This how-to describes the method for setting up WireGuard client.
========================================
Here we take 1803 (i.e. Falcon) as an example.
The WireGuard server used in this how-to was set up on Ubuntu 16.04.7 LTS.
1) Run make menuconfig, select "CONFIG_PACKAGE_wireguard-tools" and save your new configuration.
Run make kernel_menuconfig, select "CONFIG_WIREGUARD" and save your new kernel configuration.
Then rebuild: make -j8 V=99
2) Key management
Generate and exchange keys between server and client.
# Generate keys
wg genkey | tee /tmp/wgserver.key | wg pubkey > /tmp/wgserver.pub
wg genkey | tee /tmp/wgclient.key | wg pubkey > /tmp/wgclient.pub
WG_KEY="$(cat /tmp/wgclient.key)" # Client private key
WG_PUB="$(cat /tmp/wgserver.pub)" # Server public key
3) Firewall
Treat the VPN network as public: assign the VPN interface to the WAN zone to keep the firewall setup minimal.
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="vpn"
uci add_list firewall.wan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart
4) Network
Configure VPN interface and peers.
# Configure network, WG_ADDR is the address of the WireGuard client,
# WG_KEY is the private key of the WireGuard client generated in 2)
uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="wireguard"
uci set network.vpn.private_key="${WG_KEY}"
uci add_list network.vpn.addresses="${WG_ADDR}"
# Add the VPN peer. WG_PUB is the public key of the WireGuard server generated on Ubuntu 16.04.7 LTS.
# WG_SERV is the public IP address of the WireGuard server.
# WG_PORT is the WireGuard UDP port you use.
uci -q delete network.wgserver
uci set network.wgserver="wireguard_vpn"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart
5) Testing
Add the public key and IP address of the WireGuard client on the server to establish the VPN connection.
# WG_ADDR is the address of the WireGuard client
# CLIENT_PUBLIC_KEY is the public key of the WireGuard client generated in 2); you can read it with "cat /tmp/wgclient.pub".
sudo wg set wg0 peer "${CLIENT_PUBLIC_KEY}" allowed-ips "${WG_ADDR}"
Use ping or traceroute to verify that your WireGuard client can reach the server.
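The steps above hand shell variables straight to uci and "wg set", which commit whatever they are given, including an empty WG_KEY when /tmp/wgclient.key could not be read. The pre-flight check below is an added example, not part of this how-to; it validates the variables from steps 2), 4) and 5) before anything is committed, using the same 32-byte base64 key format that the wg tool itself accepts.

```shell
#!/bin/sh
# Pre-flight checks for the variables used in steps 2), 4) and 5).
# Added example, not part of the original how-to. Only printf, grep and
# test are used, so it runs on the build host as well as on the router.

# A WireGuard key is 32 bytes in base64: 44 characters, and the 43rd must
# be one whose two padding bits are zero (wg rejects anything else).
wg_key_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# IPv4 address with a prefix length, e.g. 10.0.0.2/32. Octet ranges are
# not checked and IPv6 is not handled; adjust if your deployment needs it.
wg_cidr_valid() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# UDP port in the range 1..65535, digits only.
wg_port_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Check WG_KEY, WG_PUB, WG_ADDR, WG_SERV and WG_PORT in that order.
# Prints the name of every unusable variable and returns 1 if any fails.
wg_preflight() {
    key="$1" pub="$2" addr="$3" serv="$4" port="$5"
    rc=0
    wg_key_valid  "$key"  || { echo "WG_KEY: not a valid WireGuard private key"; rc=1; }
    wg_key_valid  "$pub"  || { echo "WG_PUB: not a valid WireGuard public key"; rc=1; }
    wg_cidr_valid "$addr" || { echo "WG_ADDR: expected IPv4/prefix, got '$addr'"; rc=1; }
    [ -n "$serv" ]        || { echo "WG_SERV: server endpoint is empty"; rc=1; }
    wg_port_valid "$port" || { echo "WG_PORT: expected a UDP port 1-65535, got '$port'"; rc=1; }
    return $rc
}

# Usage with the variables from 2) and 4); WG_ADDR, WG_SERV and WG_PORT are
# whatever you chose for your deployment (placeholders here):
# wg_preflight "$WG_KEY" "$WG_PUB" "$WG_ADDR" "$WG_SERV" "$WG_PORT" && uci commit network
```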