Hi
I think I have now successfully set up WireGuard on my OpenWrt router, as I am able to see my home ISP's WAN IP address when connecting with WireGuard via a 4G connection on my phone. If someone could please verify I'm doing this correctly, that would be great.
Essentially I am aiming to set up a few WireGuard instances, each serving a different purpose. One will connect through to the Tor network, another one will connect to my guest LAN with limited traffic access and bandwidth, and finally the other instance will have higher bandwidth with access to the main LAN. In all cases, the VPN connections will be used to provide a secure tunnel through to my home internet when connecting from outside my home network, especially on open and typically insecure wireless APs.
Below are the steps I have followed to set up and configure WireGuard:
I've created the following directories inside /etc/wireguard:
- configs
- peers
- servers
Each of these directories has a sub-directory for its corresponding network: guest, lan and tor. Each of those sub-directories contains a pair of public and private keys for its network. Within the root wireguard directory I also have pre-shared keys for each of the three networks. I have accomplished all of the above using the following commands:
WireGuard Generate Keys
# Create directories
mkdir -p /etc/wireguard/peers/guest
mkdir -p /etc/wireguard/peers/lan
mkdir -p /etc/wireguard/peers/tor
mkdir -p /etc/wireguard/servers/guest
mkdir -p /etc/wireguard/servers/lan
mkdir -p /etc/wireguard/servers/tor
# umask takes no path argument; set it before generating keys so the key files are created mode 0600
umask 077
chmod 700 /etc/wireguard
# Create server keys
wg genkey | tee /etc/wireguard/servers/guest/guest_server_private.key | wg pubkey | tee /etc/wireguard/servers/guest/guest_server_public.key > /dev/null 2>&1
wg genkey | tee /etc/wireguard/servers/lan/lan_server_private.key | wg pubkey | tee /etc/wireguard/servers/lan/lan_server_public.key > /dev/null 2>&1
wg genkey | tee /etc/wireguard/servers/tor/tor_server_private.key | wg pubkey | tee /etc/wireguard/servers/tor/tor_server_public.key > /dev/null 2>&1
# Create peer keys
wg genkey | tee /etc/wireguard/peers/guest/guest_client_1_private.key | wg pubkey | tee /etc/wireguard/peers/guest/guest_client_1_public.key > /dev/null 2>&1
wg genkey | tee /etc/wireguard/peers/lan/lan_client_1_private.key | wg pubkey | tee /etc/wireguard/peers/lan/lan_client_1_public.key > /dev/null 2>&1
wg genkey | tee /etc/wireguard/peers/tor/tor_client_1_private.key | wg pubkey | tee /etc/wireguard/peers/tor/tor_client_1_public.key > /dev/null 2>&1
# Create pre-shared keys
wg genpsk | tee /etc/wireguard/guest.psk > /dev/null 2>&1
wg genpsk | tee /etc/wireguard/lan.psk > /dev/null 2>&1
wg genpsk | tee /etc/wireguard/tor.psk > /dev/null 2>&1
Next I created the three WireGuard interfaces with LuCI, read the private/public keys found under /etc/wireguard with the cat command, pasted them into the corresponding fields and finally assigned firewall zones to the three pre-existing interfaces I have: guest, lan and tor.
This generates the following WireGuard configurations:
/etc/config/network
config interface 'wg_guest'
option proto 'wireguard'
option listen_port '51821'
list addresses '10.0.2.1/24'
option private_key '/etc/wireguard/servers/guest/guest_server_private.key'
config wireguard_wg_guest
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key '/etc/wireguard/peers/guest/guest_client_1_public.key'
option description 'Guest_1'
list allowed_ips '10.0.2.2/24'
config interface 'wg_lan'
option proto 'wireguard'
option listen_port '51820'
list addresses '10.0.1.1/24'
option private_key '/etc/wireguard/servers/lan/lan_server_private.key'
config wireguard_wg_lan
option persistent_keepalive '25'
option route_allowed_ips '1'
list allowed_ips '10.0.1.0/24'
option public_key '/etc/wireguard/peers/lan/lan_client_1_public.key'
option description 'LAN_1'
config interface 'wg_tor'
option proto 'wireguard'
option private_key '/etc/wireguard/servers/tor/tor_server_private.key'
option listen_port '51822'
option auto '0'
list addresses '10.0.3.1/24'
config wireguard_wg_tor
option route_allowed_ips '1'
option public_key '/etc/wireguard/peers/tor/tor_client_1_public.key'
option description 'Tor_1'
option persistent_keepalive '25'
list allowed_ips '10.0.3.0/24'
On the client side I ended up creating configuration files that could be easily imported into a smartphone app for example.
WireGuard Client Configurations
# Guest
[Interface]
PrivateKey = /etc/wireguard/peers/guest/guest_client_1_private.key
Address = 10.0.2.2/24
DNS = 10.0.2.1
[Peer]
PublicKey = /etc/wireguard/servers/guest/guest_server_public.key
Endpoint = my-custom-ddns.com:51821
AllowedIPs = 0.0.0.0/0, ::/0
# LAN
[Interface]
PrivateKey = /etc/wireguard/peers/lan/lan_client_1_private.key
Address = 10.0.1.2/24
DNS = 10.0.1.1
[Peer]
PublicKey = /etc/wireguard/servers/lan/lan_server_public.key
Endpoint = my-custom-ddns.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
# Tor
[Interface]
PrivateKey = /etc/wireguard/peers/tor/tor_client_1_private.key
Address = 10.0.3.2/24
DNS = 10.0.3.1
[Peer]
PublicKey = /etc/wireguard/servers/tor/tor_server_public.key
Endpoint = my-custom-ddns.com:51822
AllowedIPs = 0.0.0.0/0, ::/0
The important parameter I had to ensure was option forward 'ACCEPT' for the lan firewall zone. Without it my VPN connection allowed me to reach the web but couldn't connect to my OMV server.
/etc/config/firewall
config defaults
option drop_invalid '1'
option synflood_protect '1'
option input 'DROP'
option forward 'REJECT'
option output 'DROP'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan vpn vpn wg_lan'
option forward 'ACCEPT'
config zone
option name 'guest'
option output 'ACCEPT'
option network 'guest wg_guest'
option input 'REJECT'
option forward 'REJECT'
config zone
option output 'ACCEPT'
option syn_flood '1'
option conntrack '1'
option name 'tor'
option network 'tor'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config forwarding
option src 'guest'
option dest 'wan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan wan6'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820-51822'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
/etc/config/network
...
config interface 'guest'
option ifname 'eth0.6'
option ipaddr '192.168.2.1'
option netmask '255.255.255.240'
option broadcast '192.168.2.15'
option proto 'static'
option type 'bridge'
option auto '0'
option igmp_snooping '1'
option stp '1'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ifname 'eth0.5'
option stp '1'
option ip6assign '64'
option igmp_snooping '1'
config interface 'tor'
option netmask '255.255.255.240'
option proto 'static'
option auto '0'
option ifname 'eth0.7'
option type 'bridge'
option ipaddr '172.16.0.0'
option broadcast '172.16.0.15'
...
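As an added check (my own example, not code from the post), here is a small Python script that parses the firewall and network snippets above in their UCI form and reports which zone each proto 'wireguard' interface belongs to, together with that zone's input and forward policy. The sample data is a trimmed copy of the posted configs, labelled as constructed in the code. Note that, as posted, the tor zone's network list contains only 'tor', so wg_tor is not a member of any zone and its traffic is handled by the config defaults policy (input DROP, forward REJECT) rather than by the tor zone.

```python
"""Which firewall zone does each WireGuard interface land in?

Added example, not from the original forum post. It parses the UCI syntax of
/etc/config/firewall and /etc/config/network (a `config <type> ['name']` line
followed by `option`/`list` lines) and, for every interface with
proto 'wireguard', reports the zone whose `network` option lists it and that
zone's input/forward policy. An interface no zone claims is handled by the
`config defaults` policy instead.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: trimmed copies of the firewall and network snippets in
# the post (only the sections this check needs).
FIREWALL = """
config defaults
	option input 'DROP'
	option forward 'REJECT'
	option output 'DROP'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan vpn vpn wg_lan'
	option forward 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest wg_guest'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'tor'
	option network 'tor'
	option input 'REJECT'
	option forward 'REJECT'
"""

NETWORK = """
config interface 'wg_guest'
	option proto 'wireguard'
	option listen_port '51821'

config interface 'wg_lan'
	option proto 'wireguard'
	option listen_port '51820'

config interface 'wg_tor'
	option proto 'wireguard'
	option listen_port '51822'

config interface 'lan'
	option proto 'static'
"""


def parse_uci(text: str) -> List[dict]:
    """Parse UCI text into sections: {'type', 'name' (or None), 'options'}.

    `option` values are strings; `list` values collect into Python lists.
    Lines that are not config/option/list (comments, '...') are ignored.
    """
    sections: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config" and len(tokens) >= 2:
            current = {"type": tokens[1],
                       "name": tokens[2] if len(tokens) > 2 else None,
                       "options": {}}
            sections.append(current)
        elif tokens[0] == "option" and current is not None and len(tokens) >= 2:
            current["options"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif tokens[0] == "list" and current is not None and len(tokens) >= 2:
            current["options"].setdefault(tokens[1], []).append(
                tokens[2] if len(tokens) > 2 else "")
    return sections


def wireguard_interfaces(network_text: str) -> List[str]:
    """Names of all `config interface` sections with proto 'wireguard'."""
    return [s["name"] for s in parse_uci(network_text)
            if s["type"] == "interface" and s["options"].get("proto") == "wireguard"]


def zone_coverage(firewall_text: str, network_text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each WireGuard interface to (zone name, input policy, forward policy).

    An interface listed by no zone maps to ('<none>', default input, default
    forward) taken from the `config defaults` section.
    """
    sections = parse_uci(firewall_text)
    defaults = next((s["options"] for s in sections if s["type"] == "defaults"), {})
    zones = [s for s in sections if s["type"] == "zone"]
    result: Dict[str, Tuple[str, str, str]] = {}
    for iface in wireguard_interfaces(network_text):
        members_of = None
        for zone in zones:
            members = zone["options"].get("network", "")
            if isinstance(members, list):          # `list network ...` form
                members = " ".join(members)
            if iface in members.split():
                members_of = zone
                break
        if members_of is None:
            result[iface] = ("<none>", defaults.get("input", "unset"),
                             defaults.get("forward", "unset"))
        else:
            opts = members_of["options"]
            result[iface] = (opts.get("name", "?"), opts.get("input", "unset"),
                             opts.get("forward", "unset"))
    return result


def unzoned_wireguard(firewall_text: str, network_text: str) -> List[str]:
    """WireGuard interfaces that no zone lists (they fall back to the defaults policy)."""
    return [iface for iface, (zone, _, _) in zone_coverage(firewall_text, network_text).items()
            if zone == "<none>"]


if __name__ == "__main__":
    for iface, (zone, inp, fwd) in zone_coverage(FIREWALL, NETWORK).items():
        print(f"{iface}: zone={zone} input={inp} forward={fwd}")
```

Run it against the real files with `zone_coverage(open('/etc/config/firewall').read(), open('/etc/config/network').read())`; any interface reported with zone `<none>` needs adding to a zone's network list before its policy matches what LuCI appears to show.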
Questions
- Now my first question is, under the WireGuard server's Peer tab, what should the IP actually be? From my understanding each peer that wants to connect to this interface (WG_LAN) would have its own peer section, therefore you would enter a different, single IP address for each peer, correct?
- If so, would I simply type an IP address within the 10.0.1.0/24 subnet such as 10.0.1.2/32, and then for the connection to work on the client side this exact IP and CIDR would have to be used? The guides I have been following say to mask a single IP address using the /32 CIDR.
- On the subject of CIDR, what happens if I don't mask all the IPs with /32 and instead set the IP address to 10.0.1.2/24 or 10.0.1.0/24? I can only assume this would work but the client would have to pick an IP address in the subnet range? Obviously the only problem I can think of here is if two clients both decided to use the same IP address such as 10.0.1.5, which would cause an IP conflict.
- In what situation would I need to specify more than one IP address in these fields?
- Is there any benefit from specifying the Endpoint Port on the Peer tab?
- If two VPN clients connected through the same WG interface, how would each client access each other's resources, i.e. an SMB share on their machine? Do I use the client's WireGuard IP address, e.g.?
  - PC 1 = \\10.0.1.2\foo
  - PC 2 = \\10.0.1.3\bar
- I have a SoC PC running Debian and OpenMediaVault, which has some SMB shares on it and is attached to my main LAN on the 192.168.1.0/24 subnet. I can connect to the SMB share via the server's IP address 192.168.1.17 and also its full local domain name omv-server.lan. Initially I was unable to access the OMV server without the TLD .lan suffixed to the hostname. I played around with some of the parameters at /etc/config/dhcp and did get it working, but I'm unsure what fixed it. Could anyone point out what might have prevented this in the first instance?
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option confdir '/tmp/dnsmasq.d'
option rebind_protection '1'
option rebind_localhost '1'
option boguspriv '0'
option localservice '1'
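The questions above about what goes in the peer's allowed IPs (a /32 per peer versus a shared /24) and about two clients picking the same address are easiest to see in code. The following Python script is an added example, not code from the post: it assigns each peer the next free host address in the tunnel subnet as a /32, flags overlapping allowed_ips entries, and renders both the server's `config wireguard_wg_lan` sections and a client .conf in the same shape as the ones posted. The key strings are constructed placeholders (on the router they come from `wg genkey`, `wg pubkey` and `wg genpsk`); the interface name, subnet, port and DDNS hostname are taken from the post. The `write_private` helper also shows how to write key material with mode 0600 regardless of the shell's umask.

```python
"""Per-peer addressing and configuration for a WireGuard server on OpenWrt.

Added example, not from the original forum post. Key strings are constructed
placeholders; real values come from wg genkey / wg pubkey / wg genpsk.
"""
import ipaddress
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Server:
    iface: str          # UCI interface name, e.g. wg_lan
    network: str        # tunnel subnet; the server takes its first host address
    listen_port: int
    public_key: str
    endpoint_host: str  # name the clients dial, e.g. my-custom-ddns.com


@dataclass
class Peer:
    description: str
    private_key: str    # only needed to write that peer's own client .conf
    public_key: str
    preshared_key: str


# Constructed placeholders, not real keys.
SAMPLE_SERVER = Server("wg_lan", "10.0.1.0/24", 51820,
                       "SERVER_PUBLIC_KEY_PLACEHOLDER=", "my-custom-ddns.com")
SAMPLE_PEERS = [
    Peer("LAN_1", "PEER1_PRIVATE_KEY_PLACEHOLDER=", "PEER1_PUBLIC_KEY_PLACEHOLDER=", "LAN_PSK_PLACEHOLDER="),
    Peer("LAN_2", "PEER2_PRIVATE_KEY_PLACEHOLDER=", "PEER2_PUBLIC_KEY_PLACEHOLDER=", "LAN_PSK_PLACEHOLDER="),
]


def assign_addresses(server: Server, peers: List[Peer]) -> Dict[str, ipaddress.IPv4Interface]:
    """Give each peer the next free host address in the tunnel subnet, as a /32.

    The server uses the first host (.1). A /32 per peer is what the server's
    allowed_ips needs: cryptokey routing maps each destination address to
    exactly one peer, so a /24 shared by several peers cannot be routed
    unambiguously, and two peers cannot be handed the same address.
    """
    hosts = list(ipaddress.ip_network(server.network).hosts())
    if len(peers) > len(hosts) - 1:
        raise ValueError(f"{server.network} has room for only {len(hosts) - 1} peers")
    return {p.description: ipaddress.ip_interface(f"{hosts[i + 1]}/32")
            for i, p in enumerate(peers)}


def overlapping_allowed_ips(allowed: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Report pairs of peers whose allowed_ips entries overlap.

    On the server an overlapping range is reassigned to whichever peer was
    added last, so the earlier peer silently loses it; this is the conflict
    the /32 convention avoids.
    """
    entries = [(name, ipaddress.ip_network(cidr, strict=False))
               for name, cidrs in allowed.items() for cidr in cidrs]
    conflicts = []
    for i, (name_a, net_a) in enumerate(entries):
        for name_b, net_b in entries[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


def render_uci_peers(server: Server, peers: List[Peer],
                     addrs: Dict[str, ipaddress.IPv4Interface]) -> str:
    """Emit the `config wireguard_<iface>` sections for /etc/config/network."""
    out: List[str] = []
    for p in peers:
        out += [f"config wireguard_{server.iface}",
                f"\toption description '{p.description}'",
                f"\toption public_key '{p.public_key}'",
                f"\toption preshared_key '{p.preshared_key}'",
                "\toption route_allowed_ips '1'",
                "\toption persistent_keepalive '25'",
                f"\tlist allowed_ips '{addrs[p.description]}'",
                ""]
    return "\n".join(out)


def render_client_conf(server: Server, peer: Peer, addr: ipaddress.IPv4Interface) -> str:
    """Emit a wg-quick style client config that sends all traffic through the tunnel."""
    net = ipaddress.ip_network(server.network)
    server_ip = next(net.hosts())
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {peer.private_key}",
        f"Address = {addr.ip}/{net.prefixlen}",
        f"DNS = {server_ip}",
        "",
        "[Peer]",
        f"PublicKey = {server.public_key}",
        f"PresharedKey = {peer.preshared_key}",
        f"Endpoint = {server.endpoint_host}:{server.listen_port}",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "PersistentKeepalive = 25",
        "",
    ])


def write_private(path: str, text: str) -> int:
    """Write key material with mode 0600 regardless of umask; return the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # the O_CREAT mode is masked by umask, so force it
    return os.stat(path).st_mode & 0o777


def main() -> int:
    """Render the sample configs, write client files to a temp dir, return their mode."""
    addrs = assign_addresses(SAMPLE_SERVER, SAMPLE_PEERS)
    print(render_uci_peers(SAMPLE_SERVER, SAMPLE_PEERS, addrs))
    mode = 0
    with tempfile.TemporaryDirectory() as d:
        for p in SAMPLE_PEERS:
            conf = render_client_conf(SAMPLE_SERVER, p, addrs[p.description])
            mode = write_private(os.path.join(d, f"{p.description}.conf"), conf)
    return mode


if __name__ == "__main__":
    main()
```

The client's own AllowedIPs stays 0.0.0.0/0 so everything is tunnelled; the /32 only matters on the server side, where it tells WireGuard which single source address to accept from, and which destination to route to, each peer. Reaching another client's SMB share then works by its tunnel address (for example \\10.0.1.3\bar) because the server holds a /32 route to it.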
Lastly, I'm still new to IPv6 in general and I've sort of got it working on my router at least to be able to pass IPv6 tests. However, I would like to get IPv6 working for all of the VPN clients so that they can pass the IPv6 tests too. I will create a separate forum post on this.
Any help much appreciated