Dear OpenWrt Community,
First - I have a few bars to indulge myself and those in the know of the Old School :
Once again, back is the incredible rhyme animal
The uncannable D, Public Enemy Number One / Full Lyrics here for those who may wish to sing along : https://genius.com/Public-enemy-bring-the-noise-lyrics and Video here : https://www.youtube.com/watch?v=bsq91cqFhWI
Now after that intro - let's get down to business. There has been a lot of interest and buzz around WIREGUARD - the new VPN protocol which is now available across many platforms. I have written this tutorial with the goal of showing you how to set up TORGUARD WIREGUARD Client ( TORGUARD now supports WIREGUARD Servers ). The reasons for my putting this guide together is that I was unable to find a definitive tutorial in one place which simply explained how to set up WIREGUARD on OpenWrt. This setup is guaranteed to work if you follow the steps as detailed in this tutorial. The references I used are listed below in order of most to least useful and informative:
1 - https://doc.turris.cz/doc/en/public/wireguard 2 - https://steemit.com/cn/@curl/openwrt-lede-wireguard-vpn 3 - https://blog.birkhoff.me/Setting-up-a-WireGuard-server-on-OpenWRT/ ( Note : IGNORE THE FIREWALL INSTRUCTIONS ON THIS PAGE - I WILL DETAIL CORRECT SETUP LATER IN THIS TUTORIAL ).
1 - First you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area.
You will see this message along the top : Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York ( quite actually situated in Clifton, New Jersey ), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which states now Disable WIREGUARD. Download Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following :
Location VPN Server Keys Manage
USA - New York 1 159.xx.xxx.xx:xxx Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Your Address: 10.xx.x.xxx/24
WARNING:
These credentials above are for demonstration purposes only - the keys are actually from DNS Privacy Test Servers and will not work if you attempt to set up WIREGUARD using these credentials. Now on to the actual setup which is in reality quite easy to do.
2 - There are two ways to set up TORGUARD WIREGUARD on OpenWrt - via uci and / or by the proper OpenWRT configuration files. Primarily, I relied on this aforementioned guide : https://doc.turris.cz/doc/en/public/wireguard and it illustrates using both methods.
A - Set up Via Uci - command line The only drawback to this method is there is no uci command to set the endpoint host and port - you will need to set these manually via Luci :
No matter if you choose to configure via Uci commands or OpenWRT configuration files you first need to install the necessary packages:
opkg update && opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
Via uci commands
1) Set the server's network configuration:
# wg0 is the name of the wireguard interface,
# replace it if you wish.
uci set network.wg0="interface"
uci set network.wg0.proto="wireguard"
uci set network.wg0.private_key="cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=" ## ( From the dummy file I listed above )
# You may change this port to your liking, ports of popular
# services get through more firewalls. Just remember it
# for when you have to configure the firewall later.
uci set network.wg0.listen_port="51820" ## ( This is the standard port for TORGUARD WIREGUARD )
uci add_list network.wg0.addresses='10.xx.x.xxx/24' ## ( Use your real address from downloaded TORGUARD WIREGUARD Config File )
2) Configure client list:
# Change all occurences of "wireguard_wg0" to something else
# (like wireguard_wg1, wireguard_wg2 and so on) for
# subsequent clients after the 1st
uci add network wireguard_wg0network wireguard_wg0 ## ( I suggest you leave this as is )
uci set network.@wireguard_wg0[-1].public_key="62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=" ## ( From the dummy file I listed above )
uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
uci add_list network.@wireguard_wg0[-1].allowed_ips="0.0.0.0/0"
# Enable sending of keepalive packets so NAT routers
# don't terminate the connection. WG recommends a value of 25.
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
# What you want your client to show up as in the UI
uci set network.@wireguard_wg0[-1].description='WG'
Save the changes:
uci commit network
/etc/init.d/network reload
ifdown wg0
ifup wg0
Now - as I stated above this method does not add the endpoint host and port. To this - in Luci go to Network > Interfaces > Then EDIT Interface WG0 > Under Peers > in the Endpoint Host enter 159.xx.xxx.xx:xxx ( the WIREGUARD Server address ) and beneath enter 443 ( the the WIREGUARD Server Port ). Then click on Save & Apply. Also, I have found that using the DNS Server included in the downloaded Config file is very important. In the case of TORGUARD WIREGUARD the server is - 104.223.91.210 ( their main all around DNS Server ) - see how to configure it on the WIREGUARD Interface below in section B : the Via configuration files section of this tutorial.
Thanks to the very useful and insightful assistance from my knowledgeable, kind and patient colleagues lleachii and trendy along with the heads up from vgaetera ( all from the OpenWRT Forum ) I was able to finally get the WIREGUARD FireWall rules properly configured. I have removed the UCI command line section ( A ) for setting up the WIREGUARD Firewall rules entirely. If anyone can send to me the proper uci commands to set up the firewall which directly correspond to the rules in section B - Via configuration files ( aka the /etc/config/firewall file ) listed below; I will post them in this tutorial at that time. However, please know that your TORGUARD WIREGUARD will be most secure and function as it designed if you follow the instructions in Section B - Via configuration files - then Step 3) Configure the OpenWRT firewall: - that is all you need to do.
B - Via configuration files
Now, I saved the best for last. Quite frankly TORGUARD WIREGUARD is very very easily set up Via configuration files. Here is how to do this in two simple steps:
- Set the server's network configuration by editing /etc/config/network to include following parts, omitting the preshared_key option if you've opted not to use a PSK:
From the dummy files above: Go to the the very bottom of this file and add the following :
Open the file: nano /etc/config/network
config interface 'wg0'
option proto 'wireguard'
option private_key 'cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA='
option listen_port '51820'
list addresses '10.xx.x.xxx/24'
option peerdns '0'
list dns '104.223.91.210'
list dns '104.223.91.194'
config wireguard_wg0
option public_key '62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4='
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
option description 'WG'
option endpoint_host '159.xx.xxx.xxx'
option endpoint_port '443'
Save and Exit
Then issue from command line Step 2 below:
2) Apply changes
/etc/init.d/network reload
ifdown wg0
ifup wg0
3) Configure the OpenWRT firewall for your TORGUARD WIREGUARD Client:
Special Thanks to trendy ( from the OpenWRT Forum ) for helping me with this elegant solution
The most simple, effective and efficient method to set up your firewall
for TORGUARD WIREGUARD this is to add the 'wg0' network
to the wan zone in the /etc/config/firewall configuration file
Edit /etc/config/firewall file and add the 'wg0' network as follows:
Open the file: nano /etc/config/firewall
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wg0' ## This is the line you need to add - and you are done
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
Save and Exit
Then issue from command line Step 4 below:
4) Apply changes
/etc/init.d/firewall restart
reboot & exit
All you need to do is reboot the router. The correct DNS Server along with the endpoint host and port are already added using this method. By the way, NORDVPN is now offering WIREGUARD in Beta testing. Contact them via their e-mail support and they will send you your credentials. The most important piece of this set up are the firewall rules. Just configure your /etc/config/network file with your NORDVPN WIREGUARD Config Options and this will work just as well.
Testing your configuration
From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard: from the command line run entry : wg show
You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in output. Outpoint will vary according to your keys.
interface: wg0
public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
private key: (hidden)
listening port: 1234
peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
endpoint: 190.180.170.160:45345
allowed ips: 10.0.10.0/24
latest handshake: 1 hour, 19 minutes, 23 seconds ago
transfer: 43.96 MiB received, 51.89 MiB sent
persistent keepalive: every 25 seconds
If you installed luci-app-wireguard, you can also visit your router's LuCI interface and click on Status, then click on WireGuard Status to essentially the same information but without needing to SSH in. You can also run ifconfig to check the status of your WireGuard interface. If you've opted for another interface name aside from wg0, replace it in the subsequent command: ifconfig wg0
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.10.1 P-t-P:10.0.10.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:46099332 (43.9 MiB) TX bytes:54420468 (51.8 MiB)
Alert : Houston We Have A Problem
In Remembrance and Celebration Apollo 11's 50th Anniversary - we also have a solution for that particular problem. I have found that WireGuard connection does not reboot on start up consistently. I discovered, appropriated, and modified a solution for TorGuard WireGuard here:
https://mullvad.net/en/guides/running-wireguard-router/ - go to section near bottom entitled " Add A Watchdog " Note: Complete this step ONLY AFTER ! you have confirmed that the router is working properly.
1- Use SSH to log in to the router and add the file wg-watchdog.sh (provided below) in /root. The TorGuard wg-watchdog.sh file below :
A - Create file - # touch /root/wg-watchdog.sh Open file with nano - # nano /root/wg-watchdog.sh - and enter contents below :
#!/bin/sh
# ping TorGuard dns that can only be reached via the VPN tunnel
# if no contact, reboot!
tries=0
while [[ $tries -lt 5 ]]
do
if /bin/ping -c 1 104.223.91.210
then
echo "wg works"
exit 0
fi
echo "wg fail"
tries=$((tries+1))
done
echo "wg faild 5 times - rebooting"
reboot
Save and Exit then make it executable - # chmod +x /root/wg-watchdog.sh
2 - Afterward, add the following entry in System >> Scheduled Tasks ( aka Cron ) in LuCI: */10 * * * * /root/wg-watchdog.sh
and restart cron - # /etc/init.d/cron restart
This solution is GUARANTEED to work exquisitely and beautifully - the TorGuard WireGuard Connection restarts after reboots and most significantly, even after powering down router and then powering it up again.
Peace and God's Grace To All
FYI : I set this up along with DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY see here : ( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY
and DNS LEAK TESTS returns the DNS Privacy Test Servers which I chose in my Stubby DNS Privacy Daemon Config file. However, I continued to use the TORRGUARD DNS Server for the WIREGUARD Interface ( WG0 ). Everything works well. If anyone can impart to me exactly how DNS functions within the WIREGUARD Tunnel ; I will be most appreciative.