Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:basic [2020/10/06 06:59] – use more consistent naming vgaeteradocs:guide-user:services:vpn:wireguard:server [2023/10/28 18:45] – [2. Key management] wording vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.
-  * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extra|WireGuard extras]] for additional tuning+  * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.+
  
 ===== Goals ===== ===== Goals =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#goals&noheader&nofooter&noeditbutton}}+  * Encrypt your internet connection to enforce security and privacy. 
 +    * Prevent traffic leaks and spoofing on the client side. 
 +  * Bypass regional restrictions using commercial providers. 
 +    * Escape client side content filters and internet censorship. 
 +  * Access your LAN services remotely without port forwarding.
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate server keys and a pre-shared key. +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between server and client.
-[[docs:guide-user:services:vpn:wireguard:start#key_management|Exchange]] the keys between the server and the client using [[docs:guide-user:troubleshooting:backup_restore|file transfer]] or copy-paste.+
  
 <code bash> <code bash>
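Review bot: the new `VPN_ADDR6="fd00:9::1/64"` trades a ULA prefix with a non-zero 40-bit global ID (`fdf1:e8a1:8d3f:9::/64`) for one whose global ID is all zeros; RFC 4193 expects that ID to be generated randomly so that two privately addressed networks are unlikely to collide when they are later joined over the tunnel, so consider keeping a randomly generated prefix (shown as a clearly marked placeholder to regenerate) rather than `fd00:9::`, even though the short form is easier to type. Separately, this hunk changes three link targets (`wireguard:extra` to `wireguard:extras`, `wireguard:start#key_management` to `wireguard:basics#key_management`, and the infobox section `cli_skills` to `basic_skills`) and drops the pointer to the random-generator page for low-entropy devices; confirm each new target resolves, since the page id itself changes from `wireguard:basic` to `wireguard:server` between the two compared revisions.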
Line 35: Line 37:
 umask go= umask go=
 wg genkey | tee wgserver.key | wg pubkey > wgserver.pub wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
-wg genpsk > wg.psk+wg genkey | tee wgclient.key | wg pubkey wgclient.pub 
 +wg genpsk > wgclient.psk
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wg.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
  
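Review bot: the added client key line is missing its output redirection: `wg genkey | tee wgclient.key | wg pubkey wgclient.pub` passes `wgclient.pub` as an argument to `wg pubkey`, which takes no arguments (it reads only stdin) and rejects it with a usage error, so `wgclient.pub` is never written and the later `VPN_PUB="$(cat wgclient.pub)"` reads nothing; it should mirror the server line: `wg genkey | tee wgclient.key | wg pubkey > wgclient.pub`. Also worth a sentence in the text: with this change the client's private key is generated on the server, so once it has been exchanged per the key-management link it should be deleted from the router (or, better, generated on the client so that only public keys and the PSK are transferred); the `umask go=` above only restricts the file's permissions while it sits on the server.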
Line 55: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci rename firewall.@forwarding[0]="lan_wan" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci del_list firewall.lan.network="${WG_IF}" +uci add_list firewall.lan.network="${VPN_IF}"
-uci add_list firewall.lan.network="${WG_IF}"+
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
 ===== Testing ===== ===== Testing =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#testing&noheader&nofooter&noeditbutton}}+Establish the VPN connection. 
 +Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]]. 
 + 
 +<code bash> 
 +traceroute openwrt.org 
 +traceroute6 openwrt.org 
 +</code> 
 + 
 +Check your IP and DNS provider. 
 +  * [[https://ipleak.net/|ipleak.net]] 
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
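Review bot: as rendered, the first network line `uci -q delete network.${VPN_IF` (and its old counterpart) lacks the closing `}` that every following `${VPN_IF}` reference carries; confirm the page source reads `uci -q delete network.${VPN_IF}`, otherwise the shell rejects the unterminated `${` expansion and the interface is not cleared before it is re-created. The firewall wording now splits "Consider VPN network as private" from "Assign VPN interface to LAN zone", which reads fine, but it would help to say why it is a shortcut: `uci add_list firewall.lan.network="${VPN_IF}"` grants every peer the same reach as a wired LAN host, while WAN exposure stays limited to the single `Allow-WireGuard` UDP rule on `${VPN_PORT}`; readers hosting less trusted peers need a separate zone instead. The `allowed_ips` derivation (`${VPN_ADDR%.*}.2/32` and `${VPN_ADDR6%:*}:2/128`) gives `192.168.9.2/32` and `fd00:9::2/128` for the defaults, but only because both addresses end in `.1` / `::1`; a note on that assumption would prevent surprises when readers change `VPN_ADDR` or `VPN_ADDR6`.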
Line 101: Line 114:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
Line 108: Line 121:
 # Runtime configuration # Runtime configuration
 pgrep -f -a wg; wg show; wg showconf vpn pgrep -f -a wg; wg show; wg showconf vpn
-ip address show; ip route show table all type unicast +ip address show; ip route show table all 
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
-uci show network; uci show firewall +uci show network; uci show firewall; crontab -l
-grep -v -e "^#" -e "^$" /etc/crontabs/root+
 </code> </code>
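Review bot: replacing `iptables-save; ip6tables-save` with `nft list ruleset` assumes the firewall is firewall4/nftables, which is the default from OpenWrt 22.03 onward; since the page states no minimum release, either say so near the install step or keep the iptables commands as the fallback for fw3 systems. The remaining diagnostic changes are equivalent: `crontab -l` lists the same root crontab (`/etc/crontabs/root`) that the removed `grep` filtered, and dropping `type unicast` from `ip route show table all` merely adds local and broadcast entries to the output.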
  
  • Last modified: 2023/10/29 02:22
  • by vgaetera