This guide shows how to connect TH-100 STBs to a Wireguard VPN server. On the server side you need a Linux box with Wireguard installed. For Debian/Ubuntu simply run:
$ sudo apt install wireguard
$ sudo sysctl -w net.ipv4.ip_forward=1
Your TH-100 STBs need to run firmware version 286 or later.
- Generate private key for the server:
$ wg genkey
CIVLquqtzkI2uZCKj2DEu2zqxp1kalvyO7KHojO1EmE=
The private key goes into /etc/wireguard/wg0.conf on the server.
- Generate the corresponding public key:
$ echo -n 'CIVLquqtzkI2uZCKj2DEu2zqxp1kalvyO7KHojO1EmE=' | wg pubkey
oh4Mqs83cq6zvh0uZ1VLmocXp5v/IjB52C9Z6HC0BwU=
The public key needs to be configured on each TH-100 which will connect to the server (see below).
Let's say that you want to connect two STBs with MACs d0:9f:d9:a0:20:ea and d0:9f:d9:a0:20:a6.
You can obtain the public key of a TH-100 from its MAC address like this:
$ curl https://stb.xakcop.com/pubkey/d0:9f:d9:a0:20:ea
SKTXhheT0P6aOWPLhcHdrcr2DheVPsAEkX+7WKiL23o=
$ curl https://stb.xakcop.com/pubkey/d0:9f:d9:a0:20:a6
gDIVnYb5ca4TpOKI3pPT3UuhpHWGXASSsoOD34i4hx8=
Now put the following into /etc/wireguard/wg0.conf
[Interface]
# This is the IP address of the server, it needs to be in the 10.0.0.0/8 network
Address = 10.0.0.1/8
# The UDP port used for Wireguard
ListenPort = 51820
# The server private key from above
PrivateKey = CIVLquqtzkI2uZCKj2DEu2zqxp1kalvyO7KHojO1EmE=
# substitute eth0 in the following lines to match the Internet-facing interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# This is the public key for TH-100 with MAC d0:9f:d9:a0:20:ea
PublicKey = SKTXhheT0P6aOWPLhcHdrcr2DheVPsAEkX+7WKiL23o=
# The IP of each TH-100 is "10.x.y.z" where x.y.z are the last 3 octets of the MAC address in decimal. The netmask must always be /32
AllowedIPs = 10.160.32.234/32
[Peer]
# This is the public key for TH-100 with MAC d0:9f:d9:a0:20:a6
PublicKey = gDIVnYb5ca4TpOKI3pPT3UuhpHWGXASSsoOD34i4hx8=
# The IP of each TH-100 is "10.x.y.z" where x.y.z are the last 3 octets of the MAC address in decimal. The netmask must always be /32
AllowedIPs = 10.160.32.166/32
You can start the server with:
sudo wg-quick up wg0
and bring it down with:
sudo wg-quick down wg0
Let's say that the public IP of your Wireguard server is 163.172.161.0. Create a th100.ini file with the following content:
[Wireguard]
Enable=1
Endpoint=163.172.161.0:51820
ServerKey=oh4Mqs83cq6zvh0uZ1VLmocXp5v/IjB52C9Z6HC0BwU=
Please note that you must use an IP address for the server; hostnames don't work. Put this file on a flash drive and then boot each TH-100 with it. Once booted, the box should connect to your VPN and route all of its traffic through it.
The creation of config files can be automated with the th100-wg.py script.
Save all TH-100 MAC addresses into a file (e.g. macs.txt):
$ cat macs.txt
d0:9f:d9:a0:20:a6
d0:9f:d9:a0:20:a7
d0:9f:d9:a0:20:a8
d0:9f:d9:a0:20:a9
Then run the script like this:
$ ./th100-wg.py macs.txt 163.172.161.0:51820
Server config saved to wg0.conf
TH-100 config saved to th100.ini
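The following is an added example of such a generator, written here and not the guide's own th100-wg.py. It implements the address scheme and the two file layouts shown above and adds the checks a practitioner would want: MACs are validated, the endpoint is rejected unless it is IPv4:port (the box does not resolve hostnames), two MACs that differ only in the vendor prefix and would therefore collide on the same 10.x.y.z address are refused rather than silently written out, and wg0.conf is created with mode 0600 because it holds the server private key. SAMPLE_PUBKEYS is a constructed offline stand-in for the stb.xakcop.com lookup; main() uses the real URL and the wg tool, so it needs network access and wireguard-tools.

```python
#!/usr/bin/env python3
"""Generate wg0.conf (server) and th100.ini (box) from a list of TH-100 MACs.
Added example, not the guide's script. SAMPLE_PUBKEYS is constructed test data."""
import ipaddress
import os
import re
import subprocess
import sys
import urllib.request

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample: the two MAC / public-key pairs shown in the guide, so the
# functions below can be exercised without network access.
SAMPLE_PUBKEYS = {
    "d0:9f:d9:a0:20:ea": "SKTXhheT0P6aOWPLhcHdrcr2DheVPsAEkX+7WKiL23o=",
    "d0:9f:d9:a0:20:a6": "gDIVnYb5ca4TpOKI3pPT3UuhpHWGXASSsoOD34i4hx8=",
}


def normalize_mac(mac):
    """Lower-case, colon-separated form; rejects anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def mac_to_ip(mac):
    """10.x.y.z where x, y, z are the last three MAC octets in decimal."""
    octets = normalize_mac(mac).split(":")[3:]
    return "10." + ".".join(str(int(o, 16)) for o in octets)


def parse_endpoint(endpoint):
    """Accept only IPv4:port, because the TH-100 does not resolve hostnames."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError("endpoint must be IP:port")
    ipaddress.IPv4Address(host)  # raises ValueError for hostnames and bad IPs
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


def fetch_pubkey(mac):
    """Online lookup of a box's public key by MAC (the URL from the guide)."""
    with urllib.request.urlopen(f"https://stb.xakcop.com/pubkey/{mac}", timeout=10) as r:
        return r.read().decode().strip()


def assign_peers(macs, lookup=SAMPLE_PUBKEYS.__getitem__):
    """Map each MAC to (tunnel IP, public key). Only the last three octets feed
    the address, so MACs differing only in the vendor prefix would share a /32;
    refuse that instead of routing one box's traffic to the other."""
    peers, owner = {}, {}
    for raw in macs:
        mac = normalize_mac(raw)
        ip = mac_to_ip(mac)
        if ip in owner:
            raise ValueError(f"{mac} and {owner[ip]} both map to {ip}")
        owner[ip] = mac
        peers[mac] = (ip, lookup(mac))
    return peers


def server_config(private_key, peers, listen_port=51820, wan_iface="eth0"):
    """Render wg0.conf with one [Peer] per box, following the guide's layout."""
    lines = [
        "[Interface]", "Address = 10.0.0.1/8", f"ListenPort = {listen_port}",
        f"PrivateKey = {private_key}",
        "PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {wan_iface} -j MASQUERADE",
        "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {wan_iface} -j MASQUERADE",
    ]
    for mac, (ip, pubkey) in sorted(peers.items()):
        lines += ["", "[Peer]", f"# TH-100 with MAC {mac}",
                  f"PublicKey = {pubkey}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def stb_config(endpoint, server_pubkey):
    """Render th100.ini; the endpoint is validated as IP:port first."""
    host, port = parse_endpoint(endpoint)
    return f"[Wireguard]\nEnable=1\nEndpoint={host}:{port}\nServerKey={server_pubkey}\n"


def generate_server_keys():
    """Run `wg genkey` / `wg pubkey` (needs the wireguard-tools package)."""
    priv = subprocess.run(["wg", "genkey"], check=True, capture_output=True, text=True).stdout.strip()
    pub = subprocess.run(["wg", "pubkey"], input=priv, check=True, capture_output=True, text=True).stdout.strip()
    return priv, pub


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: th100-wg.py macs.txt SERVER_IP:PORT")
    with open(argv[1]) as f:
        macs = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    parse_endpoint(argv[2])  # fail early if someone passed a hostname
    priv, pub = generate_server_keys()
    peers = assign_peers(macs, lookup=fetch_pubkey)
    # wg0.conf carries the server private key: create it with mode 0600.
    fd = os.open("wg0.conf", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(server_config(priv, peers))
    print("Server config saved to wg0.conf")
    with open("th100.ini", "w") as f:
        f.write(stb_config(argv[2], pub))
    print("TH-100 config saved to th100.ini")


if __name__ == "__main__":
    main(sys.argv)
```

Invoked the same way as the guide's script (./th100-wg.py macs.txt 163.172.161.0:51820), it writes the two files; the pure functions can also be imported and run against SAMPLE_PUBKEYS offline, which is how the collision and hostname checks are easiest to verify.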