Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:client [2020/09/22 15:34] – [Troubleshooting] router time sync on boot fix bill888
docs:guide-user:services:vpn:wireguard:client [2023/10/28 18:47] – [2. Key management] vgaetera
Line 1: Line 1:
 ====== WireGuard client ====== ====== WireGuard client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] client on OpenWrt.   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] client on OpenWrt.
-  * You can use it to connect to your own WireGuard server or a commercial WireGuard provider. +  * Follow [[docs:guide-user:services:vpn:wireguard:server|WireGuard server]] for server setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[docs:guide-user:services:vpn:wireguard:basic|WireGuard basic]] for server setup and [[docs:guide-user:services:vpn:wireguard:extra|WireGuard extras]] for additional tuning.+
  
 ===== Goals ===== ===== Goals =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#goals&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Install the packages and specify the VPN client configuration parameters+Install the required packages
-Each client should have a unique WG_ADDR to avoid collisions.+Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="wg0+VPN_IF="vpn
-WG_SERV="SERVER_NAME_OR_IP_ADDRESS+VPN_SERV="SERVER_ADDRESS
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.2/24" +VPN_ADDR="192.168.9.2/24" 
-WG_ADDR6="fdf1:7610:d152:3a9c::2/64"+VPN_ADDR6="fd00:9::2/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate client keys. +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between server and client.
-Exchange the public keys and the pre-shared key between the server and the client using [[docs:guide-user:troubleshooting:backup_restore|file transfer]] or copy-paste.+
  
 <code bash> <code bash>
-# Generate and exchange the keys+# Generate keys
 umask go= umask go=
 +wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
 wg genkey | tee wgclient.key | wg pubkey > wgclient.pub wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
 +wg genpsk > wgclient.psk
  
-WG_KEY="$(cat wgclient.key)" +# Client private key 
-WG_PSK="$(cat wg.psk)" +VPN_KEY="$(cat wgclient.key)" 
-WG_PUB="$(cat wgserver.pub)"+ 
 +# Pre-shared key 
 +VPN_PSK="$(cat wgclient.psk)" 
 + 
 +# Server public key 
 +VPN_PUB="$(cat wgserver.pub)"
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup.+Consider VPN network as public
 +Assign VPN interface to WAN zone to minimize firewall setup.
  
 <code bash> <code bash>
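Review bot: the new key block in section 2 generates the server's private key on the client (`wg genkey | tee wgserver.key | wg pubkey > wgserver.pub`), but a client only ever needs `wgserver.pub`; either generate the server pair on the server and transfer only the public key, or state that these three commands run once on whichever host generates all keys and that `wgserver.key` must be moved off the client afterwards, otherwise a copy of the server's private key is left lying on every client that follows this page. The retained `umask go=` is what keeps the generated key files unreadable by other local users, so it must stay ahead of all the `wg genkey` / `wg genpsk` calls. Two smaller points: the package change `wireguard` to `wireguard-tools` is correct for current OpenWrt, where `wireguard-tools` pulls in the kernel module; and the deleted reminder "Each client should have a unique WG_ADDR to avoid collisions" has no replacement, although `VPN_ADDR="192.168.9.2/24"` and `VPN_ADDR6="fd00:9::2/64"` are exactly what a second client will copy unchanged, so consider restoring that sentence next to the parameter block.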
Line 49: Line 55:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci rename firewall.@forwarding[0]="lan_wan" +uci del_list firewall.wan.network="${VPN_IF}" 
-uci del_list firewall.wan.network="${WG_IF}" +uci add_list firewall.wan.network="${VPN_IF}"
-uci add_list firewall.wan.network="${WG_IF}"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgserver uci -q delete network.wgserver
-uci set network.wgserver="wireguard_${WG_IF}" +uci set network.wgserver="wireguard_${VPN_IF}" 
-uci set network.wgserver.public_key="${WG_PUB}" +uci set network.wgserver.public_key="${VPN_PUB}" 
-uci set network.wgserver.preshared_key="${WG_PSK}" +uci set network.wgserver.preshared_key="${VPN_PSK}" 
-uci set network.wgserver.endpoint_host="${WG_SERV}" +uci set network.wgserver.endpoint_host="${VPN_SERV}" 
-uci set network.wgserver.endpoint_port="${WG_PORT}"+uci set network.wgserver.endpoint_port="${VPN_PORT}"
 uci set network.wgserver.route_allowed_ips="1" uci set network.wgserver.route_allowed_ips="1"
 uci set network.wgserver.persistent_keepalive="25" uci set network.wgserver.persistent_keepalive="25"
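Review bot: dropping `uci rename firewall.@forwarding[0]="lan_wan"` is fine since nothing else in the hunk refers to `lan_wan`, but the remaining `uci rename firewall.@zone[0]="lan"` / `firewall.@zone[1]="wan"` still rename zones by position, which silently mislabels zones on a router whose firewall config has extra or reordered zones; add a sentence that the firewall step assumes the default zone layout, or replace the positional renames with a lookup by zone name. The `del_list` before `add_list` keeps the step safe to re-run, and putting the VPN interface in the wan zone gives it the wan zone's input policy and masquerading, which matches the "consider VPN network as public" intent. In the network part, `route_allowed_ips="1"` means every `allowed_ips` prefix on the `wgserver` peer becomes a system route, so the text should remind the reader that the allowed list decides what traffic the router sends into the tunnel, not only what it accepts from it.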
Line 80: Line 85:
 uci add_list network.wgserver.allowed_ips="::/0" uci add_list network.wgserver.allowed_ips="::/0"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
-Make possible to manage VPN connection [[docs:guide-user:services:vpn:wireguard:extra#dynamic_connection|dynamically]].+Resolve [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|race conditions]] and configure [[docs:guide-user:services:vpn:wireguard:extras#dynamic_connection|dynamic connection]] if necessary.
  
 ===== Testing ===== ===== Testing =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#testing&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-{{section>docs:guide-user:services:vpn:wireguard:basic#troubleshooting&noheader&nofooter&noeditbutton}} +{{section>docs:guide-user:services:vpn:wireguard:server#troubleshooting&noheader&nofooter&noeditbutton}}
- +
-Wireguard is 'time sensitive' If the router's clock is out of sync, the VPN tunnel will refuse to pass traffic. At the time of writing, this is because the IP addresses of the NTP servers could not be resolved via DNS when the router boots up.  There are a variety of solutions. +
- +
-**LUCI > System > System > Local Time**    Click on 'Sync with browser' button.  Unfortunately, this step must be completed every time the router is rebooted. +
- +
-Another option is to specify the actual IP addresses of the NTP servers. +
- +
-Another creative solution is described here by forum member 'uniquename' +
-[[https://forum.openwrt.org/t/problematic-wireguard-at-the-time/56435/36|owrt forum link]] +
- +
-Add the following to **LUCI > System > Startup > Local Startup** script  or to **/etc/rc.local** +
- +
-''date -s "2030-01-01 00:00:00" '' +
- +
- +
- +
- +
- +
  
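Review bot: this hunk deletes the whole boot-time clock troubleshooting block (the "Wireguard is 'time sensitive'" paragraph through the `date -s "2030-01-01 00:00:00"` rc.local workaround) and replaces it only with a link to the extras page's `race_conditions` section; unless that section really covers NTP being unreachable at boot because DNS is not yet up, the guidance is lost, so either confirm the link covers it or move the paragraph there. Removing the `date -s` hack itself is a defensible cleanup, because pinning the clock years ahead and letting NTP step it back later is fragile: WireGuard handshake initiations carry a timestamp and a peer rejects initiations whose timestamp is not newer than the last one it accepted, so after the correction the server can refuse the client's handshakes until its recorded timestamp is passed again. That is worth stating in the replacement text rather than deleting silently. The `service network restart` change and the new `wireguard:server` include targets for Testing and Troubleshooting are fine.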
  • Last modified: 2024/12/01 22:32
  • by aveao