This translation is older than the original page and might be outdated. See what has changed.

FIXME This page is not fully translated, yet. Please help completing the translation.
(remove this paragraph once the translation is finished)

WireGuard server

  • 加密您的互联网连接以加强安全和隐私。
    • 防止客户端的数据泄露和流量欺骗。
  • 使用商业vpn服务绕过区域限制。
    • 规避客户端内容过滤和互联网审查。
  • 更方便地远程访问您的局域网服务(无需端口转发)。

Install the required packages. Specify the VPN server configuration parameters.

# Install packages
opkg update
opkg install wireguard-tools
 
# Configuration parameters
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fd00:9::1/64"

Generate and exchange keys between server and client.

# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
 
# Server private key
WG_KEY="$(cat wgserver.key)"
 
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
 
# Client public key
WG_PUB="$(cat wgclient.pub)"

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Configure VPN interface and peers.

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart

建立 VPN 连接。 使用 traceroutetraceroute6 命令确认流量是否通过VPN网关.

traceroute openwrt.org
traceroute6 openwrt.org

检查客户端IP地址.

请确保客户端没有DNS泄露(DNS leak)发生。

如果使用IPv6,需将公共IPv6前缀委派给VPN网络作为默认配置。

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; sleep 10
 
# Log and status
logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
 
# Runtime configuration
pgrep -f -a wg; wg show; wg showconf vpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall; crontab -l
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/09/09 10:58
  • by vgaetera