This example setup configures WireGuard with the VPN subnet of
10.0.10.1/24, and listening on port
1234 on server side. In order to set up the server and one client, you will need have or create the following:
The pre-shared key (PSK) is an optional security improvement as per the WireGuard protocol and should be a unique PSK per client for highest security.
For more information on how to get started with WireGuard, see the official Quick Start guide.
1) Install Wireguard on the client platform.
2) Generate the client's key-pair; how you do this will depend on the client platform which you are using. You'll also need to obtain or generate the server's public key and pre-shared key, if you've chosen to use one.
Set up the client with the following config, replacing the placeholders to suit your environment:
[Interface] PrivateKey = <Client private key> # Switch DNS server while connected. # Could be your internal DNS server, used on Omnia, or external DNS = <your_DNS_IP> # The addresses the client will bind to. Either IPv4 or IPv6. /31 and /32 are not supported. Address = 10.0.10.2/24 [Peer] PublicKey = <Server public key> # Optional key known to both client and server; improves security PresharedKey = <Pre-shared key from server for this client> # The IP range that we may send packets to for this peer. # 0.0.0.0/0 will route all traffic through VPN AllowedIPs = 0.0.0.0/0 # Address of the server Endpoint = <server IP>:<server port> # Send periodic keepalives to ensure connection stays up behind NAT. PersistentKeepalive = 25
Configuring WireGuard requires SSH access to your router in order to run the following commands.
WireGuard requires a number of OpenWrt packages to be installed.
opkg update opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools
luci-app-wireguard adds a basic status UI into LuCI; it is recommended but not mandatory.
Firstly, generate a WireGuard key-pair for the server if you've not previously created one like so. Files don't need to be put anywhere specifically, you'll just need the actual public and private key values for insertion into
uci commands or into configuration files.
# If you don't have key-pair for the server, generate # server's key-pair and set it to only be readable # by the current user and group. mkdir /root/wg cd /root/wg umask 077 && wg genkey > privkey # Derive the public key from it cat privkey | wg pubkey > pubkey # Optionally, create a pre-shared key (PSK) for a client wg genpsk > presharedkey
Now that you have the server's key-pair, choose how you'd like to configure your WireGuard interface.
1) Set the server's network configuration:
# wg0 is the name of the wireguard interface, # replace it if you wish. uci set network.wg0="interface" uci set network.wg0.proto="wireguard" uci set network.wg0.private_key="<Server private key from privkey file>" # You may change this port to your liking, ports of popular # services get through more firewalls. Just remember it # for when you have to configure the firewall later. uci set network.wg0.listen_port="1234" uci add_list network.wg0.addresses='10.0.10.1/24'
2) Configure client list:
# Change all occurences of "wireguard_wg0" to something else # (like wireguard_wg1, wireguard_wg2 and so on) for # subsequent clients after the 1st uci add network wireguard_wg0 uci set network.@wireguard_wg0[-1].public_key="<your client's pubkey>" # Optionally, set the pre-shared key if one is being used uci set network.@wireguard_wg0[-1].preshared_key="<Pre-shared key for this client>" # Allow the client to forward traffic to any IP through the tunnel uci set network.@wireguard_wg0[-1].route_allowed_ips="1" uci add_list network.@wireguard_wg0[-1].allowed_ips="0.0.0.0/0" # Enable sending of keepalive packets so NAT routers # don't terminate the connection. WG recommends a value of 25. uci set network.@wireguard_wg0[-1].persistent_keepalive='25' # What you want your client to show up as in the UI uci set network.@wireguard_wg0[-1].description='<client name>'
3) Save the changes:
uci commit network /etc/init.d/network reload ifdown wg0 ifup wg0
4) Configure the Omnia firewall:
uci add firewall rule uci set firewall.@rule[-1].src="*" uci set firewall.@rule[-1].target="ACCEPT" uci set firewall.@rule[-1].proto="udp" uci set firewall.@rule[-1].dest_port="1234" uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound" # Add the firewall zone uci add firewall zone uci set firewall.@zone[-1].name='wg' uci set firewall.@zone[-1].input='ACCEPT' uci set firewall.@zone[-1].forward='ACCEPT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].masq='1' # Add the WG interface to it uci set firewall.@zone[-1].network='wg0' # Forward WAN and LAN traffic to/from it uci add firewall forwarding uci set firewall.@forwarding[-1].src='wg' uci set firewall.@forwarding[-1].dest='wan' uci add firewall forwarding uci set firewall.@forwarding[-1].src='wg' uci set firewall.@forwarding[-1].dest='lan' uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='wg' uci add firewall forwarding uci set firewall.@forwarding[-1].src='wan' uci set firewall.@forwarding[-1].dest='wg' uci commit firewall /etc/init.d/firewall restart
1) Set the server's network configuration by editing
/etc/config/network to include following parts, omitting the
preshared_key option if you've opted not to use a PSK:
config interface 'wg0' option proto 'wireguard' option private_key '<Server private key from privkey>' option listen_port '1234' list addresses '10.0.10.1/24' config wireguard_wg0 option public_key '<Client public key>' option preshared_key '<Optional, pre-shared key for this client>' option route_allowed_ips '1' list allowed_ips '10.0.10.0/24' option persistent_keepalive '25' option description 'client1'
2) Apply changes
/etc/init.d/network reload ifdown wg0 ifup wg0
3) Configure the Omnia firewall:
/etc/config/firewall to include following parts:
config zone option name 'wg' list network 'wg0' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' option masq '1' config forwarding option src 'wg' option dest 'wan' config forwarding option src 'wan' option dest 'wg' config forwarding option src 'lan' option dest 'wg' config forwarding option src 'wg' option dest 'lan' config rule option name 'Allow-Wireguard-Inbound' option target 'ACCEPT' option src '*' option proto 'udp' option dest_port '1234'
4) Apply changes
From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard:
You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in output.
interface: wg0 public key: 4h2nW5QextnwvJnTSV2ePwEacUDWAav6LL8ZvZpG6aH= private key: (hidden) listening port: 1234 peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb= preshared key: (hidden) endpoint: 18.104.22.168:45345 allowed ips: 10.0.10.0/24 latest handshake: 1 hour, 19 minutes, 23 seconds ago transfer: 43.96 MiB received, 51.89 MiB sent persistent keepalive: every 25 seconds
If you installed
luci-app-wireguard, you can also visit your router's LuCI interface and click on
Status, then click on
WireGuard Status to essentially the same information but without needing to SSH in.
You can also run
ifconfig to check the status of your WireGuard interface. If you've opted for another interface name aside from
wg0, replace it in the subsequent command:
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.0.10.1 P-t-P:10.0.10.1 Mask:255.255.255.0 UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1 RX packets:55483 errors:30 dropped:0 overruns:0 frame:30 TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:46099332 (43.9 MiB) TX bytes:54420468 (51.8 MiB)