EdgeRouter X Home VPN Setup Pt 2
I am not a network or sysadmin by day. This is something I’m actively learning on and figuring out. If you see something wrong or have suggestions I would love to hear about it.
In part one we configured the network. Now we are ready to install Wireguard and create our interface. Before I jumped into doing this I referenced these post and docs.
To get started ssh into the EdgeRouter device.
ssh <user>@<edgerouterip>Once logged in we need to pull, install the Wireguard .deb.
cd /tmp*# Download the appropriate version, pay special attention here, if you are using the Ubiquity v2 firmware
# you will need the wireguard-v2-*
*curl -qLs https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20190913-1/wireguard-v2.0-e50-0.0.20190913-1.debsudo dpkg -i wireguard.debAn important note from the source repo
Note that since Wireguard is not software bundled with the EdgeOS firmware, firmware upgrades necessitate re-installing the Wireguard debian package. Once the wireguard package is re-installed re-applying the existing Vyatta config file, or rebooting will restore your interfaces.
First things first we need to generate a private key for the router, and a public key to share with clients.
$ wg genkey | tee /dev/tty | wg pubkey
123ddgqeqe123123
This will output two lines. The first is your private key, the second is your public key. Keep these secure, but ready since you will need to provide the public key to all clients.
With our keys generated we can now configure the Wireguard interface. Ours will be wg0. In the terminal:
configureset interfaces wireguard wg0 address 192.168.55.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <private-key-from above-output>commit
saveThis created a new wireguard network on 192.168.55.1/24; listening to port 51820 and will route all the traffic through wg0.
Now keeping our public key ready we can configure a client.
Configuring Wireguard on Ubuntu¶
If you’re using Ubuntu 19.10 wireguard should be available from apt by default:
sudo apt-get update
sudo apt-get install wireguardWith prior versions:
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguardOnce again we need to generate our keys, now on the client:
wg genkey | tee /dev/tty | wg pubkeyNow, create the wireguard interface, still on the client.
touch /etc/wireguard/wg0.conf
chown root:root /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.confsudo vim /etc/wireguard/wg0.conf<--------wg0.conf-------->
[Interface]
Address = 192.168.55.5/32
PrivateKey = <client-private-key>[Peer]
PublicKey = <router-public-key>
AllowedIPs = 192.168.55.0/24
Endpoint = publicipofrouter:51820
Peering the router and client¶
With the client configured and keeping the public key it generated, return to the router. ssh and run:
set interfaces wireguard wg0 peer
Starting your client VPN¶
With wg0 configured and ready bring up the VPN on our client.
sudo wg-quick up wg0
And verify connectivity by running sudo wg on the client, and router.
Next Steps¶
With VPN setup I’m now able to access and provide access to my device lab. This also keeps devices using this router that are not part of the lab separated.
Finally if you’re doing this for the first time some next steps you might want to take include:
- Switch devices to only allowing ssh via keys.
- Switch to a non default ssh port.
- Setup fail2ban.
- Pickup from here