Today I finally came around to replace my OPNsense VM with an old EdgeRouter X. Don’t misunderstand me, OPNsense is absolutely great, but I reboot or rebuild my VM host way too often for it to be feasible anymore.
Anyways, back to Wireguard: On OPNsense I ran OpenVPN which, while it worked great, was annoying to configure, especially with certificates and different clients like Android and iOS. Also, openVPN isn’t that easy on the CPU, which the relatively inexpensive EdgeRouter does not excel at.
This guide is mostly for me to remember how to set it up again, hope you’re getting some use out of this too.
The EdgeRouter-series is
.deb-based, which makes the installation pretty straightforward:
- Enable SSH (Web UI > System > SSH Server > Enable) and log in into your EdgeRouter.
Download the installation package from https://github.com/Lochnair/vyatta-wireguard/releases and either transfer it to the router (via SCP) or just download it directly onto it. The official forum post by the Wireguard creator zx2c4 can be found at https://community.ui.com/questions/Release-WireGuard-for-EdgeRouter/3765d2a4-1952-4629-948a-3ac9d9c22311. This is just to verify that the EdgeRouter packages are more-or-less official. If you are using an ERX you will need the E50-package, also the new v2.0 version has worked fine for me. Remember to check for newer versions!
ubnt@erx: wget https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20191219-2/wireguard-v2.0-e50-0.0.20191219-2.deb
ubnt@erx: sudo dpkg -i /path/to/wireguard-v2.0-e50-0.0.20191219-2.deb
On your workstation, create public and private keys for your server:
merlin@desktop: wg genkey | tee server_priv | wg pubkey > server_pub
Also, create key pairs for every client you want to connect with:
merlin@desktop: wg genkey | tee phone_priv | wg pubkey > phone_pub merlin@desktop: wg genkey | tee notebook_priv | wg pubkey > notebook_pub merlin@desktop: wg genkey | tee tablet_priv | wg pubkey > tablet_pub
On the EdgeRouter, edit the config tree:
interfaces > wireguard:
- Add wg0 (or any other device name)
interfaces > wireguard > wg0:
address: Enter an address on an unused subnet. We will use
private_key: Copy/Pase the generated private key for the server.
listen-port: The port to listen on for connections. Default:
interfaces > wireguard > wg0 > peer:
- Add the public key of every client you want to connect with.
interfaces > wireguard > wg0 > peer > $CLIENT1PUBLICKEY:
allowed-ips: Add an unique IP address from the wg0 subnet. Following our example:
description: Add a description if you don’t want to remember which public key is which.
persistent-keepalive: Enter a value like
25if you want to routinely send “still-alive” packages.
Also on the EdgeRouter, under Firewall/NAT > Firewall Policies, add a new ruleset for allowing incoming wireguard connections:
- Interface: wg0; Direction: local -Configuration:
- Allow UDP, Port
51820on interface wan
- Allow UDP, Port
After that you may want to configure routing so that connections coming from the wg0-interface may or may not access other subnets/vlans/hosts/… on your network. Also, remember to unblock the wireguard port in any other routers/firewalls you may have.
On your host, create a config file for each client:
merlin@des# cat phone.conf [Interface] PrivateKey = CLIENT1PRIVATEKEY Address = 192.168.21.2/24 # Optional: DNS = 192.168.21.1 # If you are using an internal DNS server, remember to allow it from the new interface [Peer] PublicKey = SERVERPUBLICKEY # Remember to change the port if using a custom one Endpoint = your.domain.tld:51820 # If you want to route all traffic through the VPN, use this: AllowedIPs = 0.0.0.0/0, ::/0 # Otherwise, enter only the IP ranges inside your target network: # AllowedIPs = 192.168.20.0/24
If you quickly and securely want to move the config to your Android/iOS device you can run
qrencode -t ansiutf8 < phone.conf and scan the code with the wireguard app on your phone.
If all worked well, you now should be able to connect to your home network from anywhere!