Hopp-rsk-owr01: Difference between revisions
Acmeraptor (talk | contribs) No edit summary Tags: Mobile edit Mobile web edit |
Acmeraptor (talk | contribs) No edit summary |
| (9 intermediate revisions by the same user not shown) | |||
| Line 53: | Line 53: | ||
Custom OpenVPN Packages | Custom OpenVPN Packages | ||
base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl | base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-filemanager luci-app-openvpn openssh-sftp-server openvpn-easy-rsa openvpn-openssl | ||
Custom Wireguard Packages | Custom Wireguard Packages | ||
base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot wireguard-tools | base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-filemanager luci-proto-wireguard openssh-sftp-server qrencode wireguard-tools | ||
==OpenVPN== | ==OpenVPN== | ||
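Review bot: luci-app-filemanager and openssh-sftp-server are added to both custom package lists with no explanation, and no step visible on this page uses them. Each one adds a file-access path (through the LuCI web UI and through SFTP on the existing dropbear SSH server) on a router that the firewall step opens to VPN connections from the WAN zone. Add a line next to the lists saying what they are needed for, or leave them out of the VPN images. The luci-proto-wireguard and qrencode additions to the WireGuard list are consistent with the LuCI instructions further down, which install luci-proto-wireguard in step 1.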
| Line 68: | Line 68: | ||
[https://forums.openvpn.net/viewtopic.php?t=33309 OpenVPN link] | [https://forums.openvpn.net/viewtopic.php?t=33309 OpenVPN link] | ||
====beadon==== | |||
well holy moly, someone released a what looks to be working allinone script that i could never hope to write in a sane timeframe | |||
https://github.com/beadon/OpenWRTOpenVPNMgmt | |||
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server | |||
==WireGuard== | ==WireGuard== | ||
[https://openwrt.org/docs/guide-user/services/vpn/wireguard/server OpenWRT Wiki] | [https://openwrt.org/docs/guide-user/services/vpn/wireguard/server OpenWRT Wiki] | ||
===Command-line instructions=== | |||
Command-line instructions | |||
1. Preparation | 1. Preparation | ||
Install the required packages. Specify configuration parameters for VPN server. | Install the required packages. Specify configuration parameters for VPN server. | ||
# Install packages | # Install packages | ||
opkg update | opkg update | ||
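Review bot: the new beadon section points readers at a third-party all-in-one script by its bare repository URL, described only as "looks to be working", with no tag or commit named and nothing about what the script changes on the router. Link to the specific release or commit that was tried and say which parts of the setup it performs, so a reader can read it before running it as root. The two new links should also use the bracketed [URL label] form that the "OpenVPN link" line directly above uses, and the section would read better with the openwrt.org server guide listed first as the reference and the script second.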
| Line 85: | Line 94: | ||
VPN_ADDR="192.168.9.1/24" | VPN_ADDR="192.168.9.1/24" | ||
VPN_ADDR6="fd00:9::1/64" | VPN_ADDR6="fd00:9::1/64" | ||
2. Key management | 2. Key management | ||
Generate and exchange keys between server and client. | Generate and exchange keys between server and client. | ||
# Generate keys | # Generate keys | ||
umask go= | umask go= | ||
| Line 101: | Line 113: | ||
# Client public key | # Client public key | ||
VPN_PUB="$(cat wgclient.pub)" | VPN_PUB="$(cat wgclient.pub)" | ||
3. Firewall | 3. Firewall | ||
Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. | Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. | ||
# Configure firewall | # Configure firewall | ||
uci rename firewall.@zone[0]="lan" | uci rename firewall.@zone[0]="lan" | ||
| Line 117: | Line 132: | ||
uci commit firewall | uci commit firewall | ||
service firewall restart | service firewall restart | ||
4. Network | 4. Network | ||
Configure VPN interface and peers. | Configure VPN interface and peers. | ||
# Configure network | # Configure network | ||
uci -q delete network.${VPN_IF} | uci -q delete network.${VPN_IF} | ||
| Line 137: | Line 155: | ||
uci commit network | uci commit network | ||
service network restart | service network restart | ||
LuCI Web Interface instructions | |||
===LuCI Web Interface instructions=== | |||
1. Installing packages | 1. Installing packages | ||
Navigate to LuCI → System → Software and install the package luci-proto-wireguard. | Navigate to LuCI → System → Software and install the package luci-proto-wireguard. | ||
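Review bot: at the top of this hunk the title "LuCI Web Interface instructions" appears both as a plain line and as a === heading, and the earlier hunk does the same for "Command-line instructions" but with the two lines in the opposite order. Check in the new revision that the plain-text title was removed in both places, so that each section shows its title once, as the heading only.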
| Line 144: | Line 165: | ||
2. Restarting services | 2. Restarting services | ||
Navigate to LuCI → System → Startup → Initscripts and click on network → Restart. | Navigate to LuCI → System → Startup → Initscripts and click on network → Restart. | ||
3. Add WireGuard Network Interface | 3. Add WireGuard Network Interface | ||
To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface... | To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface... | ||
| Line 152: | Line 175: | ||
Name the interface wg0 (or whatever is preferred) | Name the interface wg0 (or whatever is preferred) | ||
Click on Create Interface to create it and open it for editing | Click on Create Interface to create it and open it for editing | ||
4. Configure the WireGuard Network Interface | 4. Configure the WireGuard Network Interface | ||
In the open edit window of the interface configure the following: | In the open edit window of the interface configure the following: | ||
| Line 159: | Line 184: | ||
IP addresses: 10.0.0.1/24 or preferred internal VPN IPv4 address for the WireGuard server interface end of the VPN | IP addresses: 10.0.0.1/24 or preferred internal VPN IPv4 address for the WireGuard server interface end of the VPN | ||
Save this configuration | Save this configuration | ||
5. Configure WireGuard Peers | |||
5. Configure WireGuard Peers | |||
To create a new WireGuard peer configuration go to LuCI → Network → Interfaces → wg0 → Edit → Peers | To create a new WireGuard peer configuration go to LuCI → Network → Interfaces → wg0 → Edit → Peers | ||
*Click on Add peer | *Click on Add peer | ||
| Line 180: | Line 207: | ||
6. Configure Firewall for WireGuard traffic | 6. Configure Firewall for WireGuard traffic | ||
Go to LuCI → Network → Firewall → General Settings and under Zones add a new zone: | Go to LuCI → Network → Firewall → General Settings and under Zones add a new zone: | ||
*Name: WireguardVPN (or preferred name) | *Name: WireguardVPN (or preferred name) | ||
*Input: accept | *Input: accept | ||