Hello Team,
Firstly, I would like to apologize if this information is already somewhere, but honestly I have been struggling to find it for the past ... number of days.
Nevertheless...
So the overall target is that I may be able to forward all traffic from my mobile phone (on Android) through a VPN channel and to go out of my home router, which has OpenWRT 21.02.1 and WireGuard (more details down below). Also, to be able to reach my home network devices from within the VPN with internal addresses (e.g. to avoid having to expose the traffic from my local LAN camera to the WAN).
What I have done so far:
- Installed OpenWRT on the router (Cisco WRT610N v1)
- Setup the router as follows:
- Set daily router reboot at 4:30am using a cron job
- WAN connection: PPPoE
- LAN router address: 192.168.1.1
- Set the Wireless configs
Afterwards I started on my aim with WireGuard:
- Installed WireGuard by following the below steps:
- SSH into the router via:
ssh root@192.168.1.1
- Refresh the package lists so they are ready to be updated:
opkg update
- Start installing in dependency order:
opkg install zlib
opkg install libnl-tiny libelf1 libcap
opkg install kmod-udptunnel4 kmod-udptunnel6 libmnl0 ip-full
opkg install kmod-wireguard luci-proto-wireguard wireguard-tools libqrencode
opkg install luci-app-wireguard qrencode
opkg install luci-i18n-wireguard-en
- Reboot the router from System > Reboot
- Voila!
- Checked Status > WireGuard
- Created a dummy network interface that uses WireGuard
- Checked Status > WireGuard again and saw that all data is present on the page: QR code, Configuration section (with Public key and Port) and Peer (with Public key, Latest Handshake, Data Received and Data Transmitted)
- Then I followed the OpenWRT Wiki's WireGuard server guide from here
Note: The only exception is that I did not use the row below, as I do not intend to use IPv6 at all:
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
- The sequence of all exact commands will be shared either at the bottom of the current message or within the first comment of the thread
- Note: After step #3, upon firewall restart I received a warning that the interface device had not been found, hence I continued, and after fully configuring the network interface I restarted the firewall again; at that time no warning about a missing WireGuard interface was returned
- Downloaded the WireGuard app on my Xiaomi Redmi Note 9 Pro (OS: MIUI 12.5.6; Android version: 11 RKQ1.200826.002)
- On the phone, inside the WireGuard app, using the + button I initiated the creation of a new entry for a VPN connection, then used the "Scan from QR code" option, as I had the QR code generated in Status > WireGuard. After scanning, it asked me to enter a name for the entry and I saved it as is. Then I realized a few additional fields had to be configured:
- Addresses - this is where I entered the static public IPv4 address of my router (upon save it was automatically converted to ipv4_address/32)
- Listen port - I added the port that I used during the configuration of WireGuard in step #6 above (Port: 51820)
With all of the above, upon flipping the toggle in the mobile app, it seems that a VPN tunnel is being established, but I do not see it in the GUI of OpenWRT anywhere. As well, when trying to browse or even to ping the router from the phone, it simply does not go through.
Would you kindly assist me to achieve my overall target, please?
==============================================================
Sequence of commands used for WireGuard server configuration:
- Preparation - Configure the parameters
WG_IF="WireGuard_VPN"
WG_PORT="51820"
WG_ADDR="192.168.1.1/24"
WG_ADDR6="fe80::b9d3:2c9f:3e20:8618/128"
- Key management
- On the router, go to the dedicated directory (you may need to create it first):
cd /tmp/VPN
- Generate the keys:
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
# Server private key
WG_KEY="$(cat wgserver.key)"
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
# Client public key
WG_PUB="$(cat wgclient.pub)"
- (for long-term storage purposes) On the PC, go to a designated directory for storing the keys and copy them from the router:
cd C:\Users\anton.to\Downloads
scp root@192.168.1.1:/tmp/VPN/* .
root@192.168.1.1's password:
wgclient.key 100% 45 14.6KB/s 00:00
wgclient.psk 100% 45 16.7KB/s 00:00
wgclient.pub 100% 45 21.9KB/s 00:00
wgserver.key 100% 45 21.7KB/s 00:00
wgserver.pub 100% 45 14.7KB/s 00:00
- Configure the router's firewall:
- Note: A warning that "WireGuard_VPN" device has not been found might be printed out upon Firewall restart
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
- Configure the router's network interfaces
- Create a network device:
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
- Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.140/29"
uci commit network
/etc/init.d/network restart
- Restart Firewall once again
/etc/init.d/firewall restart
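Editor's added example (not the poster's commands, and not taken from the OpenWrt wiki page the post follows). It shows the one thing the router side and the phone profile have to agree on: the tunnel is its own subnet, distinct from the LAN, the router holds one address in it and the phone another, and on the phone the router's public IP belongs in Endpoint, not in Address. With WG_ADDR set to the LAN address itself (192.168.1.1/24, as in the post), the same 192.168.1.0/24 connected route ends up on both br-lan and the WireGuard interface, so the script below includes a CIDR overlap check that rejects that choice. All names and numbers are assumptions chosen for illustration: tunnel subnet 192.168.9.0/24, router 192.168.9.1, phone 192.168.9.2, LAN 192.168.1.0/24, a documentation address 203.0.113.10 standing in for the real public IP, and placeholder strings in place of keys. The firewall part of the posted sequence (WireGuard_VPN in the lan zone plus the Allow-WireGuard UDP rule) is reused unchanged and is not repeated here.

```shell
#!/bin/sh
# Added example for this thread: a tunnel subnet separate from the LAN,
# the matching uci commands for the router, and the phone's client profile.
# Assumed values (illustration only): tunnel 192.168.9.0/24, LAN 192.168.1.0/24,
# public endpoint 203.0.113.10:51820, placeholder strings instead of real keys.

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 (true) when two CIDR blocks share at least one address:
# mask both networks with the shorter of the two prefixes and compare.
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); p1="${1#*/}"
    n2=$(ip2int "${2%/*}"); p2="${2#*/}"
    p=$p1
    if [ "$p2" -lt "$p" ]; then p=$p2; fi
    m=$(( (0xffffffff << (32 - p)) & 0xffffffff ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Refuse a tunnel address that lives inside the LAN; the posted
# WG_ADDR=192.168.1.1/24 fails this check, 192.168.9.1/24 passes.
check_tunnel_net() {
    if cidr_overlap "$1" "$2"; then
        echo "tunnel $1 overlaps LAN $2: pick a different subnet" >&2
        return 1
    fi
    echo "tunnel $1 is separate from LAN $2"
}

# Print the server-side uci commands (same shape as the posted sequence,
# with a dedicated tunnel subnet and the phone's tunnel /32 as allowed_ips).
# Run on the router as:  wg_server_uci ... | sh
wg_server_uci() {
    wg_if=$1 port=$2 addr=$3 key=$4 peer_pub=$5 psk=$6 peer_ip=$7
    cat <<EOF
uci -q delete network.$wg_if
uci set network.$wg_if="interface"
uci set network.$wg_if.proto="wireguard"
uci set network.$wg_if.private_key="$key"
uci set network.$wg_if.listen_port="$port"
uci add_list network.$wg_if.addresses="$addr"
uci -q delete network.wgclient
uci set network.wgclient="wireguard_$wg_if"
uci set network.wgclient.public_key="$peer_pub"
uci set network.wgclient.preshared_key="$psk"
uci add_list network.wgclient.allowed_ips="$peer_ip"
uci commit network
/etc/init.d/network restart
EOF
}

# Print the phone's profile: Address is the phone's tunnel address, Endpoint
# is the router's public IP and port, AllowedIPs 0.0.0.0/0 sends everything
# through the tunnel, DNS points at the router so LAN names resolve.
wg_client_conf() {
    client_key=$1 client_ip=$2 server_pub=$3 psk=$4 endpoint=$5 dns=$6
    cat <<EOF
[Interface]
PrivateKey = $client_key
Address = $client_ip
DNS = $dns

[Peer]
PublicKey = $server_pub
PresharedKey = $psk
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Demo with constructed placeholder keys (replace with wgserver.key etc.).
check_tunnel_net 192.168.9.1/24 192.168.1.0/24
wg_server_uci WireGuard_VPN 51820 192.168.9.1/24 \
    "SERVER_PRIVATE_KEY_PLACEHOLDER" "CLIENT_PUBLIC_KEY_PLACEHOLDER" \
    "PRESHARED_KEY_PLACEHOLDER" 192.168.9.2/32
wg_client_conf "CLIENT_PRIVATE_KEY_PLACEHOLDER" 192.168.9.2/32 \
    "SERVER_PUBLIC_KEY_PLACEHOLDER" "PRESHARED_KEY_PLACEHOLDER" \
    203.0.113.10:51820 192.168.1.1
```

The generated client profile can be pasted into the phone's WireGuard app instead of scanning the router's QR code, which only carries the server's public key and port. Because the WireGuard interface sits in the lan zone in the posted firewall setup, a phone with 192.168.9.2 reaches 192.168.1.x devices directly, and the existing wan masquerade carries its internet traffic out of the PPPoE link.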