This documentation is no longer maintained by the Turris team (although it can be used by the community to share content). The current official documentation is at docs.turris.cz.

WireGuard setup

This example configures WireGuard with the VPN subnet 10.0.10.0/24, with the server listening on UDP port 1234. To set up the server and one client, you will need to have or create the following:

  • Client private key
  • Client public key (can be generated from client private key)
  • Server private key
  • Server public key (can be generated from server private key)
  • [Optional] Pre-shared key per client

The pre-shared key (PSK) is an optional extra secret defined by the WireGuard protocol that is mixed into the handshake on top of the public-key exchange. Generate a separate PSK for every client; a PSK shared by several clients gives up most of the benefit.

For more information on how to get started with WireGuard, see the official Quick Start guide.

Client side

Setup

1) Install Wireguard on the client platform.

If the Turris Omnia itself is to act as a client that establishes a tunnel to a remote WireGuard server, install WireGuard from the OpenWrt repositories with:

opkg install wireguard-tools

2) Generate the client's key-pair; how you do this depends on the client platform. You will also need the server's public key and, if you've chosen to use one, the pre-shared key the server generated for this client.

Configuration

Set up the client with the following config, replacing the placeholders to suit your environment:

wg0.conf
[Interface]
PrivateKey = <Client private key>
# Resolver to use while connected, so that DNS queries do not leave
# the tunnel (DNS leak). Use the router's address inside the VPN
# subnet, or another resolver that is reachable only through the tunnel.
DNS = <router's address in the VPN subnet>

# This client's address inside the VPN, IPv4 or IPv6. A peer that only
# terminates its own traffic and relays nothing gets a single host
# address (/32).
Address = 10.0.10.1/32

[Peer]
PublicKey = <Server public key>
# Optional symmetric key known only to this client and the server
PresharedKey = <Pre-shared key from server for this client>

# Destinations that are sent to this peer. 0.0.0.0/0 routes all IPv4
# traffic through the VPN; add ::/0 as well if the client has IPv6,
# otherwise IPv6 traffic bypasses the tunnel.
AllowedIPs = 0.0.0.0/0

# Public address and port of the server
Endpoint = <server IP>:<server port>

# Send periodic keepalives so the NAT mapping stays open; 25 seconds is the usual value.
PersistentKeepalive = 25

Server side

Configuring WireGuard requires SSH access to your router in order to run the following commands.

Installation

WireGuard requires a number of OpenWrt packages to be installed.

opkg update
opkg install luci-proto-wireguard luci-app-wireguard kmod-wireguard wireguard-tools

luci-app-wireguard adds a basic status UI into LuCI; it is recommended but not mandatory.

Setup

First, generate a key-pair for the server if you don't already have one. The files can live anywhere, but the private key must stay readable by root only; what you actually need are the key values themselves, to paste into the uci commands or configuration files below.

# If you don't have a key-pair for the server yet, generate one.
# umask 077 makes the new files readable and writable by root only.
mkdir /root/wg
cd /root/wg
umask 077 && wg genkey > privkey

# Derive the public key from it
wg pubkey < privkey > pubkey

# Optionally, create a pre-shared key (PSK) for a client;
# generate a separate one for every client
wg genpsk > presharedkey

Now that you have the server's key-pair, choose how you'd like to configure your WireGuard interface.

Via uci commands

1) Set the server's network configuration:

# wg0 is the name of the WireGuard interface; replace it if you wish.
uci set network.wg0="interface"
uci set network.wg0.proto="wireguard"
uci set network.wg0.private_key="<Server private key from privkey file>"

# The UDP port the server listens on; change it to your liking. Clients
# behind restrictive firewalls may get through more easily on a port
# commonly used by other services. Remember it for the firewall rule later.
uci set network.wg0.listen_port="1234"
# The router's own address inside the VPN, given with the prefix length
# of the whole VPN subnet (/24) so that a route for the subnet is installed.
uci add_list network.wg0.addresses='10.0.10.0/24'

2) Configure client list:

# Repeat these steps for every client. Keep the section type
# wireguard_wg0 (it ties the peer to interface wg0); use a different
# name only if you create a separate WireGuard interface.
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key="<your client's pubkey>"

# Optionally, set the pre-shared key if one is being used for this client
uci set network.@wireguard_wg0[-1].preshared_key="<Pre-shared key for this client>"

# allowed_ips lists the source addresses the router accepts from this
# peer and the destinations it sends to it: exactly the client's VPN
# address (/32), never 0.0.0.0/0 on the router side. route_allowed_ips
# installs a route for that address on the router.
uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
uci add_list network.@wireguard_wg0[-1].allowed_ips="10.0.10.1/32"

# Keepalives keep NAT mappings open; WireGuard recommends 25 seconds.
# They are only needed from the side behind NAT, which is the client,
# so leave this commented out on the router.
# uci set network.@wireguard_wg0[-1].persistent_keepalive='25'

# Name under which the client shows up in the UI
uci set network.@wireguard_wg0[-1].description='<client name>'

3) Save the changes:

uci commit network
/etc/init.d/network reload
 
ifdown wg0
ifup wg0

4) Configure the Omnia firewall:

# Accept WireGuard packets on the listen port from any zone (src="*")
rule=$(uci add firewall rule)
uci set firewall.$rule.src="*"
uci set firewall.$rule.target="ACCEPT"
uci set firewall.$rule.proto="udp"
uci set firewall.$rule.dest_port="1234"
uci set firewall.$rule.name="Allow-Wireguard-Inbound"

# Add a firewall zone for the tunnel. input=ACCEPT lets VPN clients reach
# services on the router itself (DNS, SSH, LuCI), i.e. they are trusted
# like LAN hosts; use REJECT plus explicit rules if clients should only
# transit the router. masq=1 hides VPN addresses behind the router.
zone=$(uci add firewall zone)
uci set firewall.$zone.name='wg'
uci set firewall.$zone.input='ACCEPT'
uci set firewall.$zone.forward='ACCEPT'
uci set firewall.$zone.output='ACCEPT'
uci set firewall.$zone.masq='1'

# Add the WG interface to it
uci set firewall.$zone.network='wg0'

# Forwardings between the tunnel and the other zones: wg->wan gives
# clients internet access, wg<->lan gives them access to the home
# network. Replies to those flows are matched by connection tracking,
# so wan->wg is only needed if hosts on the internet must be able to
# initiate connections to VPN clients; omit it otherwise.
fwd=$(uci add firewall forwarding)
uci set firewall.$fwd.src='wg'
uci set firewall.$fwd.dest='wan'

fwd=$(uci add firewall forwarding)
uci set firewall.$fwd.src='wg'
uci set firewall.$fwd.dest='lan'

fwd=$(uci add firewall forwarding)
uci set firewall.$fwd.src='lan'
uci set firewall.$fwd.dest='wg'

fwd=$(uci add firewall forwarding)
uci set firewall.$fwd.src='wan'
uci set firewall.$fwd.dest='wg'

uci commit firewall
/etc/init.d/firewall restart
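Putting the key generation, the per-client peer section and the client's wg0.conf together, here is a small provisioning script. It is an added example and not part of this page or of the Turris/OpenWrt projects: it generates the client's key-pair and PSK with wg(8), validates the router's public key with the same length-and-padding check wg applies, and prints the uci commands for the router plus the wg0.conf for the client, so that each key lands only where it belongs. The script name, the function names, the caller-supplied endpoint and the addressing (interface wg0, UDP port 1234, router address 10.0.10.0 inside 10.0.10.0/24, as on this page) are this example's own assumptions.

```shell
#!/bin/sh
# wg-add-client.sh: added example, not part of the original page or of the
# Turris/OpenWrt projects. Provisions one WireGuard client for the server
# configured above: generates the client's key-pair and a per-client PSK and
# prints (1) the uci commands that register the peer on the router and
# (2) the wg0.conf for the client. Assumed, as on this page: interface wg0,
# UDP port 1234, router address 10.0.10.0 inside 10.0.10.0/24.
set -eu

WG_IFACE="wg0"
SERVER_PORT="1234"
SERVER_VPN_IP="10.0.10.0"   # the router's own address on wg0 (this page assigns it 10.0.10.0/24)

# A WireGuard key is 32 bytes in base64: 44 characters ending in '=', and the
# 43rd character must encode zero padding bits. wg(8) rejects anything else,
# so catch typos and truncated copy-pastes before they reach uci.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# uci commands that add the client as a peer of $WG_IFACE on the router.
# $1 client public key, $2 pre-shared key, $3 client VPN address, $4 name
render_peer_uci() {
    cat <<EOF
uci add network wireguard_${WG_IFACE}
uci set network.@wireguard_${WG_IFACE}[-1].public_key="$1"
uci set network.@wireguard_${WG_IFACE}[-1].preshared_key="$2"
uci set network.@wireguard_${WG_IFACE}[-1].route_allowed_ips="1"
uci add_list network.@wireguard_${WG_IFACE}[-1].allowed_ips="$3/32"
uci set network.@wireguard_${WG_IFACE}[-1].description="$4"
uci commit network
ifdown ${WG_IFACE}; ifup ${WG_IFACE}
EOF
}

# wg-quick configuration for the client.
# $1 client private key, $2 router public key, $3 pre-shared key,
# $4 client VPN address, $5 router endpoint (public IP or host name)
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $4/32
# Resolve through the router so DNS queries never leave the tunnel
DNS = ${SERVER_VPN_IP}

[Peer]
PublicKey = $2
PresharedKey = $3
# Route all IPv4 and IPv6 through the tunnel; without ::/0, IPv6 would bypass it
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $5:${SERVER_PORT}
PersistentKeepalive = 25
EOF
}

# Generate the client's keys with wg(8) and emit both halves of the setup.
# $1 client name, $2 client VPN address, $3 router public key, $4 router endpoint
provision_client() {
    valid_wg_key "$3" || { echo "router public key is malformed: $3" >&2; return 1; }
    umask 077                                  # the client config holds a private key
    priv="$(wg genkey)"
    pub="$(printf '%s\n' "$priv" | wg pubkey)"
    psk="$(wg genpsk)"
    render_client_conf "$priv" "$3" "$psk" "$2" "$4" > "$1.conf"
    echo "# client config written to $1.conf; run the following on the router:"
    render_peer_uci "$pub" "$psk" "$2" "$1"
}

# Usage: ./wg-add-client.sh <client name> <client VPN address> <router public key> <router endpoint>
[ $# -eq 0 ] || provision_client "$@"
```

The client's .conf is written with umask 077 because it contains the client's private key; the router never needs that key, and the client never needs the router's. Move the file to the client over a channel you trust (scp, for instance) and delete it from the router afterwards.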

Via configuration files

1) Set the server's network configuration by editing /etc/config/network to include following parts, omitting the preshared_key option if you've opted not to use a PSK:

/etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<Server private key from privkey>'
	option listen_port '1234'
	list addresses '10.0.10.0/24'

config wireguard_wg0
	option public_key '<Client public key>'
	option preshared_key '<Optional, pre-shared key for this client>'
	option route_allowed_ips '1'
	list allowed_ips '10.0.10.1/32'
	option description 'client1'

config wireguard_wg0
	option public_key '<Client public key>'
	option preshared_key '<Optional, pre-shared key for this client>'
	option route_allowed_ips '1'
	list allowed_ips '10.0.10.2/32'
	option description 'client2'

2) Apply changes

/etc/init.d/network reload
ifdown wg0
ifup wg0

3) Configure the Omnia firewall:

Edit /etc/config/firewall to include following parts:

/etc/config/firewall
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1' 
 
config forwarding
	option src 'wg'
	option dest 'wan'
 
config forwarding
	option src 'wan'
	option dest 'wg'
 
config forwarding
	option src 'lan'
	option dest 'wg'
 
config forwarding
	option src 'wg'
	option dest 'lan' 
 
config rule
	option name 'Allow-Wireguard-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1234'

4) Apply changes

/etc/init.d/firewall restart

Testing your configuration

From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard:

wg show

You should see the configured interface and peers in your console. If not, restart your router and check the client and server configuration thoroughly to ensure the right keys are in the right places. Every configured peer is listed, but a peer that has never completed a handshake shows only its public key, pre-shared key and allowed ips; the endpoint, latest handshake and transfer lines appear once it has connected.

interface: wg0
  public key: 4h2nW5QextnwvJnTSV2ePwEacUDWAav6LL8ZvZpG6aH=
  private key: (hidden)
  listening port: 1234
 
peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
  preshared key: (hidden)
  endpoint: 190.180.170.160:45345
  allowed ips: 10.0.10.1/32
  latest handshake: 1 hour, 19 minutes, 23 seconds ago
  transfer: 43.96 MiB received, 51.89 MiB sent
  persistent keepalive: every 25 seconds

If you installed luci-app-wireguard, you can also open your router's LuCI interface and click Status, then WireGuard Status, to see essentially the same information without needing to SSH in.
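As an added example (not part of the original page or of wireguard-tools), the following script runs the same inspection over the machine-readable `wg show <iface> dump` output, in a form suitable for a cron job: it lists every configured peer, including ones that never connected, flags handshakes older than a threshold, peers without a pre-shared key, and peers whose allowed-ips would claim every destination on the router. The field order is the one wg(8) documents for `dump`; the script name, the 600 second threshold and the sample dump (placeholder keys, not real key material) are this example's own assumptions.

```shell
#!/bin/sh
# wg-check.sh: added example, not part of the original page or of
# wireguard-tools. Health check over `wg show <iface> dump`. Peer lines are
# tab-separated in the order wg(8) documents: public-key, preshared-key,
# endpoint, allowed-ips, latest-handshake (Unix time, 0 = never),
# transfer-rx, transfer-tx, persistent-keepalive. The first line describes
# the interface and contains its PRIVATE key in the clear, so never log it.
set -eu

# Read a dump on stdin; $1 = current Unix time, $2 = max handshake age (s).
# One line per peer: <public-key> status=ok|stale|never age=<s> endpoint=... allowed=... [warn: ...]
check_peers() {
    awk -v now="$1" -v max="$2" '
        BEGIN { FS = "\t" }
        NR == 1 { next }                        # interface line: privkey, pubkey, port, fwmark
        {
            age = now - $5
            if ($5 == 0)        status = "never"   # configured, but no handshake ever completed
            else if (age > max) status = "stale"   # WireGuard re-handshakes about every 2 min while traffic flows
            else                status = "ok"
            warn = ""
            if ($2 == "(none)") warn = warn " no-psk"
            # A catch-all allowed-ips on the router side would send every
            # destination to that one client; per-client /32s as on this page are correct.
            if ($4 ~ /(^|,)(0\.0\.0\.0\/0|::\/0)(,|$)/) warn = warn " catch-all-allowed-ips"
            printf "%s status=%s age=%s endpoint=%s allowed=%s%s\n",
                $1, status, ($5 == 0 ? "-" : age), $3, $4, (warn == "" ? "" : " warn:" warn)
        }'
}

# Constructed sample dump with placeholder keys, taken as seen at Unix time
# 1700000000: peer 1 handshaked 5 minutes ago, peer 2 almost 3 hours ago,
# peer 3 never, has no PSK and a catch-all allowed-ips.
sample_dump() {
    printf 'SERVERPRIVKEY=\tSERVERPUBKEY=\t1234\toff\n'
    printf 'PEER1PUBKEY=\tPEER1PSK=\t190.180.170.160:45345\t10.0.10.1/32\t1699999700\t46099332\t54420468\toff\n'
    printf 'PEER2PUBKEY=\tPEER2PSK=\t203.0.113.7:51820\t10.0.10.2/32\t1699990000\t1024\t2048\toff\n'
    printf 'PEER3PUBKEY=\t(none)\t(none)\t0.0.0.0/0\t0\t0\t0\toff\n'
}

# Usage on the router: ./wg-check.sh wg0 [max-age-seconds]
# With no arguments the constructed sample is checked instead.
if [ $# -eq 0 ]; then
    sample_dump | check_peers 1700000000 600
else
    wg show "$1" dump | check_peers "$(date +%s)" "${2:-600}"
fi
```

A `stale` peer with a recent endpoint usually means the client dropped off the network; a `never` peer that should have connected by now usually means a key or PSK mismatch, which is exactly the case the plain `wg show` output does not distinguish from a peer that simply has not tried yet.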

You can also run ifconfig to check the status of your WireGuard interface; the address and counters shown will be those of your own setup. If you've chosen an interface name other than wg0, replace it in the following command:

ifconfig wg0
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.10.1  P-t-P:10.0.10.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
          TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:46099332 (43.9 MiB)  TX bytes:54420468 (51.8 MiB)
