Wireguard VPN
This setup uses the subnet 10.14.0.0/24 for the tunnel and UDP port 1234 for WireGuard.
- Install wireguard, wireguard-tools and the LuCI integration
opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools
- Generate keys
umask 077 && wg genkey > privkey
cat privkey | wg pubkey > pubkey
- Create wireguard network interface wg0 in /etc/config/network
config interface 'wg0'
option proto 'wireguard'
# the content of the previously generated privkey (openwrt)
option private_key '<OPENWRT PRIVATE KEY>'
option listen_port '1234'
list addresses '10.14.0.1/24'
- Configure /etc/config/firewall
# create new firewall zone for vpn
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wg0'

# allow forwarding from vpn to wan (allow vpn clients to use the internet)
config forwarding
option src 'vpn'
option dest 'wan'

# create port forwarding to the openwrt device
config redirect
option dest_port '1234'
option src 'wan'
option name 'Wireguard'
option src_dport '1234'
option target 'DNAT'
option dest_ip '192.168.1.1'
list proto 'udp'
option dest 'vpn'

# Optional: restrict internet access to specified vpn clients. Order matters!
# allow specified vpn clients access to the internet
config rule
option name 'Accept VPN Internet'
option dest 'wan'
option target 'ACCEPT'
option src 'vpn'
list src_ip '10.14.0.4/32'
list proto 'all'

# deny all other vpn clients access to the internet
config rule
option dest 'wan'
option target 'REJECT'
option name 'Reject VPN Internet'
option src 'vpn'
list proto 'all'
- Install wireguard-tools on Arch. See the official documentation for other distros.
sudo pacman -S wireguard-tools
- Generate keys
umask 077 && wg genkey > privkey
cat privkey | wg pubkey > pubkey
- Create wireguard config wgHome.conf
[Interface]
# Client IP
Address = 10.14.0.2/24
DNS = 10.14.0.1
# the content of the previously generated privkey (client)
PrivateKey = <CLIENT PRIVATE KEY>

[Peer]
# the content of the previously generated pubkey (openwrt)
PublicKey = <OPENWRT PUBLIC KEY>
# If you want to route all traffic through the wireguard tunnel, use 0.0.0.0/0 instead
AllowedIPs = 10.14.0.0/24
# e.g. somedomain.dyndns.org
Endpoint = <PUBLIC IP>:1234
PersistentKeepalive = 25
- Create interface wg0
ip link add dev wg0 type wireguard
- Apply configuration to interface wg0
wg setconf wg0 wgHome.conf
Steps 4 and 5 can also be done via NetworkManager:

Linux network manager import config
- Download and install wireguard from the official site.
- Add empty tunnel
- Edit tunnel
[Interface]
# Automatically generated private key (client)
PrivateKey = <CLIENT PRIVATE KEY>
# Client IP
Address = 10.14.0.2/24
DNS = 10.14.0.1

[Peer]
# the content of the previously generated pubkey (openwrt)
PublicKey = <OPENWRT PUBLIC KEY>
# If you want to route all traffic through the wireguard tunnel, use 0.0.0.0/0 instead
AllowedIPs = 10.14.0.0/24
# e.g. somedomain.dyndns.org
Endpoint = <PUBLIC IP>:1234
PersistentKeepalive = 25
- Install WireGuard from F-Droid
- Create new tunnel
- Generate private/public keys
- Address: "10.14.0.2/24"
- DNS server: "10.14.0.1"
- Add peer
- Public key: "<OPENWRT PUBLIC KEY>"
- Persistent keepalive: "25"
- Endpoint: "<PUBLIC IP>:1234"
- Allowed IPs: "0.0.0.0/0, ::/0" (route everything through the wireguard tunnel)

Android wireguard configuration
- Back on OpenWrt, add the client as a peer in /etc/config/network
config wireguard_wg0
option public_key '<CLIENT PUBLIC KEY>'
option description '<CLIENT DESCRIPTION>'
option persistent_keepalive '25'
option route_allowed_ips '1'
# client ip (here 10.14.0.2)
list allowed_ips '<CLIENT IP>/32'
- Restart interface wg0
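An added helper, not part of the original guide, that checks a client's public key and tunnel address before emitting the peer section above, and prints the equivalent uci commands ending with the interface restart. It assumes the page's 10.14.0.0/24 subnet with the router at 10.14.0.1; the sample key is constructed and not a real peer.

```sh
#!/bin/sh
# Added example (not from the original guide): validate a client's
# public key and tunnel address, then emit the OpenWrt peer stanza for
# /etc/config/network (and the equivalent uci commands).
# Assumes the page's subnet 10.14.0.0/24 with the router at 10.14.0.1.

# A WireGuard key is 32 bytes in base64: exactly 44 chars, last one '='.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# The client address must be a host in 10.14.0.0/24 other than the router.
valid_client_ip() {
    case "$1" in
        10.14.0.1) return 1 ;;
        10.14.0.*) last=${1#10.14.0.}
                   [ "$last" -ge 2 ] 2>/dev/null && [ "$last" -le 254 ] ;;
        *) return 1 ;;
    esac
}

# Print the wireguard_wg0 section. allowed_ips stays /32 so the router
# only accepts packets from this peer that carry its own tunnel address.
peer_stanza() {
    valid_wg_key "$1" || { echo "bad public key" >&2; return 1; }
    valid_client_ip "$3" || { echo "bad client ip: $3" >&2; return 1; }
    printf "config wireguard_wg0\n"
    printf "\toption public_key '%s'\n" "$1"
    printf "\toption description '%s'\n" "$2"
    printf "\toption persistent_keepalive '25'\n"
    printf "\toption route_allowed_ips '1'\n"
    printf "\tlist allowed_ips '%s/32'\n" "$3"
}

# The same peer as uci commands, ending with the restart of wg0.
peer_uci_cmds() {
    valid_wg_key "$1" && valid_client_ip "$3" || return 1
    printf "uci add network wireguard_wg0\n"
    printf "uci set network.@wireguard_wg0[-1].public_key='%s'\n" "$1"
    printf "uci set network.@wireguard_wg0[-1].description='%s'\n" "$2"
    printf "uci set network.@wireguard_wg0[-1].persistent_keepalive='25'\n"
    printf "uci set network.@wireguard_wg0[-1].route_allowed_ips='1'\n"
    printf "uci add_list network.@wireguard_wg0[-1].allowed_ips='%s/32'\n" "$3"
    printf "uci commit network\nifup wg0\n"
}

# Constructed sample key (not a real peer); prints the stanza for a phone.
peer_stanza 'SAMPLEKEYSAMPLEKEYSAMPLEKEYSAMPLEKEYSAMPLEK=' 'phone' 10.14.0.2
```

Pipe the output of peer_uci_cmds into sh on the router to apply it, or paste the stanza into /etc/config/network and run ifup wg0 by hand.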