Persistent Keepalive: 25
    • Peer Public Key: Enter an IVPN WireGuard server public key (available via the WireGuard Server List in the Client Area)
    • Use Pre-shared Key: Disable
    Note: You are welcome to use whichever server you prefer. The Endpoint Address and Peer Public Key in the example above are specific to our server in Sweden.
  6. Click the Save button, then click the Apply Settings button.

  7. In Administration > Commands, enter the following:

    Save Startup:

    Save Firewall:

    Note: The iptables commands above create a kill-switch firewall to prevent leaks. The routing table in DD-WRT is reset every time the Apply Settings button is clicked anywhere in the web interface and it takes time for the Custom Script to reapply the routing. If you prefer or do not mind leaks, please only enter in the Save Firewall area.

    Save Custom Script:

  8. In Setup > Basic Setup, you might consider setting IVPN DNS servers in the Network Address Server Settings (DHCP) area:

    • Static DNS 1: 172.16.0.1
    • Static DNS 2: 198.245.51.147
  9. Click the Save button, then click the Apply Settings button.

  10. Reboot your router and wait for a minute or two for everything to settle, then reboot your computer system.

The WireGuard protocol is intended to be the future of VPNs, promising better speeds and security. We tested NordVPN's implementation, and WireGuard appears set to deliver on its promises.

Motivation

For a moderately security conscious geek like myself, there can be a number of reasons to want to set up a home VPN server:

  1. Accessing your home computer via screen sharing without exposing it to the Internet (and thereby to potential evil-doers).
  2. Accessing servers with IP white lists (common case for security hardened IT systems).
  3. Accessing country-IP-filtered things like Netflix while travelling.
  4. Browsing privately from insecure WiFi networks.
  5. Getting access to services that are blocked inside restrictive corporate networks.
I have use cases for all of those from time to time, and after a bunch of frustrated attempts at getting OpenVPN working as I want it to, I decided to try Wireguard, a fairly new VPN software that promises to cut through some of the complexities of OpenVPN or IPSec, while delivering a secure (and fast) connection. Getting it set up can be a little tricky if you (like me) don’t usually do a lot of networking stuff and don’t know all the ins and outs of it, so here’s my “Wireguard for dummies” explanation.

Important clarification

To Wireguard, there are no dedicated servers or clients, there are only “peers”. For the setup described here, one side will act as a server, and the other side as a client, so I’ll use those terms to describe them for clarity.

Installing the Wireguard server

The official Wireguard installation page has instructions for lots of different platforms. My Wireguard server is on a Raspberry Pi (running Raspbian Buster), so I followed the instructions for Debian, which worked great.

The rest of these instructions should work on any other UNIX-y server (or even for running Wireguard inside a Docker container if that’s more your speed).

Once you’ve got it installed, we can proceed.

Configuring the Wireguard server, part 1

Generate a private key

Run wg genkey on the Wireguard server, and copy the output so we can use it for the server configuration file. As the name implies, the private key should be kept private to ensure the security of the VPN connection.

For this example, we’ll use 6NJepbdEduV97+exampleprivatekeydontusethis= - do not use that key in your real setup, generate your own.

Server configuration file

Edit (or create) the file /etc/wireguard/wg0.conf to look something like this:

Here, we use 10.14.0.0/24 as the “address” for the Wireguard server. The /24 at the end means we will be using a subnet of all IP addresses from 10.14.0.1 to 10.14.0.254.

This is a separate IP network from my home LAN, and should not overlap with it. Connecting VPN clients will then use an IP inside this network, and be able to access my LAN via routing, which we’ll set up later.

Configuring the Wireguard client, part 1

In my example, I’m using the Wireguard client for macOS, but the configuration file format is the same for all clients, so you should be able to use whichever version you prefer. There are links to clients for macOS, Android, iOS, Windows and a whole bunch of Linux and BSDs on the aforementioned Wireguard installation page.

To get started, first create a new tunnel:

The macOS client fills out the PrivateKey field when creating a new tunnel. If your client doesn’t, you can generate one on the server with the wg genkey command we used above. It should not be the same as the private key used in the server configuration.

Copy the generated public key (again, the macOS client generates it automatically for us) so we can put it in to the server configuration.

Configuring the Wireguard server, part 2

On the server, edit /etc/wireguard/wg0.conf again.

Below the configuration we added in step 1, add this:

Fill in the public key from the client.

The IP address in AllowedIPs determines which IP address inside the subnet we set up on the server (10.14.0.0/24) the client should be allowed to use. 10.14.0.10/32 means that the client will have to use the IP 10.14.0.10, and can thus only have one active connection at a time.

That is a reasonable configuration, in my opinion. If you have multiple devices you want to connect, you should use separate public/private keys and give them a different IP address.

Once you’ve added this, we’re ready to start the Wireguard server. Do this by running sudo wg-quick up wg0.

That’ll output something like this:

When that is done, check the server status by running sudo wg. That should output something like this:

Copy the server’s public key from the status info, so we can use it to configure the client.

Configuring the Wireguard client, part 2

Now the server is running, we have everything we need to configure the client.

Go edit the tunnel we created earlier, and change the configuration to something like this (leaving the private key we set up earlier alone, so it matches the public key in the server config):

There are a few important things to keep note of here, when adopting this configuration for your own use:

  1. The PublicKey must be the public key of the server. Each side has its own private key and the other side’s public key.

  2. The Address in the [Interface] section on the client should match the AllowedIPs set in the [Peer] section on the server.

  3. AllowedIPs on the client determines what IP addresses are routed through the VPN connection. Here we use 0.0.0.0/0 as a wildcard to ask that all traffic is sent through the VPN. That is what you need for reasons 2-5 described in the motivation section. If you just want to access your home LAN through the VPN, and use your regular network connection for everything else, fill in its network instead, e.g. 192.168.1.0/24.

    ::/0 does the same for IPv6.

  4. The DNS entry defines the DNS server that’ll be used when trying to access the network through the VPN. In this example, it’s the IP address of the router in my home LAN.

  5. Endpoint is the hostname (or IP address) plus port number where the Wireguard server can be reached. If you have the average home LAN, you’ll need to set up port forwarding in your home router to make the Wireguard server accessible from the Internet.

    How this is done is different from router to router, so I can’t provide much more detail than that.

    If you don’t have a static IP, you’ll probably want to set up dynamic DNS, too.
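
The rules in the list above, together with the earlier points about the non-overlapping VPN subnet and the separate private keys, can be checked mechanically before bringing the tunnel up. The following Python sketch is an added example, not code from the original article; both configs are constructed samples with placeholder keys, and the server address 10.14.0.1/24 and the LAN 192.168.1.0/24 are assumptions.

```python
import ipaddress
V4_ALL, V6_ALL = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")
# Constructed sample configs: placeholder keys, addresses follow the article.
SERVER_CONF = """[Interface]
Address = 10.14.0.1/24
PrivateKey = <server-private-key>
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.14.0.10/32
"""
CLIENT_CONF = """[Interface]
Address = 10.14.0.10/32
PrivateKey = <client-private-key>
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
"""

def parse(text):
    """Return (interface, peers); peers is a list because [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            current[key.strip().lower()] = value.strip()
    return interface, peers

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check(server_text, client_text, lan="192.168.1.0/24"):
    """Cross-check a server and a client config; return a list of problems."""
    (s_if, s_peers), (c_if, c_peers) = parse(server_text), parse(client_text)
    vpn_net = nets(s_if["address"])[0]
    c_addr = ipaddress.ip_interface(c_if["address"].split(",")[0].strip()).ip
    owners = [p for p in s_peers if any(c_addr in n for n in nets(p["allowedips"]))]
    routed = nets(c_peers[0]["allowedips"])
    checks = [
        (vpn_net.overlaps(ipaddress.ip_network(lan)), "VPN subnet overlaps the LAN"),
        (c_addr not in vpn_net, "client Address is outside the server's VPN subnet"),
        (len(owners) != 1, f"client Address matched by {len(owners)} server peers"),
        (s_if["privatekey"] == c_if["privatekey"], "client and server share a private key"),
        (V4_ALL in routed and V6_ALL not in routed, "all IPv4 is tunnelled but IPv6 (::/0) is not"),
    ]
    return [message for failed, message in checks if failed]
```

With the sample client config, the only finding is that IPv6 traffic stays outside the tunnel, which matters for the "browsing privately" use case on dual-stack networks.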

Final touches

To allow clients connected to your Wireguard server to connect to your LAN (and the Internet), you’ll need to configure the server to act as a router.

On Raspbian, this is done by editing /etc/sysctl.conf and changing the net.ipv4.ip_forward line to say net.ipv4.ip_forward=1. If the line is not present already, add it.

For IPv6 routing, also set net.ipv6.conf.all.forwarding=1 in the same file.

You’ll also want Wireguard to start automatically on reboot. On Raspbian, this is done by running:

Once that is done, try rebooting to see if everything loads correctly and ensure the IP forwarding we enabled is loaded correctly.

After rebooting, running sudo wg should give you the same output as before, indicating that the Wireguard server is running as expected.

Try it out

Once that’s all done, you should be able to connect. On macOS that can be achieved via this activate button (sensitive details redacted):

If all goes well, you should see the information change to indicate data flowing through the VPN connection, like this:

As you can see, I’ve set up multiple tunnel configs, one forwarding all traffic, and one just giving access to the home LAN.

If you connect to the server and run sudo wg, you should see something like this:

Acknowledgments

I wrote this after having the friendly people in the #wireguard channel on Freenode (IRC) help me understand Wireguard better. Thanks, y’all.

This document and its illustrations are released under the terms of Creative Commons CC0, and are thus free for anyone to use as they wish.