WireGuard extras

Web interface

Install the necessary packages if you want to manage VPN settings and view VPN status via the web interface.

# Install packages
opkg update
opkg install luci-proto-wireguard luci-app-wireguard
  • Navigate to LuCI → Network → Interfaces to configure WireGuard.
  • Navigate to LuCI → Status → WireGuard Status to view WireGuard status.

Dynamic IP

Periodically re-resolve the hostnames of inactive peers, for VPN peers with dynamic IP addresses.

# Periodically re-resolve inactive peers
cat << "EOF" >> /etc/crontabs/root
* * * * * /usr/bin/wireguard_watchdog
EOF

Site-to-site

Implement plain routing between the server-side LAN and the client-side LAN, assuming that:

  • 192.168.1.0/24 - server side LAN
  • 192.168.2.0/24 - client side LAN
  • 192.168.9.0/24 - VPN network

Add a route to the client-side LAN on the VPN server.

uci set network.wgclient.route_allowed_ips="1"
uci -q delete network.wgclient.allowed_ips
uci add_list network.wgclient.allowed_ips="192.168.2.0/24"
uci add_list network.wgclient.allowed_ips="192.168.9.0/24"
uci commit network
/etc/init.d/network restart

Add a route to the server-side LAN on the VPN client.

uci set network.wgserver.route_allowed_ips="1"
uci -q delete network.wgserver.allowed_ips
uci add_list network.wgserver.allowed_ips="192.168.1.0/24"
uci add_list network.wgserver.allowed_ips="192.168.9.0/24"
uci commit network
/etc/init.d/network restart

Treat the VPN network as private and assign the VPN interface to the LAN zone on the VPN client.

uci del_list firewall.wan.network="wg0"
uci add_list firewall.lan.network="wg0"
uci commit firewall
/etc/init.d/firewall restart

Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network, assuming that:

  • 192.168.1.0/24 - LAN network
  • 192.168.1.2/24 - VPN gateway
  • 192.168.9.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

uci -q delete firewall.wg
uci set firewall.wg="redirect"
uci set firewall.wg.name="Redirect-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.src_dport="51820"
uci set firewall.wg.dest="lan"
uci set firewall.wg.dest_ip="192.168.1.2"
uci set firewall.wg.family="ipv4"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add a route to the VPN network via the VPN gateway on the LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.9.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

PBR

Use different routing paths with policy-based routing (PBR). Route LAN clients to WAN and all other clients to VPN.

uci set network.wan.ip4table="1"
uci set network.wan6.ip6table="1"
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="1"
uci commit network
/etc/init.d/network restart

NAT6

Enable NAT6 with IPv6 masquerading if you have no public prefix for the VPN6 network.

opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Fix DNS leak

Prevent DNS leaks on an OpenWrt client by using a VPN-routed DNS provider or DNS encryption.

Modify the VPN connection using NetworkManager on a Linux desktop client.

nmcli connection modify WG_CON ipv4.dns-priority "-50" ipv6.dns-priority "-50"

Kill switch

Prevent traffic leaks on an OpenWrt client by isolating the VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci del_list firewall.wan.network="wg0"
uci add_list firewall.vpn.network="wg0"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
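As an added example (not part of this wiki page), a POSIX shell audit that reads a saved "uci show firewall" dump and confirms the kill-switch invariants set above: wg0 is in the vpn zone and no longer in wan, the vpn zone rejects forwarding, and the lan_wan forwarding is absent or disabled. The two sample dumps are constructed for the demonstration; on a router you would feed it the output of "uci show firewall" instead.

```shell
# Added example (not from the OpenWrt wiki): audit a "uci show firewall"
# dump for the kill-switch invariants. Usage: check_killswitch FILE

# Constructed sample: expected state after the kill-switch commands.
write_good_dump() {
  cat > "$1" << 'EOF'
firewall.wan.network='wan' 'wan6'
firewall.vpn=zone
firewall.vpn.forward='REJECT'
firewall.vpn.network='wg0'
firewall.lan_vpn.src='lan'
firewall.lan_vpn.dest='vpn'
firewall.lan_wan=forwarding
firewall.lan_wan.enabled='0'
EOF
}

# Constructed sample: wg0 still in the wan zone, LAN->WAN forwarding still on.
write_leaky_dump() {
  cat > "$1" << 'EOF'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.vpn=zone
firewall.vpn.forward='ACCEPT'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
EOF
}

# Return 0 when every invariant holds, 1 otherwise; print each failure.
check_killswitch() {
  dump="$1"; rc=0
  if ! grep -q "^firewall\.vpn\.network=.*'wg0'" "$dump"; then
    echo "FAIL: wg0 is not in the vpn zone"; rc=1
  fi
  if grep -q "^firewall\.wan\.network=.*'wg0'" "$dump"; then
    echo "FAIL: wg0 is still in the wan zone"; rc=1
  fi
  if ! grep -q "^firewall\.vpn\.forward='REJECT'" "$dump"; then
    echo "FAIL: vpn zone does not REJECT forwarding"; rc=1
  fi
  # lan->wan forwarding must be absent or explicitly disabled
  if grep -q "^firewall\.lan_wan=forwarding" "$dump" &&
     ! grep -q "^firewall\.lan_wan\.enabled='0'" "$dump"; then
    echo "FAIL: lan->wan forwarding is still enabled"; rc=1
  fi
  return $rc
}
```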
docs/guide-user/services/vpn/wireguard/extra.txt · Last modified: 2019/10/05 22:30 by vgaetera