TP-Link ER605 v2 WireGuard VPN(TrueNAS core 13.0 comparison)

近期在弄老闆許願的案子，BeagleBone Black(Debian) installed wakeonlan, crontab 區域喚醒如期正常；TrueNAS的WireGuard VPN參考官網也正常，唯有近期換的TP-Link ER605一直設定失敗，弄得本貓要抓狂，抓抓抓~找了YouTube找找找，後來找到官網說明，喵~

WireGurad VPN(TrueNAS core, based on FreeBSD) Server side:

1. Key Generation(See ref 1.)找自己要個工作目錄(找不到之前參考的網站了...等等我拉希望能找到)
   root登錄後(還在想有甚麼其他的方式sudo之類的，但懶懶~~)
   # cd ~
   # umask 077
   # wg genkey > privatekey
   # wg pubkey < privatekey > publickey
2. vi /root/wg0.conf
   [Interface]
   Address = 172.20.20.1/32(自行設定，本貓不知道不遵循class A, B, C的subnet masking會怎麼樣)
   PrivateKey = generated in step 1
   ListenPort = 51820(ER605設定網頁：如果內網有其他WireGuard之類VPN請不要設定外網port 51820，Transmission-NAT-Virtual Server 51820；外網51821轉TrueNAS ip內網51820)
   # 外網ip:51820-><router_private_ip>:51820(其實不用自己設定virtual server對應)
   # 外網ip:51821-><TrueNAS_DHCP_IP_reservation>:51820
   # [When setting open ports for NAT, do not select the reserved ports (1723/1701 is reserved for PPTP/L2TP, 1194 is reserved for OpenVPN, 51820 is reserved for WireGuard, and the specific ports you reserved).] This is a comment.
   [Peer]
   PublicKey = generated in the cient side(copy and paste)
   AllowedIPs = 172.20.20.2/32(自行設定)
3. 好像wireguard這個東東，但使用上configuration file之前報錯，挖個坑再找資料寫(好像到處是坑了......)
   # wg-quick up /root/wg0.conf
   # wg
   看看介面狀況
   # ping 172.20.20.2
   試試與客戶端的連線怎樣
   or
   # sudo tcpdump -i wg0
   看看倒底發生什麼事
   成功可以往後跳
4. init scripts
   Tasks-Init/Shutdown Scripts
   Type:Command
   Description:wg(自己訂，要弄成"電腦乖乖"也行，但不建議中文，可能會有編碼問題)
   When: POSTINT
   Command: mkdir -p /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && wg-quick up /usr/local/etc/wireguard/wg0.conf

Client side(iOS, iPhone 13mini same applies for windows client and debian client[kind of the same steps in ref 1. key generation])

1. create from scracth
2. create a key pair
3. setting up the parameters
   Interface
   Name: 自行設定
   Public Key: generated from step 1.
   Addresses: 172.20.20.2/32
   DNS servers: 8.8.8.8(好像有人說不設定不能上網??沒測試過，本貓也沒有self-host DNS server，路由器也沒有設定DNS相關功能)
   Peer
   Public Key: copy and paste from the server's public key
   Endpoint: server_ip:51821(可以用DDNS或中華電信非固定制固定IP，路由器設定外網IP:51820轉內網IP[路由器本身]:51820，TrueNAS的是外網IP:51821轉內網IP[TrueNAS內網IP]:51820 )
   Allowed IPs: 172.20.20.1/32

ER605 v2 WireGuard VPN settings

See ref 2./3. 剛起步就接觸FreeBSD的本貓真的不是很喜歡GUI的設定方式，想搞死人的windows每次改版都要浪費時間熟悉，當使用者時間多，不用喵喵叫、找草地、草地打滾、找貓打架??

• ER605 v2 server side(router private subnet: 192.168.125.0/24)
  Name: 自行設定
  MTU: 1420
  Listen Port: 51820(不知道改了會怎麼樣，GUI的設定沒有需要有其他驗證方式)
  Private Key:
  Local Address: 192.168.124.2(router private network in 192.168.125.0/24)
  Status: enabled
• Client side (iOS iPhone 13 mini)
  Interface
  Name: 自行設定
  Public Key: can be generated itself
  Address: 172.20.1.2/32 (自行設定，不要和路由器與路由器WireGuard Local Address相同即可)
  DNS server: 8.8.8.8
  Peer
  Public Key: copy and paste from the server's public key
  Endpoint: public_ip_address_of_server:51820(port對應伺服器設定，沒改為51820)
  Allowed IPs: 0.0.0.0/0(超奇怪的設定，代表redirect all traffic to the interface)
  測試後Client 可PING server private subnet(192.168.125.0/24)
  PING server WireGuard local address 192.168.124.2/192.168.124.1都沒回應...
  可用但沒達到本貓的目的(只想存取內網，沒有要redirect all traffic)

還在找方法設定"不要" Redirect all traffic through the tunnel interface，本貓只是想存取內網裝置而已，沒有要Netflex and chill或用其他國家的網域買機票，喵~~

Last but not the least, love ya guys on https://forums.freebsd.org/.

References

1. Quick Start - WireGuard
   https://www.wireguard.com/quickstart/
2. How to configure WireGuard VPN on Omada Router in Standalone mode?
   https://www.tp-link.com/us/support/faq/3559/
3. How to configure Wireguard VPN on Omada Gateway
   https://www.vigi.com/mx/support/faq/4298/
4. Simple and Secure VPN in FreeBSD – Introducing WireGuard
   https://forums.freebsd.org/threads/simple-and-secure-vpn-in-freebsd-introducing-wireguard.78628/
5. Setup wireguard between two 13.2+ FreeBSD hosts
   https://forums.freebsd.org/threads/setup-wireguard-between-two-13-2-freebsd-hosts.89196/