Finally VPN: Openwrt Wireguard


The principle of a virtual private network (VPN) was clear to me, but I had not managed to set one up on our OpenWrt router with the techniques available at the time. That was probably not the fault of the software I wanted to use, but of my limited understanding of the rather complex subject matter.

WireGuard

Enter the new VPN protocol WireGuard. It makes it almost child's play (compared to OpenVPN or IPsec) to let two systems communicate securely with each other through a tunnel.

The basis is very simple: encrypted data travels between two peers over a single UDP port, in both directions. Both partners are equal. IP addresses and a DNS server are specified in the configuration. Finally, every system has a key pair (public and private) with which all data is encrypted. A system knows its own private key and the public key of its counterpart.

Server (OpenWrt)

Below are the steps I went through to make the local network (LAN) accessible from outside on a router with OpenWrt (behind a provider modem with NAT) via WireGuard.

opkg update && opkg install luci-app-wireguard qrencode;
wg genkey | tee privatekey.txt | wg pubkey > publickey.txt;

First, the package lists are updated and the necessary software is installed. The command wg genkey then generates a private key. This is stored (temporarily) in a file and at the same time passed to wg pubkey, which derives the public key from it. That key is also stored temporarily.

Note: the new protocol will only be loaded after a reboot of the router.

Interface

Create a new interface via Network → Interfaces → Add new interface. Enter a name, for example wg0. For protocol, choose WireGuard VPN. Confirm with Create interface.

Log in via SSH or SFTP and open the file with the private key. Copy and paste the key into the field Private Key. Choose a port number well above 1024 and fill that in under Listen Port, for example 51920. Choose an IP range for the new VPN, and give the router for example 192.168.42.1/24.

On the tab Firewall Settings, link the new interface to the zone LAN. We'll come back later to populate the tab Peers.

Firewall

Log in via SSH and add a new line to the firewall with the following commands, allowing outside traffic on the chosen UDP port:

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="51920"
uci commit firewall
/etc/init.d/firewall restart

Peers

To add conversation partners (peers), a separate settings file is created for each system, with its own IP address and its own key pair. Such a configuration looks, for example, like this:

[Interface]
Address = 192.168.42.2/32
DNS = 192.168.1.1
ListenPort = 51920
PrivateKey = <CLIENT-PRIVATE-KEY>

[Peer]
AllowedIPs = 192.168.42.0/24, 192.168.1.0/24
Endpoint = <PUBLIC-IP-ADDRESS-OR-DYNDNS-HOSTNAME>:51920
PublicKey = <SERVER-PUBLIC-KEY>

The section [Interface] describes the client itself: its IP address in the VPN, its configured DNS server, the chosen UDP port and its private key as a base64-encoded string. You can have this generated by wg genkey.

The section [Peer] in our case describes the VPN server with OpenWrt. The allowed IP ranges are those of the VPN and the LAN, respectively. Endpoint is the IP address or (dynamic) domain name, with port number, on which the router can be reached from outside. Finally, the public key of the router follows.

In OpenWrt, go back to the Peers tab of the WireGuard interface. Optionally, enter a description (Description) of the client. Paste the client's public key into the field Public Key. Under Allowed IPs, enter the IP address of the client, for example 192.168.42.2/32. Check the box Route Allowed IPs and enter a value of 25 for Persistent Keep Alive. Click on Save and the first peer is in place.
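The client file above and the Peers tab on the router have to agree with each other (same UDP port, the client's /32 address on both sides, valid 32-byte base64 keys), and doing that by hand in two places is where mismatches creep in. The script below is an added example, not code from the post or from the WireGuard or OpenWrt projects: it renders the client's wg0.conf and the matching uci commands for the router's peer entry from one set of values, and refuses to do so when the values do not fit together. The keys in it are constructed 32-byte placeholders, not real WireGuard keys, and the endpoint name vpn.example.invalid is a placeholder for your router's public address or DynDNS name.

```python
import base64
import ipaddress

VPN_PORT = 51920  # the UDP port chosen on the router in the post

# Constructed sample keys: 32 arbitrary bytes in base64, NOT real WireGuard keys.
# Real ones come from `wg genkey` / `wg pubkey`.
CLIENT_PRIV = base64.b64encode(bytes(range(32))).decode()
CLIENT_PUB = base64.b64encode(bytes(range(32, 64))).decode()
SERVER_PUB = base64.b64encode(bytes(range(64, 96))).decode()


def valid_key(key):
    """A WireGuard key is exactly 32 bytes, base64 encoded (44 characters, '=' padded)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:
        return False
    return len(raw) == 32


def client_config(client_priv, client_addr, vpn_net, lan_net, dns, server_pub,
                  endpoint, port=VPN_PORT):
    """Render the client's wg0.conf after checking the values fit together."""
    if not valid_key(client_priv) or not valid_key(server_pub):
        raise ValueError("key is not 32 bytes of base64")
    vpn = ipaddress.ip_network(vpn_net)
    lan = ipaddress.ip_network(lan_net)
    host = ipaddress.ip_address(client_addr)
    if host not in vpn:
        raise ValueError(f"{client_addr} is not inside the VPN range {vpn}")
    return "\n".join([
        "[Interface]",
        f"Address = {host}/32",
        f"DNS = {dns}",
        f"ListenPort = {port}",
        f"PrivateKey = {client_priv}",
        "",
        "[Peer]",
        f"AllowedIPs = {vpn}, {lan}",   # only the VPN and LAN ranges go through the tunnel
        f"Endpoint = {endpoint}:{port}",
        f"PublicKey = {server_pub}",
        "",
    ])


def server_peer_commands(ifname, description, client_pub, client_addr, keepalive=25):
    """uci commands mirroring the LuCI Peers tab entries for this client.

    Peers of an OpenWrt WireGuard interface live in sections of type
    wireguard_<ifname>; the option names are those of the netifd wireguard proto.
    """
    if not valid_key(client_pub):
        raise ValueError("client public key is not 32 bytes of base64")
    host = ipaddress.ip_address(client_addr)
    sect = f"network.@wireguard_{ifname}[-1]"
    return [
        f"uci add network wireguard_{ifname}",
        f"uci set {sect}.description='{description}'",
        f"uci set {sect}.public_key='{client_pub}'",
        f"uci add_list {sect}.allowed_ips='{host}/32'",   # one /32 per client, never a wide range
        f"uci set {sect}.route_allowed_ips='1'",
        f"uci set {sect}.persistent_keepalive='{keepalive}'",
        "uci commit network",
        "/etc/init.d/network reload",
    ]


if __name__ == "__main__":
    print(client_config(CLIENT_PRIV, "192.168.42.2", "192.168.42.0/24",
                        "192.168.1.0/24", "192.168.1.1", SERVER_PUB,
                        "vpn.example.invalid"))
    print("\n".join(server_peer_commands("wg0", "laptop", CLIENT_PUB, "192.168.42.2")))
```

The rendered wg0.conf goes to the client; the uci lines are meant to be read and then pasted into an SSH session on the router, where they do the same as the clicks in the Peers tab. Keeping each client's AllowedIPs on the router to its single /32 is what prevents one client from claiming another client's VPN address.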

Client (Android)

The official app from the WireGuard developers can be downloaded from the Play Store. With it you can set up a connection from scratch, but also read an existing configuration from a file. For example, place the file wg0.conf in Android's Download folder via USB. Then tap the large Plus button and choose Import from file. After that, the VPN connection can be switched on and off at the touch of a finger.

Client (Debian)

On my Debian system, provisioning was a bit more complicated, as the new WireGuard protocol was not yet available in the stable variant of the OS. With the commands below, the unstable repository is added (pinned to a low priority so that only explicitly requested packages come from it) and the software is installed from it.

$ echo "deb http://deb.debian.org/debian/ unstable main" | \
  sudo tee /etc/apt/sources.list.d/unstable-wireguard.list;
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | \
  sudo tee /etc/apt/preferences.d/limit-unstable;
$ sudo apt update && sudo apt install wireguard resolvconf;

Create the configuration file wg0.conf as described above and preferably place it in the folder /etc/wireguard. Then you can dig the tunnel with these commands and close it again after use:

$ sudo wg-quick up wg0;
$ sudo wg-quick down wg0;
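Once the tunnel is up, the question on either end is whether the peer actually completed a handshake and where it is connecting from. `wg show wg0 dump` prints that in a tab-separated form that is easy to parse: one interface line (private key, public key, listen port, fwmark), then one line per peer (public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, bytes received, bytes sent, persistent keepalive). The script below is an added example, not part of the post: it parses such a dump, drops the interface line so the private key is never retained, and lists peers that never handshook or whose last handshake is older than a threshold. The dump text is constructed sample data with placeholder keys and documentation addresses; the 180-second threshold is an assumption based on WireGuard renewing a live session's handshake roughly every two minutes.

```python
HANDSHAKE_MAX_AGE = 180  # seconds; assumption: a live peer re-handshakes about every 2 minutes

# Constructed sample of `wg show wg0 dump` output (tab separated). The keys are
# placeholders, not real WireGuard keys; timestamps are relative to NOW.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "SERVER-PRIVATE-KEY\tSERVER-PUBLIC-KEY\t51920\toff",
    f"PEER-LAPTOP-PUB\t(none)\t203.0.113.7:41822\t192.168.42.2/32\t{NOW - 30}\t184320\t90112\t25",
    "PEER-PHONE-PUB\t(none)\t(none)\t192.168.42.3/32\t0\t0\t0\t25",
    f"PEER-OLD-PUB\t(none)\t198.51.100.9:5000\t192.168.42.4/32\t{NOW - 900}\t512\t512\t25",
])


def parse_dump(text):
    """Return a list of peer dicts from `wg show <if> dump`.

    The first line describes the interface and carries its private key; it is
    deliberately not kept, so nothing sensitive ends up in a report or log.
    """
    peers = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # interface line (4 fields) or blank line
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(hs),   # 0 means never
            "rx": int(rx),
            "tx": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def stale_peers(peers, now, max_age=HANDSHAKE_MAX_AGE):
    """Public keys of peers that never handshook or whose last handshake is older than max_age."""
    return [p["public_key"] for p in peers
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_age]


def report(peers, now, max_age=HANDSHAKE_MAX_AGE):
    """Human-readable status line per peer."""
    lines = []
    stale = set(stale_peers(peers, now, max_age))
    for p in peers:
        age = "never" if p["latest_handshake"] == 0 else f"{now - p['latest_handshake']}s ago"
        state = "STALE" if p["public_key"] in stale else "ok"
        lines.append(f"{state:5} {p['public_key']:18} {p['endpoint'] or '-':22} "
                     f"{','.join(p['allowed_ips']):18} handshake {age}")
    return lines


if __name__ == "__main__":
    # On a real host: feed the output of `wg show wg0 dump` and time.time() instead.
    for line in report(parse_dump(SAMPLE_DUMP), NOW):
        print(line)
```

Run against a real dump (for example `sudo wg show wg0 dump` piped into the script, with `time.time()` as `now`), it gives a quick answer to "is the tunnel really up" on the Debian client and, on the router, shows which configured peers are connected and from which endpoint, which is the first thing to check when a client stops getting through.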

Conclusion

Thanks to the great efforts of the WireGuard developers and the people who write about it in the media (link 1, link 2, link 3), I finally managed to set up a secure and user-friendly VPN. It took a while, but it was well worth it!
