This example setup configures WireGuard with the VPN subnet of 10.0.10.0/24, listening on port 1234 on the server side. In order to set up the server and one client, you will need to have or create the following:
The pre-shared key (PSK) is an optional security improvement as per the WireGuard protocol and should be a unique PSK per client for highest security.
For more information on how to get started with WireGuard, see the official Quick Start guide.
1) Install WireGuard on the client platform.
If the Turris Omnia is configured to be used as a client to establish a tunnel to a peer WireGuard server, install WireGuard from the OpenWrt repositories using the command:

    opkg install wireguard-tools

2) Generate the client's key-pair; how you do this will depend on the client platform which you are using. You'll also need to obtain or generate the server's public key and pre-shared key, if you've chosen to use one.
Set up the client with the following config, replacing the placeholders to suit your environment:

    [Interface]
    PrivateKey = <Client private key>
    # Switch DNS server while connected.
    # Could be your internal DNS server, used on Omnia, or external
    DNS = <your_server_subnet_IP> # to avoid DNS leaks
    # The addresses the client will bind to. Either IPv4 or IPv6.
    # Make sure to specify individual IPs for remote peers that don't
    # relay traffic and only act as simple clients (/32).
    Address = 10.0.10.1/32

    [Peer]
    PublicKey = <Server public key>
    # Optional key known to both client and server; improves security
    PresharedKey = <Pre-shared key from server for this client>
    # The IP range that we may send packets to for this peer.
    # 0.0.0.0/0 will route all traffic through VPN
    AllowedIPs = 0.0.0.0/0
    # Address of the server
    Endpoint = <server IP>:<server port>
    # Send periodic keepalives to ensure connection stays up behind NAT.
    PersistentKeepalive = 25

Configuring WireGuard requires SSH access to your router in order to run the following commands.
WireGuard requires a number of OpenWrt packages to be installed.

    opkg update
    opkg install luci-proto-wireguard luci-app-wireguard kmod-wireguard wireguard-tools

luci-app-wireguard adds a basic status UI into LuCI; it is recommended but not mandatory.
First, generate a WireGuard key-pair for the server if you've not previously created one, like so. The files don't need to be put anywhere in particular; you'll just need the actual public and private key values for insertion into uci commands or into configuration files.

    # If you don't have a key-pair for the server, generate
    # the server's key-pair and set it to be readable
    # only by the current user.
    mkdir -p /root/wg
    cd /root/wg
    umask 077 && wg genkey > privkey
    # Derive the public key from it
    wg pubkey < privkey > pubkey
    # Optionally, create a pre-shared key (PSK) for a client
    wg genpsk > presharedkey

Now that you have the server's key-pair, choose how you'd like to configure your WireGuard interface.
1) Set the server's network configuration:

    # wg0 is the name of the wireguard interface,
    # replace it if you wish.
    uci set network.wg0="interface"
    uci set network.wg0.proto="wireguard"
    uci set network.wg0.private_key="<Server private key from privkey file>"
    # You may change this port to your liking, ports of popular
    # services get through more firewalls. Just remember it
    # for when you have to configure the firewall later.
    uci set network.wg0.listen_port="1234"
    # Make sure to specify a CIDR range for the entire VPN subnet
    # when defining the remote peer acting as the bounce server (/24)
    uci add_list network.wg0.addresses='10.0.10.0/24'

2) Configure client list:

    # Repeat these steps for all subsequent clients
    # (stick to the wireguard_wg0 name unless you want to create separate wireguard networks)
    uci add network wireguard_wg0
    uci set network.@wireguard_wg0[-1].public_key="<your client's pubkey>"
    # Optionally, set the pre-shared key if one is being used
    uci set network.@wireguard_wg0[-1].preshared_key="<Pre-shared key for this client>"
    # Automatically create routes for this peer's allowed IPs
    uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
    uci add_list network.@wireguard_wg0[-1].allowed_ips="10.0.10.1/32"
    # Enable sending of keepalive packets so NAT routers
    # don't terminate the connection. WG recommends a value of 25.
    # DO NOT send keepalives from both sides, it is the client's task
    # uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
    # What you want your client to show up as in the UI
    uci set network.@wireguard_wg0[-1].description='<client name>'

3) Save the changes:

    uci commit network
    /etc/init.d/network reload
    ifdown wg0
    ifup wg0

4) Configure the Omnia firewall:

    rule=$(uci add firewall rule)
    uci set firewall.$rule.src="*"
    uci set firewall.$rule.target="ACCEPT"
    uci set firewall.$rule.proto="udp"
    uci set firewall.$rule.dest_port="1234"
    uci set firewall.$rule.name="Allow-Wireguard-Inbound"
    # Add the firewall zone
    zone=$(uci add firewall zone)
    uci set firewall.$zone.name='wg'
    uci set firewall.$zone.input='ACCEPT'
    uci set firewall.$zone.forward='ACCEPT'
    uci set firewall.$zone.output='ACCEPT'
    uci set firewall.$zone.masq='1'
    # Add the WG interface to it
    uci set firewall.$zone.network='wg0'
    # Forward WAN and LAN traffic to/from it
    fwd=$(uci add firewall forwarding)
    uci set firewall.$fwd.src='wg'
    uci set firewall.$fwd.dest='wan'
    fwd=$(uci add firewall forwarding)
    uci set firewall.$fwd.src='wg'
    uci set firewall.$fwd.dest='lan'
    fwd=$(uci add firewall forwarding)
    uci set firewall.$fwd.src='lan'
    uci set firewall.$fwd.dest='wg'
    fwd=$(uci add firewall forwarding)
    uci set firewall.$fwd.src='wan'
    uci set firewall.$fwd.dest='wg'
    uci commit firewall
    /etc/init.d/firewall restart

1) Set the server's network configuration by editing /etc/config/network to include the following parts, omitting the preshared_key option if you've opted not to use a PSK:

    config interface 'wg0'
        option proto 'wireguard'
        option private_key '<Server private key from privkey>'
        option listen_port '1234'
        list addresses '10.0.10.0/24'

    config wireguard_wg0
        option public_key '<Client public key>'
        option preshared_key '<Optional, pre-shared key for this client>'
        option route_allowed_ips '1'
        list allowed_ips '10.0.10.1/32'
        option description 'client1'

    config wireguard_wg0
        option public_key '<Client public key>'
        option preshared_key '<Optional, pre-shared key for this client>'
        option route_allowed_ips '1'
        list allowed_ips '10.0.10.2/32'
        option description 'client2'

2) Apply changes

    /etc/init.d/network reload
    ifdown wg0
    ifup wg0

3) Configure the Omnia firewall:
Edit /etc/config/firewall to include the following parts:

    config zone
        option name 'wg'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

    config forwarding
        option src 'wg'
        option dest 'wan'

    config forwarding
        option src 'wan'
        option dest 'wg'

    config forwarding
        option src 'lan'
        option dest 'wg'

    config forwarding
        option src 'wg'
        option dest 'lan'

    config rule
        option name 'Allow-Wireguard-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1234'

4) Apply changes

    /etc/init.d/firewall restart

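The guide recommends a unique PSK per client and gives each client its own /32 in allowed_ips; WireGuard also maps any given allowed IP to only one peer per interface. The following check is an added example, not part of the original guide: it reads an /etc/config/network-style file on stdin and reports reused pre-shared keys, duplicate allowed IPs, and client peers wider than a single host. The function names and the sample values are constructed for illustration.

```shell
# Added example: audit WireGuard peer sections of an OpenWrt network config
# read from stdin. Prints one finding per line; no output means no findings.
audit_wg_peers() {
    awk -v q="'" '
    function val(line) {   # value part of an "option|list NAME VALUE" line
        gsub(q, "", line)
        sub(/^[ \t]*[a-z]+[ \t]+[a-z_]+[ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        return line
    }
    $1 == "config" {       # new section; peers are "config wireguard_<iface>"
        inpeer = ($2 ~ /^.?wireguard_/)
        if (inpeer) { n++; label[n] = "peer#" n }
        next
    }
    !inpeer               { next }
    $2 == "description"   { label[n] = val($0) }
    $2 == "preshared_key" { psk[n] = val($0) }
    $2 == "allowed_ips"   { ips[n, ++nip[n]] = val($0) }
    END {
        for (i = 1; i <= n; i++) {
            if (psk[i] != "" && (psk[i] in pskowner))
                print label[i] ": preshared_key reused from " label[pskowner[psk[i]]]
            else if (psk[i] != "") pskowner[psk[i]] = i
            for (j = 1; j <= nip[i]; j++) {
                ip = ips[i, j]
                if (ip ~ /\// && ip !~ /\/(32|128)$/)
                    print label[i] ": allowed_ips " ip " is wider than one host"
                if (ip in ipowner)
                    print label[i] ": allowed_ips " ip " already routed to " label[ipowner[ip]]
                else ipowner[ip] = i
            }
        }
    }'
}

# Constructed sample: client2 reuses client1's PSK and address,
# client3 is given the whole VPN subnet instead of a /32.
sample_config() {
    printf "config interface 'wg0'\n\toption proto 'wireguard'\n"
    for p in "client1 PSK-A 10.0.10.1/32" "client2 PSK-A 10.0.10.1/32" \
             "client3 PSK-C 10.0.10.0/24"; do
        set -- $p
        printf "config wireguard_wg0\n\toption preshared_key '%s'\n" "$2"
        printf "\tlist allowed_ips '%s'\n\toption description '%s'\n" "$3" "$1"
    done
}

sample_config | audit_wg_peers
```

On the router, the same function can be run as `audit_wg_peers < /etc/config/network`.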
From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard:

    wg show

You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in output.

    interface: wg0
      public key: 4h2nW5QextnwvJnTSV2ePwEacUDWAav6LL8ZvZpG6aH=
      private key: (hidden)
      listening port: 1234

    peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
      preshared key: (hidden)
      endpoint: 190.180.170.160:45345
      allowed ips: 10.0.10.1/32
      latest handshake: 1 hour, 19 minutes, 23 seconds ago
      transfer: 43.96 MiB received, 51.89 MiB sent
      persistent keepalive: every 25 seconds

If you installed luci-app-wireguard, you can also visit your router's LuCI interface and click on Status, then click on WireGuard Status to see essentially the same information without needing to SSH in.
You can also run ifconfig to check the status of your WireGuard interface. If you've opted for another interface name aside from wg0, replace it in the subsequent command:

    ifconfig wg0

    wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.0.10.1  P-t-P:10.0.10.1  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
              RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
              TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:46099332 (43.9 MiB)  TX bytes:54420468 (51.8 MiB)