Show pagesourceOld revisionsBacklinksBack to top × Table of Contents WireGuard server Introduction 目标 Command-line instructions 1. Preparation 2. Key management 3. Firewall 4. Network 测试 Troubleshooting This page is not fully translated, yet. Please help completing the translation. (remove this paragraph once the translation is finished) WireGuard server This article relies on the following: Accessing web interface / command-line interface Managing configs / packages / services / logs Introduction This how-to describes the method for setting up WireGuard server on OpenWrt. Follow WireGuard client for client setup and WireGuard extras for additional tuning. 目标 加密您的互联网连接以加强安全和隐私。 防止客户端的数据泄露和流量欺骗。 使用商业vpn服务绕过区域限制。 规避客户端内容过滤和互联网审查。 更方便地远程访问您的局域网服务(无需端口转发)。 Command-line instructions 1. Preparation Install the required packages. Specify the VPN server configuration parameters. # Install packages opkg update opkg install wireguard-tools # Configuration parameters WG_IF="vpn" WG_PORT="51820" WG_ADDR="192.168.9.1/24" WG_ADDR6="fd00:9::1/64" 2. Key management Generate and exchange keys between server and client. # Generate keys umask go= wg genkey | tee wgserver.key | wg pubkey > wgserver.pub wg genkey | tee wgclient.key | wg pubkey > wgclient.pub wg genpsk > wgclient.psk # Server private key WG_KEY="$(cat wgserver.key)" # Pre-shared key WG_PSK="$(cat wgclient.psk)" # Client public key WG_PUB="$(cat wgclient.pub)" 3. Firewall Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. # Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.lan.network="${WG_IF}" uci add_list firewall.lan.network="${WG_IF}" uci -q delete firewall.wg uci set firewall.wg="rule" uci set firewall.wg.name="Allow-WireGuard" uci set firewall.wg.src="wan" uci set firewall.wg.dest_port="${WG_PORT}" uci set firewall.wg.proto="udp" uci set firewall.wg.target="ACCEPT" uci commit firewall /etc/init.d/firewall restart 4. Network Configure VPN interface and peers. # Configure network uci -q delete network.${WG_IF} uci set network.${WG_IF}="interface" uci set network.${WG_IF}.proto="wireguard" uci set network.${WG_IF}.private_key="${WG_KEY}" uci set network.${WG_IF}.listen_port="${WG_PORT}" uci add_list network.${WG_IF}.addresses="${WG_ADDR}" uci add_list network.${WG_IF}.addresses="${WG_ADDR6}" # Add VPN peers uci -q delete network.wgclient uci set network.wgclient="wireguard_${WG_IF}" uci set network.wgclient.public_key="${WG_PUB}" uci set network.wgclient.preshared_key="${WG_PSK}" uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32" uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128" uci commit network /etc/init.d/network restart 测试 建立 VPN 连接。 使用 traceroute 和 traceroute6 命令确认流量是否通过VPN网关. traceroute openwrt.org traceroute6 openwrt.org 检查客户端IP地址. ipleak.net 请确保客户端没有DNS泄露(DNS leak)发生。 dnsleaktest.com 如果使用IPv6,需将公共IPv6前缀委派给VPN网络作为默认配置。 Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/network restart; sleep 10 # Log and status logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$" # Runtime configuration pgrep -f -a wg; wg show; wg showconf vpn ip address show; ip route show table all ip rule show; ip -6 rule show; nft list ruleset # Persistent configuration uci show network; uci show firewall; crontab -l This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2023/09/09 06:58by vgaetera