Tech Blog: WireGuard VPN Setup with QR Code

This post will go over setting up a WireGuard VPN server using OpenWRT. Part 2 will focus on setting up Pi-Hole. You could also use a $5/month VPS service, but I already had all the hardware needed to do it at home.

What you will need:

  1. An OpenWRT router with LuCI and enough space to install the WireGuard software and DDNS software.
  2. A domain name. I am using namecheap.com, which includes a dynamic DNS service. It can be ANY domain name, even the $.99 per year type.
  3. Raspberry Pi with PiHole installed (Optional)

 What this will do: 

  1. Add security when using public wifi or cellular data. Since all data is encrypted and sent through your home internet connection, traffic cannot be sniffed or intercepted. 
  2. Keep your browsing history private – meaning the wifi owner or cellular carrier will not be able to see your internet activity. 
  3. Bypass content filters put in place by wifi hotspot operators or cellular carriers.
  4. Remove ads without installing a plugin or app. (Optional) 

 What this will NOT do:

  1. Anonymize your traffic through your ISP. If you are trying to pirate content or do something else undesirable, this is NOT the walkthrough you are looking for. In fact, this will do the opposite of what you are looking for, since your ISP will have even MORE usage metrics from your account. I mention this because when you do a “VPN” search on google, most results are for shady VPN companies. 
  2. This will not save battery life! It will drain your battery faster than normal when the VPN is active.
  3. Increase speed. Your download speed will be limited to the upload speed of your home internet, which is typically somewhat slow. 

Parts used in this post:

  1. TP-Link Archer C7 v2
  2. OpenWRT 18.06
  3. Namecheap DNS register and DDNS  https://www.namecheap.com
  4. Raspberry Pi 3
  5. Pi-hole  https://pi-hole.net

Here are some of the sources I used when configuring:

https://openwrt.org/docs/guide-user/services/vpn/wireguard
https://www.wireguard.com
http://chrisbuchan.co.uk/uncategorized/wireguard-setup-openwrt/

Instructions  

OpenWRT – WireGuard Interface Setup

1. SSH into your OpenWRT router and run the command below. This runs a script that will:
 A. Install WireGuard and dependencies
 B. Create public and private keys for the router and your mobile device
 C. Display a QR code for easier setup of WireGuard on your mobile device


opkg update
opkg install curl

curl -fsS -o openwrt_wireguard.sh https://gist.githubusercontent.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b/raw/186c49d7d5ed24256b7dd25255d1665c34422635/wireguard_setup.sh && chmod +x openwrt_wireguard.sh && ./openwrt_wireguard.sh

Feel free to audit that script here:

https://gist.github.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b

or here: 

https://gist.githubusercontent.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b/raw/186c49d7d5ed24256b7dd25255d1665c34422635/wireguard_setup.sh
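
The step above downloads a script and runs it on the router. One way to make sure the copy you run is the copy you audited is to record its SHA-256 digest while reading it and check that digest before execution. This is an added example, not part of the original post or the gist; `verify_audited`, the temporary file and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: refuse to run a downloaded script unless it is byte-for-byte
# the copy that was audited. The demo file and its contents are constructed.

# verify_audited FILE EXPECTED_SHA256
# Returns 0 and marks FILE executable only when the digest matches;
# 1 on mismatch (execute bits removed), 2 on bad arguments.
verify_audited() {
    file=$1
    expected=$2
    # The expected digest must be exactly 64 lowercase hex characters.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad expected digest" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        chmod a-x "$file"
        echo "digest mismatch for $file (got $actual)" >&2
        return 1
    fi
    chmod +x "$file"
}

# Demo on a constructed stand-in, so this runs offline.
demo_dir=$(mktemp -d)
demo="$demo_dir/openwrt_wireguard.sh"
printf '#!/bin/sh\necho "stand-in for the audited script"\n' > "$demo"

# Digest written down while reading the script (here: computed from the stand-in).
audited=$(sha256sum "$demo" | cut -d ' ' -f 1)

verify_audited "$demo" "$audited" && echo "match: same file that was audited"

# Simulate the file changing between audit and execution.
echo 'echo "appended after the audit"' >> "$demo"
verify_audited "$demo" "$audited" 2>/dev/null || echo "mismatch: not running it"
rm -rf "$demo_dir"
```

On the router, call `verify_audited openwrt_wireguard.sh <digest you recorded>` between the download and the `./openwrt_wireguard.sh` step.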

When asked for DNS, I entered the LAN IP of my Pi-Hole device.

2. Open the WireGuard app on your phone. Tap the + on the top right and select the QR code option. Scan the code displayed by the script and give it a name when prompted. I had to significantly decrease the size of the console before it would scan when using the native terminal on a Mac. PuTTY may work better.

Copy and paste the public and private keys from the script into a text file or keep the console window open.

3. Log into your router web interface, go to the Network menu and choose Interfaces.

4. From the Interfaces screen, click “Add new interface” towards the bottom of the screen.

5. Select WireGuard from the protocol menu, then type a name and click submit.

6. Configure the WireGuard interface

   A. Copy the PRIVATE server key that you saved earlier and paste it into the private key box.
 

   B. In the listen port enter an unused port that your router can listen to. Port 443 is less likely to be blocked at most locations, but your home internet might not allow incoming connections from port 443. Port 51820 seems to be widely used, so I’ll go with that.

   C. Add an IP address for the interface. I like to think of this as the “gateway” on the VPN network, although it’s most assuredly not. This is a good address to ping to see if you are connected.

7. Allow traffic between interfaces. Click the “Firewall Settings” tab.
 

  A. Click the “Create/Assign firewall zone” menu

  B. Type a name such as “wireguard” in the “create” box and make sure it’s assigned.

OpenWRT – Peer Setup

1. On the same page, click the “Add” button under the peers section.

2. In the Public Key box, paste the public key from the script.

3. In Allowed IPs, enter the IP address of the mobile client you entered in the script. I used 192.168.212.50/24

4. Check “Route Allowed IPs”

5. In the Persistent Keep Alives box, enter 25.

6. Click Save and Apply

OpenWRT – Firewall and Traffic Setup

1. Click the Network menu then select “Firewall”


2. Find the interface you created in the previous section and click Edit.

3. Make sure Input, Output, and Forward are set to accept.

4. In the Inter-Zone forwarding, make sure “lan”, “wan”, and “wan6” are selected (you may not have a wan6 depending on your internet config). Click Save and Apply.

5. Click on the “Traffic Rules” tab

6. At the bottom in the “Open ports on router” section, enter a name (WireGuard), set protocol to UDP, and set external port to the one configured in the wireguard interface. I am using port 51820. Click Save & Apply.

7. Restart the router and try to connect!
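
Once the router is back up, `wg show <interface> dump` prints the listen port, each peer's allowed IPs, last handshake time and keepalive as tab-separated fields, which is enough to check the interface and peer settings above from the SSH session. The following is an added example, not from the original post; the interface name `wg0`, the 180-second staleness threshold and the sample dump (with placeholder keys) are assumptions. WireGuard routes every address inside a peer's allowed IPs to that peer, so an entry wider than one host starts to matter when a second device is added.

```shell
#!/bin/sh
# Added example: sanity-check WireGuard state from `wg show <iface> dump`.
# Interface name wg0, the 180 s threshold and the sample data are assumptions.

# check_wg_dump EXPECTED_PORT NOW_EPOCH   (dump text on stdin)
# Interface line: private-key public-key listen-port fwmark
# Peer lines: public-key preshared-key endpoint allowed-ips latest-handshake
#             transfer-rx transfer-tx persistent-keepalive
# Field 1 of the interface line is the private key; it is never printed.
check_wg_dump() {
    awk -F '\t' -v port="$1" -v now="$2" -v keep=25 '
    NR == 1 {
        if ($3 != port) print "WARN listen-port " $3 " (expected " port ")"
        next
    }
    {
        peer = substr($1, 1, 8)            # short public-key prefix as label
        if ($4 == "(none)") {
            print "FAIL peer " peer " has no allowed-ips"
        } else {
            n = split($4, nets, ",")
            for (i = 1; i <= n; i++)       # /32 (IPv4) or /128 (IPv6) = one host
                if ((nets[i] ~ /:/ && nets[i] !~ /\/128$/) ||
                    (nets[i] !~ /:/ && nets[i] !~ /\/32$/))
                    print "WARN peer " peer " allowed-ips " nets[i] " is wider than one host"
        }
        age = now - $5
        if ($5 == 0)        print "FAIL peer " peer " has never completed a handshake"
        else if (age > 180) print "WARN peer " peer " handshake " age "s ago"
        else                print "OK   peer " peer " handshake " age "s ago"
        if ($8 != keep)     print "NOTE peer " peer " persistent-keepalive " $8
    }'
}

# Constructed sample dump; keys are placeholders. wg reports the network
# form (192.168.212.0/24) of an allowed-ips entry such as 192.168.212.50/24.
sample_dump() {
    printf 'ROUTER_PRIVATE_KEY_PLACEHOLDER\tROUTER_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n'
    printf 'PHONEaaa_PUBLIC_KEY_PLACEHOLDER\t(none)\t203.0.113.7:40001\t192.168.212.0/24\t1700000000\t1024\t2048\t25\n'
    printf 'LAPTOPbb_PUBLIC_KEY_PLACEHOLDER\t(none)\t(none)\t192.168.212.51/32\t0\t0\t0\toff\n'
}

sample_dump | check_wg_dump 51820 1700000100
# On the router: wg show wg0 dump | check_wg_dump 51820 "$(date +%s)"
```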