This how-to describes the method for setting up a WireGuard client.
========================================
Here we take 1803 (i.e. Falcon) as the example platform.
The WireGuard server tested in this how-to was set up on Ubuntu 16.04.7 LTS.

1) Run "make menuconfig", select "CONFIG_PACKAGE_wireguard-tools" and save your new configuration.
Run "make kernel_menuconfig", select "CONFIG_WIREGUARD" and save your new kernel configuration.
Then rebuild:
make -j8 V=99

2) Key management
Generate and exchange keys between server and client. Keep the private key files readable only by root (for example, set umask 077 before generating them) and remove them from /tmp once they are in the configuration.

# Generate keys
wg genkey | tee /tmp/wgserver.key | wg pubkey > /tmp/wgserver.pub
wg genkey | tee /tmp/wgclient.key | wg pubkey > /tmp/wgclient.pub

WG_KEY="$(cat /tmp/wgclient.key)" # Client private key
WG_PUB="$(cat /tmp/wgserver.pub)" # Server public key

3) Firewall
Treat the VPN network as public. Assign the VPN interface to the WAN zone to minimize firewall setup.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="vpn"
uci add_list firewall.wan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart


4) Network
Configure the VPN interface and its peers.

# Configure network. WG_ADDR is the VPN address of the WireGuard client (set it before running),
# WG_KEY is the private key of the WireGuard client generated in 2).
uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="wireguard"
uci set network.vpn.private_key="${WG_KEY}"
uci add_list network.vpn.addresses="${WG_ADDR}"

# Add VPN peers. WG_PUB is the public key of the WireGuard server generated on Ubuntu 16.04.7 LTS,
# WG_SERV is the public IP address of the WireGuard server,
# WG_PORT is the WireGuard UDP port you use (set WG_SERV and WG_PORT before running).
uci -q delete network.wgserver
uci set network.wgserver="wireguard_vpn"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
# allowed_ips 0.0.0.0/0 together with route_allowed_ips=1 sends all client traffic through the tunnel
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart



5) Testing
Add the public key and VPN address of the WireGuard client to the server to establish the VPN connection.
# WG_ADDR is the address of the WireGuard client
# CLIENT_PUBLIC_KEY is the public key of the WireGuard client generated in 2); you can query it with "cat /tmp/wgclient.pub".
sudo wg set wg0 peer "${CLIENT_PUBLIC_KEY}" allowed-ips "${WG_ADDR}"

Note that "wg set" changes only the running configuration; to keep the peer across server restarts, add it to the server's WireGuard configuration file as well.

Use ping or traceroute to verify that your WireGuard client can reach the server.
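A ping that fails does not tell you why; checking whether the peer actually completed a handshake does. The following POSIX shell function is an added example, not part of the original how-to: it parses the output of "wg show <iface> latest-handshakes" (interface "vpn" on the client, "wg0" on the server) and flags peers that never handshaked or whose last handshake is older than a chosen limit. The sample output and peer key names are constructed, and the 180-second limit is an assumption based on an active tunnel re-handshaking about every two minutes.

```shell
#!/bin/sh
# Added example: verify WireGuard peer handshakes from `wg show <iface> latest-handshakes`.
# Each output line is "<peer-public-key><TAB><unix-timestamp>"; a timestamp of 0 means
# the peer has never completed a handshake.

# handshake_status "<latest-handshakes output>" <now-unix-time> <max-age-seconds>
# Prints "<peer-key> ok|never|stale" per peer; returns 0 only if every peer is ok.
handshake_status() {
    now=$2
    maxage=$3
    printf '%s\n' "$1" | (
        rc=0
        while read -r key ts; do
            [ -n "$key" ] && [ -n "$ts" ] || continue
            if [ "$ts" -eq 0 ]; then
                state=never; rc=1   # no handshake yet: key, endpoint or firewall problem
            elif [ $((now - ts)) -gt "$maxage" ]; then
                state=stale; rc=1   # tunnel was up once but has not re-handshaked recently
            else
                state=ok
            fi
            printf '%s %s\n' "$key" "$state"
        done
        exit $rc                    # subshell status becomes the pipeline's, and the function's
    )
}

# check_iface <interface>: run the check against the live interface ("vpn" on the
# OpenWrt client, "wg0" on the server). Needs root to read WireGuard state.
check_iface() {
    handshake_status "$(wg show "$1" latest-handshakes)" "$(date +%s)" 180
}

# Constructed sample (placeholder keys, not real ones): peer A handshaked 100 s ago, peer B never did.
SAMPLE_HANDSHAKES=$(printf 'PEER_A_PUBKEY_PLACEHOLDER=\t1700000100\nPEER_B_PUBKEY_PLACEHOLDER=\t0\n')

handshake_status "$SAMPLE_HANDSHAKES" 1700000200 180 || echo "at least one peer has no usable handshake"
```

A "never" result points at the key exchange, endpoint or firewall steps above; a "stale" result means the tunnel came up but traffic is no longer flowing in both directions.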