Switch between wireguard profiles in OpenWrt

Is there an easy way to switch between wireguard profiles in OpenWRT?

Like to switch easily between these profiles below without editing /etc/config/network.

Profile [1]

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.64.178.44'
	option listen_port '51820'

config wireguard_wg0
	option public_key 'Rzh64qPcg8W8klJq0H4EZdVCH7iaPuQ9falc99GTgRA='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '103.231.88.2'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Profile [2]

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.64.178.44'
	option listen_port '51820'

config wireguard_wg0
	option public_key 'TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '185.200.118.100'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Cheers.

Create interface wg1 for the second config. You can start/stop each interface independently and you can set each to start automatically on boot or just bring it up manually.

Yeah that would work, but prefer to reuse same interface as I add more profiles.

My GL.inet travel router has this ability. Would like to replicate it on my home router.

Not sure if it's possible, as this would make 2 peers that can reach the whole Internet...

Both peers use 0.0.0.0/0 as allowed IPs, this would first need to be fixed. That gets messy as using 2 routes (i.e. 0.0.0.0/1 and 128.0.0.0/1) makes a more specific route to the Internet. The problem is, the sum of both routes nonetheless == 0.0.0.0/0. I'm not certain if that setting would be valid on the same Wireguard Interface.

:bulb: Test it.

See: https://www.wireguard.com/#cryptokey-routing

What ability, to flip VPNs?

You can use policy-based routing to "flip" VPNs - leaving all up, but not routing to them by default (aside for your policy if you want a VPN up by default).

I would think the easiest way without extra work - would be to make 2 WG Interfaces, and enable/disable "Route Allowed IPs" as you select the preferred VPN.

Yes. The travel router adds a file wireguard under /etc/config

The active peer is the one on top labelled enabled.
*Note: The travel router adds a listening port to each profile and peer id.

[/etc/config/wireguard]

config proxy
	option enable '1'
	option main_server 'Mullvad-LondonUK'
	option host '185.200.118.100'

config peers 'wg_peer_4760'
	option name 'Mullvad-LondonUK'
	option address '10.64.178.44/32'
	option listen_port '10187'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option dns '193.138.218.74'
	option end_point '185.200.118.100:51820'
	option public_key 'TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI='
	option allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

config peers 'wg_peer_5647'
	option name 'Vancouver-Canada'
	option address '10.64.178.44/32'
	option listen_port '30876'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option dns '193.138.218.74'
	option end_point '107.181.189.206:51820'
	option public_key 'quPBSdtRAfoUVkbRWvjXF5d5cYwhURobppSVd5Uz3xA='
	option allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

No actual interface is created except for a device reference to 'wg0' in /etc/config/firewall

[/etc/config/firewall]

config zone 'wireguard'
	option name 'wireguard'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option device 'wg0' <================
	option network ' '
	option input 'ACCEPT'

Using OpenVPN LuCI app made flipping VPNs easy. And using the same interface as well.

Perhaps script the equivalent UCI changes and a reload of the network.

If you want to get fancy, you could even bind it to a key/switch action.
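
The scripted UCI change and reload suggested above, as an added example that is not part of the thread and not GL.iNet's script. The profile names `p1` and `p2` are hypothetical, the keys and endpoints are the two posted in the question, and it assumes the peer is the first `wireguard_wg0` section and that all profiles share wg0's private key and address.

```shell
#!/bin/sh
# Added example: point wg0's single peer at another stored profile.
# Profile names p1/p2 are hypothetical; keys and endpoints are from the thread.
# Assumes every profile shares wg0's private key and address.
IFACE=wg0

# Profile name -> "public_key endpoint_host endpoint_port"
profile_lookup() {
	case "$1" in
		p1) echo "Rzh64qPcg8W8klJq0H4EZdVCH7iaPuQ9falc99GTgRA= 103.231.88.2 51820" ;;
		p2) echo "TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI= 185.200.118.100 51820" ;;
		*) return 1 ;;
	esac
}

# Shape check only: a 32-byte WireGuard key is 43 base64 characters plus '='.
valid_pubkey() {
	[ "${#1}" -eq 44 ] || return 1
	case "$1" in
		*[!A-Za-z0-9+/=]*) return 1 ;;
		*=) return 0 ;;
		*) return 1 ;;
	esac
}

# Print the `uci batch` commands for a profile; no output on bad input.
profile_batch() {
	p=$(profile_lookup "$1") || return 1
	set -- $p
	valid_pubkey "$1" || return 1
	sec="network.@wireguard_${IFACE}[0]"
	printf "set %s.public_key='%s'\n" "$sec" "$1"
	printf "set %s.endpoint_host='%s'\n" "$sec" "$2"
	printf "set %s.endpoint_port='%s'\n" "$sec" "$3"
}

# Stage the change, drop it again if `uci batch` fails, then restart wg0.
switch_profile() {
	cmds=$(profile_batch "$1") || { echo "unknown or invalid profile: $1" >&2; return 1; }
	printf '%s\n' "$cmds" | uci batch || { uci revert network; return 1; }
	uci commit network && ifup "$IFACE"
}

# Touch the router only when a profile name is given, e.g. `sh wg-switch.sh p2`.
[ $# -eq 0 ] || switch_profile "$1"
```

Because only the peer's public key and endpoint change, `/etc/config/firewall` and the `wg0` interface section stay untouched between switches.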

GL.inet is nice enough to provide the packages they use on github here https://github.com/gl-inet/glinet

Choose any folder for device architecture and look for gl-wg-xxxxxxx.ipk for the client and gl-wg-server-xxxxxx.ipk for the server.

If your home router has the same architecture as the folders in that github (check the OpenWrt table of hardware in the wiki) AND it is running OpenWrt 18.06 you can try installing the packages of the right architecture manually from there.

You can also open the packages and extract the logic you want, and then you can try copying that manually on your router.

The function you want is done by a shell script in /etc/init.d folder plus some config files so it's just a text file with human-readable Linux shell code, nothing fancy.
Afaik gl.inet are not changing wireguard binary so it should still work the same with OpenWrt's wireguard packages.

Download the packages to your PC and open them with an archiving application that can understand common Linux compressed files like tar.gzip. Try with Peazip if you don't have any such application https://www.peazip.org/

You will find data.tar.gz files inside. Extract them and you will get the folders and scripts these packages add.