Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:server [2020/10/16 16:12] – [3. Firewall] split to extras vgaeteradocs:guide-user:services:vpn:wireguard:server [2023/09/27 14:16] – optimize links vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.   * This how-to describes the method for setting up [[wp>WireGuard|WireGuard]] server on OpenWrt.
   * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.   * Follow [[docs:guide-user:services:vpn:wireguard:client|WireGuard client]] for client setup and [[docs:guide-user:services:vpn:wireguard:extras|WireGuard extras]] for additional tuning.
-  * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues. 
  
 ===== Goals ===== ===== Goals =====
-{{section>docs:guide-user:services:vpn:openvpn:server#goals&noheader&nofooter&noeditbutton}}+  * Encrypt your internet connection to enforce security and privacy. 
 +    * Prevent traffic leaks and spoofing on the client side. 
 +  * Bypass regional restrictions using commercial providers. 
 +    * Escape client side content filters and internet censorship. 
 +  * Access your LAN services remotely without port forwarding.
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate server keys and a pre-shared key. +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between client and server.
-[[docs:guide-user:services:vpn:wireguard:start#key_management|Exchange]] the keys between the server and the client using [[docs:guide-user:troubleshooting:backup_restore|file transfer]] or copy-paste.+
  
 <code bash> <code bash>
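Review bot: the new `VPN_ADDR6="fd00:9::1/64"` in the configuration-parameters block replaces a random-looking ULA prefix with a hand-picked one; RFC 4193 requires the 40-bit global ID of an fd00::/8 prefix to be pseudo-randomly generated precisely so that two sites do not collide, and a VPN is the setting where a client's own LAN may already use a trivial prefix like fd00:9::/64, in which case the client cannot route to the tunnel network. Suggest keeping a generated prefix (the previous `fdf1:e8a1:8d3f:9::1/64` or any fresh one) and saying that the value is an example. Since the same hunk drops the DDNS client link from the preparation step, one sentence should still tell the reader that clients need a stable hostname or address for the server endpoint when the WAN address changes.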
Line 35: Line 37:
 umask go= umask go=
 wg genkey | tee wgserver.key | wg pubkey > wgserver.pub wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
-wg genpsk > wgserver.psk+wg genkey | tee wgclient.key | wg pubkey > wgclient.pub 
 +wg genpsk > wgclient.psk
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wgserver.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
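Review bot: the added `wg genkey | tee wgclient.key | wg pubkey > wgclient.pub` generates the client's private key on the server, so the router ends up holding both sides' private keys and the client key then has to be copied off the device, while the prose above still describes the keys as being exchanged between client and server. Suggest either generating the client keypair on the client and transferring only `wgclient.pub` (plus the PSK) to the server, or stating that `wgclient.key` must be deleted from the router once it has been moved to the client. Naming the PSK `wgclient.psk` is the right direction, since a preshared key should be unique per peer, and `umask go=` already keeps all of these files owner-readable only.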
  
Line 55: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci del_list firewall.lan.network="${WG_IF}" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci add_list firewall.lan.network="${WG_IF}"+uci add_list firewall.lan.network="${VPN_IF}"
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
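Review bot: `uci add_list firewall.lan.network="${VPN_IF}"` places every WireGuard peer in the lan zone, so a peer gets whatever that zone allows: the router's own services (SSH, LuCI, DNS) and forwarding to wan, the same trust as a wired LAN host. That matches the stated goal of reaching your LAN services from your own devices, but the text should say so explicitly, and for peers you do not fully trust a dedicated zone with its own forwarding rules is the safer choice. The Allow-WireGuard rule itself is fine: UDP only, a single destination port, ACCEPT from wan, and the del_list/add_list pair keeps the step idempotent on re-runs.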
Line 69: Line 73:
  
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
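Review bot: the peer addresses derived with `${VPN_ADDR%.*}.2/32` and `${VPN_ADDR6%:*}:2/128` only give sensible results when the server address is the `.1`/`::1` host of its prefix and there is exactly one client meant to be `.2`/`::2`; a second peer added by copying these lines would receive the same allowed_ips, and WireGuard then removes that address from the previously configured peer, silently breaking the first client. Suggest a comment that the expression is a convenience for a single client and that each additional peer needs its own distinct address in both families. Consider `/etc/init.d/network reload` instead of `restart` at the end of this block as well, since restart drops every interface on the router rather than only applying the new one.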
Line 93: Line 97:
  
 ===== Testing ===== ===== Testing =====
-{{section>docs:guide-user:services:vpn:openvpn:server#testing&noheader&nofooter&noeditbutton}}+Establish the VPN connection. 
 +Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]]. 
 + 
 +<code bash> 
 +traceroute openwrt.org 
 +traceroute6 openwrt.org 
 +</code> 
 + 
 +Check your IP and DNS provider. 
 +  * [[https://ipleak.net/|ipleak.net]] 
 +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
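Review bot: the new Testing section checks the tunnel only from the client side (traceroute and third-party leak checks); nothing confirms that the server actually completed a handshake, so a failing traceroute cannot be attributed to keys, firewall or routing. Suggest a server-side step before the traceroute, such as `wg show ${VPN_IF}`, where a recent `latest handshake` and non-zero `transfer` counters for the peer show that the key exchange and the Allow-WireGuard rule work, and only then move on to the client-side checks.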
Line 108: Line 122:
 pgrep -f -a wg; wg show; wg showconf vpn pgrep -f -a wg; wg show; wg showconf vpn
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
-uci show network; uci show firewall +uci show network; uci show firewall; crontab -l
-grep -v -e "^#" -e "^$" /etc/crontabs/root+
 </code> </code>
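Review bot: `wg showconf vpn` and `uci show network` in this block print the interface private key and every peer's preshared key in clear, and the section reads as a list of output to paste when asking for help; add a warning to redact `private_key`, `preshared_key` and the PrivateKey/PresharedKey lines before sharing it. Replacing `iptables-save; ip6tables-save` with `nft list ruleset` also ties the page to fw4 (OpenWrt 22.03 and later); say so, or keep both variants, since 21.02 still uses fw3 with iptables and `nft` is not present there.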
  
  • Last modified: 2023/10/29 02:22
  • by vgaetera