WireGuard Road-Warrior: accesso sicuro alla rete di casa

Goal: reach your LAN from outside (NAS, Home Assistant, printers) in a simple and fast way.

Hardware at a glance

A) Installing WireGuard

opkg update
opkg install wireguard-tools luci-app-wireguard qrencode

B) Server wg0

umask 077
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub
SERVER_PRIV=$(cat /etc/wireguard/server.key)
SERVER_PUB=$(cat /etc/wireguard/server.pub)

uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key="$SERVER_PRIV"
uci set network.wg0.listen_port='51820'
uci add_list network.wg0.addresses='10.6.0.1/24'
uci commit network
/etc/init.d/network restart

Firewall

uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci add_list firewall.@zone[-1].network='wg0'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci add firewall forwarding; uci set firewall.@forwarding[-1].src='wg'; uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding; uci set firewall.@forwarding[-1].src='lan'; uci set firewall.@forwarding[-1].dest='wg'
uci add firewall rule; uci set firewall.@rule[-1].name='Allow-WireGuard-Inbound'
uci set firewall.@rule[-1].src='wan'; uci set firewall.@rule[-1].dest_port='51820'
uci set firewall.@rule[-1].proto='udp'; uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall; /etc/init.d/firewall restart

C) Client

umask 077
wg genkey | tee /etc/wireguard/client1.key | wg pubkey > /etc/wireguard/client1.pub
CLIENT_PRIV=$(cat /etc/wireguard/client1.key)
CLIENT_PUB=$(cat /etc/wireguard/client1.pub)

uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].description='client1'
uci set network.@wireguard_wg0[-1].public_key="$CLIENT_PUB"
uci add_list network.@wireguard_wg0[-1].allowed_ips='10.6.0.2/32'
uci commit network
/etc/init.d/network restart

Client config

[Interface]
PrivateKey = CLIENT_PRIV
Address = 10.6.0.2/32
DNS = 192.168.1.1
[Peer]
PublicKey = SERVER_PUB
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
Endpoint = TUO_DDNS_O_IP_PUBBLICO:51820
PersistentKeepalive = 25

D) DDNS and tricky cases

opkg install luci-app-ddns
# Configure the provider and domain, then use that hostname as the client Endpoint

To route all traffic through the tunnel: set AllowedIPs=0.0.0.0/0 on the client and enable masquerade on the wg zone. MTU: try 1420 first, then 1380/1280 if some sites fail to load. Behind CGNAT, use a VPS as the hub.
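The client config from section C, and the full-tunnel AllowedIPs variant from section D, generated by a small script (an added example, not part of this guide): it refuses the CLIENT_PRIV/SERVER_PUB placeholders if they were never replaced, writes the file with owner-only permissions and, when qrencode from section A is installed, renders a QR code for the mobile app. Function names are my own and the keys and endpoints used below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds client1.conf from
# variables and rejects unreplaced placeholders such as CLIENT_PRIV.

# A WireGuard key is 32 bytes in base64: exactly 43 chars plus one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# gen_client_conf PRIVKEY SERVER_PUB ENDPOINT [ALLOWED_IPS]
# Prints the config; defaults to split tunnel (home LAN + VPN subnet).
# Pass "0.0.0.0/0" as ALLOWED_IPS for the full-tunnel setup from section D.
gen_client_conf() {
    priv=$1; spub=$2; endpoint=$3
    allowed=${4:-"192.168.1.0/24, 10.6.0.0/24"}
    is_wg_key "$priv" || { echo "bad client private key (placeholder not replaced?)" >&2; return 1; }
    is_wg_key "$spub" || { echo "bad server public key (placeholder not replaced?)" >&2; return 1; }
    case $endpoint in
        *:[0-9]*) ;;
        *) echo "endpoint must be host:port (e.g. DDNS name + 51820)" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
PrivateKey = $priv
Address = 10.6.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = $spub
AllowedIPs = $allowed
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}

# write_client_conf OUTFILE PRIVKEY SERVER_PUB ENDPOINT [ALLOWED_IPS]
# Writes the file readable only by its owner; on a bad key nothing is left
# behind. Shows a QR code for the phone app if qrencode is available.
write_client_conf() {
    out=$1; shift
    umask 077
    gen_client_conf "$@" > "$out" || { rm -f "$out"; return 1; }
    command -v qrencode >/dev/null 2>&1 && qrencode -t ansiutf8 < "$out"
    return 0
}
```

Run it on the router after section C as `write_client_conf /etc/wireguard/client1.conf "$CLIENT_PRIV" "$SERVER_PUB" "your.ddns.name:51820"`.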
