Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:server [2021/05/02 03:06] – [Testing] vgaetera
docs:guide-user:services:vpn:wireguard:server [2023/09/27 14:16] – optimize links vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
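Review bot: the infobox include on Line 1 lowers the stated prerequisite from cli_skills to basic_skills, yet every step that follows is a shell session (the section heading below is even renamed to "Command-line instructions"); either keep cli_skills or confirm that a basic_skills section exists in meta:infobox:howto_links before pointing the include at it.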
Line 8: Line 8:
 ===== Goals ===== ===== Goals =====
   * Encrypt your internet connection to enforce security and privacy.   * Encrypt your internet connection to enforce security and privacy.
-    * Prevent data leak and traffic spoofing on the client side.+    * Prevent traffic leaks and spoofing on the client side.
   * Bypass regional restrictions using commercial providers.   * Bypass regional restrictions using commercial providers.
     * Escape client side content filters and internet censorship.     * Escape client side content filters and internet censorship.
   * Access your LAN services remotely without port forwarding.   * Access your LAN services remotely without port forwarding.
  
-===== Command-line interface =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install wireguard+opkg install wireguard-tools
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate server keys. +Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between client and server.
-[[docs:guide-user:services:vpn:wireguard:basics#key_management|Exchange]] the keys between the server and the client using [[docs:guide-user:troubleshooting:backup_restore|file transfer]] or copy-paste.+
  
 <code bash> <code bash>
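Review bot: the Preparation step drops "Set up DDNS client if required" without a replacement, but a client still needs a stable endpoint to reach a server whose WAN address changes; restore that sentence or move the link to the DDNS client guide into the Introduction. Smaller point in the same hunk: the new VPN_ADDR6 default fd00:9::1/64 is a fixed, easily guessed ULA prefix, whereas RFC 4193 expects a randomly generated 40-bit global ID under fd00::/8 (as the previous fdf1:e8a1:8d3f:9::/64 was), so it is more likely to collide with a ULA already in use on the network a roaming client connects from; consider keeping a random-looking prefix or telling readers to generate their own.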
Line 38: Line 37:
 umask go= umask go=
 wg genkey | tee wgserver.key | wg pubkey > wgserver.pub wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
 +wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
 +wg genpsk > wgclient.psk
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wgclient.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
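Review bot: the two added lines generate the client's private key (wgclient.key) and pre-shared key on the server, so both files now have to be moved to the client, but the sentence about exchanging keys by file transfer or copy-paste was removed from the Key management paragraph in this same revision; add a sentence after the generation block saying that wgclient.key and wgclient.psk must be copied to the client over a trusted channel and then deleted from the server, since a server that keeps the client's private key holds a credential able to impersonate that client. The retained `umask go=` line is correct and keeps all generated key files unreadable by other users on the router.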
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
  
Line 57: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci del_list firewall.lan.network="${WG_IF}" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci add_list firewall.lan.network="${WG_IF}"+uci add_list firewall.lan.network="${VPN_IF}"
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
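Review bot: the rename to VPN_IF and VPN_PORT here matches the Preparation block, and the del_list/add_list pair keeps the snippet safe to re-run. The hunk ends before the commit/restart lines of this block, so check the lines not shown for any leftover WG_* reference: an unset shell variable expands silently to an empty string, and a rule written with an empty dest_port would not do what the "Allow-WireGuard" name promises.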
Line 71: Line 73:
  
 ==== 4. Network ==== ==== 4. Network ====
-Set up VPN interface and peers.+Configure VPN interface and peers.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
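Review bot: the first line of the network block, `uci -q delete network.${VPN_IF`, is shown without its closing brace on both sides of the diff; if the page source really reads that way, bash stops with a "bad substitution" error before any later line runs, so confirm the source is `uci -q delete network.${VPN_IF}`. Also, the peer addresses are derived with `${VPN_ADDR%.*}.2/32` and `${VPN_ADDR6%:*}:2/128`, which only yields the intended second host while the server keeps the default-style addresses ending in `.1/24` and `::1/64`; a short remark that readers who change VPN_ADDR or VPN_ADDR6 must also revisit the peer allowed_ips would prevent a mismatched peer address.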
Line 96: Line 98:
 ===== Testing ===== ===== Testing =====
 Establish the VPN connection. Establish the VPN connection.
-Use [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]] to verify your client traffic is routed via the VPN gateway.+Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]].
  
 <code bash> <code bash>
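Review bot: the reworded Testing sentence "Verify your routing with traceroute and traceroute6" no longer says what a correct result looks like; the removed wording ("verify your client traffic is routed via the VPN gateway") told the reader that the first hop should be the VPN address, which is the actual check. Suggest keeping that clause.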
Line 103: Line 105:
 </code> </code>
  
-Check your client public IP addresses+Check your IP and DNS provider
-  * [[https://ipleak.net/]] +  * [[https://ipleak.net/|ipleak.net]] 
-Make sure there is no DNS leak on the client side. +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
-  * [[https://dnsleaktest.com/]] +
-Delegate a public IPv6 prefix to the VPN network to use IPv6 by default.+
  
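Review bot: this hunk removes "Make sure there is no DNS leak on the client side", so the dnsleaktest.com link is now listed without saying what outcome counts as a failure; suggest keeping one sentence that the DNS servers shown must belong to the VPN path, not the client's ISP, since leaked resolver traffic reveals visited hostnames even when the rest of the traffic is tunnelled. The dropped line "Delegate a public IPv6 prefix to the VPN network to use IPv6 by default" also has no replacement; if that guidance now lives elsewhere, link to it, otherwise restore it.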
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 122: Line 122:
 pgrep -f -a wg; wg show; wg showconf vpn pgrep -f -a wg; wg show; wg showconf vpn
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
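Review bot: replacing `iptables-save; ip6tables-save` with `nft list ruleset` in the Troubleshooting block silently assumes fw4 (OpenWrt 22.03 and later); on 21.02 and earlier releases, which use fw3, `nft` is not installed and the command fails. Either state the release assumption or keep both forms, e.g. "nft list ruleset (fw4) or iptables-save; ip6tables-save (fw3)".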
  • Last modified: 2023/10/29 02:22
  • by vgaetera