# WireGuard extras

This article relies on the following:

- Accessing OpenWrt CLI
- Managing configurations
- Managing packages
- Managing services

## Introduction

This how-to describes the most common WireGuard tuning scenarios adapted for OpenWrt.

- Follow WireGuard server for server setup and WireGuard client for client setup.
- Follow WireGuard protocol for protocol-specific interface options.
- Follow Random generator to overcome low entropy issues.

## Extras

### References

- WireGuard for mobile/desktop/server
- WireGuard documentation
- WireGuard configuration examples

### Web interface

Install the necessary packages if you want to manage VPN settings and view VPN status using the web interface.

```sh
# Install packages
opkg update
opkg install luci-proto-wireguard luci-app-wireguard
/etc/init.d/rpcd restart
```

- Navigate to LuCI → Network → Interfaces to configure WireGuard.
- Navigate to LuCI → Status → WireGuard Status to view WireGuard status.

### Dynamic connection

Preserve the WAN default route so that WAN connectivity is restored when the VPN is disconnected. The higher metric keeps the WAN route in the table as a fallback behind the VPN route.

```sh
# Preserve default route
uci set network.wan.metric="100"
uci set network.wan6.metric="100"
uci commit network
/etc/init.d/network restart
```

### Dynamic IP

Periodically re-resolve the hostnames of inactive peers for VPN peers with dynamic IP addresses.

```sh
# Periodically re-resolve inactive peers
cat << "EOF" >> /etc/crontabs/root
* * * * * /usr/bin/wireguard_watchdog
EOF
uci set system.@system[0].cronloglevel="9"
uci commit system
/etc/init.d/cron restart
```

### Race conditions

Resolve the race condition with the sysntpd service.
```sh
# Resolve race conditions
cat << "EOF" >> /etc/crontabs/root
* * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart
EOF
uci set system.@system[0].cronloglevel="9"
uci commit system
/etc/init.d/cron restart
```

### Site-to-site

Implement plain routing between the server side LAN and the client side LAN assuming that:

- 192.168.1.0/24 - server side LAN
- 192.168.2.0/24 - client side LAN

Add a route to the client side LAN on the VPN server.

```sh
uci set network.wgclient.route_allowed_ips="1"
uci add_list network.wgclient.allowed_ips="192.168.2.0/24"
uci commit network
/etc/init.d/network restart
```

Add a route to the server side LAN on the VPN client.

```sh
uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips="192.168.1.0/24"
uci commit network
/etc/init.d/network restart
```

Consider the VPN network as private and assign the VPN interface to the LAN zone on the VPN client.

```sh
uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart
```

### IPv6 site-to-site

Provide IPv6 site-to-site connectivity assuming that:

- fdf1:e8a1:8d3f:1::/64 - server side LAN
- fdf1:e8a1:8d3f:2::/64 - client side LAN

Add a route to the client side LAN on the VPN server.

```sh
uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="1"
uci set network.vpn.ip6prefix="fdf1:e8a1:8d3f::/48"
uci add_list network.wgclient.allowed_ips="fdf1:e8a1:8d3f:2::/64"
uci commit network
/etc/init.d/network restart
```

Add a route to the server side LAN on the VPN client.

```sh
uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="2"
uci set network.vpn.ip6prefix="fdf1:e8a1:8d3f::/48"
uci add_list network.wgserver.allowed_ips="fdf1:e8a1:8d3f:1::/64"
uci commit network
/etc/init.d/network restart
```

### Disable gateway redirection

If you do not need to redirect all traffic to the VPN, disable gateway redirection on the VPN client.
```sh
uci del_list network.wgserver.allowed_ips="0.0.0.0/0"
uci del_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
```

### Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network assuming that:

- 192.168.1.0/24 - LAN network
- 192.168.1.2/24 - VPN gateway
- 192.168.9.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

```sh
uci -q delete firewall.wg
uci set firewall.wg="redirect"
uci set firewall.wg.name="Redirect-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.src_dport="51820"
uci set firewall.wg.dest="lan"
uci set firewall.wg.dest_ip="192.168.1.2"
uci set firewall.wg.family="ipv4"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
```

Add a route to the VPN network via the VPN gateway on the LAN gateway.

```sh
uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.9.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart
```

### DNS over VPN

Use DNS over VPN to prevent DNS leaks.

- Disable peer DNS and configure a VPN-routed DNS provider on the OpenWrt client.
- Modify the VPN connection using NetworkManager on a Linux desktop client.

```sh
nmcli connection modify id VPN_CON ipv4.dns-search ~. ipv6.dns-search ~. ipv4.dns-priority -50 ipv6.dns-priority -50
```

### Kill switch

Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone.
```sh
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart
```

With the lan to wan forwarding disabled, LAN clients lose Internet access whenever the tunnel is down; that fail-closed behaviour is the point of the kill switch.

### Multi-client

Set up a multi-client VPN server: generate client keys and profiles, then configure the VPN peers.

```sh
# Configuration parameters
WG_IDS="wgserver wgclient wglaptop wgmobile"
WG_PKI="."
WG_IF="vpn"
WG_PORT="$(uci get network.${WG_IF}.listen_port)"
WG_ADDRS="$(uci get network.${WG_IF}.addresses)"
WG_ADDR="${WG_ADDRS%% *}"
WG_ADDR6="${WG_ADDRS##* }"

# Fetch WAN IP address
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
WG_SERV="${NET_ADDR}"

# Fetch FQDN from DDNS client (first enabled DDNS service wins)
NET_FQDN="$(uci -q get "$(uci -q show ddns \
| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
| sed -n -e "1p")")"
if [ -n "${NET_FQDN}" ]
then WG_SERV="${NET_FQDN}"
fi

# Generate client keys (umask keeps key files readable by the owner only)
umask go=
mkdir -p ${WG_PKI}
for WG_ID in ${WG_IDS#* }
do
if [ ! -e "${WG_PKI}/${WG_ID}.pub" ]
then wg genkey \
| tee ${WG_PKI}/${WG_ID}.key \
| wg pubkey > ${WG_PKI}/${WG_ID}.pub
fi
if [ ! -e "${WG_PKI}/${WG_ID}.psk" ]
then wg genpsk > ${WG_PKI}/${WG_ID}.psk
fi
done

# Generate client profiles
# Each client gets the server's address with the last octet/hextet replaced by its suffix
WG_SFX="1"
for WG_ID in ${WG_IDS#* }
do
let WG_SFX++
cat << EOF > ${WG_PKI}/${WG_ID}.conf
[Interface]
Address = ${WG_ADDR%.*}.${WG_SFX}/24, ${WG_ADDR6%:*}:${WG_SFX}/64
PrivateKey = $(cat ${WG_PKI}/${WG_ID}.key)
DNS = ${WG_ADDR%/*}, ${WG_ADDR6%/*}

[Peer]
PublicKey = $(cat ${WG_PKI}/${WG_IDS%% *}.pub)
PresharedKey = $(cat ${WG_PKI}/${WG_ID}.psk)
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${WG_SERV}:${WG_PORT}
EOF
done
ls ${WG_PKI}/*.conf

# Back up client profiles
cat << EOF >> /etc/sysupgrade.conf
/root
EOF

# Add VPN peers
# The server-side allowed_ips must match the address assigned in each client profile
WG_SFX="1"
for WG_ID in ${WG_IDS#* }
do
let WG_SFX++
uci -q delete network.${WG_ID}
uci set network.${WG_ID}="wireguard_${WG_IF}"
uci set network.${WG_ID}.public_key="$(cat ${WG_PKI}/${WG_ID}.pub)"
uci set network.${WG_ID}.preshared_key="$(cat ${WG_PKI}/${WG_ID}.psk)"
uci add_list network.${WG_ID}.allowed_ips="${WG_ADDR%.*}.${WG_SFX}/32"
uci add_list network.${WG_ID}.allowed_ips="${WG_ADDR6%:*}:${WG_SFX}/128"
done
uci commit network
/etc/init.d/network restart
```

Perform an OpenWrt backup, extract the client profiles from the archive and import them into your clients.

### Automated

Automated VPN server installation and client profile generation.

```sh
opkg update
opkg install curl
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard"
cat << EOF > wireguard-server.sh
$(curl "${URL}/server?codeblock=0")
$(curl "${URL}/server?codeblock=1")
$(curl "${URL}/server?codeblock=2")
$(curl "${URL}/server?codeblock=3")
sleep 10
$(curl "${URL}/extras?codeblock=14")
EOF
sh wireguard-server.sh
```

Last modified: 2020/12/04 07:48 by vgaetera
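As a check for the Kill switch section above, the following is an added example (not part of the wiki page) that audits a `uci show firewall` dump for the leak paths the kill switch commands close. It assumes the standard `uci show` output format; the two dumps are constructed to stand in for the state before and after the commands are applied.

```sh
# Added example, not from the OpenWrt wiki: audit a `uci show firewall` dump for the
# leak paths the kill switch closes: tunnel left in the wan zone, an enabled lan->wan
# forwarding, no dedicated vpn zone. Prints each finding; returns 0 when none is found.
fw_killswitch_audit() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^firewall\./ {
            eq = index($0, "="); key = substr($0, 10, eq - 10); val = substr($0, eq + 1)
            gsub(q, "", val); dot = index(key, ".")  # strip uci value quoting
            if (dot == 0) { type[key] = val; next }  # "section=type" line
            opt[substr(key, 1, dot - 1), substr(key, dot + 1)] = val
        }
        END {
            leak = 0; vpnzone = 0
            for (s in type) {
                if (type[s] == "zone" && opt[s, "name"] == "vpn") vpnzone = 1
                if (type[s] == "zone" && opt[s, "name"] == "wan" &&
                    index(" " opt[s, "network"] " ", " vpn ")) {
                    print "LEAK: vpn interface attached to wan zone"; leak = 1 }
                if (type[s] == "forwarding" && opt[s, "src"] == "lan" &&
                    opt[s, "dest"] == "wan" && opt[s, "enabled"] != "0") {
                    print "LEAK: lan->wan forwarding " s " is enabled"; leak = 1 }
            }
            if (!vpnzone) { print "LEAK: no dedicated vpn zone"; leak = 1 }
            exit leak
        }'
}
# Constructed dump: stock layout with the tunnel attached to the wan zone.
LEAKY_DUMP=$(cat <<'EOF'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6' 'vpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
)
# Constructed dump: the layout produced by the kill switch commands above.
KILLSWITCH_DUMP=$(cat <<'EOF'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.lan_wan.enabled='0'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.network='vpn'
EOF
)
```

On a live router run `fw_killswitch_audit "$(uci show firewall)"` after the commit to confirm the three findings are gone.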