OpenWRT WireGuard VPN Server Tutorial

From KB42

Latest revision as of 15:33, 14 February 2024

Introduction

I recently figured out how to set up a WireGuard VPN on my Raspberry Pi 3 running OpenWRT and I decided to write an up-to-date guide on how to do it. It should work on any device running a recent-ish build of OpenWRT/LEDE, provided you have enough storage space for it.

This lets you reach your home network from anywhere and, if you want, route all of your traffic through your home internet connection, which gets you past content filters at school or work. Be clear about what the encryption covers: traffic is encrypted between your device and your OpenWRT box, so it is hidden from whatever network you're on, but from the router onward it leaves your home connection exactly as it would if you were sitting at home.

I don't use IPv6 on my network so you'll have to figure that stuff out for yourself.

Before you begin, a warning: setting up WireGuard may drop the device's internet connection a few times, so make sure nobody else needs it while you work.

Step 1: Installing the packages

SSH into your OpenWRT device and run the following:

opkg update
# wireguard-tools provides the wg command; luci-proto-wireguard adds the "WireGuard VPN" interface type to LuCI
opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools
reboot

(protip: Windows 10 has a built-in SSH client, so you don't need PuTTY. You can also install these packages from LuCI under System>Software.) On newer OpenWRT releases some of these package names have been merged or are pulled in automatically as dependencies; if opkg says one of them is not found, install the rest. wireguard-tools and luci-proto-wireguard are the two you actually need.

Step 2: Creating a firewall rule

Go into LuCI and head to Network>Firewall>Port Forwards

Create a new rule using the following input:

Name: WireGuard
Protocol: UDP
External Zone: WAN
External Port: 1234
Internal Zone: LAN
Internal IP Address: <The IP address of your device, mine is 192.168.1.1>
Internal Port: 1234

Click Add, then Save & Apply. This opens UDP port 1234 on the WAN side so your VPN clients (phone, laptop etc.) can reach the WireGuard listener from the internet. The same thing can be done with a Traffic Rule (Network>Firewall>Traffic Rules: accept incoming UDP 1234 from the WAN zone to the device itself), which is the more direct form, since the traffic terminates on the router rather than being forwarded to a LAN host. The port number is arbitrary, just use the same one everywhere. Nothing about it needs to be secret: WireGuard silently drops packets that don't authenticate, so a port scanner sees nothing listening there.

Step 3: Generating the keys

SSH into your OpenWRT device and run the following:

umask 077 && wg genkey > privkey   # umask 077: the private key file is created readable by root only
cat privkey | wg pubkey > pubkey   # derive the public key from the private one
cat /root/pubkey
cat /root/privkey

This creates two files in the /root/ directory of your device (the directory you land in when you SSH in as root), pubkey and privkey. Thanks to the umask 077, privkey is readable only by root; leave it that way.

The public key is not secret, so you can email it to yourself or transfer it to your phone any way that's convenient. You'll need it when setting up the VPN connection in Step 5.

The private key is the other half: anyone who has it can impersonate your router to your clients. Copy it to your clipboard only to paste it into LuCI in Step 4, don't save it anywhere else (notes, email), and clear the clipboard afterwards.

Step 4: Setting up the WireGuard interface
  1. Go into LuCI and head to Network>Interfaces>Add New Interface
  2. Set the name of the new interface as wg0
  3. Set the protocol to WireGuard VPN
  4. Click Submit
  5. Paste the private key you got from Step 3 into the Private Key field
  6. Set the listen port to 1234
  7. In the IP Addresses field, type 10.14.0.1/24

Go to the Firewall Settings tab and assign the interface to your LAN zone if it hasn't been assigned automatically. VPN clients then get exactly the same access as a device plugged into your LAN, including the LAN zone's forwarding to WAN, which is what gives them internet through your home connection. If you want to keep VPN clients separate from your LAN devices, create a dedicated firewall zone for the WireGuard interface instead, and remember that a new zone forwards nowhere until you allow it: it needs forwarding to WAN for internet access, and to LAN for whichever internal hosts you do want reachable.

Click Save & Apply

Step 5: Setting up the VPN connection on an Android device
  1. Download the WireGuard app from the Play Store or F-Droid or whatever is your preferred source of apps
  2. Open the WireGuard app
  3. Tap the plus icon and go to "Create from scratch"
  4. Make up a name for your VPN connection
  5. Tap "Generate" to generate yourself a public and private key
  6. In the Addresses field, type 10.14.0.3/32
  7. Leave the Listen Port and MTU fields empty unless you need to change them for whatever reason
  8. In the DNS servers field, type the address of your home DNS server (with wg0 in the LAN zone, the router itself at 10.14.0.1 usually answers out of the box, and you get your local hostnames too) or a public resolver of your choice (e.g. 1.1.1.1). Without this, name lookups can keep going to the local network's resolver while the tunnel is up.
  9. Tap Add Peer
  10. Paste the Public Key from the /root/ directory of your OpenWRT device
  11. Leave the Pre-shared key field blank. (WireGuard supports an optional pre-shared key on top of the public-key handshake, generated on the router with the same wg tool you used in Step 3; if you set one, the same value must be entered on both peers.)
  12. In the Allowed IPs field, type 0.0.0.0/0, ::/0. This routes everything through the tunnel. Add ::/0 even if you aren't using IPv6: it stops the phone from sending IPv6 traffic outside the tunnel when it's on an IPv6-enabled network. Mind the prefix length: a bare ::0 without the /0 is parsed as a single address, not a catch-all, so the leak it was meant to stop would remain.
  13. In the Endpoint field, type the public (WAN) IP address or domain name of your OpenWRT device, followed by a colon and the port number from Step 2. For example: 69.65.164.12:1234. If your ISP changes your address from time to time, use a dynamic DNS name here instead of the raw IP.
  14. In the Persistent Keepalive field, type 25 (seconds). This keeps the NAT mapping on whatever network the phone is on alive, so the router can still reach it.
  15. Save the connection

Step 6: Adding your phone to the list of allowed peers

Now you have to register your phone as a peer to your OpenWRT device. To do this:

  1. In the WireGuard app, copy your Public Key (the one you generated earlier) to the clipboard
  2. Go into LuCI and head to Network>Interfaces
  3. Click Edit on the WireGuard interface
  4. Go to the Peers section and click Add
  5. Paste the Public Key from your phone into the Public Key field
  6. In the Allowed IPs field, type 10.14.0.3/32. This is the only source address the router will accept from this peer, so every client needs its own address and its own key pair.
  7. Check the Route Allowed IPs checkbox
  8. Leave the Endpoint Host and Endpoint Port fields blank
  9. In the Persistent Keepalive field, type 25
  10. Click Save & Apply
  11. Reboot the OpenWRT device, either through LuCI>System>Reboot or by typing reboot in SSH (restarting just the wg0 interface from Network>Interfaces is enough if you'd rather not reboot)
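The same setup written out as the UCI config files that LuCI edits behind the scenes, plus the phone's side as a wg-quick style file. This is an added example and not part of the original page: the key placeholders and the hostname vpn.example.com are assumptions, and the firewall part uses a plain accept rule in place of the Step 2 port forward (same effect, since the traffic terminates on the router).

```text
# /etc/config/network  (Steps 4 and 6)
config interface 'wg0'
    option proto 'wireguard'
    option private_key '<server private key, the contents of /root/privkey>'
    option listen_port '1234'
    list addresses '10.14.0.1/24'

# One section per peer. The suffix after "wireguard_" must match the interface name.
config wireguard_wg0
    option description 'phone'
    option public_key '<public key shown in the WireGuard app>'
    list allowed_ips '10.14.0.3/32'
    option route_allowed_ips '1'
    option persistent_keepalive '25'

# /etc/config/firewall  (Step 2, as an accept rule rather than a port forward)
config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option proto 'udp'
    option dest_port '1234'
    option target 'ACCEPT'

# In the existing "config zone" section whose name is 'lan', add (Step 4):
    list network 'wg0'

# phone.conf  (Step 5 in wg-quick format; the Android app can import this file
# or a QR code of it instead of typing the fields by hand)
[Interface]
PrivateKey = <phone private key, stays on the phone>
Address = 10.14.0.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = <contents of /root/pubkey on the router>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:1234
PersistentKeepalive = 25
```

After editing the files on the router, reload network and firewall (Save & Apply in LuCI does the same), and the phone should show up as a peer in the output of wg show wg0. Each additional client gets its own wireguard_wg0 section with a fresh key pair and a different /32.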

Step 7: Testing the VPN Connection

Theoretically, everything should be finished now. To test it, go into the WireGuard app and enable the VPN connection, then open a browser: if you have internet connectivity, it worked. :) For a more convincing check, open the tunnel's details in the app: "Latest handshake" should show a time a few seconds old and the transfer counters should grow as you browse. If a handshake never appears, the usual culprits are a mistyped public key on either side (the router's in Step 5, the phone's in Step 6), the UDP port not reaching the router (Step 2), or a wrong Endpoint. To confirm traffic really leaves via home, look up your public IP from the phone while connected: it should be your home address, and you should be able to reach a device on your LAN by its 192.168.1.x address.

(protip: The WireGuard app has its own quick settings tile, so you can add it to your quick settings panel for ease of access)
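An added sanity-check script for this step, not part of the original page: it classifies each peer from the router's wg show wg0 dump output (handshake within the last few minutes, stale, or never), checks that a key is shaped like a real WireGuard key, and flags an AllowedIPs list with a bare address such as ::0 in place of ::/0. It uses only POSIX sh and awk so it runs on the router's busybox. The peer table it checks here is a constructed sample with fake keys, and the function names are mine.

```shell
#!/bin/sh
# wg_check.sh (added example): sanity checks for the setup in this guide.
# POSIX sh + awk only, so it runs on OpenWRT's busybox as well as a desktop.

# A peer whose last handshake is older than this is reported as stale.
# WireGuard rekeys roughly every 2 minutes while traffic flows, so
# 3 minutes without a handshake means the tunnel is not actually passing data.
STALE_AFTER=180

# Succeed when KEY looks like a WireGuard key: 32 random bytes in base64,
# i.e. 43 base64 characters plus one '=' of padding, where the 43rd character
# must have its two padding bits clear (the same check wg itself makes).
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Succeed when every entry of an AllowedIPs list carries an explicit prefix
# length. WireGuard treats a bare address as /32 (IPv4) or /128 (IPv6), so a
# bare "::0" matches exactly one address; the IPv6 catch-all is "::/0".
allowed_ips_ok() {
    if printf '%s' "$1" | tr ',' '\n' | tr -d ' ' | grep -qv '/'; then
        return 1    # found an entry with no '/'
    fi
    return 0
}

# State of one peer in `wg show <iface> dump` output.
#   $1 = dump text   $2 = current epoch seconds   $3 = peer public key
# Prints one of: never (no handshake yet), stale, ok, unknown (no such peer).
# Dump format: line 1 is the interface (private key, public key, port, fwmark);
# every further line is a peer: pubkey, psk, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.
peer_state() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v key="$3" -v stale="$STALE_AFTER" '
        NR > 1 && $1 == key {
            if ($5 == 0) print "never";
            else if (now - $5 > stale) print "stale";
            else print "ok";
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# One report line per peer, same classification as peer_state.
report() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v stale="$STALE_AFTER" '
        NR > 1 {
            state = ($5 == 0) ? "never" : (now - $5 > stale ? "stale" : "ok");
            printf "%-7s %s endpoint=%s allowed=%s rx=%s tx=%s\n", state, $1, $3, $4, $6, $7
        }'
}

# ---- constructed sample data: fake keys shaped like real ones ----
SERVER_PUB=$(printf 'FAKEserverPUBLICkey%024d=' 0)
PHONE_PUB=$(printf 'FAKEphonePUBLICkey%025d=' 0)
LAPTOP_PUB=$(printf 'FAKElaptopPUBLICkey%024d=' 0)
NOW=1700000100
# The phone handshook 100 s before NOW; the laptop (added with a mistyped key, say) never did.
SAMPLE_DUMP=$(
    printf '%s\t%s\t1234\toff\n' '(hidden)' "$SERVER_PUB"
    printf '%s\t(none)\t203.0.113.7:51820\t10.14.0.3/32\t1700000000\t123456\t654321\t25\n' "$PHONE_PUB"
    printf '%s\t(none)\t(none)\t10.14.0.4/32\t0\t0\t0\toff' "$LAPTOP_PUB"
)

main() {
    for k in "$SERVER_PUB" "$PHONE_PUB" "$LAPTOP_PUB" 'notakey'; do
        valid_wg_key "$k" && echo "key ok:  $k" || echo "key BAD: $k"
    done
    for a in '0.0.0.0/0,::0' '0.0.0.0/0, ::/0'; do
        allowed_ips_ok "$a" && echo "AllowedIPs ok:  $a" || echo "AllowedIPs BAD: $a (entry without prefix length)"
    done
    echo "--- peers at $NOW ---"
    report "$SAMPLE_DUMP" "$NOW"
    # On the router, check the live table instead of the sample:
    #   report "$(wg show wg0 dump)" "$(date +%s)"
}

main
```

On the router itself the interesting call is the commented one at the end, with the live dump and the current time; a peer reported as "never" after you've enabled the tunnel on the phone means the handshake is failing, which almost always comes down to a key or endpoint mismatch rather than anything on the LAN side.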