For those interested: my mixture how-to to set up a WireGuard VPN server on OpenWrt with an Android client.
1) Install packages via Software or opkg
Open the configuration page of your router in a browser.
Log in to the LuCI interface with your root account and password.
Go to System --> Software and click on "Update lists".
After the list is loaded, click on "Dismiss".
Enter "wireguard" in the Filter field and press Enter.
Install:
wireguard
wireguard-tools
kmod-wireguard
luci-app-wireguard
Or via opkg:
Install the packages:
opkg update
opkg install wireguard
1a) Configure variables
Access the router via ssh or PuTTY:
ssh root@192.168.8.1
Use the same root credentials to log in to the router.
Copy the next lines onto the command line (the later steps reuse these variables):
WG_IF="wg0"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
2) Generate security keys
Copy the next lines onto the command line:
cd /etc/config
umask go=        # new files get mode 600: only root can read the keys
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wg.psk
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wg.psk)"
WG_PUB="$(cat wgclient.pub)"   # the client's public key; copy it here from the phone (step 6b) before running step 4
Remark:
wg.psk = pre-shared key
wgserver.key = private server key
wgserver.pub = public server key (goes into the peer config on the phone, step 5e)
wgclient.pub = public key from the client
3) Set firewall
Copy the next lines onto the command line:
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
# put the WireGuard interface in the lan zone
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
# accept incoming WireGuard traffic (UDP) on the listen port from the wan zone
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
3a) Port forward for WireGuard
In the LuCI web interface go to:
Network->Firewall->Port Forwards
Name: WireGuard
Protocol: UDP
External Zone: WAN
External Port: 51820
Internal Zone: LAN
Internal IP Address: <The IP address of your device, mine is 192.168.8.1>
Internal Port: 51820
Save & Apply
4) Install interface and peer
Copy the next lines onto the command line:
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
and:
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
# ${WG_ADDR%.*} drops the last octet and the prefix length, so the client gets
# 192.168.9.2/32 (and fdf1:e8a1:8d3f:9::2/128 from WG_ADDR6)
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart
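Before running step 4 it is worth checking that the three key files from step 2 are in place, private (the effect of umask go=) and well-formed, and that the parameter expansions used for allowed_ips give the addresses you expect. The POSIX sh helpers below are an added example, not part of the original post; the function names (wg_key_valid, peer_ip4, peer_ip6, key_file_private, check_key_file, preflight) and the sample key are constructed, and the variable names follow step 1a.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the key files
# created in step 2 and the peer addresses set in step 4. Function names and the
# sample key below are constructed; variable names follow step 1a.

# A WireGuard key is 32 random bytes in base64: 44 characters, one '=' of
# padding, and the 43rd character must carry two zero bits (AEIMQUYcgkosw048).
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Same parameter expansions the post uses for allowed_ips, so the result can
# be inspected before uci commits it.
peer_ip4() { printf '%s\n' "${1%.*}.2/32"; }      # 192.168.9.1/24 -> 192.168.9.2/32
peer_ip6() { printf '%s\n' "${1%:*}:2/128"; }     # ...:9::1/64    -> ...:9::2/128

# Files written under "umask go=" show no group/other bits in ls -l.
key_file_private() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# One key file: must exist, be private, and hold a well-formed key.
check_key_file() {
    key_file_private "$1" || { echo "WARN: $1 missing or readable by others (chmod 600)"; return 1; }
    wg_key_valid "$(cat "$1")" || { echo "WARN: $1 does not hold a WireGuard key"; return 1; }
    echo "OK: $1"
}

# Check all three files from step 2 in DIR (default /etc/config) and print the
# peer addresses step 4 will configure. Returns non-zero if any check failed.
preflight() {
    dir="${1:-/etc/config}"
    rc=0
    for f in "$dir/wgserver.key" "$dir/wg.psk" "$dir/wgclient.pub"; do
        check_key_file "$f" || rc=1
    done
    echo "peer allowed_ips: $(peer_ip4 "${WG_ADDR:-192.168.9.1/24}") $(peer_ip6 "${WG_ADDR6:-fdf1:e8a1:8d3f:9::1/64}")"
    return "$rc"
}

# Constructed sample (not a real key) to show the format check; a real key
# comes from "wg genkey" and never belongs in a script.
SAMPLE_KEY="kO7rM2xq1ZpC9vTgH4wLn8YsBd3eRfUaJi6hVcXbQmE="
```

Source the file on the router after step 2 and call preflight; fix any WARN it prints before running the uci commands of step 4.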
5) Install WireGuard on Android
Install WireGuard from the Play Store.
Open the WireGuard app and tap "+" to "Create from scratch".
a) Name your VPN connection.
b) In the Addresses field enter an IP address, e.g. 192.168.8.2/32,
of course in the same IP range as you used in 1a,
but keep the /32.
c) In the DNS field you can enter your own DNS or a public one: 192.168.8.1, 1.1.1.1 or 8.8.8.8.
d) Tap "Add Peer".
e) Paste the public server key (wgserver.pub) generated in step 2 into the Public key field of the peer.
f) Remove the pre-shared key.
g) Set "Persistent keepalive" to 25.
h) Enter the DDNS address of your router WITH port number, e.g.:
"router001.duckdns.org:51820"
i) Enter "0.0.0.0/0,::0" in the "Allowed IPs" field.
j) Tap "Save" in the upper right corner.
6) Add phone to list of allowed peers
a) Open the WireGuard app on your phone.
b) Copy the public key from "Interface" to the clipboard.
c) Open LuCI in a web browser and go to
Network -> Interfaces
Click on Edit
Click on the Peers tab and click on "Add"
d) Paste the public key from your phone into the Public Key field in LuCI.
e) Enter "192.168.9.2/32" into the Allowed IPs field.
f) Check "Route Allowed IPs".
g) Leave Endpoint host and port empty.
h) Enter "25" in the "Persistent Keep Alive" field.
Save, then Save & Apply.
Reboot the router.
PS: Please let me know if I made an error somewhere.
PS2: I used LastPass notes to exchange the keys.