Warning: the OpenWRT web UI (LuCI) backup only includes part of the /etc directory. Back it up manually to preserve any customizations done outside of uci/luci.
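As an added example (my own code, not from these notes or from OpenWRT): a helper that archives /etc with tar, plus a check built from sort and comm that lists the files under /etc the stock `sysupgrade` backup would drop. The function names are my own and the sample file lists are constructed; on the router you would feed the check the output of `find /etc -type f` and `sysupgrade -l`.

```shell
#!/bin/sh
# Added example, not part of the original notes. Two helpers for the
# "back up /etc manually" step. The names (etc_backup, not_in_sysupgrade)
# are my own; they only use tar/sort/comm and assume a POSIX shell.

# etc_backup DIR OUT: archive DIR (normally /etc) into the gzipped tarball OUT
# with paths relative to /, then verify that the archive can be listed.
etc_backup() {
    dir=$1
    out=$2
    tar -C / -czf "$out" "${dir#/}" || return 1
    tar -tzf "$out" >/dev/null
}

# not_in_sysupgrade ALL COVERED: ALL lists every regular file under /etc
# (from `find /etc -type f`), COVERED lists what the stock backup would keep
# (from `sysupgrade -l`). Prints the paths only a manual backup preserves.
not_in_sysupgrade() {
    all_sorted=$(mktemp) || return 1
    cov_sorted=$(mktemp) || return 1
    sort -u "$1" >"$all_sorted"
    sort -u "$2" >"$cov_sorted"
    comm -23 "$all_sorted" "$cov_sorted"   # lines only in ALL
    rm -f "$all_sorted" "$cov_sorted"
}

# Constructed sample lists (not taken from a real router).
SAMPLE_ALL='/etc/config/network
/etc/config/firewall
/etc/custom/dyndns.sh
/etc/gobetween/gobetween.json
/etc/init.d/gobetween'
SAMPLE_COVERED='/etc/config/network
/etc/config/firewall'

demo() {
    a=$(mktemp)
    c=$(mktemp)
    printf '%s\n' "$SAMPLE_ALL" >"$a"
    printf '%s\n' "$SAMPLE_COVERED" >"$c"
    echo "Files the stock backup would not include:"
    not_in_sysupgrade "$a" "$c"
    rm -f "$a" "$c"
}
demo
```

On the router the real invocation is `find /etc -type f > all.txt; sysupgrade -l > covered.txt; not_in_sysupgrade all.txt covered.txt`; anything it prints (init scripts, gobetween config, custom scripts) is exactly what the LuCI backup silently loses.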
Flash the 64-bit EFI variant of the latest OpenWRT version, specifically the x86-64-generic-ext4-combined-efi image:

```sh
# write the decompressed EFI image to the target disk; replace sdX with the real device
dd if=openwrt-21.02.0-x86-64-generic-ext4-combined-efi.img bs=1M of=/dev/sdX
```
Reboot, set up interface mappings and install additional packages:

```sh
opkg update
opkg install htop nano
opkg install luci-proto-wireguard qrencode   # wireguard
opkg install bash curl                       # dyndns
```
Make the standard HTTP/HTTPS ports available by moving uhttpd (LuCI) to 8080/8443:

```sh
nano /etc/config/uhttpd
```

```
config uhttpd 'main'
	list listen_http '0.0.0.0:8080'
	list listen_http '[::]:8080'
	list listen_https '0.0.0.0:8443'
	list listen_https '[::]:8443'
	option redirect_https '1'
```
Then set up gobetween with a procd init script:

```sh
#!/bin/sh /etc/rc.common
# procd-managed service for gobetween
USE_PROCD=1
START=21
STOP=91

start_service() {
	procd_open_instance
	# run the binary in the foreground with its JSON config
	procd_set_param command /etc/gobetween/gobetween -c /etc/gobetween/gobetween.json -f json
	# forward stdout/stderr to the system log
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance
}
```
Use luci-proto-wireguard to add a VPN interface. On the server side, the allowed-ips option for each client peer configuration should include a single IP unique to that peer (i.e. a /32 CIDR prefix), so that the server has a unique route back to the client peer. See https://wiki.archlinux.org/title/WireGuard#Manual_configuration
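An added example, my own code and not from these notes or from luci-proto-wireguard: an awk-based check over a wg-quick style WireGuard server config (the format the Arch wiki page uses) that flags any peer whose AllowedIPs is not a single host prefix, or that reuses an address already assigned to an earlier peer. It goes slightly beyond the text by also accepting /128 for IPv6 peers. The function name, the sample configs and the placeholder keys are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. check_peer_allowed_ips reads
# a WireGuard *server* config (file argument, or stdin when omitted) and
# reports every [Peer] whose AllowedIPs is not a single /32 (or /128), or whose
# address was already claimed by an earlier peer. Name is my own; needs only awk.

check_peer_allowed_ips() {
    awk '
        /^[ \t]*\[Interface\]/ { in_peer = 0; next }
        /^[ \t]*\[Peer\]/      { in_peer = 1; peer++; next }
        # wg(8) matches keys case-insensitively, so accept any casing
        in_peer && /^[ \t]*[Aa][Ll][Ll][Oo][Ww][Ee][Dd][Ii][Pp][Ss][ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")          # drop the "AllowedIPs =" key
            sub(/[ \t]*#.*$/, "")             # drop a trailing comment
            n = split($0, ips, "[ \t]*,[ \t]*")
            if (n != 1) {
                printf "peer %d: %d AllowedIPs entries, expected a single host prefix\n", peer, n
                bad = 1
            }
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                if (ip !~ /\/(32|128)$/) {
                    printf "peer %d: %s is not a /32\n", peer, ip
                    bad = 1
                } else if (ip in seen) {
                    printf "peer %d: %s already used by peer %d\n", peer, ip, seen[ip]
                    bad = 1
                } else {
                    seen[ip] = peer
                }
            }
        }
        END { if (bad) exit 1 }
    ' "${1:--}"
}

# Constructed sample configs; the keys are placeholders, not real key material.
SAMPLE_GOOD='[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# phone
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32'

SAMPLE_BAD='[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# whole subnet instead of one host: the server can no longer route per peer
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.0/24

[Peer]
# same address as peer 1
PublicKey = PEER3_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32'

demo() {
    echo "checking SAMPLE_GOOD:"
    printf '%s\n' "$SAMPLE_GOOD" | check_peer_allowed_ips && echo "  ok"
    echo "checking SAMPLE_BAD:"
    printf '%s\n' "$SAMPLE_BAD" | check_peer_allowed_ips || echo "  problems found (expected)"
}
demo
```

Run it as `check_peer_allowed_ips /etc/wireguard/wg0.conf` on a host using wg-quick; on OpenWRT the same peers live in uci, so export them first or apply the rule by hand when adding peers in LuCI.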
Required packages for Debian:

```sh
sudo apt install wireguard resolvconf
```
Client connections (peers) follow this format:

```
[Interface]
PrivateKey = <PEER_PRIVATE_KEY>
Address = <PEER_VPN_IP_ADDRESS>
DNS = <VPN_DNS_SERVER>               # allows resolving internal hostnames

[Peer]
PublicKey = <VPN_SERVER_PUBLIC_KEY>
PresharedKey = <PSK>
AllowedIPs = <LAN_NETWORK_RANGES>    # extra internal IP subnets this peer wants to reach (push routes)
Endpoint = <VPN_SERVER_PUBLIC_DNS>:<WIREGUARD_PORT>
PersistentKeepalive = 30             # seconds (the key is spelled "Keepalive")
```
Start the connection, or use WireGuard Indicator:

```sh
sudo wg-quick up wg0
```