Dear OpenWrt Community,
First - I have a few bars to indulge myself and those in the know of the Old School :
Once again, back is the incredible rhyme animal
The uncannable D, Public Enemy Number One / Full Lyrics here for those who may wish to sing along : https://genius.com/Public-enemy-bring-the-noise-lyrics and Video here : https://www.youtube.com/watch?v=bsq91cqFhWI and
Yes, the rhythm, the rebel
D the enemy, telling you to hear it
Hard—my calling card
Recorded and ordered—supporter of Chesimard
Now after that intro - let's get down to business. There has been a lot of interest and buzz around WIREGUARD - the new VPN protocol which is now available across many platforms. I have written this tutorial with the goal of showing you how to set up a NORDVPN WIREGUARD client on OpenWrt ( NORDVPN now supports BETA WIREGUARD Servers ). The reason I put this guide together is that I was unable to find a definitive tutorial in one place which simply explained how to set up WIREGUARD on OpenWrt. This setup is guaranteed to work if you follow the steps as detailed in this tutorial. The references I used are listed below in order of most to least useful and informative:

1 - https://doc.turris.cz/doc/en/public/wireguard
2 - https://steemit.com/cn/@curl/openwrt-lede-wireguard-vpn
3 - https://blog.birkhoff.me/Setting-up-a-WireGuard-server-on-OpenWRT/ ( Note : IGNORE THE FIREWALL INSTRUCTIONS ON THIS PAGE - I WILL DETAIL THE CORRECT SETUP LATER IN THIS TUTORIAL ).

1 - First you need to get your NORDVPN WIREGUARD configuration file. Contact them via their e-mail support and they will send you your credentials. NORDVPN currently offers only two WIREGUARD Servers - one in New York and one in the UK. The configuration file is similar to the one below:
```
Address = 10.x.x.xxx/32
DNS = 1xx.1xx.xxx.x
PrivateKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
PublicKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
AllowedIPs = 0.0.0.0/0
Endpoint = 1xx.1xx.xxx.x:51820
PersistentKeepalive = 25
```

The credentials above are for demonstration purposes only - the keys are actually from DNS Privacy Test Servers and will not work if you attempt to set up NORDVPN WIREGUARD using them. Now on to the actual setup, which is in reality quite easy to do.
2 - There are two ways to set up NORDVPN WIREGUARD on OpenWrt - via uci and / or via the proper OpenWRT configuration files. Primarily, I relied on the aforementioned guide : https://doc.turris.cz/doc/en/public/wireguard and it illustrates using both methods.

A - Set up via uci ( command line )

The only drawback to this method is there is no uci command to set the endpoint host and port - you will need to set these manually via LuCI ( see below ).

No matter if you choose to configure via uci commands or OpenWRT configuration files, you first need to install the necessary packages:

```sh
opkg update && opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
```

A - Via uci commands
1) Set the server's network configuration:

```sh
# wg0 is the name of the wireguard interface, replace it if you wish.
uci set network.wg0="interface"
uci set network.wg0.proto="wireguard"
# From the dummy file I listed above
uci set network.wg0.private_key="62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4="
# The Turris guide suggests picking a listen port here ( "ports of popular
# services get through more firewalls, just remember it for the firewall later" ).
# Do NOT set this - NORDVPN WIREGUARD Servers use a *random* Listen Port:
# uci set network.wg0.listen_port="xxxxx"
# Use your real address from the downloaded NORDVPN WIREGUARD Config File
uci add_list network.wg0.addresses='10.x.x.xxx/32'
```

2) Configure the client list:

```sh
# Change all occurrences of "wireguard_wg0" to something else ( like wireguard_wg1,
# wireguard_wg2 and so on ) for subsequent clients after the 1st.
# I suggest you leave this as is.
uci add network wireguard_wg0
# From the dummy file I listed above
uci set network.@wireguard_wg0[-1].public_key="cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA="
# Allow the client to forward traffic to any IP through the tunnel
uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
uci add_list network.@wireguard_wg0[-1].allowed_ips="0.0.0.0/0"
# Enable sending of keepalive packets so NAT routers don't terminate the
# connection. WG recommends a value of 25.
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
# What you want your client to show up as in the UI
uci set network.@wireguard_wg0[-1].description='WG'
```

3) Save the changes:

```sh
uci commit network
/etc/init.d/network reload
ifdown wg0
ifup wg0
```

Now - as I stated above, this method does not add the endpoint host and port. To do this, in LuCI go to Network > Interfaces > EDIT Interface WG0 > Peers, and in Endpoint Host enter 1xx.1xx.xxx.x ( the endpoint NORDVPN WIREGUARD Server address ) and beneath it enter 51820 ( the endpoint NORDVPN WIREGUARD Server Port ). Then click on Save & Apply. Also, I have found that using the DNS Server included in the downloaded Config file is very important ( in the case of NORDVPN WIREGUARD the DNS Server is different from their main DNS Servers ) - see how to configure the proper DNS Server on the NORDVPN WIREGUARD Interface in section B : Via configuration files, below.
Thanks to the very useful and insightful assistance from my knowledgeable, kind and patient colleagues lleachii and trendy, along with the heads up from vgaetera ( all from the OpenWRT Forum ), I was able to finally get the WIREGUARD firewall rules properly configured. I have removed the uci command line section ( A ) for setting up the WIREGUARD firewall rules entirely. If anyone can send me the proper uci commands to set up the firewall which directly correspond to the rules in section B - Via configuration files ( aka the /etc/config/firewall file ) listed below, I will post them in this tutorial at that time. However, please know that your NORDVPN WIREGUARD will be most secure and function as designed if you follow the instructions in section B - Via configuration files, then Step 3) Configure the OpenWRT firewall - that is all you need to do.
B - Via configuration files
Now, I saved the best for last. Quite frankly NORDVPN WIREGUARD is very very easily set up Via configuration files. Here is how to do this in two simple steps:
1) Set the server's network configuration by editing /etc/config/network to include the following parts ( omitting the preshared_key option if you've opted not to use a PSK ). Using the dummy file above, open the file:

```sh
nano /etc/config/network
```

and add the following at the very bottom:

```
config interface 'wg0'
	option proto 'wireguard'
	option private_key '62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4='
	list addresses '10.x.x.xxx/32'
	option dns '1xx.1xx.xxx.x'

config wireguard_wg0
	option public_key 'cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA='
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option description 'WG'
	option endpoint_host '1xx.1xx.xxx.x'
	option endpoint_port '51820'
```

Save and exit, then issue Step 2 below from the command line.

2) Apply changes:

```sh
/etc/init.d/network reload
ifdown wg0
ifup wg0
```

3) Configure the OpenWRT firewall for your NORDVPN WIREGUARD client ( special thanks to trendy from the OpenWRT Forum for helping me with this elegant solution ). The most simple, effective and efficient method to set up your firewall for NORDVPN WIREGUARD is to add the 'wg0' network to the wan zone in the /etc/config/firewall configuration file. Open the file:

```sh
nano /etc/config/firewall
```

and add the 'wg0' network to the wan zone as follows:

```
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'    ## This is the line you need to add - and you are done
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
```

Save and exit, then issue Step 4 below from the command line.

4) Apply changes:

```sh
/etc/init.d/firewall restart
reboot & exit
```
All you need to do is reboot the router. The correct DNS Server along with the endpoint host and port are already added using this method.

By the way, NORDVPN is now offering WIREGUARD in Beta testing. Contact them via their e-mail support and they will send you your credentials. The most important piece of this setup is the firewall rules. Just configure your /etc/config/network file with your NORDVPN WIREGUARD Config Options and this will work just as well.
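As an added example ( my own script, not part of the original post or of OpenWrt ), here is a POSIX shell script that reads a WireGuard client .conf in the layout shown at the top of this post and prints the uci commands that reproduce the section B /etc/config/network stanza, including endpoint_host / endpoint_port ( the same options section B writes by hand ), together with the step 3 change of adding the interface to the zone named 'wan'. The file name wg2uci.sh, the function name wg_conf_to_uci and the sample's TEST-NET addresses are my assumptions; the keys are the dummy ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: print the uci commands that
# reproduce section B's /etc/config/network stanza (endpoint_host/port
# included) and step 3's firewall change from a NordVPN WireGuard .conf.
# Usage on the router:  sh wg2uci.sh nordvpn.conf | sh
wg_conf_to_uci() {
    conf=$1; ifname=${2:-wg0}
    get() { sed -n "s/^$1 *= *//p" "$conf"; }    # value of a "Key = value" line
    split() { printf '%s' "$1" | tr ',' ' '; }   # "a, b" -> "a b"
    privkey=$(get PrivateKey); pubkey=$(get PublicKey); endpoint=$(get Endpoint)
    ep_host=${endpoint%:*}; ep_port=${endpoint##*:}   # split on the last ':'
    for v in privkey pubkey ep_host ep_port; do       # refuse a half-built tunnel
        eval "[ -n \"\$$v\" ]" || { echo "missing $v in $conf" >&2; return 1; }
    done
    echo "uci set network.$ifname=interface"
    echo "uci set network.$ifname.proto=wireguard"
    echo "uci set network.$ifname.private_key='$privkey'"
    for a in $(split "$(get Address)"); do echo "uci add_list network.$ifname.addresses='$a'"; done
    for d in $(split "$(get DNS)"); do echo "uci add_list network.$ifname.dns='$d'"; done
    echo "uci add network wireguard_$ifname"   # no listen_port: the server picks a random one
    peer="network.@wireguard_$ifname[-1]"
    echo "uci set $peer.public_key='$pubkey'"
    echo "uci set $peer.route_allowed_ips=1"
    for ip in $(split "$(get AllowedIPs)"); do echo "uci add_list $peer.allowed_ips='$ip'"; done
    echo "uci set $peer.endpoint_host='$ep_host'"
    echo "uci set $peer.endpoint_port='$ep_port'"
    echo "uci set $peer.persistent_keepalive='$(get PersistentKeepalive)'"
    echo "uci set $peer.description=WG"
    echo "uci commit network"
    cat <<EOF   # firewall: locate the zone named 'wan' by index, then add the interface
i=0; while name=\$(uci -q get firewall.@zone[\$i].name); do
    [ "\$name" = wan ] && uci add_list "firewall.@zone[\$i].network=$ifname"
    i=\$((i+1)); done; uci commit firewall
EOF
}
# Constructed sample in NordVPN's layout: the post's dummy keys, TEST-NET addresses
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[Interface]
Address = 10.0.10.2/32
DNS = 192.0.2.53
PrivateKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
[Peer]
PublicKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
EOF
wg_conf_to_uci "${1:-$SAMPLE_CONF}"
```

Review the printed commands before piping them into sh; the script never touches uci itself, so a missing key or endpoint only produces an error message instead of a half-configured interface.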
Testing your configuration
From your client, attempt a connection to your router. On the server side, run the following from the command line to inspect the current state of WireGuard:

```sh
wg show
```

You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in the output. Output will vary according to your keys:

```
public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
private key: (hidden)
listening port: 1234
allowed ips: 10.0.10.0/24
latest handshake: 1 hour, 19 minutes, 23 seconds ago
transfer: 43.96 MiB received, 51.89 MiB sent
persistent keepalive: every 25 seconds
```
If you installed luci-app-wireguard, you can also visit your router's LuCI interface and click on Status, then WireGuard Status, to see essentially the same information without needing to SSH in. You can also run ifconfig to check the status of your WireGuard interface. If you've opted for another interface name aside from wg0, replace it in the following command:

```sh
ifconfig wg0
```

```
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.10.1  P-t-P:10.0.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
          TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
          RX bytes:46099332 (43.9 MiB)  TX bytes:54420468 (51.8 MiB)
```
Peace and God's Grace To All
FYI : I set this up along with DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY ( from the DNS Privacy Project ) - see the thread "DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY" - and DNS leak tests return the DNS Privacy Test Servers which I chose in my Stubby DNS Privacy Daemon config file. However, I continued to use the NORDVPN WIREGUARD DNS Server for the WIREGUARD Interface ( WG0 ). Everything works well. If anyone can impart to me exactly how DNS functions within the WIREGUARD tunnel, I will be most appreciative.