[SOLVED]Suggested VPN solution from android to OpenWrt

Hi all, Can anyone recommend or suggest a good tutorial for a VPN that will allow me to connect to my local network when away from home on my Android device please?
I've had a quick look around and strongswan keeps coming up but i can't seem to find a simple tutorial to follow.
Thanks for reading

Wireguard might be a good option. Uncle Google throws-up a few good tutorials; e.g:

https://www.stavros.io/posts/how-to-configure-wireguard/
https://casept.github.io/post/wireguard-server-on-openwrt-router/

2 Likes

+1 for wireguard.

I am looking for similar solution, but I would like to work it in Windows too (as a client, connecting from your windows PC to home lan).

Easy of use is importan for me, and I prefer if it works out of the box (I mean without installing apps in windows or andoid) as me and my family would need to access sporadically from devices that we don not own.

I have PPTP working (not under openwrt) but it is not secure, so I will drop it as soon as possible.

I have thought of L2TP as you can use it out of the box in android and windows.
And you can use a password and not using files with key pairs that yo need to protect and have with you.
But it seems to be complicated to install it in openWRT and I don't know it it is fully implemented.

OpenVPN is great I have tried it, but not so easy to use under windows, and you need the config file with you (which you have to protect in order to nobody have access to it).

When you need access from a device that is not yours, you probably don't have the config file and cannot do complex installations.

Does Wireguard work in windows too? May you configure it to get access just with a secret password?

The WireGuard client for Windows is in alpha, currently:
https://www.wireguard.com/install/

I'd recommend doing a bit of reading around the protocol: it's not password-based.

Yes you are right.

Windows is on the road, and it seems that it would be included in the windows distribution, which will be great (as another VPN method).

It is based in a 256bit base4 private/public key.

That is a problem as you have to have them at hand in a file in order to be able to connect, but almost all modern VPN seem to follow the same path.

It seems quite simple to install both in server and client, by means of the corresponding keys or a config file (great when you have it at hand).

I am trying it, I have installed it in openwrt, an android mobile and a windows machine.

I am a bit stacked with the private key.

I have thought it would be possible to generate any 256bit base64 encoded key (one using for example a 256 bit hash from a keyword and then encoded with base64) but it seems you have to use a wg command to generate the private key.
I don't know exactly why if it asks you for a private key when you create the interface, it does not let you use whaterver 256bit key you want, if it is using it as a hash to generate the publick key.

And if it has to be generated by the wireguard program itself, why does the luci interface ask for a key and does not provide the option to generate it?

Indeed. SSH into your router and do:

umask 077
wg genkey | tee privatekey | wg pubkey > publickey
1 Like

Yes, that is what I have read, but I don't understand why luci interface does not provide the option to generate it without ssh into the router (that is what the interface is for).
Probably the forgot that detail.

It should give the optiion to generate it (generating prrivate key and public) and export thee config file (ideally generate a QR code too) in order to simplify use from the mobile or desktop client.

The mobile app does it, you can generate a zip, and you can import a zip with conf files.
You may use QR codes too.

That would simplify the admin task of creating tunnel connections and accept peers.

Thanks. The links supplied certainly helped and I found a good one of https://blog.birkhoff.me/Setting-up-a-WireGuard-server-on-OpenWRT/
I am now up and running but face another dilemma which is that it only seems to work when connected to the LAN once i setup NORDVPN up
I very much would like to keep NordVPN on and at the same time connect outside using Wireguard but I can only seem to connect outside of LAN if i remove NordVPN.
Is there a way i can do this please?

Sorry, I'm not entirely clear on what you're asking. It sounds like you're running your router as an OpenVPN client.

In which case, I suspect what's happening is that your OpenVPN connection is your default route. So, if you connect to your LAN over Wireguard, the responses are going back out over the OpenVPN connection rather than through the Wireguard tunnel.

I've got a similar set-up: my router is set up as a Wireguard Client and Server. I solved this using some Policy-Based rules. My configs are posted here; I guess the pertinent bits are in /etc/config/vpr-policy-routing and option append_local_rules '! -d 192.168.0.0/16' in particular.

That's how I solved it (assuming I've understood you correctly). You may be able to do something similar. Equally, there are folk on the forum far more knowledgable than me who may provide an alternate, perhaps simpler, solution.

There's also another client from TunSafe https://tunsafe.com/download

The LuCi web GUI does that. Have you installed luci-app-wireguard?

Make the correct static route.

1 Like

mmmm …
Yes I have installed luci-app-wireguard, under version 18.06.02 of openwrt (currente stable releas, I think) but there is no option for generating the key (it just asks for the private key, you have to enter it in a text box) and it does not generate any QR or config file.

I have not found it anywhere in the interface.

May be you are using a more advance luci interface? The current snapshot?
May I install it under the stable version of openWRT? How?

AAAAH yes, my apologies. I am.

I'm not sure the 2 are compatible, there's other threads discussing the changing-out of LuCI.

1 Like

Any way good news if they are implementing that for next version, thank you.

May you provide a link to the threads where they are discussing about luci wireguard app?

The interface to connect right now is not very easy to use, if you have to configure keys and anything in the mobile or pc client. I cannot provide it for my kids o wife to use easily.

If the router provides you with a QR and/or config key you can send them by email, it would be easier to use.

The problem I see is that you have to configure each PC/mobile you are going to use in advance, giving them a different an fix IP (link IP).
There is no such a thing as a DHCP or authomatic IP dispatched to the device.

If you have few devices, it is not such important. But you have to configure each device you want to link in the router providing its public key. So you cannot use a device sporadically, a device that you don't know in advance.

May be in future releases they implement a way to do that (using some kind of authoritation to probe you have rights to connect that device).

Thank you in advance.

I think you may need to understand how OpenWrt development syscles work. Since it's in Snapshot, it will be in the next release.

I never said there was one. Feel free to search.

That's what it does.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.