Hopp-rsk-owr01: Difference between revisions
Acmeraptor (talk | contribs), no edit summary (14 intermediate revisions by the same user not shown)
Linksys WRT3200ACM running OpenWRT; for now each of its two firmware partitions runs a different VPN server. KISS!
[https://firmware-selector.openwrt.org/?version=24.10.4 Custom install]

Custom script to run on first boot (uci-defaults)
<pre>
# Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.
# Uncomment lines to apply:
#
# wlan_name="OpenWrt"
# wlan_password="12345678"
#
root_password="changeme"
lan_ip_address="10.65.30.1"
#
# pppoe_username=""
# pppoe_password=""

# log potential errors
exec >/tmp/setup.log 2>&1

# Set the root password. Note: the value above is stored read-only in /rom,
# so change it after first boot.
if [ -n "$root_password" ]; then
  (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
fi

# Configure LAN
# More options: https://openwrt.org/docs/guide-user/base-system/basic-networking
if [ -n "$lan_ip_address" ]; then
  uci set network.lan.ipaddr="$lan_ip_address"
  uci commit network
fi

# Configure WLAN (only when both values are set and the key is at least 8 characters)
# More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces
if [ -n "$wlan_name" -a -n "$wlan_password" -a "${#wlan_password}" -ge 8 ]; then
  uci set wireless.@wifi-device[0].disabled='0'
  uci set wireless.@wifi-iface[0].disabled='0'
  uci set wireless.@wifi-iface[0].encryption='psk2'
  uci set wireless.@wifi-iface[0].ssid="$wlan_name"
  uci set wireless.@wifi-iface[0].key="$wlan_password"
  uci commit wireless
fi

# Configure PPPoE
# More options: https://openwrt.org/docs/guide-user/network/wan/wan_interface_protocols#protocol_pppoe_ppp_over_ethernet
if [ -n "$pppoe_username" -a -n "$pppoe_password" ]; then
  uci set network.wan.proto=pppoe
  uci set network.wan.username="$pppoe_username"
  uci set network.wan.password="$pppoe_password"
  uci commit network
fi

echo "So long, and thanks for all the fish!"
</pre>
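A pre-build check for the first-boot script above, added here as an example (not code from the page or from the OpenWrt project): it parses a uci-defaults file and reports settings that would be baked read-only into the image, namely a placeholder root password, a WLAN key too short for the script's own 8-character test, a malformed LAN address, and a missing log redirection. The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Pre-build lint for an OpenWrt uci-defaults first-boot script like the one above.
# Added example, not part of the original page: reads a script file and reports
# settings that would be baked read-only into /rom/etc/uci-defaults/ in the image.

# uci_var FILE NAME -> value of the last uncommented NAME="value" assignment (or empty)
uci_var() {
  sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# lint_uci_defaults FILE -> one finding per line on stdout; always returns 0
lint_uci_defaults() {
  f="$1"
  pw="$(uci_var "$f" root_password)"
  case "$pw" in
    ""|changeme|password|admin|root)
      echo "root_password: empty or placeholder value '$pw' baked into the image" ;;
  esac
  wpw="$(uci_var "$f" wlan_password)"
  # the first-boot script silently skips WLAN setup when the key is shorter than 8 chars
  if [ -n "$wpw" ] && [ "${#wpw}" -lt 8 ]; then
    echo "wlan_password: shorter than 8 characters, WLAN block will be skipped"
  fi
  ip="$(uci_var "$f" lan_ip_address)"
  if [ -n "$ip" ] && ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "lan_ip_address: '$ip' is not a dotted-quad IPv4 address"
  fi
  if ! grep -qF 'exec >/tmp/setup.log 2>&1' "$f"; then
    echo "no 'exec >/tmp/setup.log 2>&1': first-boot errors would be lost"
  fi
  return 0
}

# Constructed sample: the page's defaults plus a WLAN key that is one character too short
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
# wlan_name="OpenWrt"
wlan_name="lab"
wlan_password="1234567"
root_password="changeme"
lan_ip_address="10.65.30.1"
exec >/tmp/setup.log 2>&1
EOF

lint_uci_defaults "$SAMPLE"
```

Run it against the real uci-defaults file before uploading it to the firmware selector; an empty output means none of the checked settings tripped.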
Custom OpenVPN Packages
<pre>
base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-filemanager luci-app-openvpn openssh-sftp-server openvpn-easy-rsa openvpn-openssl
</pre>

Custom WireGuard Packages
<pre>
base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-filemanager luci-proto-wireguard openssh-sftp-server qrencode wireguard-tools
</pre>
==OpenVPN==

[https://forums.openvpn.net/viewtopic.php?t=33309 OpenVPN link]
====beadon==== | |||
Well, holy moly, someone released what looks to be a working all-in-one script that I could never hope to write in a sane timeframe:
https://github.com/beadon/OpenWRTOpenVPNMgmt | |||
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server | |||
==WireGuard==

[https://openwrt.org/docs/guide-user/services/vpn/wireguard/server OpenWRT Wiki]

===Command-line instructions===
1. Preparation

Install the required packages. Specify the configuration parameters for the VPN server.

<pre>
# Install packages
opkg update
</pre>
<pre>
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"
</pre>
2. Key management

Generate and exchange keys between server and client.

<pre>
# Generate keys
umask go=
</pre>
<pre>
# Client public key
VPN_PUB="$(cat wgclient.pub)"
</pre>
3. Firewall

Consider the VPN network as private. Assign the VPN interface to the LAN zone to minimize firewall setup. Allow access to the VPN server from the WAN zone.

<pre>
# Configure firewall
uci rename firewall.@zone[0]="lan"
</pre>
<pre>
uci commit firewall
service firewall restart
</pre>
4. Network

Configure the VPN interface and peers.

<pre>
# Configure network
uci -q delete network.${VPN_IF}
</pre>
<pre>
uci commit network
service network restart
</pre>
===LuCI Web Interface instructions===

1. Installing packages

Navigate to LuCI → System → Software and install the package luci-proto-wireguard.

2. Restarting services

Navigate to LuCI → System → Startup → Initscripts and click on network → Restart.

3. Add WireGuard Network Interface

To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface...

*Name the interface wg0 (or whatever is preferred)
*Click on Create Interface to create it and open it for editing

4. Configure the WireGuard Network Interface

In the open edit window of the interface configure the following:

*IP addresses: 10.0.0.1/24, or the preferred internal VPN IPv4 address for the server end of the WireGuard interface
*Save this configuration

5. Configure WireGuard Peers

To create a new WireGuard peer configuration go to LuCI → Network → Interfaces → wg0 → Edit → Peers

*Click on Add peer

6. Configure Firewall for WireGuard traffic

Go to LuCI → Network → Firewall → General Settings and under Zones add a new zone:

*Name: WireguardVPN (or preferred name)
*Input: accept