
@kckrinke
Last active July 1, 2018 17:43
WireGuard for Edge Routers

This guide assumes the following:

  • the local network is 10.0.0.0/24
  • the WireGuard network is 10.0.1.0/24 (the router takes 10.0.1.1, the phone 10.0.1.2)
  • router is the LAN IP address (or hostname) of the EdgeMAX router
  • user is the admin username on the EdgeMAX router
  • PEER_PUBLIC_KEY is the public key generated on the Android device in the steps below; the phone's private key never leaves the phone

install WireGuard on an Android device

Install the WireGuard app from F-Droid (it is also on Google Play) like any other app.

create an initial profile from scratch, using the WireGuard app

  • Give the profile a unique name that makes sense to you
  • Generate the key pair (one button press); the private key stays on the phone
  • Set the address to 10.0.1.2/32
  • Set the DNS server to 1.1.1.1 (or your preferred resolver; with a full tunnel it is queried through the VPN)
  • Save the profile
  • Copy only the public key (share button, QR code, or type it over) to the computer you administer the router from; it becomes PEER_PUBLIC_KEY below

download the .deb for your router from https://github.com/Lochnair/vyatta-wireguard/releases

Pick the package built for your router's board and for the EdgeOS firmware version you are running (the release notes list it): e100 is the ERLite-3 / ERPoe-5 build, other models need the matching e50, e200, e300 or e1000 package. This is a third-party kernel module you will install as root, so take the file from the release you actually reviewed rather than from a mirror.

wget -c https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20180625-1/wireguard-e100-0.0.20180625-1.deb

scp the deb to your router

scp wireguard-e100-0.0.20180625-1.deb user@router:./

install the deb file

The package does not survive an EdgeOS firmware upgrade, so reinstall it after every upgrade; the keys and configuration kept under /config do persist.

ssh user@router
sudo dpkg -i wireguard-e100-0.0.20180625-1.deb

generate keys

The rest of the router setup runs as root in the same ssh session. The private key must be readable only by root, so write it with a restrictive umask (the subshell keeps the umask change from affecting the config commands that follow):

sudo su -
(umask 077; wg genkey | tee /config/auth/wg.key | wg pubkey > /config/auth/wg.pub)

configure the service

Still as root, enter configuration mode. allowed-ips for the peer is a /32 because the phone is a single host; route-allowed-ips true installs the matching route on wg0 at commit time.

configure
set interfaces wireguard wg0 address 10.0.1.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 peer PEER_PUBLIC_KEY allowed-ips 10.0.1.2/32
commit
save
exit

add a peer to the mobile device's configuration

  • Edit the profile made previously
  • Press the ADD PEER button
  • Set the peer's public key to the router's public key, i.e. the output of cat /config/auth/wg.pub on the router
  • Set allowed-ips to 0.0.0.0/0 (full tunnel: all phone traffic, DNS included, goes through the router; use 10.0.0.0/24, 10.0.1.0/24 instead if you only want access to the home LAN)
  • Set the endpoint to your router's public IP address or DNS name and port 51820, e.g. example.com:51820
  • Set the persistent keepalive to 60 (the WireGuard documentation suggests 25 if the phone sits behind a NAT that expires idle UDP mappings quickly)
  • Save the profile
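The same phone profile as an importable WireGuard configuration file, added here for reference (it is not part of the original gist; the WireGuard app imports files in this format, so it is an alternative to filling the fields in by hand). PHONE_PRIVATE_KEY and ROUTER_PUBLIC_KEY are placeholders for the key generated on the phone and the contents of /config/auth/wg.pub, and example.com stands for the router's public address.

```ini
# Added example, not from the original gist: the phone side of the tunnel.
# PHONE_PRIVATE_KEY / ROUTER_PUBLIC_KEY / example.com are placeholders.
[Interface]
PrivateKey = PHONE_PRIVATE_KEY
Address = 10.0.1.2/32
# Resolver used while the tunnel is up. With the full tunnel below it is
# queried through the router; with the split-tunnel alternative it is not,
# so point it at a LAN resolver (e.g. the router, 10.0.0.1) in that case.
DNS = 1.1.1.1

[Peer]
PublicKey = ROUTER_PUBLIC_KEY
# Full tunnel: every packet leaving the phone goes through the router.
AllowedIPs = 0.0.0.0/0
# Split tunnel alternative: only the home LAN and the WireGuard range.
# AllowedIPs = 10.0.0.0/24, 10.0.1.0/24
Endpoint = example.com:51820
PersistentKeepalive = 60
```

Which AllowedIPs line is active decides what the router has to do for you: the split tunnel only needs forwarding between wg0 and the LAN, the full tunnel additionally needs the router to masquerade 10.0.1.0/24 towards the Internet.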

open UDP port 51820 on WAN_LOCAL (or whatever your WAN firewall ruleset is called)

This is left as an exercise for the reader.
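One way to do that exercise, as an added example rather than part of the original gist: the EdgeOS configuration that accepts WireGuard on the WAN and masquerades VPN clients towards the Internet (only needed for the 0.0.0.0/0 full tunnel). It assumes the router was set up with the usual wizard layout, i.e. WAN_LOCAL exists with default-action drop and eth0 is the WAN interface, and that rule numbers 30 and 5011 are free; check with show firewall name WAN_LOCAL and show service nat in configuration mode before committing, and adjust the numbers if they collide.

```text
configure
set firewall name WAN_LOCAL rule 30 description 'WireGuard'
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 51820
set service nat rule 5011 description 'masquerade WireGuard clients'
set service nat rule 5011 type masquerade
set service nat rule 5011 outbound-interface eth0
set service nat rule 5011 source address 10.0.1.0/24
commit
save
exit
```

Only UDP 51820 is opened; WireGuard never answers packets that fail authentication, so the port does not show up to a scanner as open. If your existing masquerade rule (usually 5010) has no source restriction it already covers 10.0.1.0/24 and rule 5011 is redundant. Note that no firewall ruleset is attached to wg0 by this guide, so an authenticated peer can reach the whole LAN; attach one to wg0 (in the same way as LAN_IN) if VPN clients should see less than that.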

try it out!

Toggle the switch for the profile to the "on" position and test from mobile data rather than the home Wi-Fi, so the handshake really arrives over the WAN. Then reach something on the LAN (ssh to the router's LAN address, for example) and, with allowed-ips 0.0.0.0/0, confirm that a what-is-my-IP site reports the router's public address.
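On the router, sudo wg show wg0 reports each peer's latest handshake, which is the real indicator that the tunnel is up (the profile switch on the phone only says that the phone is trying). The script below is an added example, not from the gist or the WireGuard project: it reads the machine-readable form of that output (wg show wg0 dump) and decides whether a peer is actually passing traffic. SAMPLE_DUMP is constructed data with placeholder keys so it runs offline; on the router you would feed it the real dump and the current time as shown in the comments.

```sh
#!/bin/sh
# Added example (not from the original gist or the WireGuard project).
# `wg show wg0 dump` prints one header line for the interface
# (private-key public-key listen-port fwmark) and then one tab-separated
# line per peer:
#   pubkey  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 if the peer never completed one.
#
# On the router:  sudo wg show wg0 dump > /tmp/wg.dump
#                 peer_is_up "$(cat /tmp/wg.dump)" PEER_PUBLIC_KEY "$(date +%s)"
#
# SAMPLE_DUMP is CONSTRUCTED: the keys are placeholders, not real keys.
SAMPLE_DUMP="$(printf 'ROUTER_PRIVATE_KEY\tROUTER_PUBLIC_KEY\t51820\toff\n'
printf 'PHONE_PUBLIC_KEY\t(none)\t203.0.113.5:41234\t10.0.1.2/32\t1530400000\t4096\t8192\toff\n'
printf 'LAPTOP_PUBLIC_KEY\t(none)\t(none)\t10.0.1.3/32\t0\t0\t0\toff\n')"

# peer_handshake_age DUMP PUBKEY NOW
# Prints the seconds since PUBKEY's latest handshake, or -1 when the peer is
# not in the dump or has never handshaked.
peer_handshake_age() {
    printf '%s\n' "$1" | awk -F '\t' -v key="$2" -v now="$3" '
        NR > 1 && $1 == key {
            found = 1
            if ($5 == 0) print "-1"; else print now - $5
            exit
        }
        END { if (!found) print "-1" }'
}

# peer_is_up DUMP PUBKEY NOW [MAX_AGE]
# A peer that is passing traffic re-handshakes within 120 s (WireGuard's
# rekey-after-time) and a session is discarded after 180 s, so a handshake
# older than MAX_AGE (default 180 s) means the tunnel is not really working,
# whatever the phone's profile switch says. Exit status 0 = up.
peer_is_up() {
    max_age="${4:-180}"
    age="$(peer_handshake_age "$1" "$2" "$3")"
    [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]
}

# report_peers DUMP NOW: one status line per peer in the dump.
report_peers() {
    printf '%s\n' "$1" | awk -F '\t' 'NR > 1 { print $1 }' | while read -r key; do
        if peer_is_up "$1" "$key" "$2"; then
            printf '%s up (handshake %ss ago)\n' "$key" "$(peer_handshake_age "$1" "$key" "$2")"
        else
            printf '%s DOWN\n' "$key"
        fi
    done
}

# With the constructed dump and NOW = 1530400060 the phone is up (60 s old
# handshake) and the laptop, which never handshaked, is down.
report_peers "$SAMPLE_DUMP" 1530400060
```

A handshake that is fresh but traffic that still does not flow points past WireGuard itself: the phone gets a handshake but no replies when the WAN firewall is fine but forwarding or the masquerade rule for 10.0.1.0/24 is missing.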
