Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
docs:guide-user:services:vpn:wireguard:basic [2020/10/06 06:59] – use more consistent naming vgaeteradocs:guide-user:services:vpn:wireguard:server [2023/10/29 02:22] (current) – [2. Key management] vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.
-  * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extra|WireGuard extras]] for additional tuning+  * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.+
  
 ===== Goals ===== ===== Goals =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#goals&noheader&nofooter&noeditbutton}}+  * Encrypt your internet connection to enforce security and privacy. 
 +    * Prevent traffic leaks and spoofing on the client side. 
 +  * Bypass regional restrictions using commercial providers. 
 +    * Escape client side content filters and internet censorship. 
 +  * Access your LAN services remotely without port forwarding.
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate server keys and a pre-shared key. +Generate and [[docs:guide-user:services:vpn:wireguard:basics#key_management|exchange keys]] between server and client.
-[[docs:guide-user:services:vpn:wireguard:start#key_management|Exchange]] the keys between the server and the client using [[docs:guide-user:troubleshooting:backup_restore|file transfer]] or copy-paste.+
  
 <code bash> <code bash>
Line 35: Line 37:
 umask go= umask go=
 wg genkey | tee wgserver.key | wg pubkey > wgserver.pub wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
-wg genpsk > wg.psk+wg genkey | tee wgclient.key | wg pubkey wgclient.pub 
 +wg genpsk > wgclient.psk
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wg.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
  
Line 55: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci rename firewall.@forwarding[0]="lan_wan" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci del_list firewall.lan.network="${WG_IF}" +uci add_list firewall.lan.network="${VPN_IF}"
-uci add_list firewall.lan.network="${WG_IF}"+
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
 ===== Testing ===== ===== Testing =====
-{{section>docs:guide-user:services:vpn:openvpn:basic#testing&noheader&nofooter&noeditbutton}}+Establish the VPN connection. 
 +Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]]. 
 + 
 +<code bash> 
 +traceroute openwrt.org 
 +traceroute6 openwrt.org 
 +</code> 
 + 
 +Check your IP and DNS provider. 
 +  * [[https://ipleak.net/|ipleak.net]] 
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 101: Line 114:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
Line 108: Line 121:
 # Runtime configuration # Runtime configuration
 pgrep -f -a wg; wg show; wg showconf vpn pgrep -f -a wg; wg show; wg showconf vpn
-ip address show; ip route show table all type unicast +ip address show; ip route show table all 
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
-uci show network; uci show firewall +uci show network; uci show firewall; crontab -l
-grep -v -e "^#" -e "^$" /etc/crontabs/root+
 </code> </code>
  
  • Last modified: 2023/10/29 02:22
  • by vgaetera