Differences

This shows you the differences between two versions of the page.

--- equipment:rbpi_openwrt [2024/01/12 11:05] – created dirk
+++ equipment:rbpi_openwrt [2024/02/09 08:10] (current) – [Setup OpenWRT] dirk
@@ Line 1: / Line 1: @@
 ====== Setup OpenWRT with WireGuard VPN on a Raspberry Pi 4 ======
 This will guide you through the setup of [[server:OpenWRT|OpenWRT]] on a [[equipment:rbpi_4|Raspberry Pi 4]].
-===== Install OPNsense =====
+===== Install OpenWRT =====
-  * Download software from https://www.opnsense.org/download/
+  * Download software from https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
-    * System architecture: amd64
+    * Model: Raspberry Pi 4
-    * image type: vga
+    * Version: B
-  * Use balenaEtcher or other usb boot drive creator to load the install image to usb.
+    * For the above:
-  * Turn on the device and boot from USB to load installer.
+  * Use balenaEtcher or other favorite tool to write OpenWRT onto SD card.
-  * login as 'installer' with password 'opnsense'
+  * See webpage info below for optional step of resizing the default partition.
-  * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.
+  * Put SD card in Pi, connect ethernet and power on.
-Link: https://www.youtube.com/watch?v=_IzyJTcnPu8
+===== Setup OpenWRT =====
-===== Connect =====
+  * Go to http://192.168.1.1 and login using 'root' and 'openwrt' as default login.
-  * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1
+  * Set a new password by following the prompts.
-    * NOTE: OPNsense defines ports right to left as LAN, WAN but the Protectli FW4C labels them right to left as WAN, LAN. So you'll have to plug into the WAN port for this initial login and we will switch the ports in software so that the labels are matched up.
+  * Change IP block.
-  * log in using 'root' and the password you set during install
+    * Go to Network and choose Interfaces.
-  * go to Interfaces / Assignments and swap the LAN and WAN ports if needed (see above note)
+    * Edit the LAN
-    * once this step is complete, you'll need to plug the wire into the new LAN port and re-login
+      * Protocol: Static address
-===== Setup =====
+      * Bring up on boot: checked
-  * go to Interfaces / LAN
+      * IPv4 address: 10.28.9.1
-    * make sure it is enabled and locked
+      * IPv4 netmask: 255.255.255.0
-    * config type Static IPv4
-    * set IPv4 address to your desire (10.23.79.1/24 for me)
-    * upstream gateway is auto-detect
-    * Save/Apply
-  * go to Interfaces / WAN
-    * make sure it is enabled and locked
-    * block private and bogon networks
-    * config type DHCP (for CenturyLink at least)
-    * Save/Apply
-===== Setting up with CenturyLink Quantum Fiber =====
-  * This service provider requires traffic from the ONT to go to a router set to VLAN 201
-  * go to Interfaces / Other Types / VLAN
-  * create new by clicking on the "+"
-    * Device: vlan01
-    * Parent: igc0 (the address of the WAN port)
-    * VLAN tag: 201
-    * VLAN priority: Best Effort
-    * Description: Internet
     * Save
-  * go to Interfaces / Assignments
+  * Save Apply and reconnect to new IP address with new password.
-    * change WAN to the new vlan01 that you just created
+  * From the top menu, click on Network and choose Wireless.
-    * Save/Apply/Reboot(?)
+  * Click Remove next to the existing wireless config and then Save & Apply.
-  * Plug line from internet into WAN port.
+  * Click Scan to search for available networks, find your and click Join Selected.
-===== Firewall/NAT =====
+  * Enter your WiFi password in the WPA passphrase box and click Submit and then Save.
-==== Port Forwarding ====
+  * Click Save & Apply to connect to your WiFi.
-  * go to Firewall / NAT / Port Forward
+  * You now have a WAN connection on the internal WiFi adapter and a LAN connection on the LAN port.
-  * create new rule by clicking on the "+"
+  * Now add USB WiFi card as radio1 for our WiFi access point for clients to connect to.
-    * Interface: WAN
+  * From the top menu, click on the Network tab and choose Wireless.
-    * Protocol: TCP
+  * If you see radio1, you are all good with the installation of the second WiFi adapter. If not, use these steps to install drivers.
-    * Source Advanced should all be "any"
+    * Click System -> Software
-    * Destination: WAN address
+    * Click Update lists...
-    * Destination port range: select outside port (example: 80 or 443)
+    * when done, in the filter box type "kmod-" and then the drivers for your usb wifi card.
-    * Redirect target IP: Single host or Network / internal IP address of the server (10.23.79.4)
+    * For my CanaKit Raspberry Pi WiFi Wireless Adapter/Dongle (802.11 n/g/b 150 Mbps) I needed: kmod-rt2800-lib, kmod-rt2800-usb, kmod-rt2x00-lib, and kmod-rt2x00-usb
-    * Redirect target port: (other) / internal server port (example: 180 or 1443)
+    * pretty sure the 2800-lib and 2800-usb files installed the 2x00 ones as well.
-    * Description: whatever
+    * Now you should have radio1 show up under Network -> Wireless.
-    * NAT reflection: Enabled
+  * Click Edit for the OpenWrt SSID (under the radio1)
-    * Filter rule association: Add associated filter rule
+    * Click Enable for Wireless network is disabled
-    * Save/Apply
+    * Change Operating Frequency to 7 or anything that is free
-  * repeat for other forwarded ports
+    * Under Interface Configuration, select the Wireless Security tab, choose WPA2-PSK and enter a password that devices will use to connect.
-    * Port Forwarding rules if unraid/ Nginx:<code>80      Both  10.23.79.X  180   HTTP tomcat
+    * Click Save
-     Both  10.23.79.X  1443  HTTPS tomcat
+  * Click Save & Apply
-      Both  10.23.79.X        SSH brimble</code>
+Link: https://tristam.ie/2023/582/#openwrt-install
-    * Port Forwarding rules if standalone:<code>80      Both  10.23.79.X  HTTP tomcat
-     Both  10.23.79.X  HTTPS
-      Both  10.23.79.X  SSH brimble
-   Both  10.23.79.X  Plex</code>
-  * Hairpin NAT:
-    * go to Firewall / Settings / Advanced
-    * Check "Automatic outbound NAT for Reflection"
-    * Save / Apply
-==== Wireguard VPN ====
+===== Setup WireGuard VPN =====
-=== Create Instance and Peers ===
+  * From OpenWRT top menu, click System tab and choose Software.
-  * go to System / Firmware / Plugins and install os-wireguard
+  * Click Update lists button and wait for process to finish.
-  * go to VPN / WireGuard / Settings / Instances
+  * Click Dismiss
-  * create new instance by clicking on the "+"
+  * Install the following packages by using the Filter field and clicking Install
-    * Enabled: check
+    * kmod-wireguard
-    * Name: WG1
+    * luci-proto-wireguard
-    * click the gear to create a Public/Private key pair
+    * luci-app-wireguard (Try installing this first, it should automatically install the others)
-      * we will call this public key "MAINPUBLIC" for rest of tutorial
+  * Click Network->Interfaces->Add new interface.
-    * Listen port: 51820
+    * enter wg0 as the interface name.
-    * Tunnel address: pick a subnet not used elsewhere (10.23.0.1/24)
+    * select WireGuard VPN from protocol drop down
-    * Save/Apply
+    * click Create interface
-  * go to VPN / WireGuard / Settings / General and enable WireGuard
+  * Click General Settings tab and enter following parameters from your Wireguard setup.
-  * go to VPN / WireGuard / Settings / Peers
+    * Bring up on boot: checked
-  * create new peer by clicking on the "+"
+    * Private Key: Generate new key pair
-    * Enabled: check
+    * Public Key: this will go into your home wireguard setup on the other end as the peer's public key)
-    * Name: iPhone / Macbook / whatever
+    * Listen Port: blank
-    * Public key: PEERPUBLIC (put in the key created when you setup the client... see below)
+    * IP Addresses: whatever you assign it in your home wireguard setup as the peer's ip (10.23.0.13/32)
-    * Allowed IPs: something on the subnet configured above (10.23.0.11/32)
+  * Click Advanced Settings tab
-    * Instances: select above instance (WG1)
+    * Use default gateway: checked
-    * Save/Apply
+    * enter custom DNS servers (8.8.8.8 and 8.8.4.4)
-  * go to VPN / WireGuard / Settings / Instances / Edit WG1
+  * Click on the Firewall tab and select the WAN zone for Create/Assign firewall-zone. (wan wg0: wwan:)
-    * Add Peers into Peers drop down
+  * Click the Peers tab and Add peer
-    * Save/Apply
+    * Description: brimble.com
-  * go to Lobby / Dashboard and restart wireguard
+    * Public Key: from the home wireguard instance setup
-=== Create interface ===
+    * Private Key: blank
-  * go to Interfaces / Assignments
+    * Preshared key: blank
-  * in the drop down under new interface, select the WireGuard instance (wg1)
+    * Allowed IPs: 0.0.0.0/0
-    * Enable: check
+    * Route Allowed IPs: checked
-    * Description: WG1
+    * Endpoint Host: brimble.com
-    * Save/Apply
+    * Endpoint Port: 51820
-  * go to Interfaces / WG1
+    * Persistent Keep Alive: 25
-    * Enable: check
+    * Click Save and then Save & Apply.
-    * Description: WG1
+  * Also, set custom DNS again in Interfaces->WWAN if not already.
-    * Save/Apply
-=== Create VPN Firewall rules ===
-  * go to Firewall / Rules / WAN
-  * create new rule by clicking on the "+"
-    * Action: Pass
-    * Quick: check
-    * Interface: WAN
-    * Direction: in
-    * TCP/IP Version: IPv4
-    * Protocol: UDP
-    * Source Invert: unchecked
-    * Source: any
-    * Destination Invert: unchecked
-    * Destination: WAN address
-    * Destination port range: from (other) 51820 to (other) 51820
-    * Description: allow wireguard inbound
-    * Save/Apply
-  * go to Firewall / Rules / [Name of interface assigned above (WG1)]
-  * create new rule by clicking on the "+"
-    * Action: Pass
-    * Quick: check
-    * Interface: WG1
-    * Direction: in
-    * TCP/IP Version: IPv4
-    * Protocol: any
-    * Source Invert: unchecked
-    * Source [Name of interface assigned above NET (WG1 net)]
-    * Destination Invert: unchecked
-    * Destination: any
-    * Destination port range: any
-    * Save/Apply
-=== Setup Clients ===
-  * This will differ based on device... principal is the same.
-  * iPhone
-    * Download WireGuard from app store
-    * create new
-      * Name: brimble.com
-      * Generate keypair
-        * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
-      * Addresses: This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
-      * Listen port: Automatic
-      * MTU: Automatic
-      * DNS servers: 8.8.8.8, 8.8.4.4
-      * click Add peer
-      * Public key: MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
-      * Preshared key: blank
-      * Endpoint: the address and port of your server (brimble.com:51820)
-      * Allowed IPs: 0.0.0.0/0
-      * Save
-  * macbook
-    * Downlaod WireGuard from app store
-    * create new
-      * Name: brimble.com
-      * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
-      * <code>[Interface]
-PrivateKey = whatever is there
-Address = This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
-DNS = 8.8.8.8, 8.8.4.4
-[Peer]
+Link: https://tristam.ie/2023/805/
-PublicKey = MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
-AllowedIPs = 0.0.0.0/0
-Endpoint = the address and port of your server (brimble.com:51820)
-</code>
-  * Save
-Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
-==== NAT for online gaming ====
-  * go to Firewall / Aliases
-    * create new alias by clicking on the "+"
-    * Enabled: check
-    * Name: NintendoSwitch
-    * Type: Host(s)
-    * Content: IP address of Switch
-    * Save/Apply
-  * go to Firewall / NAT / Outbound
-    * change mode to Hybrid so you can add manual rule
-    * create new rule by clicking on the "+"
-    * Interface: WAN
-    * Protocol: any
-    * Source address: NintendoSwitch
-    * Static-port: check
-    * Give it a description
-    * Save/Apply
-Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense
+===== Connect =====
+  * Use laptop to connect to broadcasting WiFi
-==== Services ====
+  * go to 10.28.9.1 (or whatever your LAN is)
-  * DHCPv4
+  * go to network/wireless and remove whatever old wifi is under radio0
-    * Range Start 10.23.79.100
+  * click scan next to radio0 and connect to "hotel wifi"
-    * Range Stop 10.23.79.245
+  * click Save & Apply
-    * Save Apply
+  * Should now be connected and devices connecting to your device should work (might require reboot?)
-    * Static MAC/IP Mapping<code>brimNAS          10.23.79.4
+  * If using a captive portal interface you need tunnel thru DNS to bypass captive portals, specifically on port 53. To do this you need to disable "DNS rebinding protection" (this option is ON by default) before you can do this.
-BrimUpstairsAP   10.23.79.5
-BrimDownstairsAP 10.23.79.6
-</code>
-  * DNS (System / Settings / General
-    * 10.23.79.1 to use ISPs
-    * 10.23.79.3 if using PiHole
-    * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
-  * Dynamic DNS
-    * go to System / Firmware / Plugins and download os-ddclient
-    * go to Services / Dynamic DNS / Settings
-      * add new one by clicking on the "+"
-      * Enabled
-      * Service : easyDNS
-      * Username : easyDNS username
-      * Password : easyDNS token (not password). Token can be gotten from website
-      * Hostnames: brimble.com
-      * Check ip method: dyndns
-      * Interface to monitor: WAN
-      * Check ip timeout: 10
-      * Force SSL: checked
-      * Save/Apply

brimble.com

User Tools

Site Tools

Differences

Page Tools