AmneziaWG on OpenWrt as server

I guess technically Wireguard is "peer to peer", so maybe I'm using the server term incorrectly but anyway:

I have Wireguard installed on my OpenWrt router so that I can connect to my home network from my phone when on the road, and also to increase my security when not at home. However, at one location I am at, Wireguard and other VPNs are blocked by the firewall. Must be DPI of some sort, since I've tried shifting ports and servers without luck. Unfortunately it's a cellular dead zone, otherwise I'd just use that.

So I was hoping to use AmneziaWG, which claims to be able to get around this. There is a port to OpenWrt, and the configuration looks to be very similar to Wireguard. I've been going through the steps to set up a Wireguard interface (like this: https://bayas.dev/posts/wireguard-server-openwrt) only using the AmneziaWG interface.

The setup went as expected except:

  • it doesn't generate a config file for peers that I can find. The peers I created do appear in the status window, however, so I think they were created.
  • I can't connect... the iPhone app says I'm connected to the OpenWrt AmneziaWG peer but OpenWrt status window shows no connection, and I get no traffic.

I realize this is rather uncharted/unsupported territory, but thought I'd see if any clever individual has figured this out. I see a lot of tutorials for setting up AmneziaWG and other DPI-bypassing mechanisms as clients on OpenWrt, but my router is in the clear -- I need it to act as the VPN server.

If there is no config file you can copy the settings manually, not ideal but doable.

I trust your iPhone is also using AmneziaWG; otherwise it will not work.

Setup should be the same as for WireGuard, but I have never used AmneziaWG.
https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

Aha, thank you! The troubleshooting tips down at the bottom helped me out a lot -- the commands for AmneziaVPN are amneziawp show and so on, and through that I was able to realize my manual conf file had the wrong publickey listed. As you said, copying the settings is not ideal.


You can use AmneziaWG with (probably) vanilla Wireguard with the following params https://airvpn.org/forums/topic/59479-block-vpn-in-russia/page/2/?tab=comments#comment-237288. Apparently this can fool basic DPI.

Download the three .ipk files with the correct architecture for Amnezia WG from here https://github.com/Slava-Shchipunov/awg-openwrt

They will be
amneziawg-tools.ipk
kmod-amneziawg.ipk
luci-proto-amneziawg.ipk

Then set it up as you would like a normal WG server along with the obfuscation parameters as mentioned here

Thanks, the issue was that it wouldn't/doesn't create a peer conf file -- don't know if that was something specific about my install or what. When I created the conf file manually, I got mixed up on which key to put where.

Are you setting it up via ssh or luci?

Security best practice is to not use that sort of file. Generate the peer's private key locally on the peer and keep it secret there. Share only the public key to the server.

I think the WG plugin displays one (as well as a QR code) that can be copied to the peer, but it doesn't save it to the host. That feature in the AmneziaWG Luci app didn't work, and I got confused when copying the different keys to the fields and messed one up.
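The key mix-up discussed in this thread can be caught on the peer before connecting. The following is an added example, not code from the thread or from the AmneziaWG project: it derives the peer's public key from its private key and compares it with the two public keys shown on the router. It assumes a wg-quick style peer config and standard base64 Curve25519 keys; the function names are hypothetical and the sample keys are the RFC 7748 test vectors.

```python
import base64, configparser
P = 2**255 - 19  # Curve25519 field prime

def x25519_base(k: bytes) -> bytes:
    """Public key for a 32-byte private key: RFC 7748 ladder on base point u=9.
    Not constant-time; meant for checking configs, not for protocol use."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def check_peer_keys(peer_conf: str, server_lists: str, server_pub: str) -> list:
    """Run on the peer with the two public keys the router's status page shows."""
    cfg = configparser.ConfigParser(strict=False)
    cfg.read_string(peer_conf)
    own_pub = base64.b64encode(
        x25519_base(base64.b64decode(cfg["Interface"]["PrivateKey"]))).decode()
    listed = cfg["Peer"]["PublicKey"]
    problems = []
    if server_lists != own_pub:  # router must hold THIS peer's public key
        problems.append("router's peer entry is not this peer's public key")
    if listed == own_pub:        # classic mix-up: own key pasted under [Peer]
        problems.append("[Peer] PublicKey is this peer's own public key")
    elif listed != server_pub:
        problems.append("[Peer] PublicKey is not the router's public key")
    return problems

# Constructed sample: RFC 7748 section 6.1 test vectors stand in for real keys.
b64 = lambda h: base64.b64encode(bytes.fromhex(h)).decode()
PEER_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
PEER_PUB = b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
ROUTER_PUB = b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
GOOD = f"[Interface]\nPrivateKey = {PEER_PRIV}\n[Peer]\nPublicKey = {ROUTER_PUB}\n"
MIXED_UP = f"[Interface]\nPrivateKey = {PEER_PRIV}\n[Peer]\nPublicKey = {PEER_PUB}\n"

if __name__ == "__main__":
    print(check_peer_keys(GOOD, PEER_PUB, ROUTER_PUB))      # no problems
    print(check_peer_keys(MIXED_UP, PEER_PUB, ROUTER_PUB))  # key in wrong field
```

Only public keys are copied from the router for this check; the private key is read from the peer's own config and never leaves the device.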
