Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:server [2023/01/14 14:40] – [Testing] unify vgaetera
docs:guide-user:services:vpn:wireguard:server [2023/09/27 14:16] – optimize links vgaetera
Line 1: Line 1:
 ====== WireGuard server ====== ====== WireGuard server ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 16: Line 16:
 ==== 1. Preparation ==== ==== 1. Preparation ====
 Install the required packages. Install the required packages.
-Specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
Line 24: Line 24:
  
 # Configuration parameters # Configuration parameters
-WG_IF="vpn" +VPN_IF="vpn" 
-WG_PORT="51820" +VPN_PORT="51820" 
-WG_ADDR="192.168.9.1/24" +VPN_ADDR="192.168.9.1/24" 
-WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"+VPN_ADDR6="fd00:9::1/64"
 </code> </code>
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Generate and exchange keys between server and client.+Generate and exchange [[docs:guide-user:services:vpn:wireguard:basics#key_management|keys]] between client and server.
  
 <code bash> <code bash>
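Review bot: the new VPN_ADDR6 value "fd00:9::1/64" swaps a random-looking ULA prefix for a fixed one whose global ID is almost all zeros. RFC 4193 asks for a pseudo-random 40-bit global ID precisely so that independently configured sites do not collide; every reader who copies this line ends up on the same prefix, and a client whose local network already uses it will see a routing conflict once the tunnel is up. Suggest keeping a randomly generated prefix in the example, or adding a comment next to VPN_ADDR6 telling readers to generate their own. The WG_ to VPN_ rename itself is consistent across the visible lines.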
Line 41: Line 41:
  
 # Server private key # Server private key
-WG_KEY="$(cat wgserver.key)"+VPN_KEY="$(cat wgserver.key)"
  
 # Pre-shared key # Pre-shared key
-WG_PSK="$(cat wgclient.psk)"+VPN_PSK="$(cat wgclient.psk)"
  
 # Client public key # Client public key
-WG_PUB="$(cat wgclient.pub)"+VPN_PUB="$(cat wgclient.pub)"
 </code> </code>
  
Line 59: Line 59:
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
-uci del_list firewall.lan.network="${WG_IF}" +uci del_list firewall.lan.network="${VPN_IF}" 
-uci add_list firewall.lan.network="${WG_IF}"+uci add_list firewall.lan.network="${VPN_IF}"
 uci -q delete firewall.wg uci -q delete firewall.wg
 uci set firewall.wg="rule" uci set firewall.wg="rule"
 uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.name="Allow-WireGuard"
 uci set firewall.wg.src="wan" uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${WG_PORT}"+uci set firewall.wg.dest_port="${VPN_PORT}"
 uci set firewall.wg.proto="udp" uci set firewall.wg.proto="udp"
 uci set firewall.wg.target="ACCEPT" uci set firewall.wg.target="ACCEPT"
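Review bot: the add_list firewall.lan.network="${VPN_IF}" line places the tunnel interface in the lan zone, so every VPN peer inherits whatever the lan zone permits, and nothing in the visible text tells the reader that. Suggest one sentence before the block stating that peers are treated as LAN hosts, with a pointer to using a dedicated zone when narrower access is wanted. Minor: the rule section is still named firewall.wg while the variables moved to the VPN_ prefix; either is fine, but the mix is worth a deliberate choice.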
Line 77: Line 77:
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${WG_IF+uci -q delete network.${VPN_IF
-uci set network.${WG_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${WG_IF}.proto="wireguard" +uci set network.${VPN_IF}.proto="wireguard" 
-uci set network.${WG_IF}.private_key="${WG_KEY}" +uci set network.${VPN_IF}.private_key="${VPN_KEY}" 
-uci set network.${WG_IF}.listen_port="${WG_PORT}" +uci set network.${VPN_IF}.listen_port="${VPN_PORT}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR}" +uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" 
-uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"+uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
  
 # Add VPN peers # Add VPN peers
 uci -q delete network.wgclient uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${WG_IF}" +uci set network.wgclient="wireguard_${VPN_IF}" 
-uci set network.wgclient.public_key="${WG_PUB}" +uci set network.wgclient.public_key="${VPN_PUB}" 
-uci set network.wgclient.preshared_key="${WG_PSK}" +uci set network.wgclient.preshared_key="${VPN_PSK}" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" +uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32" 
-uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"+uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
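Review bot: in the renamed lines the section path is expanded outside the quotes, for example uci set network.${VPN_IF}.proto="wireguard" and uci -q delete network.${VPN_IF}, so only the value is protected from word splitting and globbing. Since these lines are being touched anyway, suggest quoting the whole argument, as in uci set "network.${VPN_IF}.proto=wireguard", so that a user-chosen interface name cannot change how the command is parsed. The same applies to the add_list addresses and allowed_ips lines.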
Line 98: Line 98:
 ===== Testing ===== ===== Testing =====
 Establish the VPN connection. Establish the VPN connection.
-Use [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]] to verify your client traffic is routed via the VPN gateway.+Verify your routing with [[man>traceroute(8)|traceroute]] and [[man>traceroute6(8)|traceroute6]].
  
 <code bash> <code bash>
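Review bot: the shortened sentence "Verify your routing with traceroute and traceroute6" no longer says what result the reader should expect. The previous wording stated the pass condition, that client traffic is routed via the VPN gateway. Suggest keeping that clause so the test has a defined outcome.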
Line 105: Line 105:
 </code> </code>
  
-Check your public IP addresses and DNS leaks+Check your IP and DNS provider
-  * [[https://ipleak.net/]] +  * [[https://ipleak.net/|ipleak.net]] 
-  * [[https://dnsleaktest.com/]]+  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
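Review bot: the new heading line "Check your IP and DNS provider" drops the term "DNS leaks", which is the reason these two sites are listed. A reader who sees a provider name has no cue that the point is to confirm DNS queries are not leaving outside the tunnel. Suggest keeping "DNS leaks" in the sentence; the added link titles are a readability improvement.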
  • Last modified: 2023/10/29 02:22
  • by vgaetera