Ссылки:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server https://openwrt.org/docs/guide-user/services/vpn/wireguard/client https://wiki.shulepov.com/software/openwrt/wireguard https://github.com/IgorKha/wireguard-mikrotik https://habr.com/ru/post/594877/ https://interface31.ru/tech_it/2022/04/nastroyka-wireguard-vpn-na-routerah-mikrotik.html |
Server wireguard openwrt:
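# ---------------------------------------------------------------------------
# WireGuard server on OpenWrt. Run as root on the router; steps 0-1 are
# manual edits, steps 2-7 are commands to paste into the console in order.
# ---------------------------------------------------------------------------

# 0. Firewall: vim /etc/config/firewall
#    The original note sets the wan zone like this:
#    ------------------------
#    config zone
#        option name wan
#        list network 'wan'
#        option input ACCEPT
#    ------------------------
#    NOTE: 'option input ACCEPT' on the wan zone exposes every service the
#    router listens on (ssh, LuCI, dns, ...) to the Internet. It is not needed
#    for the tunnel: the Allow-WireGuard rule added in step 5 admits exactly
#    UDP ${WG_PORT}. Leaving the stock (reject) input policy is sufficient.

# 1. Interfaces: vim /etc/config/network
#    -----------------------
#    config interface 'loopback'
#        option device 'lo'
#        option proto 'static'
#        option ipaddr '127.0.0.1'
#        option netmask '255.0.0.0'
#
#    config interface 'wan'
#        option device 'eth0'
#        option proto 'dhcp'
#    -----------------------

# 2. Install packages (Russian LuCI translations are optional)
opkg update
opkg install wireguard-tools
opkg install luci-i18n-wireguard-ru
opkg install luci-i18n-base-ru
reboot

# 3. Create the key directory and generate the server/client key pairs and
#    the pre-shared key.
#    umask 077 first: the .key and .psk files are created by tee/redirection
#    with the shell's umask, so this keeps them readable by root only.
umask 077
cd /root && mkdir wgkeys && cd wgkeys
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk

# 4. Load variables (paste into the console). Must be run from /root/wgkeys,
#    because the last three read the key files from the current directory.
#    WG_KEY is the server's private key; WG_PUB/WG_PSK belong to the client peer.
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wgclient.psk)"
WG_PUB="$(cat wgclient.pub)"

# 5. Firewall: put the tunnel interface into the lan zone and open the
#    listen port on wan.
#    The two renames assume the stock zone order (zone 0 = lan, zone 1 = wan);
#    verify with 'uci show firewall' on a customised firewall before running.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
# Single inbound rule: UDP ${WG_PORT} from wan. This is the only WAN exposure
# the server needs.
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

# 6. WireGuard interface plus the single client peer.
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
# Peer section: only the client's own tunnel addresses are accepted as
# sources. ${WG_ADDR%.*} drops the trailing ".1/24" (-> 192.168.9), and
# ${WG_ADDR6%:*} drops the trailing ":1/64" (-> fdf1:e8a1:8d3f:9:), so the
# peer gets 192.168.9.2/32 and fdf1:e8a1:8d3f:9::2/128.
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart

# 7. Copy the client's key material to the client (the original note stops
#    here). The client side reads wgclient.key, wgclient.psk and wgserver.pub
#    from /root/wgkeys; transfer them over a trusted channel (e.g. scp) and
#    never copy wgserver.key off the server.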
Client wireguard openwrt:
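# ---------------------------------------------------------------------------
# WireGuard client on OpenWrt (full-tunnel: all traffic goes to the server).
# Run as root on the client router. Steps 0-1 are manual edits, the rest are
# commands to paste into the console in order.
# Fix vs. the original note: the 'cd /root/wgkeys' was listed AFTER the
# variables that 'cat' the key files; it has been moved in front of them.
# ---------------------------------------------------------------------------

# 0. Firewall: vim /etc/config/firewall
#    The original note sets the wan zone like this:
#    ------------------------
#    config zone
#        option name wan
#        list network 'wan'
#        option input ACCEPT
#    ------------------------
#    NOTE: a client opens no inbound port at all (it dials endpoint_host), so
#    'option input ACCEPT' on wan is not needed for the tunnel. It is also
#    risky here: step 4 puts the tunnel interface into the wan zone, so with
#    ACCEPT everything reachable through the tunnel can hit the router's own
#    services. Keep the stock (reject) input policy.

# 1. Interfaces: vim /etc/config/network
#    -----------------------
#    config interface 'loopback'
#        option device 'lo'
#        option proto 'static'
#        option ipaddr '127.0.0.1'
#        option netmask '255.0.0.0'
#
#    config interface 'wan'
#        option device 'eth0'
#        option proto 'dhcp'
#    -----------------------

# 2. Go to the key directory (originally step 3). The files wgclient.key,
#    wgclient.psk and wgserver.pub must have been copied here from the server.
cd /root/wgkeys

# 3. Load variables (paste into the console).
#    WG_SERV is a placeholder for the server's public IP or hostname.
#    WG_KEY is the client's private key; WG_PUB is the server's public key.
WG_IF="vpn"
WG_SERV="IP_ADDRESS_SERVER_WG"
WG_PORT="51820"
WG_ADDR="192.168.9.2/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::2/64"
WG_KEY="$(cat wgclient.key)"
WG_PSK="$(cat wgclient.psk)"
WG_PUB="$(cat wgserver.pub)"

# 4. Firewall: the tunnel is treated as an upstream, so it joins the wan zone.
#    The renames assume the stock zone order (zone 0 = lan, zone 1 = wan);
#    verify with 'uci show firewall' on a customised firewall before running.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# 5. WireGuard interface and the server peer. No listen_port: the client only
#    initiates.
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
# Peer section. allowed_ips 0.0.0.0/0 and ::/0 together with
# route_allowed_ips=1 send ALL traffic through the tunnel (full tunnel);
# persistent_keepalive keeps the NAT mapping alive every 25 s.
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart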
Troubleshooting:
# Troubleshooting the WireGuard tunnel on OpenWrt (run as root on the router).

# Restart logging and networking, then give the tunnel a moment to come up.
/etc/init.d/log restart
/etc/init.d/network restart
sleep 10

# Log and status: messages mentioning the vpn interface, plus UDP listeners
# (the grep keeps only udp sockets with no owning program shown).
logread -e vpn
netstat -l -n -p | grep -e "^udp\s.*\s-$"

# Runtime configuration.
# 'wg showconf vpn' prints the interface's private key and peer PSKs in
# clear — do not paste that output into tickets or chat.
pgrep -f -a wg
wg show
wg showconf vpn
ip address show
ip route show table all
ip rule show
iptables-save -c
ip -6 rule show
ip6tables-save -c

# Persistent configuration.
# 'uci show network' also reveals network.vpn.private_key and the peer's
# preshared_key; redact before sharing.
uci show network
uci show firewall
crontab -l