Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:wireguard:server [2020/10/18 05:22] – reorganize sections vgaetera | docs:guide-user:services:vpn:wireguard:server [2023/09/27 14:16] – optimize links vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== WireGuard server ====== | ====== WireGuard server ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 8: | Line 8: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| * Encrypt your internet connection to enforce security and privacy. | * Encrypt your internet connection to enforce security and privacy. | ||
| - | * Prevent | + | * Prevent traffic |
| * Bypass regional restrictions using commercial providers. | * Bypass regional restrictions using commercial providers. | ||
| * Escape client side content filters and internet censorship. | * Escape client side content filters and internet censorship. | ||
| * Access your LAN services remotely without port forwarding. | * Access your LAN services remotely without port forwarding. | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages and specify the VPN server | + | Specify configuration parameters for VPN server. |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install wireguard | + | opkg install wireguard-tools |
| # Configuration parameters | # Configuration parameters | ||
| - | WG_IF=" | + | VPN_IF=" |
| - | WG_PORT=" | + | VPN_PORT=" |
| - | WG_ADDR=" | + | VPN_ADDR=" |
| - | WG_ADDR6="fdf1: | + | VPN_ADDR6="fd00: |
| </ | </ | ||
| ==== 2. Key management ==== | ==== 2. Key management ==== | ||
| - | Generate | + | Generate and exchange |
| - | [[docs: | + | |
| <code bash> | <code bash> | ||
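Review bot: the IPv6 change in the Preparation block (`VPN_ADDR6="fd00:` replacing `WG_ADDR6="fdf1:`) swaps a non-default ULA prefix for the generic fd00:: one. Both sit inside fd00::/8, but RFC 4193 expects the 40-bit global ID to be randomly generated precisely so that two privately addressed networks are unlikely to overlap when they are joined over a VPN; fd00:: with no random part is the single most likely prefix to collide with a remote client's own LAN. Suggest keeping a random global ID in the example value, or adding a sentence telling the reader to generate one, rather than the all-zero choice.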
| Line 38: | Line 37: | ||
| umask go= | umask go= | ||
| wg genkey | tee wgserver.key | wg pubkey > wgserver.pub | wg genkey | tee wgserver.key | wg pubkey > wgserver.pub | ||
| - | wg genpsk > wgserver.psk | + | wg genkey | tee wgclient.key | wg pubkey > wgclient.pub |
| + | wg genpsk > wgclient.psk | ||
| # Server private key | # Server private key | ||
| - | WG_KEY=" | + | VPN_KEY=" |
| # Pre-shared key | # Pre-shared key | ||
| - | WG_PSK=" | + | VPN_PSK=" |
| # Client public key | # Client public key | ||
| - | WG_PUB=" | + | VPN_PUB=" |
| </ | </ | ||
| ==== 3. Firewall ==== | ==== 3. Firewall ==== | ||
| - | Consider VPN network as private | + | Consider VPN network as private. |
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
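Review bot: the Key management block now generates the client's key pair on the server (`wg genkey | tee wgclient.key | wg pubkey > wgclient.pub` and `wg genpsk > wgclient.psk`) next to the server's, while the text above says keys are to be "exchanged". WireGuard's model is that each peer creates its own private key and only public keys (plus the PSK) travel between peers; if the guide keeps generating the client key on the router for convenience, it should state that `wgclient.key` and `wgclient.psk` must be copied to the client over a trusted channel and deleted from the router afterwards. The `umask go=` line at the top of the block is what keeps those files unreadable by other users while they sit on the router, so it must stay ahead of the genkey lines.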
| Line 58: | Line 59: | ||
| uci rename firewall.@zone[0]=" | uci rename firewall.@zone[0]=" | ||
| uci rename firewall.@zone[1]=" | uci rename firewall.@zone[1]=" | ||
| - | uci del_list firewall.lan.network=" | + | uci del_list firewall.lan.network=" |
| - | uci add_list firewall.lan.network=" | + | uci add_list firewall.lan.network=" |
| uci -q delete firewall.wg | uci -q delete firewall.wg | ||
| uci set firewall.wg=" | uci set firewall.wg=" | ||
| uci set firewall.wg.name=" | uci set firewall.wg.name=" | ||
| uci set firewall.wg.src=" | uci set firewall.wg.src=" | ||
| - | uci set firewall.wg.dest_port=" | + | uci set firewall.wg.dest_port=" |
| uci set firewall.wg.proto=" | uci set firewall.wg.proto=" | ||
| uci set firewall.wg.target=" | uci set firewall.wg.target=" | ||
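Review bot: the zone renames at the top of the Firewall block (`uci rename firewall.@zone[0]=` and `uci rename firewall.@zone[1]=`) address zones by position, which is only correct on an unmodified default firewall config where zone 0 is lan and zone 1 is wan. On a router that already carries extra zones these lines silently rename the wrong zone, and the following `firewall.lan.network` list edits and the `firewall.wg` WAN rule then attach to it. Suggest a one-line caveat that the block assumes the default zone order, or selecting the zone by its `name` option instead of the index.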
| Line 72: | Line 73: | ||
| ==== 4. Network ==== | ==== 4. Network ==== | ||
| - | Set up VPN interface and peers. | + | Configure |
| <code bash> | <code bash> | ||
| # Configure network | # Configure network | ||
| - | uci -q delete network.${WG_IF} | + | uci -q delete network.${VPN_IF} |
| - | uci set network.${WG_IF}=" | + | uci set network.${VPN_IF}=" |
| - | uci set network.${WG_IF}.proto=" | + | uci set network.${VPN_IF}.proto=" |
| - | uci set network.${WG_IF}.private_key=" | + | uci set network.${VPN_IF}.private_key=" |
| - | uci set network.${WG_IF}.listen_port=" | + | uci set network.${VPN_IF}.listen_port=" |
| - | uci add_list network.${WG_IF}.addresses=" | + | uci add_list network.${VPN_IF}.addresses=" |
| - | uci add_list network.${WG_IF}.addresses=" | + | uci add_list network.${VPN_IF}.addresses=" |
| # Add VPN peers | # Add VPN peers | ||
| uci -q delete network.wgclient | uci -q delete network.wgclient | ||
| - | uci set network.wgclient=" | + | uci set network.wgclient=" |
| - | uci set network.wgclient.public_key=" | + | uci set network.wgclient.public_key=" |
| - | uci set network.wgclient.preshared_key=" | + | uci set network.wgclient.preshared_key=" |
| - | uci add_list network.wgclient.allowed_ips=" | + | uci add_list network.wgclient.allowed_ips=" |
| - | uci add_list network.wgclient.allowed_ips=" | + | uci add_list network.wgclient.allowed_ips=" |
| uci commit network | uci commit network | ||
| / | / | ||
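Review bot: the values of the two `uci add_list network.wgclient.allowed_ips=` lines under `# Add VPN peers` are cut off in this rendering, but whatever they hold they do double duty on the server: WireGuard's cryptokey routing uses `allowed_ips` both to route packets to this peer and as a source-address filter for packets arriving from it, so the server drops anything the client sends from an address outside the list. For a server-side peer entry, limiting each client to its own /32 and /128 host addresses is what prevents one client from emitting traffic that appears to come from another; a short comment saying so next to `# Add VPN peers` would keep readers from widening it to the whole VPN subnet.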
| Line 97: | Line 98: | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Establish the VPN connection. | Establish the VPN connection. | ||
| - | Verify your client traffic is routed via VPN gateway. | + | Verify your routing with [[man> |
| <code bash> | <code bash> | ||
| Line 104: | Line 105: | ||
| </ | </ | ||
| - | Check your client public | + | Check your IP and DNS provider. |
| - | * [[https:// | + | * [[https:// |
| - | Make sure there is no DNS leak on the client side. | + | * [[https://www.dnsleaktest.com/ |
| - | * [[https:// | + | |
| - | Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. | + | |
| - | * [[https:// | + | |
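Review bot: the revised Testing section drops the IPv6 item (`Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default.` and its link) and keeps only an IP check and a DNS leak check. Since the Preparation block assigns the tunnel a ULA address (`VPN_ADDR6="fd00:`) and no public IPv6 range, a dual-stack client still sends its IPv6 traffic over the native uplink, which an IPv4-only "check your IP" page will not show. Suggest keeping a sentence that IPv6 must either be routed through the tunnel or disabled on the client, or pointing readers at a test that reports both address families.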
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| Line 124: | Line 122: | ||
| pgrep -f -a wg; wg show; wg showconf vpn | pgrep -f -a wg; wg show; wg showconf vpn | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show network; uci show firewall | + | uci show network; uci show firewall; crontab |
| - | grep -v -e " | + | |
| </ | </ | ||
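Review bot: the Troubleshooting block asks readers to run `wg showconf vpn` and `uci show network`, both of which print the server private key and every peer's preshared key in clear, so anyone following this section to ask for help will paste secrets unless told otherwise; suggest a comment that these two outputs must be redacted before sharing (`wg show` on its own hides the private key). Separately, `nft list ruleset` replacing `iptables-save` only reports anything on releases with the nftables-based fw4 (22.03 onward); on earlier releases with fw3 the rules live in iptables and `nft` is normally not installed, so the old command is worth keeping as the fallback.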