This post briefly describes how to configure an OpenWrt router to function as a WireGuard VPN server. This enables me to have my phone always be securely connected to my home router, from wherever I am.
First, install the WireGuard kernel module and the userspace tools (the wg command used below comes from the wireguard-tools package):
root # opkg update
root # opkg install kmod-wireguard wireguard-tools
Generate a new private and public key pair for the server, and your first peer (e.g. your phone), and a pre-shared key for added post-quantum secrecy:
root # umask 077
root # wg genkey | tee wg0.key | wg pubkey > wg0.pub
root # wg genkey | tee my-phone.key | wg pubkey > my-phone.pub
root # wg genpsk > my-phone.psk
Next, configure a new WireGuard interface:
root # uci set network.wg0='interface'
root # uci set network.wg0.proto='wireguard'
root # uci set network.wg0.private_key="$(cat wg0.key)"
root # uci set network.wg0.listen_port='51820'
root # uci add_list network.wg0.addresses='192.168.88.1/24' # example private IPv4 subnet
root # uci add_list network.wg0.addresses='2a0b:abcd:1234:5678::1/64' # example public IPv6 subnet, if available
root # uci add_list network.wg0.addresses='fd12:3456:789a::1/64' # ULA IPv6 subnet; the peer below gets an address from it
root # uci commit network
Assign the new WireGuard interface wg0 to your LAN zone, and open the port on your WAN zone (e.g. 51820/udp):
root # uci add_list firewall.lan.network='wg0'
root # uci set firewall.wg_rule='rule'
root # uci set firewall.wg_rule.name='Allow-WireGuard'
root # uci set firewall.wg_rule.src='wan'
root # uci set firewall.wg_rule.dest_port='51820'
root # uci set firewall.wg_rule.proto='udp'
root # uci set firewall.wg_rule.target='ACCEPT'
root # uci commit firewall
Now you can add a peer (e.g. your phone). Only the phone's public key and the pre-shared key go into the server configuration; the phone's private key stays on the phone. Each allowed_ips entry is a single host (/32 or /128), since a wider prefix would route the whole subnet to that one peer:
root # uci add network wireguard_wg0
root # uci set network.@wireguard_wg0[-1].description='my-phone'
root # uci set network.@wireguard_wg0[-1].public_key="$(cat my-phone.pub)"
root # uci set network.@wireguard_wg0[-1].preshared_key="$(cat my-phone.psk)"
root # uci add_list network.@wireguard_wg0[-1].allowed_ips='192.168.88.2/32'
root # uci add_list network.@wireguard_wg0[-1].allowed_ips='fd12:3456:789a::2/128'
root # uci add_list network.@wireguard_wg0[-1].allowed_ips='2a0b:abcd:1234:5678::2/128'
root # uci commit network
Reload / restart the network and firewall services:
root # /etc/init.d/network reload
root # /etc/init.d/firewall restart
Now you can transfer the matching peer configuration to your device. You could type everything into your phone manually, or create a configuration file, convert it to a QR code, and scan that with your phone. The [Peer] section of the phone's configuration describes the server, so it carries the server's public key (wg0.pub), not the phone's own:
root # cat <<EOF > my-phone.conf
[Interface]
PrivateKey = $(cat my-phone.key)
Address = 192.168.88.2/32, fd12:3456:789a::2/64, 2a0b:abcd:1234:5678::2/64
DNS = 9.9.9.9
[Peer]
PublicKey = $(cat wg0.pub)
PresharedKey = $(cat my-phone.psk)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = public.ip.of.server:51820
PersistentKeepalive = 25
EOF
Note: the above uses Quad9 as the DNS resolver. You may change it to something else, or even your local DNS resolver. Also note that AllowedIPs = 0.0.0.0/0, ::/0 sends the device's traffic to any IP address, both local and on the Internet, through the tunnel.
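The two mistakes that are easiest to make in the steps above are putting the wrong public key into the phone's [Peer] section and giving the server-side peer a subnet instead of a single host in allowed_ips. The following POSIX sh script is an added example, not code from the original post: make_client_conf builds the phone's configuration from the key material, and check_client_conf verifies that the [Peer] PublicKey equals the server's public key and that every Address on the phone has a matching /32 or /128 entry in the server's allowed_ips list. The key strings, endpoint and addresses used in the usage lines are constructed placeholders; on the router you would pass "$(cat my-phone.key)", "$(cat wg0.pub)" and "$(cat my-phone.psk)" instead.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the phone's WireGuard
# client config and cross-checks it against the server-side peer settings.
# Assumption: key material and addresses are passed as arguments, so no
# `wg` binary is needed to run the checks.

# make_client_conf CLIENT_PRIV SERVER_PUB PSK ENDPOINT ADDRESS...
# Prints a wg-quick style config. The [Peer] section describes the server,
# so it carries the server's public key (wg0.pub), never the phone's own.
make_client_conf() {
    client_priv=$1; server_pub=$2; psk=$3; endpoint=$4
    shift 4
    addrs=$(printf '%s, ' "$@"); addrs=${addrs%, }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 9.9.9.9\n\n' \
        "$client_priv" "$addrs"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\n' "$server_pub" "$psk"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = %s\nPersistentKeepalive = 25\n' \
        "$endpoint"
}

# check_client_conf CONF_FILE SERVER_PUB ALLOWED_IP...
# ALLOWED_IP... are the allowed_ips entries configured for this peer on the
# router. Returns 0 when:
#  1. the [Peer] PublicKey in the client config is the server's public key, and
#  2. every Address in the client config appears on the server as a single
#     host (/32 for IPv4, /128 for IPv6); a wider prefix would hand the whole
#     subnet to this one peer and break as soon as a second peer is added.
check_client_conf() {
    conf=$1; server_pub=$2
    shift 2
    peer_pub=$(sed -n 's/^PublicKey *= *//p' "$conf")
    if [ "$peer_pub" != "$server_pub" ]; then
        echo "[Peer] PublicKey does not match the server's public key"
        return 1
    fi
    addr_line=$(sed -n 's/^Address *= *//p' "$conf")
    for a in $(printf '%s' "$addr_line" | tr ',' ' '); do
        host=${a%/*}
        case $host in
            *:*) want="$host/128" ;;
            *)   want="$host/32" ;;
        esac
        found=0
        for ip in "$@"; do
            [ "$ip" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "server allowed_ips lacks $want"; return 1; }
    done
    return 0
}

# Usage with constructed placeholder values (real keys are base64 from wg genkey):
#   make_client_conf CLIENTPRIV= SERVERPUB= PSK= vpn.example.net:51820 \
#       192.168.88.2/32 fd12:3456:789a::2/128 > my-phone.conf
#   check_client_conf my-phone.conf SERVERPUB= 192.168.88.2/32 fd12:3456:789a::2/128
```

check_client_conf derives the expected host prefix from the client's Address entries, so it also works when the phone's Address line uses /64 as in the post: what must be a single host is the server-side allowed_ips entry, not the phone's own address prefix.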
Now you can generate a QR code using that new configuration file:
root # opkg install qrencode # in case not yet installed
root # qrencode -t ansiutf8 < my-phone.conf
[QR code output shown here in the original post]
Note: the above is a mock QR code. Don't bother scanning it.