WireGuard Setting

The future of VPN technology

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

From firmware V2.27 onward, you can install WireGuard easily using opkg.

SSH into the router and run the following commands.

Install WireGuard

# opkg update
# opkg install wireguard

Configuration

You can set up WireGuard as either a server or a client.

To configure the mini router as a WireGuard server or client, do the following.

1. Generate Key

First, generate the private key and the public key. The following commands write them to two files, privatekey and publickey. Keep the privatekey file secret; only the public key is shared with the other side.

# wg genkey > privatekey
# wg pubkey < privatekey > publickey

2. Network Configuration

Edit /etc/config/network to configure the client or the server. You can use vi or WinSCP to edit the file.

You need to generate a private key and a public key on both the server side and the client side.

To configure the WireGuard server, add the following content to the end of /etc/config/network.

Note: Be sure to replace the private_key and public_key placeholders with the real key contents.

config interface 'wg0'
    option proto 'wireguard'
    option listen_port '55555'
    list addresses '10.0.0.1/32'
    option private_key '......'  # This router's own private key, generated in step 1

config wireguard_wg0
    option public_key '......' # Client's public key
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.0/24'

To configure the WireGuard client, add the following content to /etc/config/network.

config interface 'wg0'
    option proto 'wireguard'
    option listen_port '55555'
    list addresses '10.0.0.2/32'
    option private_key '......'  # This router's own private key, generated in step 1

config wireguard_wg0
    option public_key '......' # Server's public key
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
    option endpoint_host '......' # Server's public IP address
    option endpoint_port '55555'
    option persistent_keepalive '25'

3. Firewall Configuration

Append the following to the firewall configuration file /etc/config/firewall.

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option name 'Wireguard_VPN'
    option family 'ipv4'
    option dest_port '55555'

config zone
    option name 'wg-vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option device 'wg0'

config forwarding 'wg_wan'
    option src 'wg-vpn'
    option dest 'wan'

config forwarding 'wg_lan'
    option src 'wg-vpn'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'wg-vpn'

4. Restart Network

Finally, restart the network and firewall services, or just reboot your router.

/etc/init.d/network restart
/etc/init.d/firewall restart
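
The following check is an added example, not part of the original guide or the vendor's tooling. Run before the restart in step 4, it confirms that the '......' placeholders were replaced with well-formed WireGuard keys and that a firewall rule opens the same port as listen_port. The function names and the sample written by write_sample are constructed, and it assumes single-quoted option values as in the listings above.

```shell
#!/bin/sh
# Added example: lint the wg0 settings from this page before restarting.
# Function names and sample data are constructed for illustration.

# A WireGuard key is 32 bytes in base64: 44 characters ending in '='.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the value of every "option NAME 'value'" line read from stdin.
uci_values() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$1[[:space:]]\{1,\}'\([^']*\)'.*/\1/p"
}

# check_wg_config NETWORK_FILE FIREWALL_FILE -> 0 if sane, 1 otherwise.
check_wg_config() {
    rc=0
    for name in private_key public_key; do
        vals=$(uci_values "$name" < "$1")
        [ -n "$vals" ] || { echo "FAIL: no $name in $1" >&2; rc=1; }
        for v in $vals; do   # key values are checked but never printed
            is_wg_key "$v" || { echo "FAIL: $name is not a valid key" >&2; rc=1; }
        done
    done
    port=$(uci_values listen_port < "$1" | head -n 1)
    if [ -z "$port" ] || ! uci_values dest_port < "$2" | grep -qxF "$port"; then
        echo "FAIL: no firewall rule has dest_port '$port'" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample: write_sample DIR KEY LISTEN_PORT FIREWALL_PORT
write_sample() {
    cat > "$1/network" <<EOF
config interface 'wg0'
    option proto 'wireguard'
    option listen_port '$3'
    option private_key '$2'  # this router's own key
config wireguard_wg0
    option public_key '$2' # peer's public key
EOF
    cat > "$1/firewall" <<EOF
config rule
    option dest_port '$4'
EOF
}

# Usage on the router: sh this-script /etc/config/network /etc/config/firewall
if [ "$#" -eq 2 ]; then check_wg_config "$1" "$2"; fi
```

A non-zero exit status means a key placeholder is still in place or the listen port and the firewall rule disagree.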