Differences

This shows you the differences between two versions of the page.

--- equipment:rbpi_openwrt [2024/01/12 11:19] – [Install OPNsense] dirk
+++ equipment:rbpi_openwrt [2024/02/09 08:10] (current) – [Setup OpenWRT] dirk
@@ Line 1: / Line 1: @@
 ====== Setup OpenWRT with WireGuard VPN on a Raspberry Pi 4 ======
 This will guide you through the setup of [[server:OpenWRT|OpenWRT]] on a [[equipment:rbpi_4|Raspberry Pi 4]].
-===== Install and Setup OpenWRT =====
+===== Install OpenWRT =====
   * Download software from https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
     * Model: Raspberry Pi 4
@@ Line 9: / Line 9: @@
   * See webpage info below for optional step of resizing the default partition.
   * Put SD card in Pi, connect ethernet and power on.
-  * go to http://192.168.1.1 and login using 'root' and 'openwrt' as default login.
-  * set a new password by following the prompts.
+===== Setup OpenWRT =====
+  * Go to http://192.168.1.1 and login using 'root' and 'openwrt' as default login.
+  * Set a new password by following the prompts.
+  * Change IP block.
+    * Go to Network and choose Interfaces.
+    * Edit the LAN
+      * Protocol: Static address
+      * Bring up on boot: checked
+      * IPv4 address: 10.28.9.1
+      * IPv4 netmask: 255.255.255.0
+    * Save
+  * Save Apply and reconnect to new IP address with new password.
   * From the top menu, click on Network and choose Wireless.
   * Click Remove next to the existing wireless config and then Save & Apply.
@@ Line 18: / Line 29: @@
   * You now have a WAN connection on the internal WiFi adapter and a LAN connection on the LAN port.
   * Now add USB WiFi card as radio1 for our WiFi access point for clients to connect to.
-  * The Wifi card I have from a previous nonWifi Pi bundle seems compatable and may not require any extra install steps. See link below for more info if it does.
   * From the top menu, click on the Network tab and choose Wireless.
-  * If you see radio1, you are all good with the installation of the second WiFi adapter.
+  * If you see radio1, you are all good with the installation of the second WiFi adapter. If not, use these steps to install drivers.
-  *
+    * Click System -> Software
-  * Turn on the device and boot from USB to load installer.
+    * Click Update lists...
-  * login as 'installer' with password 'opnsense'
+    * when done, in the filter box type "kmod-" and then the drivers for your usb wifi card.
-  * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.
+    * For my CanaKit Raspberry Pi WiFi Wireless Adapter/Dongle (802.11 n/g/b 150 Mbps) I needed: kmod-rt2800-lib, kmod-rt2800-usb, kmod-rt2x00-lib, and kmod-rt2x00-usb
+    * pretty sure the 2800-lib and 2800-usb files installed the 2x00 ones as well.
+    * Now you should have radio1 show up under Network -> Wireless.
+  * Click Edit for the OpenWrt SSID (under the radio1)
+    * Click Enable for Wireless network is disabled
+    * Change Operating Frequency to 7 or anything that is free
+    * Under Interface Configuration, select the Wireless Security tab, choose WPA2-PSK and enter a password that devices will use to connect.
+    * Click Save
+  * Click Save & Apply
+Link: https://tristam.ie/2023/582/#openwrt-install
-Link: https://www.youtube.com/watch?v=_IzyJTcnPu8
+===== Setup WireGuard VPN =====
-===== Connect =====
+  * From OpenWRT top menu, click System tab and choose Software.
-  * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1
+  * Click Update lists button and wait for process to finish.
-    * NOTE: OPNsense defines ports right to left as LAN, WAN but the Protectli FW4C labels them right to left as WAN, LAN. So you'll have to plug into the WAN port for this initial login and we will switch the ports in software so that the labels are matched up.
+  * Click Dismiss
-  * log in using 'root' and the password you set during install
+  * Install the following packages by using the Filter field and clicking Install
-  * go to Interfaces / Assignments and swap the LAN and WAN ports if needed (see above note)
+    * kmod-wireguard
-    * once this step is complete, you'll need to plug the wire into the new LAN port and re-login
+    * luci-proto-wireguard
-===== Setup =====
+    * luci-app-wireguard (Try installing this first, it should automatically install the others)
-  * go to Interfaces / LAN
+  * Click Network->Interfaces->Add new interface.
-    * make sure it is enabled and locked
+    * enter wg0 as the interface name.
-    * config type Static IPv4
+    * select WireGuard VPN from protocol drop down
-    * set IPv4 address to your desire (10.23.79.1/24 for me)
+    * click Create interface
-    * upstream gateway is auto-detect
+  * Click General Settings tab and enter following parameters from your Wireguard setup.
-    * Save/Apply
+    * Bring up on boot: checked
-  * go to Interfaces / WAN
+    * Private Key: Generate new key pair
-    * make sure it is enabled and locked
+    * Public Key: this will go into your home wireguard setup on the other end as the peer's public key)
-    * block private and bogon networks
+    * Listen Port: blank
-    * config type DHCP (for CenturyLink at least)
+    * IP Addresses: whatever you assign it in your home wireguard setup as the peer's ip (10.23.0.13/32)
-    * Save/Apply
+  * Click Advanced Settings tab
-===== Setting up with CenturyLink Quantum Fiber =====
+    * Use default gateway: checked
-  * This service provider requires traffic from the ONT to go to a router set to VLAN 201
+    * enter custom DNS servers (8.8.8.8 and 8.8.4.4)
-  * go to Interfaces / Other Types / VLAN
+  * Click on the Firewall tab and select the WAN zone for Create/Assign firewall-zone. (wan wg0: wwan:)
-  * create new by clicking on the "+"
+  * Click the Peers tab and Add peer
-    * Device: vlan01
+    * Description: brimble.com
-    * Parent: igc0 (the address of the WAN port)
+    * Public Key: from the home wireguard instance setup
-    * VLAN tag: 201
+    * Private Key: blank
-    * VLAN priority: Best Effort
+    * Preshared key: blank
-    * Description: Internet
+    * Allowed IPs: 0.0.0.0/0
-    * Save
+    * Route Allowed IPs: checked
-  * go to Interfaces / Assignments
+    * Endpoint Host: brimble.com
-    * change WAN to the new vlan01 that you just created
+    * Endpoint Port: 51820
-    * Save/Apply/Reboot(?)
+    * Persistent Keep Alive: 25
-  * Plug line from internet into WAN port.
+    * Click Save and then Save & Apply.
-===== Firewall/NAT =====
+  * Also, set custom DNS again in Interfaces->WWAN if not already.
-==== Port Forwarding ====
-  * go to Firewall / NAT / Port Forward
-  * create new rule by clicking on the "+"
-    * Interface: WAN
-    * Protocol: TCP
-    * Source Advanced should all be "any"
-    * Destination: WAN address
-    * Destination port range: select outside port (example: 80 or 443)
-    * Redirect target IP: Single host or Network / internal IP address of the server (10.23.79.4)
-    * Redirect target port: (other) / internal server port (example: 180 or 1443)
-    * Description: whatever
-    * NAT reflection: Enabled
-    * Filter rule association: Add associated filter rule
-    * Save/Apply
-  * repeat for other forwarded ports
-    * Port Forwarding rules if unraid/ Nginx:<code>80      Both  10.23.79.X  180   HTTP tomcat
-     Both  10.23.79.X  1443  HTTPS tomcat
-      Both  10.23.79.X        SSH brimble</code>
-    * Port Forwarding rules if standalone:<code>80      Both  10.23.79.X  HTTP tomcat
-     Both  10.23.79.X  HTTPS
-      Both  10.23.79.X  SSH brimble
-   Both  10.23.79.X  Plex</code>
-  * Hairpin NAT:
-    * go to Firewall / Settings / Advanced
-    * Check "Automatic outbound NAT for Reflection"
-    * Save / Apply
-==== Wireguard VPN ====
+Link: https://tristam.ie/2023/805/
-=== Create Instance and Peers ===
-  * go to System / Firmware / Plugins and install os-wireguard
-  * go to VPN / WireGuard / Settings / Instances
-  * create new instance by clicking on the "+"
-    * Enabled: check
-    * Name: WG1
-    * click the gear to create a Public/Private key pair
-      * we will call this public key "MAINPUBLIC" for rest of tutorial
-    * Listen port: 51820
-    * Tunnel address: pick a subnet not used elsewhere (10.23.0.1/24)
-    * Save/Apply
-  * go to VPN / WireGuard / Settings / General and enable WireGuard
-  * go to VPN / WireGuard / Settings / Peers
-  * create new peer by clicking on the "+"
-    * Enabled: check
-    * Name: iPhone / Macbook / whatever
-    * Public key: PEERPUBLIC (put in the key created when you setup the client... see below)
-    * Allowed IPs: something on the subnet configured above (10.23.0.11/32)
-    * Instances: select above instance (WG1)
-    * Save/Apply
-  * go to VPN / WireGuard / Settings / Instances / Edit WG1
-    * Add Peers into Peers drop down
-    * Save/Apply
-  * go to Lobby / Dashboard and restart wireguard
-=== Create interface ===
-  * go to Interfaces / Assignments
-  * in the drop down under new interface, select the WireGuard instance (wg1)
-    * Enable: check
-    * Description: WG1
-    * Save/Apply
-  * go to Interfaces / WG1
-    * Enable: check
-    * Description: WG1
-    * Save/Apply
-=== Create VPN Firewall rules ===
-  * go to Firewall / Rules / WAN
-  * create new rule by clicking on the "+"
-    * Action: Pass
-    * Quick: check
-    * Interface: WAN
-    * Direction: in
-    * TCP/IP Version: IPv4
-    * Protocol: UDP
-    * Source Invert: unchecked
-    * Source: any
-    * Destination Invert: unchecked
-    * Destination: WAN address
-    * Destination port range: from (other) 51820 to (other) 51820
-    * Description: allow wireguard inbound
-    * Save/Apply
-  * go to Firewall / Rules / [Name of interface assigned above (WG1)]
-  * create new rule by clicking on the "+"
-    * Action: Pass
-    * Quick: check
-    * Interface: WG1
-    * Direction: in
-    * TCP/IP Version: IPv4
-    * Protocol: any
-    * Source Invert: unchecked
-    * Source [Name of interface assigned above NET (WG1 net)]
-    * Destination Invert: unchecked
-    * Destination: any
-    * Destination port range: any
-    * Save/Apply
-=== Setup Clients ===
-  * This will differ based on device... principal is the same.
-  * iPhone
-    * Download WireGuard from app store
-    * create new
-      * Name: brimble.com
-      * Generate keypair
-        * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
-      * Addresses: This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
-      * Listen port: Automatic
-      * MTU: Automatic
-      * DNS servers: 8.8.8.8, 8.8.4.4
-      * click Add peer
-      * Public key: MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
-      * Preshared key: blank
-      * Endpoint: the address and port of your server (brimble.com:51820)
-      * Allowed IPs: 0.0.0.0/0
-      * Save
-  * macbook
-    * Downlaod WireGuard from app store
-    * create new
-      * Name: brimble.com
-      * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
-      * <code>[Interface]
-PrivateKey = whatever is there
-Address = This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
-DNS = 8.8.8.8, 8.8.4.4
-[Peer]
+===== Connect =====
-PublicKey = MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
+  * Use laptop to connect to broadcasting WiFi
-AllowedIPs = 0.0.0.0/0
+  * go to 10.28.9.1 (or whatever your LAN is)
-Endpoint = the address and port of your server (brimble.com:51820)
+  * go to network/wireless and remove whatever old wifi is under radio0
-</code>
+  * click scan next to radio0 and connect to "hotel wifi"
-  * Save
+  * click Save & Apply
-Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
+  * Should now be connected and devices connecting to your device should work (might require reboot?)
-==== NAT for online gaming ====
+  * If using a captive portal interface you need tunnel thru DNS to bypass captive portals, specifically on port 53. To do this you need to disable "DNS rebinding protection" (this option is ON by default) before you can do this.
-  * go to Firewall / Aliases
-    * create new alias by clicking on the "+"
-    * Enabled: check
-    * Name: NintendoSwitch
-    * Type: Host(s)
-    * Content: IP address of Switch
-    * Save/Apply
-  * go to Firewall / NAT / Outbound
-    * change mode to Hybrid so you can add manual rule
-    * create new rule by clicking on the "+"
-    * Interface: WAN
-    * Protocol: any
-    * Source address: NintendoSwitch
-    * Static-port: check
-    * Give it a description
-    * Save/Apply
-Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense
-==== Services ====
-  * DHCPv4
-    * Range Start 10.23.79.100
-    * Range Stop 10.23.79.245
-    * Save Apply
-    * Static MAC/IP Mapping<code>brimNAS          10.23.79.4
-BrimUpstairsAP   10.23.79.5
-BrimDownstairsAP 10.23.79.6
-</code>
-  * DNS (System / Settings / General
-    * 10.23.79.1 to use ISPs
-    * 10.23.79.3 if using PiHole
-    * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
-  * Dynamic DNS
-    * go to System / Firmware / Plugins and download os-ddclient
-    * go to Services / Dynamic DNS / Settings
-      * add new one by clicking on the "+"
-      * Enabled
-      * Service : easyDNS
-      * Username : easyDNS username
-      * Password : easyDNS token (not password). Token can be gotten from website
-      * Hostnames: brimble.com
-      * Check ip method: dyndns
-      * Interface to monitor: WAN
-      * Check ip timeout: 10
-      * Force SSL: checked
-      * Save/Apply

brimble.com

User Tools

Site Tools

Differences

Page Tools