wireguard / openwrt / server / client

Links:

https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client
https://wiki.shulepov.com/software/openwrt/wireguard
https://github.com/IgorKha/wireguard-mikrotik
https://habr.com/ru/post/594877/
https://interface31.ru/tech_it/2022/04/nastroyka-wireguard-vpn-na-routerah-mikrotik.html

Server wireguard openwrt:

0. Edit the firewall
vim /etc/config/firewall
------------------------
config zone
option name             wan
list   network          'wan'
option input            ACCEPT
------------------------

1. Edit the interfaces
vim /etc/config/network
-----------------------
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'
-----------------------

2. Install the packages:
opkg update
opkg install wireguard-tools
opkg install luci-i18n-wireguard-ru
opkg install luci-i18n-base-ru
reboot


3. Create a directory and generate the keys for the wg server and client:
cd /root && mkdir wgkeys && cd wgkeys
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk


4. Load the variables (paste the variables into the console):
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wgclient.psk)"
WG_PUB="$(cat wgclient.pub)"

5. Configure the firewall
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
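The zone stanza in step 0 sets `option input ACCEPT` on the wan zone. The input policy governs traffic addressed to the router itself, so ACCEPT exposes every service listening on the WAN address (dropbear, LuCI, dnsmasq), not just WireGuard. The `Allow-WireGuard` rule created in step 5 already opens UDP ${WG_PORT} explicitly, so the zone can keep the OpenWrt default policy of REJECT. The client in the second half of the page needs no inbound rule at all: it initiates the tunnel and `persistent_keepalive` keeps the NAT mapping alive. The `/etc/config/firewall` excerpt below is an added example, not taken from the page's sources, showing how the two stanzas look after step 5 with the input policy restored to REJECT; the port value 51820 is the one assumed by step 4.

```text
# Added example: wan zone with the default REJECT input policy.
# Only the explicit rule below lets WAN traffic reach the router.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Created by "uci set firewall.wg=rule ..." in step 5 (named section 'wg').
# UDP 51820 is the WG_PORT value from step 4.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` and confirm with `iptables-save -c | grep 51820` (from the troubleshooting section) that the UDP port is the only new accept on the WAN input chain.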

6. Configure the wg interface:

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart
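Step 4 reads the keys with `$(cat …)` and step 6 derives the peer's addresses with `${WG_ADDR%.*}.2/32` and `${WG_ADDR6%:*}:2/128`. Two things go wrong silently: if a key file is missing or empty, `uci set` stores an empty `private_key`/`public_key` and the interface never handshakes, and the address expansion covers exactly one peer. The shell functions below are an added example written for this page (not from the OpenWrt wiki or the other linked sources): `wg_key_ok` checks that a value has the shape of a WireGuard key (32 bytes base64-encoded, 44 characters), `read_key` refuses a bad key file, `peer_v4`/`peer_v6` generalise the two expansions to the n-th peer so a second client gets `.3/32` and `::3/128`, and `gen_peer` prints the step-6 uci commands for one peer instead of running them. The section name `wgclient2` and the key value in the test are constructed for the demo; WG_IF, WG_ADDR and WG_ADDR6 are assumed to be set as in step 4.

```shell
#!/bin/sh
# Added example: validate key material and derive per-peer allowed_ips
# before feeding them to uci. Runs in BusyBox ash on OpenWrt and in bash.

# A WireGuard private/public/preshared key is 32 bytes in base64: 42 base64
# characters, one character whose low two bits are zero, then one '='.
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the key stored in file $1, or fail if it is missing/empty/malformed.
# The page's WG_KEY="$(cat wgserver.key)" would pass "" on to uci unnoticed.
read_key() {
    key="$(cat "$1" 2>/dev/null)" || { echo "cannot read $1" >&2; return 1; }
    wg_key_ok "$key" || { echo "$1 does not contain a WireGuard key" >&2; return 1; }
    printf '%s\n' "$key"
}

# peer_v4 192.168.9.1/24 3 -> 192.168.9.3/32
# Same %.* expansion as step 6, for any host number 2..254 in the /24.
peer_v4() {
    [ "$2" -ge 2 ] && [ "$2" -le 254 ] || { echo "host index $2 out of range" >&2; return 1; }
    printf '%s.%s/32\n' "${1%.*}" "$2"
}

# peer_v6 fdf1:e8a1:8d3f:9::1/64 3 -> fdf1:e8a1:8d3f:9::3/128
# The %:* expansion only yields a valid address when the server address ends
# in "::1"; any other form would produce a second "::", so it is rejected.
peer_v6() {
    case "$1" in
        *::1/*) ;;
        *) echo "expected an address ending in ::1/<prefix>, got $1" >&2; return 1 ;;
    esac
    printf '%s:%s/128\n' "${1%:*}" "$2"
}

# gen_peer <section> <pubkey-file> <psk-file> <n>
# Prints the uci commands of step 6 for peer number n; pipe into sh to apply.
gen_peer() {
    pub="$(read_key "$2")" || return 1
    psk="$(read_key "$3")" || return 1
    v4="$(peer_v4 "$WG_ADDR" "$4")" || return 1
    v6="$(peer_v6 "$WG_ADDR6" "$4")" || return 1
    cat <<EOF
uci -q delete network.$1
uci set network.$1="wireguard_${WG_IF}"
uci set network.$1.public_key="$pub"
uci set network.$1.preshared_key="$psk"
uci add_list network.$1.allowed_ips="$v4"
uci add_list network.$1.allowed_ips="$v6"
EOF
}

# Usage on the router, from /root/wgkeys with the step-4 variables loaded:
#   gen_peer wgclient  wgclient.pub  wgclient.psk  2 | sh
#   gen_peer wgclient2 wgclient2.pub wgclient2.psk 3 | sh   # second client
#   uci commit network && /etc/init.d/network restart
```

Each client keeps its own preshared key (`wg genpsk` per peer, as in step 3), and the generated `allowed_ips` is a single /32 and /128, so the server only routes that client's address into the tunnel.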


7. Load the keys onto the client:


Client wireguard openwrt:


0. Edit the firewall
vim /etc/config/firewall
------------------------
config zone
option name             wan
list   network          'wan'
option input            ACCEPT
------------------------

1. Edit the interfaces
vim /etc/config/network
-----------------------
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'
-----------------------


2. Load the variables (paste the variables into the console):
# Configuration parameters
WG_IF="vpn"
WG_SERV="IP_ADDRESS_SERVER_WG"
WG_PORT="51820"
WG_ADDR="192.168.9.2/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::2/64"
WG_KEY="$(cat wgclient.key)"
WG_PSK="$(cat wgclient.psk)"
WG_PUB="$(cat wgserver.pub)"

3. Change to the key directory:
cd /root/wgkeys

4. Configure the firewall for wg0:
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

5. Configure the wg0 interface:
# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

Troubleshooting:

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; sleep 10
 
# Log and status
logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
 
# Runtime configuration
pgrep -f -a wg; wg show; wg showconf vpn
ip address show; ip route show table all
ip rule show; iptables-save -c
ip -6 rule show; ip6tables-save -c
 
# Persistent configuration
uci show network; uci show firewall; crontab -l
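`wg show` in the block above prints the latest handshake per peer, but reading it by eye does not scale once there are several clients. The function below is an added example (not from the page's sources): it parses text in the format of `wg show <iface> latest-handshakes`, one `<public-key> <unix-timestamp>` line per peer with 0 meaning no handshake yet, and reports peers that have never handshaked or whose last handshake is older than a threshold. WireGuard re-handshakes roughly every two minutes while traffic flows, so 180 seconds is a reasonable default for an active tunnel; an idle peer is expected to look stale, while "never" right after `/etc/init.d/network restart` points at a wrong key, preshared key, endpoint or firewall rule. The sample input and its keys are constructed; `check_iface` is the live wrapper to run on the router.

```shell
#!/bin/sh
# Added example: flag peers without a recent handshake.
# Input format is that of `wg show <iface> latest-handshakes`:
#   <public-key><tab><unix-timestamp>   (0 = never handshaked)

# stale_peers "<handshake text>" <now-epoch> <max-age-seconds>
# Prints "<key> never" or "<key> stale <age>s" for each problem peer.
stale_peers() {
    printf '%s\n' "$1" | while read -r key ts; do
        [ -n "$key" ] || continue
        # skip anything that is not a plain integer timestamp
        case "$ts" in ''|*[!0-9]*) continue ;; esac
        if [ "$ts" -eq 0 ]; then
            echo "$key never"
        elif [ $(( $2 - ts )) -gt "$3" ]; then
            echo "$key stale $(( $2 - ts ))s"
        fi
    done
}

# check_iface <iface> [max-age]: run against the live interface, e.g.
#   check_iface vpn 180
# Exit status 1 when at least one peer is reported, so it can go in cron.
check_iface() {
    out="$(stale_peers "$(wg show "$1" latest-handshakes)" "$(date +%s)" "${2:-180}")"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: three peers, keys are placeholders, not real keys.
SAMPLE='peerA_constructed= 1700000000
peerB_constructed= 1699999000
peerC_constructed= 0'
```

With the sample and a reference time of 1700000100, peer A (100 s old) is fine, peer B (1100 s old) is reported as stale and peer C as never; `stale_peers "$SAMPLE" 1700000100 180` prints those two lines.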