Kernel 5 for Omada Routers with wireguard support
I would like to have kernel 5 on omada routers with wireguard support. Current available VPN options are very, very limited, especially for logging and trouble resolution. With wireguard er605 should reach quite the same speed as PPTP. Wireguard is also very easy to manage
Following fields should be available:
- PrivateKey=SomeKey (there should be a field where one can paste own private key generated with as example wg genkey and a button "generate key" which will warn a user that current key will be overwritten and ask for confirmation to overwrite with yes or no)
Address should have a button with + sign for adding additional address as most will use multiple, as example 10.1.2.3.4/32 for vpn client to some vpn, 18.104.22.168/24 for own vpn subnet, 22.214.171.124/32 for connection to another peer, ...
- ListenPort=51820 (udp port 51820 is default wireguard port)
- DNS=126.96.36.199,188.8.131.52 (I would make cloudflare's dns default, best if it is not a field for each dns, but a field where dns is separated by as example commata)
- MTU=1420 (this value should be available to be set, as different networks may require different mtu's
- PostUp and PostDown fields if that somehow is configurable with omada router, as example iptables
7. Add Peer button.
Add Peer button creates new peer entry with following fields:
- PublicKey = PeersPublicKey
- AllowedIPs = 0.0.0.0/0, ::/0 (field to enter allowed ip's separated by commata, in current example 0.0.0.0/0 will route all ipv4 traffic over that peer, ::/0 will route all ipv6 over that peer)
- Endpoint = 184.108.40.206 (field to enter IP address of the peer you want to connect)
- PersistentKeepalive = 25 (field where one can enter in seconds timespan beetwen keepalive's, if router is behind a firewall, 25 is pretty good and mostly default value)
Config should be checked/optimized on save, there is not much which needs to be checked, here are few examples:
1. you can not use 0.0.0.0/0, ::/0 in two peer entries, it triggers special wireguard mode which routes all the traffic undefined in other peers to go through this peer).
2. Config should be checked for duplicates in Address entries, in private keys (2 same private keys can not be 2 different peers)
3. DNS should be pingable
4. MTU value in some way checked with local settings and warn user if somewhere something is wrong
5. PostUp field is enough if same for iptables, where -A is used when adding, -D when removing, means converting on the fly PostUp to PostDown as well as reversed.
6. Missing public keys
7. If one uses domains, then a check if domain resolves any ip like nslookup somedoma . in otherwise connection might fail
8. No conflicting routes by allowedIps (you can implement even such tool: 𝐡𝐭𝐭𝐩𝐬://𝐰𝐰𝐰.𝐩𝐫𝐨𝐜𝐮𝐬𝐭𝐨𝐝𝐢𝐛𝐮𝐬.𝐜𝐨𝐦/𝐛𝐥𝐨𝐠/𝟐𝟎𝟐𝟏/𝟎𝟑/𝐰𝐢𝐫𝐞𝐠𝐮𝐚𝐫𝐝-𝐚𝐥𝐥𝐨𝐰𝐞𝐝𝐢𝐩𝐬-𝐜𝐚𝐥𝐜𝐮𝐥𝐚𝐭𝐨𝐫/ )
9. ListenPort should be automatically added (active/inactive) to firewall and reachable per public ip (unless active checkbox is unmarked)
10. Duplicate Peers
What else tplink could check and add is then more about omada internals, but probably correct iptables/routes should be used for access to different VLAN's if in configuration of wireguard VPN one can choose just like for other protocols which subnets it should use. Release beta then you will quickly find out what other users are missing.
With all those settings, wireguard can route all traffic using one of any peers (some would say it is client mode) where at the same time it provides to other peers a connection, any of its peers can use then in their configuration 0.0.0.0/0, ::/0 in allowed IP's of omada router and all the traffic would be routed over omada. There is no need for client/server mode, as wireguard acts as both thats why it is actually to say that any peer connection is client mode or server mode, its just depends on setting of allowed ip's/routes.
Maybe above sounds complicated, but wireguard is probably the easiest VPN to setup. Would love to see it in omada and with full performance using kernel 5, with version 4 wireguard should work too if kernel 5 is really impossible for omada routers.
There are many advantages of wireguard and it is recommended protocol for budget devices like er605. If tplink wants to check the performance, you easily can install latest opewrt which has kernel 5 and install wireguard, then test the performance which you can get with er605 and you will know better if you want to enable it in omada or not. Openwrt's GUI of wireguard luci app is also pretty well and simple. In omada I would wish a possibility to assign emails to peer configs which can be sent per click to that email, in case of changing as example old private key, user is suggested to keep the old peer for 24 hours.
You also could easily add Split-Tunneling as with wireguard you can add/remove/edit peers on the fly and each peer should have a button (use as gateway) or something, by clicking that button proper routes are assigned/changed/deleted. Actually two buttons would be nice 1. send gateway config 2. send peer config. Gateway config would be a config for that user/publickey where omada router's peer has AllowedIPs=0.0.0.0/0;::/0. Peer config would be adding to AllowedIPs only the IP which peer uses as Address so that traffic as example your mobile phone uses own mobile connection but is at the same time connected to all peers and has access to all your local networks encrypted over wireguard. You will probably find better names for both options.
Above is at least how I can see it working, probably tplink team has better overview of what is required for that to happen and if it is possible at all to get firmware's for omada routers with kernel version supporting wireguard, it is already too late, many are disappointed that wireguard is not available with omada, however, hope tp-link says better too late than never and releases it.