Differences
This shows you the differences between two versions of the page.
| Previous revision | Last revision |
|---|---|
| docs:guide-user:services:vpn:wireguard:basic [2020/10/06 06:59] – use more consistent naming vgaetera | docs:guide-user:services:vpn:wireguard:server [2023/10/28 18:45] – [2. Key management] wording vgaetera |
| Line 1: | Line 1: | ||
| ====== WireGuard server ====== | ====== WireGuard server ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| - | * Follow [[docs: | + | |
| ===== Goals ===== | ===== Goals ===== | ||
| - | {{section> | + | * Encrypt your internet connection to enforce security and privacy. |
| + | * Prevent traffic leaks and spoofing on the client side. | ||
| + | * Bypass regional restrictions using commercial providers. | ||
| + | * Escape client side content filters and internet censorship. | ||
| + | * Access your LAN services | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages and specify the VPN server | + | Specify configuration parameters for VPN server. |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install wireguard | + | opkg install wireguard-tools |
| # Configuration parameters | # Configuration parameters | ||
| - | WG_IF=" | + | VPN_IF=" |
| - | WG_PORT=" | + | VPN_PORT=" |
| - | WG_ADDR=" | + | VPN_ADDR=" |
| - | WG_ADDR6="fdf1: | + | VPN_ADDR6="fd00: |
| </ | </ | ||
| ==== 2. Key management ==== | ==== 2. Key management ==== | ||
| - | Generate | + | Generate and exchange |
| - | [[docs: | + | |
| <code bash> | <code bash> | ||
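Review bot: the IPv6 address change in the Preparation block, `WG_ADDR6="fdf1:` becoming `VPN_ADDR6="fd00:`, replaces a prefix that looks randomly chosen with one that starts at `fd00:`; RFC 4193 expects the 40 bits after the `fd` byte of a ULA prefix to be randomly generated, and a non-random prefix is the one most likely to collide with other ULA networks a roaming client is also attached to (home LANs, other VPNs), which breaks routing for that client without any error. Suggest either keeping a random-looking prefix in the example or adding a sentence telling readers to generate their own. The switch from `opkg install wireguard` to `opkg install wireguard-tools` matches current releases, where the `wireguard` meta-package no longer exists and `wireguard-tools` pulls in the kernel module; it would help to state the minimum OpenWrt release the revised page assumes.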
| Line 35: | Line 37: | ||
| umask go= | umask go= | ||
| wg genkey | tee wgserver.key | wg pubkey > wgserver.pub | wg genkey | tee wgserver.key | wg pubkey > wgserver.pub | ||
| - | wg genpsk | + | wg genkey | tee wgclient.key | wg pubkey |
| + | wg genpsk > wgclient.psk | ||
| # Server private key | # Server private key | ||
| - | WG_KEY=" | + | VPN_KEY=" |
| # Pre-shared key | # Pre-shared key | ||
| - | WG_PSK=" | + | VPN_PSK=" |
| # Client public key | # Client public key | ||
| - | WG_PUB=" | + | VPN_PUB=" |
| </ | </ | ||
| ==== 3. Firewall ==== | ==== 3. Firewall ==== | ||
| - | Consider VPN network as private | + | Consider VPN network as private. |
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
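Review bot: the added `wg genkey | tee wgclient.key | wg pubkey` and `wg genpsk > wgclient.psk` lines generate the client's private key on the server, whereas the removed line deferred client keys to the client-side how-to. Generating it server-side means the client's private key exists on the router and has to be transported to the client, so the server operator (and anyone with access to the router's filesystem) holds both halves of the pair; the new wording "Generate and exchange" does not say this. Suggest either keeping per-peer generation (each side generates its own pair and only public keys plus the pre-shared key cross the wire) or adding a sentence that the client key files must be moved to the client over a trusted channel and deleted from the router afterwards. The `umask go=` line already keeps the generated files owner-only and should stay.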
| Line 55: | Line 59: | ||
| uci rename firewall.@zone[0]=" | uci rename firewall.@zone[0]=" | ||
| uci rename firewall.@zone[1]=" | uci rename firewall.@zone[1]=" | ||
| - | uci rename firewall.@forwarding[0]=" | + | uci del_list firewall.lan.network=" |
| - | uci del_list firewall.lan.network=" | + | uci add_list firewall.lan.network=" |
| - | uci add_list firewall.lan.network=" | + | |
| uci -q delete firewall.wg | uci -q delete firewall.wg | ||
| uci set firewall.wg=" | uci set firewall.wg=" | ||
| uci set firewall.wg.name=" | uci set firewall.wg.name=" | ||
| uci set firewall.wg.src=" | uci set firewall.wg.src=" | ||
| - | uci set firewall.wg.dest_port=" | + | uci set firewall.wg.dest_port=" |
| uci set firewall.wg.proto=" | uci set firewall.wg.proto=" | ||
| uci set firewall.wg.target=" | uci set firewall.wg.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| ==== 4. Network ==== | ==== 4. Network ==== | ||
| - | Set up VPN interface and peers. | + | Configure |
| <code bash> | <code bash> | ||
| # Configure network | # Configure network | ||
| - | uci -q delete network.${WG_IF} | + | uci -q delete network.${VPN_IF} |
| - | uci set network.${WG_IF}=" | + | uci set network.${VPN_IF}=" |
| - | uci set network.${WG_IF}.proto=" | + | uci set network.${VPN_IF}.proto=" |
| - | uci set network.${WG_IF}.private_key=" | + | uci set network.${VPN_IF}.private_key=" |
| - | uci set network.${WG_IF}.listen_port=" | + | uci set network.${VPN_IF}.listen_port=" |
| - | uci add_list network.${WG_IF}.addresses=" | + | uci add_list network.${VPN_IF}.addresses=" |
| - | uci add_list network.${WG_IF}.addresses=" | + | uci add_list network.${VPN_IF}.addresses=" |
| # Add VPN peers | # Add VPN peers | ||
| uci -q delete network.wgclient | uci -q delete network.wgclient | ||
| - | uci set network.wgclient=" | + | uci set network.wgclient=" |
| - | uci set network.wgclient.public_key=" | + | uci set network.wgclient.public_key=" |
| - | uci set network.wgclient.preshared_key=" | + | uci set network.wgclient.preshared_key=" |
| - | uci add_list network.wgclient.allowed_ips=" | + | uci add_list network.wgclient.allowed_ips=" |
| - | uci add_list network.wgclient.allowed_ips=" | + | uci add_list network.wgclient.allowed_ips=" |
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | {{section>docs: | + | Establish the VPN connection. |
| + | Verify your routing with [[man>traceroute(8)|traceroute]] and [[man> | ||
| + | |||
| + | <code bash> | ||
| + | traceroute openwrt.org | ||
| + | traceroute6 openwrt.org | ||
| + | </ | ||
| + | |||
| + | Check your IP and DNS provider. | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
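Review bot: in the Firewall block, dropping `uci rename firewall.@forwarding[0]=` and keeping `uci add_list firewall.lan.network=` places the WireGuard interface in the `lan` zone, so every VPN peer gets the same trust as a wired LAN host: the router's own services, all LAN hosts, and forwarding to WAN. That is consistent with the new "Consider VPN network as private." sentence, but the page should state the consequence, because the Goals list also covers peers that only need internet access; a dedicated zone with only the forwardings actually required is the least-privilege variant. In the Network block, the two `uci add_list network.wgclient.allowed_ips=` entries are the server-side source filter for that peer (cryptokey routing), so the values should stay the single client address as /32 and /128; a wider range lets the peer send packets with any source address inside it.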
| Line 101: | Line 114: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 108: | Line 121: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a wg; wg show; wg showconf vpn | pgrep -f -a wg; wg show; wg showconf vpn | ||
| - | ip address show; ip route show table all type unicast | + | ip address show; ip route show table all |
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show network; uci show firewall | + | uci show network; uci show firewall; crontab |
| - | grep -v -e " | + | |
| </ | </ | ||
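Review bot: `wg showconf vpn` (kept) and the `uci show network` line in this diagnostics block print the server private key and the peer pre-shared key in clear text, and `uci show firewall; crontab` adds further configuration. Since Troubleshooting is where readers are told what to collect before asking for help, suggest a sentence asking them to redact the `private_key` and `preshared_key` options and the `PrivateKey`/`PresharedKey` lines before posting the output. Separately, replacing `iptables-save` with `nft list ruleset` ties the page to firewall4 (OpenWrt 22.03 and later); if 21.02 readers are still expected, keep `iptables-save` as an alternative or state the minimum release.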