Differences

docs:guide-user:services:vpn:wireguard:server [2021/09/27 03:20] – [4. Network] vgaetera
docs:guide-user:services:vpn:wireguard:server [2023/09/27 14:16] – optimize links vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 8: Line 8:
 ===== Goals ===== ===== Goals =====
   * Encrypt your internet connection to enforce security and privacy.   * Encrypt your internet connection to enforce security and privacy.
-    * Prevent data leak and traffic spoofing on the client side.+    * Prevent traffic leaks and spoofing on the client side.
   * Bypass regional restrictions using commercial providers.   * Bypass regional restrictions using commercial providers.
     * Escape client side content filters and internet censorship.     * Escape client side content filters and internet censorship.
Line 15: Line 15:
 ===== Command-line instructions ===== ===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if necessary. 
 Install the required packages. Install the required packages.
-Specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
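Review bot: removing "Set up DDNS client if necessary" from the Preparation step drops the only pointer to how clients can reach a server whose WAN address changes, and nothing in this revision replaces it; suggest keeping the `[[docs:guide-user:services:ddns:client|DDNS client]]` link here, or at least mentioning in the Testing section that the peer endpoint must resolve to the server's current public address.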
Line 25: Line 24:
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate and exchange keys between server and client.+Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between client and server.
  
 <code bash> <code bash>
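Review bot: the new `VPN_ADDR6="fd00:9::1/64"` swaps a generated ULA prefix for one with an all-zero global ID, which RFC 4193 says should be pseudo-random so that independently configured sites do not collide when they are later interconnected; suggest keeping a generated prefix like the previous `fdf1:e8a1:8d3f:9::1/64` or adding a comment telling the reader to generate their own. The `WG_` to `VPN_` rename is applied consistently in the hunks shown here, but any reference in lines this diff does not display (for example the Testing block) would silently expand to an empty string, so a grep for `WG_` across the page before publishing is worthwhile.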
Line 42: Line 41:
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wgclient.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
  
Line 60: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci del_list firewall.lan.network="${WG_IF}" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci add_list firewall.lan.network="${WG_IF}"+uci add_list firewall.lan.network="${VPN_IF}"
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
Line 78: Line 77:
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
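Review bot: the first line of this hunk, `uci -q delete network.${VPN_IF`, is missing its closing brace on both sides of the diff, so the shell will report a bad substitution and the interface is never cleared before being recreated; it should read `uci -q delete network.${VPN_IF}` to match the lines that follow. The derived `allowed_ips` values are fine with the new defaults: `${VPN_ADDR%.*}.2/32` yields `192.168.9.2/32` and `${VPN_ADDR6%:*}:2/128` yields `fd00:9::2/128`, but both rely on the address ending in `::1`/`.1`, which is worth stating in a comment since a reader who changes `VPN_ADDR6` to a non-`::1` host part gets an unexpected peer address.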
Line 99: Line 98:
 ===== Testing ===== ===== Testing =====
 Establish the VPN connection. Establish the VPN connection.
-Use [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]] to verify your client traffic is routed via the VPN gateway.+Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]].
  
 <code bash> <code bash>
Line 106: Line 105:
 </code> </code>
  
-Check your client public IP addresses+Check your IP and DNS provider
-  * [[https://ipleak.net/]] +  * [[https://ipleak.net/|ipleak.net]] 
-Make sure there is no DNS leak on the client side. +  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
-  * [[https://dnsleaktest.com/]] +
-Delegate a public IPv6 prefix to the VPN network to use IPv6 by default.+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
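Review bot: collapsing the Testing checks into "Check your IP and DNS provider" loses the explicit instruction to confirm there is no DNS leak on the client side, which is the check most readers get wrong; suggest wording the line as "Check your public IP and DNS resolver for leaks" so the purpose of the two sites stays clear. The removed sentence about delegating a public IPv6 prefix to the VPN network was the only hint that the ULA addresses above do not give clients IPv6 internet access by themselves; if it is dropped here, a short note to that effect belongs in the Network step.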
Line 125: Line 122:
 pgrep -f -a wg; wg show; wg showconf vpn pgrep -f -a wg; wg show; wg showconf vpn
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; iptables-save -c +ip rule show; ip -6 rule show; nft list ruleset
-ip -6 rule show; ip6tables-save -c+
  
 # Persistent configuration # Persistent configuration
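Review bot: replacing `iptables-save -c` / `ip6tables-save -c` with `nft list ruleset` is correct for fw4 (OpenWrt 22.03 and later) but leaves readers on releases still running fw3 with iptables without a way to dump the firewall state; suggest keeping the `iptables-save -c; ip6tables-save -c` pair as a fallback with a comment noting which firewall each applies to. Merging the `ip rule show` and `ip -6 rule show` onto one line is fine.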
  • Last modified: 2023/10/29 02:22
  • by vgaetera