
Quick 'n dirty Wireguard tutorial

Daniel Engberg edited this page Nov 4, 2018 · 1 revision

This is a quick tutorial on how to set up WireGuard between two or more OpenWrt devices

  • Assumes that the server and client(s) use separate /24 networks, e.g. 192.168.10.0/24 and 192.168.11.0/24
  • That there are no clashing network ranges on the WAN side of any device
  • Both devices have NTP enabled and working

Notes:
A pair of keys (private and public) is needed for each device:
wg genkey | tee privatekey | wg pubkey > publickey

For simplicity the layout uses 10.0.100.0/24 for the VPN, where the host part (last octet) of each device's tunnel address matches the third octet of that device's local network (192.168.XXX.0/24).
Example: 192.168.10.0/24 --> 10.0.100.10/24

Setup on the "server"

Allow any traffic on (trusted) interface wg0 /etc/firewall.user

# Allow any traffic on (trusted) interface wg*
iptables -I INPUT -i wg+ -j ACCEPT
iptables -I FORWARD -i wg+ -j ACCEPT
iptables -I OUTPUT -o wg+ -j ACCEPT
iptables -I FORWARD -o wg+ -j ACCEPT

Add wireguard interface /etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '9999'
	list addresses '10.0.100.10/24'
	option private_key 'SRV-PRIVATE-KEY'

Add client(1) /etc/config/network

config wireguard_wg0
	option public_key 'CLIENT-PUBLIC-KEY'
	list allowed_ips '192.168.11.0/24'
	option persistent_keepalive '25'

Add route to client network /etc/config/network

config route
	option interface 'wg0'
	option target '192.168.11.0'
	option netmask '255.255.255.0'
	option gateway '10.0.100.11'

Open port 9999 (UDP) on server /etc/config/firewall

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '9999'
	option name 'WireGuard'

Setup on the "client"

Allow any traffic on (trusted) interface wg0 /etc/firewall.user

# Allow any traffic on (trusted) interface wg*
iptables -I INPUT -i wg+ -j ACCEPT
iptables -I FORWARD -i wg+ -j ACCEPT
iptables -I OUTPUT -o wg+ -j ACCEPT
iptables -I FORWARD -o wg+ -j ACCEPT

Add wireguard interface /etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'CLIENT-PRIVATE-KEY'
	list addresses '10.0.100.11/24'

Add server /etc/config/network

config wireguard_wg0
	option public_key 'SRV-PUBLIC-KEY'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'wireguard.node.basement.foo'
	option endpoint_port '9999'
	option persistent_keepalive '25'

Add route to server network /etc/config/network

config route
	option interface 'wg0'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '10.0.100.10'

Adding more clients

Additional setup on the "server"

Add client2 /etc/config/network

config wireguard_wg0
	option public_key 'CLIENT2-PUBLIC-KEY'
	list allowed_ips '192.168.12.0/24'
	option persistent_keepalive '25'

Add route to client2 network /etc/config/network

config route
	option interface 'wg0'
	option target '192.168.12.0'
	option netmask '255.255.255.0'
	option gateway '10.0.100.12'
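The server-side peer and route stanzas above follow one fixed convention (client LAN 192.168.N.0/24, tunnel address 10.0.100.N). The shell function below is an added example, not part of this wiki page: it generates both stanzas for any client N and refuses out-of-range octets and malformed public keys before they reach /etc/config/network. The function name and the key-format check are my additions.

```shell
#!/bin/sh
# wg_peer_stanzas N PUBKEY  (hypothetical helper, not from the wiki)
# Emits the server-side UCI stanzas for a client whose LAN is 192.168.N.0/24
# and whose tunnel address is therefore 10.0.100.N.
wg_peer_stanzas() {
    octet=$1
    pubkey=$2
    # N must be a plain integer in the usable host range
    case "$octet" in
        ''|*[!0-9]*) echo "bad octet: '$octet'" >&2; return 1 ;;
    esac
    if [ "$octet" -lt 1 ] || [ "$octet" -gt 254 ]; then
        echo "octet out of range: $octet" >&2; return 1
    fi
    # A WireGuard public key is 32 bytes, base64-encoded: 43 chars plus '='
    if ! printf '%s' "$pubkey" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "malformed public key" >&2; return 1
    fi
    # Peer: cryptokey routing only accepts the client's LAN from this key
    printf "config wireguard_wg0\n"
    printf "\toption public_key '%s'\n" "$pubkey"
    printf "\tlist allowed_ips '192.168.%s.0/24'\n" "$octet"
    printf "\toption persistent_keepalive '25'\n\n"
    # Route: next hop is the client's tunnel address, matching its LAN octet
    printf "config route\n"
    printf "\toption interface 'wg0'\n"
    printf "\toption target '192.168.%s.0'\n" "$octet"
    printf "\toption netmask '255.255.255.0'\n"
    printf "\toption gateway '10.0.100.%s'\n" "$octet"
}
```

Append the output to /etc/config/network and run `/etc/init.d/network reload`; the allowed_ips and route gateway are derived from the same N, so they cannot drift apart.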

Setup and additional setup on client

Same as the example above, except that option private_key needs to be CLIENT2-PRIVATE-KEY and list addresses needs to be updated correspondingly (.12). Optionally, if you want to be able to reach the client(1) network from client2, you just need to add routes on each device. Note that option target differs between the two devices.

Add route to client2 network on client(1) /etc/config/network

config route
	option interface 'wg0'
	option target '192.168.12.0'
	option netmask '255.255.255.0'
	option gateway '10.0.100.10'

Add route to client(1) network on client2 /etc/config/network

config route
	option interface 'wg0'
	option target '192.168.11.0'
	option netmask '255.255.255.0'
	option gateway '10.0.100.10'