User Tools

Site Tools


This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
en:public:wireguard [2019/01/16 13:36]
davidjb [Wireguard setup] Cleanup and formatting
en:public:wireguard [2019/03/20 16:05] (current)
davidjb [Testing your configuration] Add details about luci-app-wireguard
Line 1: Line 1:
 ====== WireGuard setup ====== ====== WireGuard setup ======
-This example setup configures WireGuard with the VPN subnet of ''​​24'',​ and listening on port ''​1234''​ on server side.+This example setup configures ​[[https://​|WireGuard]] with the VPN subnet of ''​​24'',​ and listening on port ''​1234''​ on server side.  In order to set up the server and one client, you will need have or create the following:
-==== Client side ==== 
-**1)** [[https://​​install/​|Install Wireguard]] on client platform. 
-**2)** Generate client'​s key-par. You could also generate server'​s key-pair in advance (or you can complete it later, when you will have also server'​s key-pair). For setting server and one client, you will need 
-  * Client public key 
   * Client private key   * Client private key
-  * Server ​public key+  * Client ​public key (can be generated from client private key)
   * Server private key   * Server private key
 +  * Server public key (can be generated from server private key)
 +  * [Optional] Pre-shared key per client
 +The pre-shared key (PSK) is an optional security improvement as per the [[https://​​protocol/​|WireGuard protocol]] and should be a unique PSK per client for highest security.
 +For more information on how to get started with WireGuard, see the official [[https://​​quickstart/​|Quick Start guide]]. ​
 +===== Client side =====
 +==== Setup ====
 +**1)** [[https://​​install/​|Install Wireguard]] on the client platform.
 +**2)** Generate the client'​s key-pair; how you do this will depend on the client platform which you are using. ​ You'll also need to obtain or generate the [[#​server_side|server'​s public key]] and pre-shared key, if you've chosen to use one.
 +==== Configuration ====
-**3)** This is config for client:+Set up the client ​with the following config, replacing the placeholders to suit your environment:
 <file bash wg0.conf>​ <file bash wg0.conf>​
Line 22: Line 32:
 DNS = <​your_DNS_IP> ​ DNS = <​your_DNS_IP> ​
-# The addresses ​to bind to. Either IPv4 or IPv6. /31 and /32 are not supported.+# The addresses ​the client will bind to. Either IPv4 or IPv6. /31 and /32 are not supported.
 Address =​24 Address =​24
 [Peer] [Peer]
 PublicKey = <Server public key> PublicKey = <Server public key>
 +# Optional key known to both client and server; improves security
 +PresharedKey = <​Pre-shared key from server for this client>
 # The IP range that we may send packets to for this peer.  # The IP range that we may send packets to for this peer. 
Line 39: Line 51:
 </​file>​ </​file>​
 +===== Server side =====
-==== Server side - installation ​====+Configuring WireGuard requires SSH access to your router in order to run the following commands. 
 +==== Installation ​==== 
 +WireGuard requires a number of OpenWrt packages to be installed.  ​
 <​code>​ <​code>​
Line 47: Line 64:
 </​code>​ </​code>​
-==== Setup through UCI ==== +''​luci-app-wireguard''​ adds a basic status UI into LuCI; it is recommended but not mandatory. 
-You can configure wireguard through ssh commandline+==== Setup ==== 
 +Firstly, generate a WireGuard key-pair for the server if you've not previously created one like so.  Files don't need to be put anywhere specifically,​ you'll just need the actual public and private key values for insertion into ''​uci''​ commands or into configuration files.
-**1)** Omnia - Network 
-Server configuration 
 <file bash> <file bash>
-# If you dont have key-pair for the server, generate ​+# If you don'​t ​have key-pair for the server, generate ​
 # server'​s key-pair and set it to only be readable ​ # server'​s key-pair and set it to only be readable ​
 # by the current user and group. # by the current user and group.
Line 63: Line 80:
 cat privkey | wg pubkey > pubkey cat privkey | wg pubkey > pubkey
 +# Optionally, create a pre-shared key (PSK) for a client
 +wg genpsk > presharedkey
 +Now that you have the server'​s key-pair, choose how you'd like to configure your WireGuard interface.
 +=== Via uci commands ===
 +**1)** Set the server'​s network configuration:​
 +<file bash>
 # wg0 is the name of the wireguard interface, ​ # wg0 is the name of the wireguard interface, ​
 # replace it if you wish. # replace it if you wish.
 uci set network.wg0="​interface"​ uci set network.wg0="​interface"​
 uci set network.wg0.proto="​wireguard"​ uci set network.wg0.proto="​wireguard"​
-uci set network.wg0.private_key="<​Server private key>"​+uci set network.wg0.private_key="<​Server private key from privkey file>"
 # You may change this port to your liking, ports of popular ​ # You may change this port to your liking, ports of popular ​
Line 76: Line 104:
 </​file>​ </​file>​
-Client ​list is also part of server configuration+**2)** Configure client ​list
 <file bash> <file bash>
 # Change all occurences of "​wireguard_wg0"​ to something else  # Change all occurences of "​wireguard_wg0"​ to something else 
Line 83: Line 112:
 uci add network wireguard_wg0 uci add network wireguard_wg0
 uci set network.@wireguard_wg0[-1].public_key="<​your client'​s pubkey>"​ uci set network.@wireguard_wg0[-1].public_key="<​your client'​s pubkey>"​
 +# Optionally, set the pre-shared key if one is being used
 +uci set network.@wireguard_wg0[-1].preshared_key="<​Pre-shared key for this client>"​
 # Allow the client to forward traffic to any IP through the tunnel # Allow the client to forward traffic to any IP through the tunnel
Line 96: Line 128:
 </​file>​ </​file>​
-<​code>​ +**3)** ​Save the changes
-Save the changes+ 
 +<file bash>
 uci commit network uci commit network
 /​etc/​init.d/​network reload /​etc/​init.d/​network reload
Line 103: Line 136:
 ifdown wg0 ifdown wg0
 ifup wg0 ifup wg0
 +**4)** Configure the Omnia firewall:
-**2)** Omnia - Firewall 
 <file bash> <file bash>
 uci add firewall rule uci add firewall rule
Line 143: Line 177:
 </​file>​ </​file>​
-==== Setup through ​configuration files ===+=== Via configuration files ===
-Or you can configure wireguard through config files+
-**1)** ​Omnia - Network +**1)** ​Set the server'​s network configuration by editing ​''/​etc/​config/​network''​ to include following parts, omitting the ''​preshared_key''​ option if you've opted not to use a PSK:
-   +
-Edit ''/​etc/​config/​network''​ to include following parts:+
   ​   ​
 <file bash /​etc/​config/​network>​ <file bash /​etc/​config/​network>​
 config interface '​wg0'​ config interface '​wg0'​
  option proto '​wireguard'​  option proto '​wireguard'​
- option private_key '<​Server private key>'​+ option private_key '<​Server private key from privkey>'
  option listen_port '​1234'​  option listen_port '​1234'​
  list addresses '​​24'​  list addresses '​​24'​
Line 159: Line 190:
 config wireguard_wg0 config wireguard_wg0
  option public_key '<​Client public key>'​  option public_key '<​Client public key>'​
 +        option preshared_key '<​Optional,​ pre-shared key for this client>'​
  option route_allowed_ips '​1'​  option route_allowed_ips '​1'​
  list allowed_ips '​​24'​  list allowed_ips '​​24'​
  option persistent_keepalive '​25'​  option persistent_keepalive '​25'​
- option description '​client1' ​+        ​option description '​client1' ​
 </​file>  ​ </​file>  ​
-Apply changes +**2)** ​Apply changes 
 +<file bash>
 /​etc/​init.d/​network reload /​etc/​init.d/​network reload
 ifdown wg0 ifdown wg0
 ifup wg0 ifup wg0
-**2)** Omnia - Firewall+**3)** Configure the Omnia firewall:
   ​   ​
 Edit ''/​etc/​config/​firewall''​ to include following parts: Edit ''/​etc/​config/​firewall''​ to include following parts:
Line 209: Line 242:
 </​file>  ​ </​file>  ​
-Apply changes+**4)** ​Apply changes 
 <​code>​ <​code>​
 /​etc/​init.d/​firewall restart /​etc/​init.d/​firewall restart
 </​code>​ </​code>​
-==== Test configuration ==== +===== Testing your configuration ​===== 
-On the server side:+ 
 +From your client, attempt a connection to your router.  ​On the server side, run the following to inspect the current state of WireGuard: 
 <​code>​ <​code>​
 wg show wg show
 </​code>​ </​code>​
-You should see configured interface and peer in console. If not, try restart ​your router.+You should see the configured interface and peers in your console. If not, try restarting ​your router ​and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. ​ Note that peers that have not connected yet will not be shown in output. 
 <file bash> <file bash>
 interface: wg0 interface: wg0
Line 228: Line 265:
 peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb= peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
 +  preshared key: (hidden)
   endpoint:​45345   endpoint:​45345
   allowed ips:​24   allowed ips:​24
Line 234: Line 272:
   persistent keepalive: every 25 seconds   persistent keepalive: every 25 seconds
 </​file>​ </​file>​
 +If you installed ''​luci-app-wireguard'',​ you can also visit your router'​s LuCI interface and click on ''​Status'',​ then click on ''​WireGuard Status''​ to essentially the same information but without needing to SSH in.
 +You can also run ''​ifconfig''​ to check the status of your WireGuard interface. ​ If you've opted for another interface name aside from ''​wg0'',​ replace it in the subsequent command:
 <​code>​ <​code>​
-ifconfig+ifconfig ​wg0
 </​code>​ </​code>​
Line 248: Line 290:
           RX bytes:​46099332 (43.9 MiB)  TX bytes:​54420468 (51.8 MiB)           RX bytes:​46099332 (43.9 MiB)  TX bytes:​54420468 (51.8 MiB)
 </​file>  ​ </​file>  ​
-==== References ==== +===== References ====
-https://​​post/​wireguard-server-on-openwrt-router/​ + 
-https://​​t/​update-wireguard-package-and-related-tools/​6798 +  * https://​ 
-https://​​t/​wireguard-setup/​6991/​7 +  ​* ​https://​​post/​wireguard-server-on-openwrt-router/​ 
-https://​​t/​wireguard-vpn-integration-in-luci/​1251/​18 +  ​* ​https://​​t/​update-wireguard-package-and-related-tools/​6798 
-https://​​posts/​how-to-configure-wireguard/​ +  ​* ​https://​​t/​wireguard-setup/​6991/​7 
-https://​​blog/​2017/​luci-proto-wireguard/​+  ​* ​https://​​t/​wireguard-vpn-integration-in-luci/​1251/​18 
 +  ​* ​https://​​posts/​how-to-configure-wireguard/​ 
 +  ​* ​https://​​blog/​2017/​luci-proto-wireguard/​