Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:client [2019/08/03 03:36] – Split client from basic vgaetera
docs:guide-user:services:vpn:wireguard:client [2023/10/28 18:47] – [2. Key management] vgaetera
Line 1: Line 1:
 ====== WireGuard client ====== ====== WireGuard client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to run [[wp>WireGuard|WireGuard]] client+  * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] client on OpenWrt
-  * You can use it to connect to your own WireGuard server or a commercial WireGuard provider+  * Follow [[docs:guide-user:services:vpn:wireguard:server|WireGuard server]] for server setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[basic|WireGuard basic]] for server setup and [[docs:guide-user:network:tunneling_interface_protocols#protocol_wireguard_wireguard_vpn|WireGuard protocol]] for additional tuning.+
  
 ===== Goals ===== ===== Goals =====
-{{section>..:openvpn:basic#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions ===== 
-{{page>meta:infobox:wip&noheader&nofooter&noeditbtn}} +==== 1. Preparation ==== 
- +Install the required packages. 
-Client configuration.+Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="wg0+VPN_IF="vpn
-WG_PORT="49999+VPN_SERV="SERVER_ADDRESS
-WG_ADDR="SERVER_NAME_OR_IP_ADDRESS+VPN_PORT="51820
-WG_PRIVKEY="$(wg genkey)+VPN_ADDR="192.168.9.2/24
-echo "${WG_PRIVKEY}| wg pubkey +VPN_ADDR6="fd00:9::2/64
-WG_PUBKEY="COPY_PASTE_SERVER_PUBKEY"+</code>
  
 +==== 2. Key management ====
 +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between server and client.
 +
 +<code bash>
 +# Generate keys
 +umask go=
 +wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
 +wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
 +wg genpsk > wgclient.psk
 +
 +# Client private key
 +VPN_KEY="$(cat wgclient.key)"
 +
 +# Pre-shared key
 +VPN_PSK="$(cat wgclient.psk)"
 +
 +# Server public key
 +VPN_PUB="$(cat wgserver.pub)"
 +</code>
 +
 +==== 3. Firewall ====
 +Consider VPN network as public.
 +Assign VPN interface to WAN zone to minimize firewall setup.
 +
 +<code bash>
 # Configure firewall # Configure firewall
-uci del_list firewall.@zone[1].network="${WG_IF}" +uci rename firewall.@zone[0]="lan" 
-uci add_list firewall.@zone[1].network="${WG_IF}"+uci rename firewall.@zone[1]="wan" 
 +uci del_list firewall.wan.network="${VPN_IF}" 
 +uci add_list firewall.wan.network="${VPN_IF}"
 uci commit firewall uci commit firewall
 service firewall restart service firewall restart
 +</code>
  
 +==== 4. Network ====
 +Configure VPN interface and peers.
 +
 +<code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_PRIVKEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci add_list network.${WG_IF}.addresses="192.168.9.2/24+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}
-uci add_list network.${WG_IF}.addresses="fdf1:7610:d152:3a9c::2/64"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}" 
 + 
 +# Add VPN peers
 uci -q delete network.wgserver uci -q delete network.wgserver
-uci set network.wgserver="wireguard_${WG_IF}" +uci set network.wgserver="wireguard_${VPN_IF}" 
-uci set network.wgserver.public_key="${WG_PUBKEY}" +uci set network.wgserver.public_key="${VPN_PUB}" 
-uci set network.wgserver.endpoint_host="${WG_ADDR}" +uci set network.wgserver.preshared_key="${VPN_PSK}" 
-uci set network.wgserver.endpoint_port="${WG_PORT}"+uci set network.wgserver.endpoint_host="${VPN_SERV}" 
 +uci set network.wgserver.endpoint_port="${VPN_PORT}"
 uci set network.wgserver.route_allowed_ips="1" uci set network.wgserver.route_allowed_ips="1"
-uci add_list network.wgserver.allowed_ips="0.0.0.0/1+uci set network.wgserver.persistent_keepalive="25
-uci add_list network.wgserver.allowed_ips="128.0.0.0/1"+uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
 uci add_list network.wgserver.allowed_ips="::/0" uci add_list network.wgserver.allowed_ips="::/0"
 uci commit network uci commit network
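Review bot: In "2. Key management" the client-side block runs `wg genkey | tee wgserver.key | wg pubkey > wgserver.pub`, so the server's private key is created and left on the client next to wgclient.key and wgclient.psk, although only VPN_KEY, VPN_PSK and VPN_PUB are used afterwards. Suggest generating only the client key pair and the pre-shared key here, setting VPN_PUB from the public key the server provides, and stating how wgclient.pub and wgclient.psk reach the server; if the intent is to generate everything on one device and copy it over, say so and tell the reader to remove the key files once both sides are configured. Separately, in "3. Firewall" the lines `uci rename firewall.@zone[0]="lan"` and `uci rename firewall.@zone[1]="wan"` assume the default zone order; a comment stating that assumption would help readers with a customised firewall, since the VPN interface is added to whichever zone sits at index 1.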
Line 54: Line 88:
 </code> </code>
  
-See also: [[?do=showtag&tag=DNSCrypt+DoH+DoT|DNS encryption]]+Resolve [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|race conditions]] and configure [[docs:guide-user:services:vpn:wireguard:extras#dynamic_connection|dynamic connection]] if necessary.
  
 ===== Testing ===== ===== Testing =====
-{{section>..:openvpn:basic#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-{{section>basic#troubleshooting&noheader&nofooter&noeditbutton}} +{{section>docs:guide-user:services:vpn:wireguard:server#troubleshooting&noheader&nofooter&noeditbutton}}
- +
-{{tag>How-to VPN WireGuard}}+
  
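Review bot: The new line replacing "See also" removes the page's only pointer to DNS encryption, while the peer in the network block is configured with allowed_ips 0.0.0.0/0 and ::/0, so the page no longer says anything about how DNS is handled once all traffic is routed through the tunnel. Suggest keeping the DNS encryption link next to the new race conditions and dynamic connection links, or adding a sentence on which resolver the client uses. The `{{tag>How-to VPN WireGuard}}` line is also dropped at the end of the page; if that is intentional, the edit summary should mention it.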
  • Last modified: 2024/12/01 22:32
  • by aveao