diff --git a/_posts/2024-02-24-Wireguard_on_openwrt_behind_isp_router.md b/_posts/2024-02-24-Wireguard_on_openwrt_behind_isp_router.md index 9153fb7b58133..fbf4cd4cce945 100644 --- a/_posts/2024-02-24-Wireguard_on_openwrt_behind_isp_router.md +++ b/_posts/2024-02-24-Wireguard_on_openwrt_behind_isp_router.md @@ -5,18 +5,18 @@ title: Wireguard VPN on openWRT router behind ISP router Used sources * https://forum.openwrt.org/t/wireguard-server-on-openwrt-router-behind-isp-router-firewall-config/189027/20 * https://openwrt.org/docs/guide-user/services/vpn/wireguard/basics - +* My own experience to get this working :) # Goal and introduction If I am away form home, for instance on holiday, I want to have access to my LAN, including all equipment attached to the LAN. -I was using Openvpn on openWRT for that. That was working. -But after upgrading openwrt I lost the configuration of openvpn, and I knew it was a big hassle to get it working again. +I was using OpenVPN on OpenWRT for that. That was working. +But after upgrading OpenWRt I lost the configuration of OpenVPN, and I knew it was a big hassle to get it working again. -I read somewhere that *wireguard* should be better and simpler. So I decided to give wireguard a try. +I read somewhere that *Wireguard* should be better and simpler. So I decided to give Wireguard a try. The configuraion appeared to be not that simple, at least not if you are not a network expert. -I tried for several days to get it working myself, but get stuck. So finally I asked for help in the openwrt forum. And there are a lot of experts willing to help, and I got in working within one day. +I tried for several days to get it working myself, but get stuck. So finally I asked for help in the OpenWRT forum. And there are a lot of experts willing to help, and I got in working within one day. This post describes what I have done. I hope it will be helpfull for others. 
@@ -28,9 +28,10 @@ Configuration * ISP router * 192.168.2.254 -* openwrt router +* OpenWRT router * 192.168.2.253 (WAN interface) * 192.168.1.1 (internally) + * 192.168.1.0/24 LAN network # How wireguard works 
@@ -61,24 +62,24 @@ Wireguard uses the public key to uniquely identify and route a client. This mean * `wg genkey | tee wg.key | wg pubkey > wg.pub` * Use the wg.key file to configure the WireGuard interface on this router. * Use the wg.pub file to configure peers that will connect to this router through the WireGuard VPN. - * restart network (can be done via luci-system-startup-initscript-network-restart), but easiest is via CLI `/etc/init.d/network restart' - * setting up network + * Restart network (can be done via luci-system-startup-initscript-network-restart), but easiest is via CLI `/etc/init.d/network restart' + * Setting up network * To create a new WireGuard interface go to LuCI Network Interfaces Add new interface... and select WireGuard VPN from the Protocol dropdown menu. * select the keys generated in step2 above * IP addresses: 10.0.0.1/32 (the IP address of the wireguard interface) - * monitoring status: either via luci-status-wireguard, or CLI `wg`. The wg command should give the wg interface, and all peers that have completed a succesfull handshake (exchange of private/public keys). + * Monitoring status: either via luci-status-wireguard, or CLI `wg`. The wg command should give the wg interface, and all peers that have completed a succesfull handshake (exchange of private/public keys). 
-* on ISP modem - * ensure that port 51820 is forwarded to Openwrt, or put Openwrt in the DMZ of your ISP router -* on openwrt +* On ISP modem + * Ensure that port 51820 (the default port used by Wireguard) is forwarded to OpenWRT, or put Openwrt in the DMZ of your ISP router +* On openwrt * luci-network-firewall, select tab traffic rules; add rule * name: wireguard * protocol: UDP (wg uses UDP) * source zone: WAN (packets originate from outside world) * source address: any IP (the IP of the client is not known) * source port: any (also not known) - * destination zone: Device (input); the packet should be handled by wg on openwrt - * destination address: add IP (not filled in) + * destination zone: Device (input); the packet should be handled by wg on OpenWRT + * destination address: (leave empty) * destination port: 51820 (we use this default port for wg) * action: accept * luci-network-firewall, tab 'general settings' 
@@ -139,26 +140,26 @@ config forwarding ## Client on IOS and Android I have done this on iphone (IOS 17.3) and Android (13). -* install the wireguard app -* on openwrt +* Install the Wireguard app +* On OpenWRT * goto luci-interfaces-wireguard and select tab 'peers'. * click on 'add peer' and fill in * name; * click 'generate new key pair', - * for Allowed IPs fill in '10.0.0.2/32'; this is the IP address of the client; **do not fill in here the IP-range of the subnet that you want to be able to reach from remote location; this address range need only be filled in on the client config (see below)** + * for Allowed IPs fill in '10.0.0.2/32'; this is the IP address of the client; **do not fill in here the IP-range of the subnet that you want to be able to reach from remote location; this address range needs only be filled in on the client config (see below)** * Route Allowed IPs: yes. - * endpoint host: the url of your home, or the **external** IP address of your ISP router (if not known, google 'find my ip address' + * endpoint host: the url of your home, or the **external** IP address of your ISP router (if not known, google 'what is my ip address' * endpoint port: 51820 - * keepalive: 25 + * keepalive: 25 (not necessary) * now it should be possible to click on 'generate configuration' QR-code -* on client +* On client * add new tunnel by clicking on '+' sign, and scan the QR code * edit the new tunnel to check the settings * set DNS to 9.9.9.9 * set AllowedIPs to 192.168.1.0/24 #the address range of the subnet that should be reachable via wg. If you want all traffic to be routed via wg, the fill in `0.0.0.0/0` for IPv4. - * set endpoint to `:51820` + * set endpoint to `:51820` -If you want to add more peers, then each peer must have a unique IP-address; So the next peer could have address `10.0.0.03/32`. 
After you added a new client following the above procedure, and assigning a unique IP-address, you have to restart the network `/etc/init.d/network restart`, then activate the connection at the client, and check on openwrt via `wg` whether you see the newly added client. +If you want to add more peers, then each peer must have a unique IP-address; So the next peer could have address `10.0.0.03/32`. After you added a new client following the above procedure, and assigning a unique IP-address, you **have to restart the network** `/etc/init.d/network restart`, then activate the connection at the client, and check on openwrt via `wg` whether you see the newly added client. **NB: you MUST restart the network (for instructions see above) after adding a new peer (client), otherwise the peer will not get a handshake!**
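Review bot: the rewritten line `But after upgrading OpenWRt I lost the configuration of OpenVPN` in the first hunk introduces a new typo ("OpenWRt") while fixing the old lowercase one; the project's own spelling is "OpenWrt", the same hunk uses "OpenWRT" in its other lines, and the title line `Wireguard VPN on openWRT router behind ISP router` is a third variant, so pick one spelling and apply it throughout the post. While these lines are being touched, the remaining typos in the same paragraphs could go too: "away form home" (from), "but get stuck" (got stuck), "I got in working" (it working), "configuraion" (configuration), "helpfull" (helpful).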
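Review bot: the added bullet `* 192.168.1.0/24 LAN network` in the configuration hunk is worth keeping because the client-side AllowedIPs instruction later in the post refers to exactly this range; for the same reason it would help to list the tunnel addresses (10.0.0.1 for the router interface, 10.0.0.2 and upwards for clients, as used later in the post) alongside it, so both address spaces are visible in one place before the reader reaches the firewall and peer sections. Style point: the heading `# How wireguard works` in the trailing context still uses lowercase while the hunk capitalises "Wireguard" elsewhere (upstream spells it "WireGuard").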
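Review bot: the CLI command in the rewritten line `Restart network (can be done via luci-system-startup-initscript-network-restart), but easiest is via CLI \`/etc/init.d/network restart'` is opened with a backtick but closed with an apostrophe (the same defect as in the removed line), so it will not render as code; close it with a backtick. In the same hunk, the ISP-modem bullet `Ensure that port 51820 (the default port used by Wireguard) is forwarded to OpenWRT, or put Openwrt in the DMZ of your ISP router` presents the two options as equivalent, but the DMZ option exposes every port of the OpenWRT WAN interface to the internet, whereas forwarding only UDP 51820 is all the firewall rule described in this hunk needs; the text should recommend the single-port forward and mention the DMZ only as a fallback. The spelling also wobbles within that line ("OpenWRT" / "Openwrt") and in `* On openwrt`, and the typo "succesfull" in the monitoring line survived the rewrite.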
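Review bot: the client-side bullet `set endpoint to \`:51820\`` has no host in front of the colon in either the old or the new line, so the reader cannot tell what belongs there; it should carry an explicit placeholder for the same hostname or external IP that was entered as 'endpoint host' on the OpenWRT side, e.g. `set endpoint to \`<your-home-hostname-or-external-ip>:51820\``. Further points in this hunk: the example address `10.0.0.03/32` has a leading zero in the last octet and should be `10.0.0.3/32` (inconsistent with `10.0.0.2/32` above, and some parsers treat a zero-prefixed octet as octal); the new `keepalive: 25 (not necessary)` adds the parenthetical without a reason, and a short clause on when persistent keepalive matters (keeping the NAT mapping open so an idle client behind NAT stays reachable) would stop readers from removing it blindly; the line `if not known, google 'what is my ip address'` is missing its closing parenthesis; `needs only be filled in` should read `only needs to be filled in`; and the final `**NB: you MUST restart the network ...**` sentence restates the `you **have to restart the network**` sentence immediately before it, so keep one of the two.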