{"id":2086,"date":"2022-10-28T19:55:52","date_gmt":"2022-10-28T23:55:52","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=2086"},"modified":"2022-10-30T10:45:44","modified_gmt":"2022-10-30T14:45:44","slug":"openwrt-as-a-wireguard-client","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2022\/openwrt-as-a-wireguard-client\/","title":{"rendered":"OpenWRT as a wireguard client"},"content":{"rendered":"

\"\"<\/a><\/p>\n

Previously I’ve written about running wireguard as a self hosted VPN<\/a>. In this post I’ll cover how to connect a remote site back to your wireguard installation allowing that remote site to reach machines on your local (private) network. This is really no different than configuring a wireguard client on your phone or laptop, but by doing this on the router you build a network path that anyone on the remote network can use.<\/p>\n

I should probably mention that there are other articles that cover a site-to-site<\/a> configuration, where you have two wireguard enabled routers that extend your network across an internet link. While this is super cool, it wasn’t what I wanted for this use case. I would be remiss in not mentioning tailscale<\/a> as an alternative if you want a site-to-site setup, it allows for the easy creation of a virtual network (mesh) between all of your devices.<\/p>\n

In my case my IoT<\/a> devices can all talk to my MQTT<\/a> installation, and that communication not only allows the gathering of data from the devices, but offers a path to controlling the devices as well. What this means is that an IoT device at the remote site, if it can see the MQTT broker I host on my home server – will be controllable from my home network. Thus setting up a one way wireguard ‘client’ link is all I need.<\/p>\n

I will assume that the publicly visible wireguard setup is based on the linuxserver.io\/wireguard<\/a> container. You’ll want to add a new peer configuration for the remote site. This should generate a peer_remote.conf<\/code> file that should look something like:<\/p>\n

[Interface]\r\nAddress = 10.13.13.4\r\nPrivateKey = SECRETPRIVKEY=\r\nListenPort = 51820\r\nDNS = 10.0.0.8\r\n\r\n[Peer]\r\nPublicKey = SECRETPUBKEY=\r\nPresharedKey = SECRETPRESHARE=\r\nEndpoint = mydomain.com:51820\r\nAllowedIPs = 0.0.0.0\/0, ::\/0<\/pre>\n
This is the same conf file you’d grab and install into a wireguard client, but in our case we want to setup an OpenWRT<\/a> router at a remote location to use this as it’s client configuration. The 10.13.13.x<\/code> address is the default wireguard network for the linuxserver.io container.<\/p>\n
I will assume that we’re on a recent version of OpenWRT (21.02 or above), as of this writing 23.03.2 is the latest stable release. As per the documentation page on setting up the client<\/a> you’ll need to install some packages. This is easy to do via the cli.<\/p>\n
# Install packages\r\nopkg update\r\n# 21.02 or above\r\nopkg install wireguard-tools luci-app-wireguard luci-proto-wireguard<\/pre>\n
Now there are some configuration parameters you need to setup (again in the cli, as we’re going to set some environment variables then use them later).<\/p>\n
# Configuration parameters\r\nWG_IF=\"wg0\"\r\nWG_SERV=\"mydomain.com\"\r\nWG_PORT=\"51820\"\r\nWG_ADDR=\"10.13.13.4\/32\"\r\nWG_KEY=\"SECRETPRIVKEY=\"\r\nWG_PSK=\"SECRETPRESHARE=\"\r\nWG_PUB=\"SECRETPUBKEY=\"<\/pre>\n
Now this is where I got stuck following the documentation. It wasn’t clear to me that the WG_ADDR<\/code> value should be taken from the peer_remote.conf<\/code> file as I’ve done above. I thought this was just another private network value to uniquely identify the new wg0 device I was creating on the OpenWRT router. Thankfully some kind folk on the OpenWRT forum<\/a> helped point me down the right path to figure this out.<\/p>\n
Obviously WG_SERV<\/code> points at our existing wireguard installation, and the three secrets WG_KEY<\/code>, WG_PSK<\/code>, and WG_PUB<\/code> all come from the same peer_remote.conf<\/code> file. I do suspect that one of these might be allowed to be unique for the remote installation however, I know that this works – and I do not believe we are introducing any security issues.<\/p>\n
At this point we have all the configuration we need, and can proceed to configure the firewall and network<\/p>\n
# Configure firewall\r\nuci rename firewall.@zone[0]=\"lan\"\r\nuci rename firewall.@zone[1]=\"wan\"\r\nuci del_list firewall.wan.network=\"${WG_IF}\"\r\nuci add_list firewall.wan.network=\"${WG_IF}\"\r\nuci commit firewall\r\n\/etc\/init.d\/firewall restart\r\n\r\n# Configure network\r\nuci -q delete network.${WG_IF}\r\nuci set network.${WG_IF}=\"interface\"\r\nuci set network.${WG_IF}.proto=\"wireguard\"\r\nuci set network.${WG_IF}.private_key=\"${WG_KEY}\"\r\nuci add_list network.${WG_IF}.addresses=\"${WG_ADDR}\"\r\n \r\n# Add VPN peer\r\nuci -q delete network.wgserver\r\nuci set network.wgserver=\"wireguard_${WG_IF}\"\r\nuci set network.wgserver.public_key=\"${WG_PUB}\"\r\nuci set network.wgserver.preshared_key=\"${WG_PSK}\"\r\nuci set network.wgserver.endpoint_host=\"${WG_SERV}\"\r\nuci set network.wgserver.endpoint_port=\"${WG_PORT}\"\r\nuci set network.wgserver.route_allowed_ips=\"1\"\r\nuci set network.wgserver.persistent_keepalive=\"25\"\r\nuci add_list network.wgserver.allowed_ips=\"0.0.0.0\/0\"\r\nuci commit network\r\n\/etc\/init.d\/network restart<\/pre>\n
This sets up a full tunnel VPN configuration. If you want to permit a split-tunnel then we need to change one line in the above script.<\/p>\n
uci add_list network.wgserver.allowed_ips=\"0.0.0.0\/0\"<\/pre>\n
The allowed_ips<\/code> needs to change to specify the subnet you want to route over this wireguard connection.<\/p>\n
One important note. You need to ensure that your home network and remote network do not have overlapping IP ranges. This would introduce confusion about where to route what. Let’s assume that the home network lives on 192.168.1.0\/24<\/code> – we’d want to ensure that our remote network did not use that range so let’s assume we’ve configure the remote OpenWRT setup to use 192.168.4.0\/24<\/code>. By doing this – we make it easy to know which network we mean when we are routing packets around.<\/p>\n
Thus if we wanted to only send traffic destined for the home network over the wireguard interface, we’d specify:<\/p>\n
uci add_list network.wgserver.allowed_ips=\"192.168.1.0\/24\"<\/pre>\n
As another way of viewing this configuration, let’s go take a peek at the config files on the OpenWRT router.<\/p>\n
\/etc\/config\/network<\/code> will have two new sections<\/p>\n
config interface 'wg0'\r\n\toption proto 'wireguard'\r\n\toption private_key 'SECRETPRIVKEY='\r\n\tlist addresses '10.13.13.4\/32'\r\n\r\nconfig wireguard_wg0 'wgserver'\r\n\toption public_key 'SECRETPUBKEY='\r\n\toption preshared_key 'SECRETPRESHARE='\r\n\toption endpoint_host 'mydomain.com'\r\n\toption endpoint_port '51820'\r\n\toption route_allowed_ips '1'\r\n\toption persistent_keepalive '25'\r\n\tlist allowed_ips '192.168.1.0\/24'<\/pre>\n
and the \/etc\/config\/firewall<\/code> will have one modified section<\/p>\n
config zone 'wan'\r\n\toption name 'wan'\r\n\tlist network 'wan'\r\n\tlist network 'wan6'\r\n\tlist network 'wg0'\r\n\toption input 'REJECT'\r\n\toption output 'ACCEPT'\r\n\toption forward 'REJECT'\r\n\toption masq '1'\r\n\toption mtu_fix '1'<\/pre>\n
You’ll note that the wg0<\/code> device is part of the wan<\/code> zone.<\/p>\n
It really is pretty cool to have IoT devices at a remote site, magically controlled over the internet – and I don’t need any cloud services to do this.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Previously I’ve written about running wireguard as a self hosted VPN. In this post I’ll cover how to connect a remote site back to your wireguard installation allowing that remote site to reach machines on your local (private) network. This is really no different than configuring a wireguard client on your phone or laptop, but … Continue reading “OpenWRT as a wireguard client”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12,21],"tags":[],"class_list":["post-2086","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to","category-network"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/2086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=2086"}],"version-history":[{"count":3,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/2086\/revisions"}],"predecessor-version":[{"id":2090,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/2086\/revisions\/2090"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=2086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=2086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=2086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}