docs:guide-user:services:vpn:wireguard:client [2019/08/07 19:56] – [4. Network] jeff
docs:guide-user:services:vpn:wireguard:client [2023/10/28 18:47] – [2. Key management] vgaetera
Line 1: Line 1:
 ====== WireGuard client ====== ====== WireGuard client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This guide describes how to configure OpenWrt to run [[wp>WireGuard|WireGuard]] client+  * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] client on OpenWrt
-  * You can use it to connect to your own WireGuard server or a commercial WireGuard provider+  * Follow [[docs:guide-user:services:vpn:wireguard:server|WireGuard server]] for server setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[basic|WireGuard basic]] for server setup and [[docs:guide-user:network:tunneling_interface_protocols#protocol_wireguard_wireguard_vpn|WireGuard protocol]] for additional tuning.+
  
 ===== Goals ===== ===== Goals =====
-{{section>..:openvpn:basic#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions ===== +===== Command-line instructions =====
- +
-Be aware that the use of ''uci'' will destroy any formatting and remove any comments from your config files. +
- +
-TODO: Confirm the changes noted below and that they are functional+
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Install the packages and specify the VPN client configuration parameters.+Install the required packages
 +Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="wg0+VPN_IF="vpn
-WG_SERV="SERVER_NAME_OR_IP_ADDRESS+VPN_SERV="SERVER_ADDRESS
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.2/24" +VPN_ADDR="192.168.9.2/24" 
-WG_ADDR6="fdf1:7610:d152:3a9c::2/64"+VPN_ADDR6="fd00:9::2/64"
 </code> </code>
  
-==== 2. Key exchange ==== +==== 2. Key management ==== 
-Export the client public key to the server. +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between server and client.
-Import the server public key and pre-shared key from the server.+
  
 <code bash> <code bash>
 # Generate keys # Generate keys
-WG_PRIVKEY="$(wg genkey)"+umask go= 
 +wg genkey | tee wgserver.key | wg pubkey > wgserver.pub 
 +wg genkey | tee wgclient.key | wg pubkey > wgclient.pub 
 +wg genpsk > wgclient.psk
  
-Export to the server +Client private key 
-echo "${WG_PRIVKEY}| wg pubkey+VPN_KEY="$(cat wgclient.key)"
  
-Import from the server +Pre-shared key 
-WG_PUBKEY="COPY_PASTE_SERVER_PUBKEY+VPN_PSK="$(cat wgclient.psk)
-WG_PSK="COPY_PASTE_SERVER_PSK"+ 
 +# Server public key 
 +VPN_PUB="$(cat wgserver.pub)"
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup.+Consider VPN network as public
 +Assign VPN interface to WAN zone to minimize firewall setup.
  
 <code bash> <code bash>
 # Configure firewall # Configure firewall
-uci del_list firewall.@zone[1].network="${WG_IF}" +uci rename firewall.@zone[0]="lan" 
-uci add_list firewall.@zone[1].network="${WG_IF}"+uci rename firewall.@zone[1]="wan" 
 +uci del_list firewall.wan.network="${VPN_IF}" 
 +uci add_list firewall.wan.network="${VPN_IF}"
 uci commit firewall uci commit firewall
 service firewall restart service firewall restart
 </code> </code>
  
-Adds to ''/etc/config/firewall'' in the ''config zone'' for WAN 
- 
-  list network 'wg0' 
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_PRIVKEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.preshared_key="${WG_PSK}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgserver uci -q delete network.wgserver
-uci set network.wgserver="wireguard_${WG_IF}" +uci set network.wgserver="wireguard_${VPN_IF}" 
-uci set network.wgserver.public_key="${WG_PUBKEY}" +uci set network.wgserver.public_key="${VPN_PUB}" 
-uci set network.wgserver.endpoint_host="${WG_SERV}" +uci set network.wgserver.preshared_key="${VPN_PSK}" 
-uci set network.wgserver.endpoint_port="${WG_PORT}"+uci set network.wgserver.endpoint_host="${VPN_SERV}" 
 +uci set network.wgserver.endpoint_port="${VPN_PORT}"
 uci set network.wgserver.route_allowed_ips="1" uci set network.wgserver.route_allowed_ips="1"
 uci set network.wgserver.persistent_keepalive="25" uci set network.wgserver.persistent_keepalive="25"
-uci add_list network.wgserver.allowed_ips="0.0.0.0/1" +uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
-uci add_list network.wgserver.allowed_ips="128.0.0.0/1"+
 uci add_list network.wgserver.allowed_ips="::/0" uci add_list network.wgserver.allowed_ips="::/0"
 uci commit network uci commit network
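Review bot: the zone selection in the firewall step, `uci rename firewall.@zone[0]="lan"` and `uci rename firewall.@zone[1]="wan"`, assumes the stock zone order (lan first, wan second); on a firewall config where zones have been added, removed or reordered the rename mislabels a zone, and the following `uci add_list firewall.wan.network="${VPN_IF}"` then attaches the tunnel to the wrong zone, which on the lan side would expose LAN services to the provider's network. Either state that this step targets the default firewall config, or select the zones by their `name` option instead of by index. Two smaller points in the same hunk: the key step generates `wgserver.key` but this page only ever consumes `wgserver.pub`, so say that the server private key is to be moved to the server and removed from the client once transferred; and replacing the `0.0.0.0/1` and `128.0.0.0/1` pair with `0.0.0.0/0` under `route_allowed_ips="1"` installs a default route that competes with the WAN default route instead of overriding it with two more specific routes, so the hunk should either note the route ordering or metric it relies on, or point to the race-conditions material that the second hunk links.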
Line 89: Line 88:
 </code> </code>
  
-Adds to ''/etc/config/network'' +Resolve [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|race conditions]] and configure [[docs:guide-user:services:vpn:wireguard:extras#dynamic_connection|dynamic connection]] if necessary.
- +
-<code> +
-config interface 'wg0' +
-       option proto 'wireguard' +
-       option private_key 'COPY_PASTE_CLIENT_PRIVATE_KEY' +
-       option preshared_key 'COPY_PASTE_SERVER_PSK'        # This is optional, based on your peer's config +
-       list addresses '192.168.9.2/24' +
-       list addresses 'fdf1:7610:d152:3a9c::2/64' +
- +
-config wireguard_wg0 'wgserver' +
-       option public_key 'COPY_PASTE_SERVER_PUBKEY' +
-       option endpoint_host 'SERVER_NAME_OR_IP_ADDRESS' +
-       option endpoint_port '51820' +
-       option route_allowed_ips '1' +
-       option persistent_keepalive '25' +
-       list allowed_ips '0.0.0.0/1' +
-       list allowed_ips '128.0.0.0/1' +
-       list allowed_ips '::/0' +
-</code> +
- +
-See also[[?do=showtag&tag=DNSCrypt+DoH+DoT|DNS encryption]]+
  
 ===== Testing ===== ===== Testing =====
-{{section>..:openvpn:basic#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-{{section>basic#troubleshooting&noheader&nofooter&noeditbutton}} +{{section>docs:guide-user:services:vpn:wireguard:server#troubleshooting&noheader&nofooter&noeditbutton}}
- +
-{{tag>How-to VPN WireGuard}}+
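Review bot: this hunk drops the rendered `/etc/config/network` listing and the `{{tag>How-to VPN WireGuard}}` line without replacements. The listing was the only place a reader could check the result of the uci commands, and it matters in this revision because `preshared_key` moves from the interface section to the `wgserver` peer section and `allowed_ips` changes to `0.0.0.0/0`; an updated listing with `option preshared_key` under `config wireguard_vpn 'wgserver'` would serve readers better than removing it. Without the tag line the page also disappears from the How-to, VPN and WireGuard tag indexes, which does not look intentional. The section includes now point at `docs:guide-user:services:vpn:wireguard:server#testing` and `#troubleshooting`; confirm those section ids exist on the server page, since a `{{section>...}}` include with a missing id renders nothing.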
  
  • Last modified: 2024/12/01 22:32
  • by aveao