WireGuard Server

Basic Configuration

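$ opkg update

# Give the two stock zones stable names. This assumes the default OpenWrt
# firewall config, where @zone[0] is lan and @zone[1] is wan; check with
# `uci show firewall | grep zone` before renaming.
$ uci rename firewall.@zone[0]="lan"
$ uci rename firewall.@zone[1]="wan"

# Allow SSH connections from WAN.
# Each rule gets its own named section: `uci set firewall.wan="rule"` would
# re-type the zone section that was just named "wan" into a rule, and reusing
# one section name for both rules makes the second overwrite the first.
# Exposing SSH on the WAN side only makes sense when "wan" is the trusted
# upstream LAN described below; in any case disable password logins in
# dropbear (PasswordAuth/RootPasswordAuth) and use keys.
$ uci -q delete firewall.wan_ssh
$ uci set firewall.wan_ssh="rule"
$ uci set firewall.wan_ssh.name="Allow-WAN-SSH"
$ uci set firewall.wan_ssh.src="wan"
$ uci set firewall.wan_ssh.dest_port="22"
$ uci set firewall.wan_ssh.proto="tcp"
$ uci set firewall.wan_ssh.target="ACCEPT"

# Allow HTTPS connections from WAN (LuCI)
$ uci -q delete firewall.wan_https
$ uci set firewall.wan_https="rule"
$ uci set firewall.wan_https.name="Allow-WAN-HTTPS"
$ uci set firewall.wan_https.src="wan"
$ uci set firewall.wan_https.dest_port="443"
$ uci set firewall.wan_https.proto="tcp"
$ uci set firewall.wan_https.target="ACCEPT"

# Forward LAN traffic to WAN. @forwarding[0] is the stock lan->wan
# forwarding, so on a default config this only restates it.
$ uci set firewall.@forwarding[0]="forwarding"
$ uci set firewall.@forwarding[0].src="lan"
$ uci set firewall.@forwarding[0].dest="wan"

# Forward WAN traffic to LAN.
# Named section: @forwarding[3] does not exist on a stock config, so
# `uci set` on it fails, and positional @forwarding[N] indices shift whenever
# a forwarding is added, so later steps should address sections by name too.
# This forwarding lets every host on the WAN side reach the LAN unfiltered;
# keep it only when "wan" is the private upstream LAN (see the upstream
# router notes), never on an Internet-facing WAN.
$ uci -q delete firewall.wan_lan
$ uci set firewall.wan_lan="forwarding"
$ uci set firewall.wan_lan.src="wan"
$ uci set firewall.wan_lan.dest="lan"

# Apply changes
$ uci commit firewall
$ /etc/init.d/firewall restart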

WireGuard Configuration

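# Install packages (luci-app-wireguard pulls in wireguard-tools)
$ opkg install luci-app-wireguard

# Configuration parameters
$ WG_IF="wg0"
$ WG_PORT="51820"
# NOTE(review): this is the network address of the /24. The interface is
# usually given a host address (e.g. the .1/24) — confirm this is intended.
# The peer addresses below are derived from it with ${WG_ADDR%.*}.
$ WG_ADDR="10.36.2.0/24"

# Generate server key pair.
# Tighten the umask before creating the key files: saving and restoring the
# umask without changing it leaves the private key readable by every local
# user under the default umask. Directory and files are created owner-only.
$ mask=$(umask)
$ umask 077
$ mkdir -p -m 700 /etc/wireguard-keys
$ cd /etc/wireguard-keys
$ wg genkey | tee "${WG_IF}.priv" | wg pubkey > "${WG_IF}.pub"
$ WG_KEY=$(cat "${WG_IF}.priv")
$ umask "$mask"

# Configure WireGuard interface.
# The private key is passed on the uci command line and stored in
# /etc/config/network: keep that file root-only and do not run these steps
# with shell tracing (set -x) enabled.
$ uci -q delete network.${WG_IF}
$ uci set network.${WG_IF}="interface"
$ uci set network.${WG_IF}.proto="wireguard"
$ uci set network.${WG_IF}.private_key="${WG_KEY}"
$ uci set network.${WG_IF}.listen_port="${WG_PORT}"
$ uci add_list network.${WG_IF}.addresses="${WG_ADDR}"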

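# Create WireGuard firewall.
# wg0 belongs to exactly one zone. It gets its own "wg" zone below, so make
# sure it is not also listed in the lan zone (an earlier run may have added
# it), and remove any sections a previous run created so this is re-runnable.
$ uci del_list firewall.lan.network="${WG_IF}"
$ uci -q delete firewall.wg
$ uci -q delete firewall.wg_zone
$ uci -q delete firewall.wg_lan
$ uci -q delete firewall.wg_wan
$ uci -q delete firewall.lan_wg

# Allow WireGuard handshakes from WAN to the listen port
$ uci set firewall.wg="rule"
$ uci set firewall.wg.name="Allow-WireGuard"
$ uci set firewall.wg.src="wan"
$ uci set firewall.wg.dest_port="${WG_PORT}"
$ uci set firewall.wg.proto="udp"
$ uci set firewall.wg.target="ACCEPT"

# Zone for the WireGuard interface.
# Named section: @zone[2] does not exist on a stock config (only lan and wan),
# so `uci set firewall.@zone[2].*` fails. The zone *name* must be "wg" so the
# forwardings below match it; naming the zone "${WG_IF}" (wg0) while the
# forwardings use src="wg" means they match no zone at all, which is why the
# global FORWARD policy had to be opened. `network` is a list option.
# input=ACCEPT lets peers reach every service on the router itself; tighten
# it to REJECT plus explicit rules if the peers are not fully trusted.
$ uci set firewall.wg_zone="zone"
$ uci set firewall.wg_zone.name="wg"
$ uci add_list firewall.wg_zone.network="${WG_IF}"
$ uci set firewall.wg_zone.input="ACCEPT"
$ uci set firewall.wg_zone.output="ACCEPT"
$ uci set firewall.wg_zone.forward="ACCEPT"

# Forwardings: WireGuard -> LAN, WireGuard -> WAN, and LAN -> WireGuard.
# Named sections again: @forwarding[1]/[2] do not exist on a stock config.
# lan->wg is the forwarding that lets LAN hosts reach the peers, so the
# defaults' forward policy can stay at REJECT.
$ uci set firewall.wg_lan="forwarding"
$ uci set firewall.wg_lan.src="wg"
$ uci set firewall.wg_lan.dest="lan"

$ uci set firewall.wg_wan="forwarding"
$ uci set firewall.wg_wan.src="wg"
$ uci set firewall.wg_wan.dest="wan"

$ uci set firewall.lan_wg="forwarding"
$ uci set firewall.lan_wg.src="lan"
$ uci set firewall.lan_wg.dest="wg"

# Apply firewall changes
$ uci commit firewall
$ /etc/init.d/firewall restart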
 
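# Add VPN peers
#
# Generate peer key pair and PSK. Replace <PEER> with the peer's name and
# <PEER #> with its host number in the WireGuard subnet (with the WG_ADDR
# above, 2 gives 10.36.2.2/32).
# NOTE(review): generating the peer's private key here leaves a copy of it
# on the server; generating it on the peer and copying only the public key
# to the server avoids that. Either way tighten the umask first — saving and
# restoring it without changing it leaves the files world-readable.
$ mask=$(umask)
$ umask 077
$ cd /etc/wireguard-keys
$ wg genkey | tee "<PEER>.priv" | wg pubkey > "<PEER>.pub"
$ wg genpsk > "<PEER>.psk"
$ WG_PUB="$(cat "<PEER>.pub")"
$ WG_PSK="$(cat "<PEER>.psk")"
$ umask "$mask"

# Create peer configuration. The section type wireguard_${WG_IF} attaches
# the peer to that interface; allowed_ips is the peer's single /32 inside
# WG_ADDR, so a peer cannot claim another peer's address.
$ uci -q delete network.<PEER>
$ uci set network.<PEER>="wireguard_${WG_IF}"
$ uci set network.<PEER>.public_key="${WG_PUB}"
$ uci set network.<PEER>.preshared_key="${WG_PSK}"
$ uci add_list network.<PEER>.allowed_ips="${WG_ADDR%.*}.<PEER #>/32"

# Apply network changes
$ uci commit network
$ /etc/init.d/network restart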

DDNS Configuration

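# Install packages
$ opkg install luci-app-ddns

# Configure Google DDNS.
# After the delete the section must be (re)created with its type, otherwise
# every `uci set ddns.myddns_ipv4.*` below fails because the section does
# not exist.
$ uci -q delete ddns.myddns_ipv4
$ uci set ddns.myddns_ipv4="service"
$ uci set ddns.myddns_ipv4.service_name="google.com"
$ uci set ddns.myddns_ipv4.domain="<DDNS FQDN>"
# lookup_host is the name resolved to detect a stale record; it is normally
# the same FQDN as `domain`. (uci set needs option=value, not a space.)
$ uci set ddns.myddns_ipv4.lookup_host="home.orionarts.io"
# The credentials are stored in clear text in /etc/config/ddns and appear
# on the command line here: keep that file root-only and clear the shell
# history afterwards if it is persisted.
$ uci set ddns.myddns_ipv4.username="<USERNAME>"
$ uci set ddns.myddns_ipv4.password="<PASSWORD>"
$ uci set ddns.myddns_ipv4.interface="wan"
$ uci set ddns.myddns_ipv4.use_ipv6="0"
$ uci set ddns.myddns_ipv4.ip_source="web"
# Fetch the public IP over HTTPS. use_https appears to cover only the update
# request, and a plain-HTTP lookup lets anyone on the path feed a bogus
# address into the DNS record.
$ uci set ddns.myddns_ipv4.ip_url="https://checkip.amazonaws.com"
$ uci set ddns.myddns_ipv4.use_https="1"
# cacert points at the system CA directory; ca-bundle/ca-certificates must be
# installed or the HTTPS requests fail certificate verification.
$ uci set ddns.myddns_ipv4.cacert="/etc/ssl/certs"
$ uci set ddns.myddns_ipv4.enabled="1"

# Commit changes
$ uci commit ddns
$ /etc/init.d/ddns restart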
# Same setting in /etc/config/ddns file syntax: option lookup_host 'home.orionarts.io'

Upstream Router Configuration

Static routes to add on the upstream router:

| Destination           | Gateway                    |
| --------------------- | -------------------------- |
| WireGuard network     | Downstream router’s WAN IP |
| Downstream router LAN | Downstream router’s WAN IP |

Peer WireGuard Configuration

[Interface]
Address = <PEER_WG_IP>
PrivateKey = <PEER_PRIVATE_KEY>
DNS = <LOCAL_DNS_1>, <LOCAL_DNS_2>, 8.8.8.8, 1.1.1.1, <LOCAL_DOMAIN>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = <WG_SUBNET>, <DOWNSTREAM_LAN>, <UPSTREAM_LAN>
Endpoint = <DDNS_HOSTNAME>:<WG_PORT>