[Solved] Wireguard as a VPN "server"

I'm trying to build a VPN server on my LEDE router, using WireGuard. I know that there are no "servers" and "clients" in WireGuard, just peers, and I have a few questions:

  1. How are IP addresses managed? The router (let's name it peer 1 in WireGuard) normally has a DHCP WAN address, which can change, and my notebook (peer 2) will have an unknown IP address depending on where I connect it. Looking at this guide: https://danrl.com/blog/2017/luci-proto-wireguard/ we need an IP address for the WireGuard interface (can I use the router's DynDNS hostname?), and for peers the endpoint host is totally unknown before connecting; can I use some kind of wildcard here?
  2. Firewall: is it recommended to set up a separate zone, or to include the new WireGuard interface in the LAN zone?

Thanks in advance

I have been trying to digest the above as well as the WireGuard site and was wondering the same.
https://www.wireguard.com/

Seems OK for a peer-to-peer setup, but it's also not clear how to do a road warrior setup.

Exactly, it looks more like a fixed site-to-site VPN.

1 Like

I literally set this up yesterday to see how easy it could be:

  1. IPs are managed by the kernels on either side. Therefore, you must use the correct CIDR prefix on the interfaces on both ends (e.g. for a 2-peer configuration, you must use at least a /31 or /30 at the router side of your traffic; the "client end" can use the other available /32 in that subnet).
  2. I found a need to set up a different zone. The rules are different between networks, etc.; but this is solely your choice, considering the trust of the network on the "far end."
  • VERY IMPORTANT - to use the connection as a VPN Internet connection, the CLIENT must allow IPs 0.0.0.0/0, or the following two routes combined (in order to override the existing default 0/0): 0.0.0.0/1 and 128.0.0.0/1. For this reason alone, you may wish to use a different firewall zone.
  • Once configured, they behave like a unicast IP tunnel.
  • If your remote end is the server, ensure you set up IP forwarding and masquerading.
  • The LEDE device is already a router, so you would set everything up as a normal 2nd WAN.
  • On LEDE, you would add the interface to a firewall zone, add masquerading, etc.
  • On a road warrior setup, you configure the peer in LEDE not to have an endpoint IP; with no endpoint IP configured on the LEDE side, your client device can dynamically connect to your LEDE router as it roams. See: https://www.wireguard.com/#built-in-roaming

Hope this helps.

5 Likes

Sorry for the delay @lleachii, thanks a lot for your help, it works great!

1 Like

Excellent. Consider editing the thread's title to note it as "Solved."

1 Like

Can you share the configuration for both the server and client (WireGuard, iptables, etc.)?

I can create a LAN-to-LAN configuration with no problems, but I wasn't able to do a road-warrior config.

Server (Ubuntu):

# SETUP TUNNEL
sudo ip link add dev wg0 type wireguard
sudo ip address add dev wg0 192.168.245.1/30
# NEXT LINE HAS NO PEER ENDPOINT HOST/PORT; IT IS CONFIGURED FOR ROAMING
# (private-key takes the path of a file containing the base64 private key)
sudo wg set wg0 listen-port 48888 private-key <PATH_TO_PRIVATE_KEY_FILE> peer <PEERS_PUBLIC_KEY> allowed-ips 192.168.245.2/32
sudo ip link set up dev wg0

# SET UP ROUTING AND NAT FOR THE PEER
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -s 192.168.245.2 -j MASQUERADE

/etc/config/network

config interface 'test_wireguard'
        option proto 'wireguard'
        option listen_port '49999'
        list addresses '192.168.245.2/32'
        # this device's own private key (the LEDE side of the tunnel)
        option private_key '<LEDE_PRIV_KEY_HERE>'

config wireguard_test_wireguard
        # public key of the Ubuntu "server" peer above
        option public_key '<SERVERS_PUB_KEY_HERE>'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '<ENDPOINT_HOSTNAME_OR_IP>'
        option endpoint_port '48888'
        # YOU MAY NEED TO ADD ROUTES AS WELL; netifd can install them for you:
        # option route_allowed_ips '1'

/etc/config/firewall

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option name 'Wireguard_VPN'
        option family 'ipv4'
        option dest_port '49999'

The only difference in a mobile config is that you don't specify the peer's IP/host/port on the server.

Also see: https://www.wireguard.com/#simple-network-interface

2 Likes
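The two posts above (the bullet list on allowed IPs, masquerading and endpoint-less peers, and the Ubuntu/LEDE configs) describe one procedure. The following is an added example, not code from this thread or from the WireGuard project: it renders wg-quick style configs for a hub and several roaming peers, hands out one /32 per peer from a pool, checks that no two peers' AllowedIPs overlap, and shows the 0.0.0.0/1 + 128.0.0.0/1 pair. The endpoint vpn.example.org:48888, the WAN interface eth0, the /24 pool and the keys are placeholders (the keys are fake blobs, not output of `wg genkey`).

```python
"""Added example: render WireGuard hub + roaming peer configs (wg-quick format).
Assumed placeholders: vpn.example.org:48888, eth0, 192.168.245.0/24, fake keys."""
import base64
import hashlib
import ipaddress

HUB_ENDPOINT = "vpn.example.org:48888"                 # assumed DynDNS name of the hub
HUB_LISTEN_PORT = 48888                                 # port used in the thread's Ubuntu example
WAN_IFACE = "eth0"                                      # assumed upstream interface on the hub
TUNNEL_POOL = ipaddress.ip_network("192.168.245.0/24")  # assumed pool (the thread used a /30)


def placeholder_key(label):
    """Deterministic 32-byte base64 blob that only LOOKS like a WireGuard key.
    Real deployments must use `wg genkey | tee priv | wg pubkey`."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def allocate_tunnel_addresses(pool, peer_count):
    """Static allocation: first usable host is the hub, the next ones are peers.
    WireGuard has no DHCP; AllowedIPs doubles as the routing table, so each
    roaming peer gets its own /32 and the operator must keep them unique."""
    hosts = list(pool.hosts())
    if peer_count + 1 > len(hosts):
        raise ValueError("tunnel pool too small for hub + peers")
    hub = ipaddress.ip_interface(f"{hosts[0]}/{pool.prefixlen}")
    peers = [ipaddress.ip_interface(f"{h}/32") for h in hosts[1:1 + peer_count]]
    return hub, peers


def split_default_routes():
    """The two /1 routes from the thread: together they cover 0.0.0.0/0 but are
    more specific than an existing default route, so they win without replacing it."""
    return [str(n) for n in ipaddress.ip_network("0.0.0.0/0").subnets(new_prefix=1)]


def allowed_ips_disjoint(allowed):
    """Cryptokey routing maps each destination to exactly one peer, so the
    AllowedIPs configured on the hub must not overlap between peers."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def render_hub_conf(hub_priv, hub_addr, peers):
    """[Interface] for the hub plus one [Peer] per roaming client. Peers get no
    Endpoint: the hub learns each client's address from its first authenticated
    packet (WireGuard's built-in roaming)."""
    def nat_rule(action):
        return (f"iptables -t nat {action} POSTROUTING -s {hub_addr.network} "
                f"-o {WAN_IFACE} -j MASQUERADE")
    lines = [
        "[Interface]",
        f"Address = {hub_addr}",
        f"ListenPort = {HUB_LISTEN_PORT}",
        f"PrivateKey = {hub_priv}",
        "PostUp = sysctl -w net.ipv4.ip_forward=1; " + nat_rule("-A"),
        "PostDown = " + nat_rule("-D"),
    ]
    for name, pub, addr in peers:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {addr}"]
    return "\n".join(lines) + "\n"


def render_peer_conf(peer_priv, peer_addr, hub_pub, hub_addr, full_tunnel=True):
    """Client side. AllowedIPs here decides what the client sends into the tunnel:
    0.0.0.0/0 for "all traffic via the VPN", or only the tunnel subnet for split
    tunnelling. The client knows the hub's Endpoint; the hub never needs ours."""
    allowed = "0.0.0.0/0" if full_tunnel else str(hub_addr.network)
    return "\n".join([
        "[Interface]",
        f"Address = {peer_addr}",
        f"PrivateKey = {peer_priv}",
        "",
        "[Peer]",
        f"PublicKey = {hub_pub}",
        f"AllowedIPs = {allowed}",
        f"Endpoint = {HUB_ENDPOINT}",
        "PersistentKeepalive = 25",   # keeps the NAT mapping alive while the client roams
    ]) + "\n"


def build_site(peer_names, full_tunnel=True):
    """Produce the hub config and one client config per named peer."""
    hub_addr, peer_addrs = allocate_tunnel_addresses(TUNNEL_POOL, len(peer_names))
    hub_priv, hub_pub = placeholder_key("hub-priv"), placeholder_key("hub-pub")
    peers, client_confs = [], {}
    for name, addr in zip(peer_names, peer_addrs):
        priv, pub = placeholder_key(name + "-priv"), placeholder_key(name + "-pub")
        peers.append((name, pub, addr))
        client_confs[name] = render_peer_conf(priv, addr, hub_pub, hub_addr, full_tunnel)
    if not allowed_ips_disjoint([str(a) for _, _, a in peers]):
        raise ValueError("overlapping AllowedIPs between peers")
    return render_hub_conf(hub_priv, hub_addr, peers), client_confs


if __name__ == "__main__":
    hub_conf, clients = build_site(["notebook", "phone"])
    print(hub_conf)
    for name, conf in clients.items():
        print(f"# ---- {name}.conf ----\n{conf}")
```

The asymmetry is the point: on the hub each peer's AllowedIPs is exactly its /32 (so a peer can only source its own address and cannot impersonate another), while on the client AllowedIPs is 0.0.0.0/0 (or the split pair) because that entry decides what the client pushes into the tunnel. Translating this to UCI is mechanical: `allowed_ips`, `endpoint_host`/`endpoint_port` and `route_allowed_ips` map to the same fields.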

Thank you very much for all the pointers in this thread. I've managed to get this up and running.
I am planning to write an extensive guide on how to use a roaming WireGuard setup on the Wiki. I do have a few questions that can hopefully be answered before I start writing one, because I am not 100% happy with the current setup at the moment.

The first thing I am not happy about is the fact that I have to specify an IP address for each individual client. Would it be possible to fetch an IP address from a DHCP server on the router, so that I don't have to specify an IP manually on all of my clients (And make sure they all have a unique one)?

The second thing I don't really like is the fact that I have to add peers on the router as well. Would it be possible to use WireGuard in a way where the public key is sent from the client to the server, encrypted with the server's public key? In that sense, the server's public key should remain confidential as well, since having it would allow anyone to connect to the VPN. As an extra layer of security a preshared key could be applied as well.

This way, I can connect to the VPN with a new client without having access to the VPN in the first place to add this new peer to the list. This would increase the versatility of the setup in my opinion.

It doesn't make sense to me. You should create another key pair, let's call it the admin key pair. Sign the request containing the public key of the client with the private key of the admin. The server can then verify the signature by using the public key of the admin. Of course this all needs to happen out of band using a REST request or similar.

Yes, and the out-of-band part is the thing I do not like. I have to manually add clients' public keys to the server or set up a REST API in order to do so. I would prefer if I could connect from any device anywhere in the world as long as I have the server's public key and the preshared key.

Also, do you happen to know whether it is possible to use DHCP to fetch an IP address instead of having to use static IPs defined in the config files of WireGuard?

Actually I think it may be possible to do dynamic address assignment in-band by using IPv6 link-local IP addresses. IPv6 link-local addresses use the fe80::/64 subnet and are usually based on the MAC address. But I guess it should be possible to instead derive the 64-bit interface identifier from the public key. IPv6 link-local addresses are used by DHCPv6, which means it may work. A DHCPv6 server uses the address ff02::1:2 in addition to the link-local address derived from its public key, but that shouldn't be a problem. IPv4 is another matter.

I don't think DHCPv4 is possible, since the client uses address 0.0.0.0, which means only one WireGuard peer would be possible.

Edit: I have verified that DHCPv6 including prefix delegation can be made to work with WireGuard. But I don't know how useful it is. For example, it's harder to write an Android app using DHCPv6 than a REST API.
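The post above sketches deriving a peer's fe80::/64 interface identifier from its WireGuard public key so that DHCPv6 can run over the tunnel. The following is an added example, not code from this thread or from WireGuard, that implements that sketch: a hash-to-IID derivation (the SHA-256 truncation, the domain-separation label and the cleared u/l and g bits are this example's own choices, not a standard), a check of a claimed address against a key, and the AllowedIPs each side would need so the DHCPv6 Solicit (to ff02::1:2) and the unicast reply pass cryptokey routing. Keys are constructed 32-byte placeholders; the claim that the multicast group must appear in the client's AllowedIPs for the hub peer is an assumption about how WireGuard treats outbound packets with no matching peer.

```python
"""Added example: stable IPv6 link-local address per WireGuard peer, derived
from the peer's public key, plus the AllowedIPs needed for DHCPv6 over the tunnel.
Derivation scheme and label are this example's own choice; keys are placeholders."""
import base64
import hashlib
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/64")
ALL_DHCPV6_SERVERS = ipaddress.ip_address("ff02::1:2")   # All_DHCP_Relay_Agents_and_Servers


def placeholder_key(label):
    """Deterministic 32-byte base64 blob standing in for `wg pubkey` output."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def iid_from_public_key(pubkey_b64):
    """64-bit interface identifier = truncated SHA-256 over a label and the
    32-byte key. The u/l and g bits of the first byte are cleared so the IID
    cannot be mistaken for an IEEE EUI-64 or a group identifier."""
    key = base64.b64decode(pubkey_b64)
    if len(key) != 32:
        raise ValueError("WireGuard public keys are 32 bytes")
    iid = bytearray(hashlib.sha256(b"wg-link-local-iid:" + key).digest()[:8])
    iid[0] &= 0xFC
    return bytes(iid)


def link_local_from_public_key(pubkey_b64):
    """fe80::/64 prefix OR the 64-bit identifier derived from the key."""
    iid = int.from_bytes(iid_from_public_key(pubkey_b64), "big")
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid)


def address_matches_key(addr, pubkey_b64):
    """Verify a claimed link-local address before accepting it for a peer:
    the address is bound to the key, so a peer cannot pick another peer's."""
    return ipaddress.IPv6Address(addr) == link_local_from_public_key(pubkey_b64)


def hub_allowed_ips_for_peer(peer_pub, peer_v4):
    """On the hub: the peer's IPv4 /32 plus the link-local it will use as the
    DHCPv6 client source address; the server unicasts its replies there."""
    return [str(peer_v4), f"{link_local_from_public_key(peer_pub)}/128"]


def peer_allowed_ips_for_hub(hub_pub, tunnel_v4):
    """On the client: the tunnel subnet, the hub's link-local (DHCPv6 replies
    are sent from it) and the multicast group the Solicit is addressed to.
    Assumption: without that group in some peer's AllowedIPs the Solicit is
    dropped, because no peer matches its destination."""
    return [str(tunnel_v4),
            f"{link_local_from_public_key(hub_pub)}/128",
            f"{ALL_DHCPV6_SERVERS}/128"]


if __name__ == "__main__":
    hub_pub = placeholder_key("hub-pub")
    for name in ("notebook", "phone"):
        pub = placeholder_key(name + "-pub")
        print(name, link_local_from_public_key(pub), hub_allowed_ips_for_peer(pub, "192.168.245.2/32"))
    print("client side:", peer_allowed_ips_for_hub(hub_pub, "192.168.245.0/24"))
```

Because the hub can compute every peer's link-local address from the key it already has on file, no address needs to be exchanged out of band; what DHCPv6 then hands out (a routable address or a delegated prefix) still has to be added to that peer's AllowedIPs on the hub, so a static allocation, as in the thread, remains the simpler design.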

Hi, can you please tell me where I can find the guide?
Thanks

I haven't found the time yet to write this guide. It's definitely still on my to-do list.

1 Like

I would also really appreciate if you wrote a guide. There are a lot of things I would like to know how to do properly, such as in which firewall zone to place the WireGuard interface.

I tried everything, but I cannot configure a road warrior VPN with Android; surely I'm wrong in the firewall configuration.
Can someone post a working configuration?
Thank you

My configuration above does work:

See post #7.

It has been working since October 2017.

Perhaps, you should post your config, instead.

Also, the OP was able to get his WireGuard working. Perhaps you should create a new thread, as this one has been marked as [SOLVED].

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.