b.liu | e958203 | 2025-04-17 19:18:16 +0800
This how-to describes the method for setting up a WireGuard client.
========================================
Here we take 1803 (i.e. Falcon) as an example.
The WireGuard server tested in this how-to was created on Ubuntu 16.04.7 LTS.

1) make menuconfig and select "CONFIG_PACKAGE_wireguard-tools" and save your new configuration.
make kernel_menuconfig and select "CONFIG_WIREGUARD" and save your new kernel configuration.
And then rebuild: make -j8 V=99

2) Key management
Generate and exchange keys between server and client.

# Generate keys
wg genkey | tee /tmp/wgserver.key | wg pubkey > /tmp/wgserver.pub
wg genkey | tee /tmp/wgclient.key | wg pubkey > /tmp/wgclient.pub

WG_KEY="$(cat /tmp/wgclient.key)" # Client private key
WG_PUB="$(cat /tmp/wgserver.pub)" # Server public key

3) Firewall
Consider the VPN network as public. Assign the VPN interface to the WAN zone to minimize firewall setup.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="vpn"
uci add_list firewall.wan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart

4) Network
Configure the VPN interface and peers.

# Configure network. WG_ADDR is the address of the WireGuard client,
# WG_KEY is the private key of the WireGuard client generated in 2).
uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="wireguard"
uci set network.vpn.private_key="${WG_KEY}"
uci add_list network.vpn.addresses="${WG_ADDR}"

# Add VPN peers. WG_PUB is the public key of the WireGuard server generated on Ubuntu 16.04.7 LTS,
# WG_SERV is the public IP address of the WireGuard server,
# WG_PORT is the WireGuard UDP port you use.
uci -q delete network.wgserver
uci set network.wgserver="wireguard_vpn"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart

5) Testing
Add the public key and IP address of the WireGuard client to the server to establish the VPN connection.
# WG_ADDR is the address of the WireGuard client.
# CLIENT_PUBLIC_KEY is the public key of the WireGuard client generated in 2); you can query it with "cat /tmp/wgclient.pub".
sudo wg set wg0 peer "${CLIENT_PUBLIC_KEY}" allowed-ips "${WG_ADDR}"

Use ping or traceroute to verify that your WireGuard client can reach the server.