TorGuard related OpenWRT scripts

Project maintained by TorGuard Hosted on GitHub Pages — Theme by mattgraham

TorGuard related OpenWRT scripts

TorGuard Wireguard Installation

Installation can be performed by running /usr/bin/tginstall:

download and install with wget

# first download functions script
wget -O /usr/bin/tgsetup && chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup

download and install with curl

curl -o /usr/bin/tgsetup && chmod +x /usr/bin/tgsetup && /usr/bin/tgsetup

Script descriptions


All function of all scripts are currently in file /usr/bin/tgfunctions.


Torguard initialization script. Script generates new keypair and retrieves wireguard interface options from TorGuard server to which a user connects to with your torguard credentials, then it creates wireguard interface. After script finishes, please recheck your new interface if all values are there and if everything is ok, reboot your device.


Script to initialize torguard config when none exists.


tginstall vars

all other values are retrieved from /etc/config/torguard.


tgsetup upgrades/downloads all required scripts as well as it creates new torguard config from scratch. Old is renamed/backed up to /etc/config/torguard.old


Script to remove all tg bins and rename configs with suffix .old


Only upgrades bins, configs are not enabled, if you want to update configs too, then use please tgsetup.

torguard’s wireguard api v1

Currently only whitelisted/whitelabeled keys work and to get one can be performed in several ways

You can use the API manually, retrieve required values with a browser.

Public key for API usage has to be converted first into appropriate format by replacing suffix = with %3D

API Expiration

Currently every connection will work for 12 hours, no disconnect will happen, but after 12 hours your client will lose ability to connect to the internet. To prevent this, one could either run a cronjob or start a service tgapi which runs by default every 5 minutes ensuring that the config is extended for 12 hours from the timestamp API call is executed.

Validation loop script

This script extends/validates connection to keep your wg active. Current restriction set by TorGuard is 12 hours, please check always directly on torguard homepage/forum for any changes on this. Script can run on every linux system. If it uses wget or curl depends only on tginstall/tginit process finding/using either curl or wget.

tgapi service

Demo service file which can be used instead of cronjob is created by tginit, it is very simple, please extend it according to your needs

tgapi service script /etc/init.d/tgapi

this script is auto created and you do not need to change it, this is only for the information about how service file looks like for user who might want to enable the same on other systems where scripts for openwrt would not work.

#!/bin/sh /etc/rc.common
# Copyright (c) 2021 TorGuard forum user 19807409



reload_service() {
        procd_send_signal /usr/bin/tgapitest

start_service() {
        procd_set_param command /usr/bin/tgapitest
        procd_set_param respawn

API URL is configured in file /usr/bin/tgapitest.


Basic endless loop:

# Copyright (c) 2021 TorGuard forum user 19807409
# endless loop running every 1 minutes (60 seconds)
while true
        /usr/bin/curl --cacert /etc/torguard/ca.crt -k https://YOURUSERNAME:YOURPASS@TGSERVERIP:1443/api/v1/setup?public-key=AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJLLL%3D
        sleep ${WAITTIME}

/usr/bin/tgapitest is auto created and is overwritten with every tginstall run, there is no need for a user to make any changes on that file, here is example with dummy values, please use IP’s instead of domains for torguard as domains might deliver you different servers where server’s public keys would differ.

During tginit/tginstall, script checks if curl/wget exist as well if certificate exists making according steps/settings and creating this service file.

Example for New York shared server

first you need to convert your WG public key into API used formatting

Convert your public key to API format

TorGuard API works for now with raw public keys, but to make it correct, public key has to to be converted into url format meaning that some signs have to be replaced, as example replacing suffix = with %3D

Current implementation of urlencode in script is a little buggy and is disabled by default. Script uses currently public key for api calls which works with current api. You can manually convert with this tool (or any other) and save your api public key with:

uci set torguard.@wireguard_tg0[0].wgapipubkey='AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJLLL%3D'

to show your currently set api key, use, run

uci get torguard.@wireguard_tg0[0].wgapipubkey
Example API URL


speedperf - show all settings

to show full list of available servers and their settings and set closest/fastest to your location

uci show speedperf

speedperf default settings

Install speed perf manually

# Get speedperf bin
wget -O /etc/config/speedperf

# Get speedperf config
wget -O /usr/bin/speedperf

# set speedperf bin as executable
chmod +x /usr/bin/speedperf

How to start speedperf script

  1. Run with default settings


FAQ (Freqently Asked Question)

Frequently Asked Questions on Wiki