Wireguard home server

Hi

I would like to add a WireGuard home server to my home router. The initial goal is to allow connecting my phone to it (as a client) from the Internet using the WireGuard tunnel, and then routing the phone's traffic as normal LAN traffic into the wild. AGH is used as a DNS server on the router.

How do I go about setting this up on the router? Shall I re-use the existing interface with its generated keys (used with the commercial VPN provider peer), or do I need to set up another interface? If another interface, will I be able to re-use it for one more WireGuard tunnel from e.g. a travel router?

My current script to set up the existing WireGuard:

# /etc/config/network

# 1. Configure network interface
uci delete network.wg
uci set network.wg='interface'
uci set network.wg.proto='wireguard'
uci set network.wg.private_key='________________________'
uci add_list network.wg.addresses='aa.bb.cc.dd/__'
uci set network.wg.force_link='1'

# 2. Add VPN peer (VPN server)
uci delete network.wgpeer
uci set network.wgpeer='wireguard_wg'
uci set network.wgpeer.public_key='___________________'
uci set network.wgpeer.description='___________'
uci add_list network.wgpeer.allowed_ips='0.0.0.0/0'
uci set network.wgpeer.route_allowed_ips='1'
uci set network.wgpeer.endpoint_host='aa.bb.cc.dd'
uci set network.wgpeer.endpoint_port='51820'

# 3. Route vpn interface to wg interface (PBR with netifd)
uci set network.lan.ip4table='1'
uci set network.guest.ip4table='2'
uci set network.iot.ip4table='3'
uci set network.vpn.ip4table='4'
uci set network.wg.ip4table='5'

uci delete network.vpn_wg
uci set network.vpn_wg='rule'
uci set network.vpn_wg.in='vpn'
uci set network.vpn_wg.lookup='5'
uci set network.vpn_wg.priority='30000'

# 4. Allow WG internal DNS to prevent DNS leaks
uci delete network.dns_wg
uci set network.dns_wg='rule'
uci set network.dns_wg.dest='aa.bb.cc.dd/__'
uci set network.dns_wg.lookup='5'
uci set network.dns_wg.priority='30000'

# 5. Commit and restart
uci commit network
service network restart

# /etc/config/firewall

# 6. Create 'wgZone' firewall zone
uci delete firewall.wgZone
uci set firewall.wgZone='zone'
uci set firewall.wgZone.name='wgZone'
uci set firewall.wgZone.input='DROP'
uci set firewall.wgZone.output='ACCEPT'
uci set firewall.wgZone.forward='DROP'
uci set firewall.wgZone.masq='1'
uci set firewall.wgZone.mtu_fix='1'
uci add_list firewall.wgZone.network='wg'

# 7. Forwarding from vpn zone to wg zone
uci delete firewall.vpn_wg
uci set firewall.vpn_wg='forwarding'
uci set firewall.vpn_wg.src='vpnZone'
uci set firewall.vpn_wg.dest='wgZone'

# 8. Commit and restart
uci commit firewall
service firewall restart

Thank you.

Set up a new interface. If you're still using the commercial VPN provider, you will also need policy based routing.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

https://openwrt.org/docs/guide-user/network/routing/pbr

3 Likes
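As an added example (not the original poster's script and not code from the linked OpenWrt page), this is the UCI form of the "new interface" the reply recommends: a separate road-warrior server interface with its own key pair, sitting next to the existing `wg` client interface, with one peer section per client so a travel router can be added later as a second peer. The interface name `wg_home`, the `10.10.10.0/24` tunnel subnet, the listen port `51821`, the zone name `wghomeZone` and the key placeholders are all assumptions; generate the keys with `wg genkey` / `wg pubkey` / `wg genpsk` beforehand. The script does not touch the `ip4table` / PBR rules of the existing setup, and by default it only prints the `uci` commands (`DRY_RUN=1`) so it can be reviewed before running it on the router with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: WireGuard "road-warrior" server on OpenWrt as a second
# interface next to the existing provider-client interface 'wg'.
# All names, addresses and ports below are assumptions for illustration.
# DRY_RUN=1 (default) prints the uci commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

WG_IF=wg_home
WG_ADDR=10.10.10.1/24        # router's address inside the new tunnel (assumed)
WG_PORT=51821                # separate from the provider peer's 51820 (assumed)
SERVER_PRIVKEY="${SERVER_PRIVKEY:-__SERVER_PRIVATE_KEY__}"   # from 'wg genkey'
PHONE_PUBKEY="${PHONE_PUBKEY:-__PHONE_PUBLIC_KEY__}"         # from the phone app
PHONE_PSK="${PHONE_PSK:-__PHONE_PRESHARED_KEY__}"            # from 'wg genpsk'
TRAVEL_PUBKEY="${TRAVEL_PUBKEY:-__TRAVEL_ROUTER_PUBLIC_KEY__}"

configure_wg_server() {
  # 1. New interface with its own key pair: the key of the client interface
  #    'wg' belongs to the provider relationship and is not reused here.
  run uci -q delete network.$WG_IF
  run uci set network.$WG_IF=interface
  run uci set network.$WG_IF.proto=wireguard
  run uci set network.$WG_IF.private_key="$SERVER_PRIVKEY"
  run uci set network.$WG_IF.listen_port="$WG_PORT"
  run uci add_list network.$WG_IF.addresses="$WG_ADDR"

  # 2. One peer section per client. allowed_ips is the client's /32 only, so a
  #    client can never claim another client's (or the LAN's) addresses.
  run uci -q delete network.wg_phone
  run uci set network.wg_phone="wireguard_$WG_IF"
  run uci set network.wg_phone.description=phone
  run uci set network.wg_phone.public_key="$PHONE_PUBKEY"
  run uci set network.wg_phone.preshared_key="$PHONE_PSK"
  run uci add_list network.wg_phone.allowed_ips=10.10.10.2/32
  run uci set network.wg_phone.route_allowed_ips=1

  # Second peer for a travel router: same interface, different key and /32.
  # (If its LAN should be reachable too, that subnet is added to allowed_ips.)
  run uci -q delete network.wg_travel
  run uci set network.wg_travel="wireguard_$WG_IF"
  run uci set network.wg_travel.description=travel-router
  run uci set network.wg_travel.public_key="$TRAVEL_PUBKEY"
  run uci add_list network.wg_travel.allowed_ips=10.10.10.3/32
  run uci set network.wg_travel.route_allowed_ips=1
  run uci commit network

  # 3. Firewall: WAN opens only the UDP listen port; tunnel clients get their
  #    own zone, forwarded to lan (home devices) and wan (Internet, like LAN).
  run uci -q delete firewall.wghome_in
  run uci set firewall.wghome_in=rule
  run uci set firewall.wghome_in.name=Allow-WireGuard-home
  run uci set firewall.wghome_in.src=wan
  run uci set firewall.wghome_in.proto=udp
  run uci set firewall.wghome_in.dest_port="$WG_PORT"
  run uci set firewall.wghome_in.target=ACCEPT

  run uci -q delete firewall.wghomeZone
  run uci set firewall.wghomeZone=zone
  run uci set firewall.wghomeZone.name=wghomeZone
  run uci set firewall.wghomeZone.input=ACCEPT    # lets clients use AGH on the router for DNS
  run uci set firewall.wghomeZone.output=ACCEPT
  run uci set firewall.wghomeZone.forward=REJECT  # no client-to-client forwarding by default
  run uci add_list firewall.wghomeZone.network="$WG_IF"

  for dest in lan wan; do
    run uci -q delete firewall.wghome_$dest
    run uci set firewall.wghome_$dest=forwarding
    run uci set firewall.wghome_$dest.src=wghomeZone
    run uci set firewall.wghome_$dest.dest="$dest"
  done
  run uci commit firewall
}

configure_wg_server
# On the router (DRY_RUN=0) follow up with: service network restart; service firewall restart
```

On the phone, the client config then uses the router's public WAN address and port 51821 as the endpoint, `AllowedIPs = 0.0.0.0/0`, and `DNS = 10.10.10.1` so that name resolution goes to AGH through the tunnel. Because in the poster's setup the provider's `0.0.0.0/0` route lives only in table 5 (used by the `vpn` interface), the new server's handshake replies leave through the normal WAN default route; if the provider tunnel were the router's main default route instead, that is exactly where the policy-based routing the reply mentions becomes necessary.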

Check that your ISP gives you a public IP address, which is essential to support incoming connections. The wan device IP shown by `ip addr show` (or IPv4 Upstream on the main status LuCI page) must match what is reported when you visit a 'what's my IP' test site.

1 Like

Thanks for the suggestion. I was sure my provider gives me a static IP (this was the promise at least 🙂), but it's not the case.