brimble.com

User Tools

Site Tools

Trace: rbpi_openwrt
equipment:rbpi_openwrt

This is an old revision of the document!

Table of Contents

Setup OpenWRT with WireGuard VPN on a Raspberry Pi 4

This will guide you through the setup of OpenWRT on a Raspberry Pi 4.

Install OpenWRT

  • Download software from https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
    • Model: Raspberry Pi 4
    • Version: B
    • For the above:
  • Use balenaEtcher or other favorite tool to write OpenWRT onto SD card.
  • See webpage info below for optional step of resizing the default partition.
  • Put SD card in Pi, connect ethernet and power on.

Setup OpenWRT

  • Go to http://192.168.1.1 and login using 'root' and 'openwrt' as default login.
  • Set a new password by following the prompts.
  • Change IP block.
    • Go to Network and choose Interfaces.
    • Edit the LAN
      • Protocol: Static address
      • Bring up on boot: checked
      • IPv4 address: 10.28.9.1
      • IPv4 netmask: 255.255.255.0
    • Save
  • Save Apply and reconnect to new IP address with new password.
  • From the top menu, click on Network and choose Wireless.
  • Click Remove next to the existing wireless config and then Save & Apply.
  • Click Scan to search for available networks, find your and click Join Selected.
  • Enter your WiFi password in the WPA passphrase box and click Submit and then Save.
  • Click Save & Apply to connect to your WiFi.
  • You now have a WAN connection on the internal WiFi adapter and a LAN connection on the LAN port.
  • Now add USB WiFi card as radio1 for our WiFi access point for clients to connect to.
  • The Wifi card I have from a previous nonWifi Pi bundle seems compatable and may not require any extra install steps. See link below for more info if it does.
  • From the top menu, click on the Network tab and choose Wireless.
  • If you see radio1, you are all good with the installation of the second WiFi adapter.
  • Click Edit for the OpenWrt SSID (under the radio1)
    • Click Enable for Wireless network is disabled
    • Change Operating Frequency to 7 or anything that is free
    • Under Interface Configuration, select the Wireless Security tab, choose WPA2-PSK and enter a password that devices will use to connect.
    • Click Save
  • Click Save & Apply

Link: https://tristam.ie/2023/582/#openwrt-install

Setup WireGuard VPN

  • From OpenWRT top menu, click System tab and choose Software.
  • Click Update lists button and wait for process to finish.
  • Click Dismiss
  • Install the following packages by using the Filter field and clicking Install
    • kmod-wireguard
    • luci-proto-wireguard
    • luci-app-wireguard (Try installing this first, it should automatically install the others)
  • Click Network→Interfaces→Add new interface.
    • enter wg0 as the interface name.
    • select WireGuard VPN from protocol drop down
    • click Create interface
  • Click General Settings tab and enter following parameters from your Wireguard setup.
    • Bring up on boot: checked
    • Private Key: Generate new key pair
    • Public Key: this will go into your home wireguard setup on the other end as the peer's public key)
    • Listen Port: blank
    • IP Addresses: whatever you assign it in your home wireguard setup as the peer's ip (10.23.0.13/32)
  • Click Advanced Settings tab
    • Use default gateway: checked
    • enter custom DNS servers (8.8.8.8 and 8.8.4.4)
  • Click on the Firewall tab and select the WAN zone for Create/Assign firewall-zone. (wan wg0: wwan:)
  • Click the Peers tab and Add peer
    • Description: brimble.com
    • Public Key: from the home wireguard instance setup
    • Private Key: blank
    • Preshared key: blank
    • Allowed IPs: 0.0.0.0/0
    • Route Allowed IPs: checked
    • Endpoint Host: brimble.com
    • Endpoint Port: 51820
    • Persistent Keep Alive: 25
    • Click Save and then Save & Apply.
  • Also, set custom DNS again in Interfaces→WWAN if not already.

Link: https://tristam.ie/2023/805/

Connect

  • plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1
    • NOTE: OPNsense defines ports right to left as LAN, WAN but the Protectli FW4C labels them right to left as WAN, LAN. So you'll have to plug into the WAN port for this initial login and we will switch the ports in software so that the labels are matched up.
  • log in using 'root' and the password you set during install
  • go to Interfaces / Assignments and swap the LAN and WAN ports if needed (see above note)
    • once this step is complete, you'll need to plug the wire into the new LAN port and re-login

Setup

  • go to Interfaces / LAN
    • make sure it is enabled and locked
    • config type Static IPv4
    • set IPv4 address to your desire (10.23.79.1/24 for me)
    • upstream gateway is auto-detect
    • Save/Apply
  • go to Interfaces / WAN
    • make sure it is enabled and locked
    • block private and bogon networks
    • config type DHCP (for CenturyLink at least)
    • Save/Apply
  • This service provider requires traffic from the ONT to go to a router set to VLAN 201
  • go to Interfaces / Other Types / VLAN
  • create new by clicking on the “+”
    • Device: vlan01
    • Parent: igc0 (the address of the WAN port)
    • VLAN tag: 201
    • VLAN priority: Best Effort
    • Description: Internet
    • Save
  • go to Interfaces / Assignments
    • change WAN to the new vlan01 that you just created
    • Save/Apply/Reboot(?)
  • Plug line from internet into WAN port.

Firewall/NAT

Port Forwarding

  • go to Firewall / NAT / Port Forward
  • create new rule by clicking on the “+”
    • Interface: WAN
    • Protocol: TCP
    • Source Advanced should all be “any”
    • Destination: WAN address
    • Destination port range: select outside port (example: 80 or 443)
    • Redirect target IP: Single host or Network / internal IP address of the server (10.23.79.4)
    • Redirect target port: (other) / internal server port (example: 180 or 1443)
    • Description: whatever
    • NAT reflection: Enabled
    • Filter rule association: Add associated filter rule
    • Save/Apply
  • repeat for other forwarded ports
    • Port Forwarding rules if unraid/ Nginx:
      80      Both  10.23.79.X  180   HTTP tomcat
443     Both  10.23.79.X  1443  HTTPS tomcat
22      Both  10.23.79.X        SSH brimble
    • Port Forwarding rules if standalone:
      80      Both  10.23.79.X  HTTP tomcat
443     Both  10.23.79.X  HTTPS
22      Both  10.23.79.X  SSH brimble
32400   Both  10.23.79.X  Plex
  • Hairpin NAT:
    • go to Firewall / Settings / Advanced
    • Check “Automatic outbound NAT for Reflection”
    • Save / Apply

Wireguard VPN

Create Instance and Peers

  • go to System / Firmware / Plugins and install os-wireguard
  • go to VPN / WireGuard / Settings / Instances
  • create new instance by clicking on the “+”
    • Enabled: check
    • Name: WG1
    • click the gear to create a Public/Private key pair
      • we will call this public key “MAINPUBLIC” for rest of tutorial
    • Listen port: 51820
    • Tunnel address: pick a subnet not used elsewhere (10.23.0.1/24)
    • Save/Apply
  • go to VPN / WireGuard / Settings / General and enable WireGuard
  • go to VPN / WireGuard / Settings / Peers
  • create new peer by clicking on the “+”
    • Enabled: check
    • Name: iPhone / Macbook / whatever
    • Public key: PEERPUBLIC (put in the key created when you setup the client… see below)
    • Allowed IPs: something on the subnet configured above (10.23.0.11/32)
    • Instances: select above instance (WG1)
    • Save/Apply
  • go to VPN / WireGuard / Settings / Instances / Edit WG1
    • Add Peers into Peers drop down
    • Save/Apply
  • go to Lobby / Dashboard and restart wireguard

Create interface

  • go to Interfaces / Assignments
  • in the drop down under new interface, select the WireGuard instance (wg1)
    • Enable: check
    • Description: WG1
    • Save/Apply
  • go to Interfaces / WG1
    • Enable: check
    • Description: WG1
    • Save/Apply

Create VPN Firewall rules

  • go to Firewall / Rules / WAN
  • create new rule by clicking on the “+”
    • Action: Pass
    • Quick: check
    • Interface: WAN
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: UDP
    • Source Invert: unchecked
    • Source: any
    • Destination Invert: unchecked
    • Destination: WAN address
    • Destination port range: from (other) 51820 to (other) 51820
    • Description: allow wireguard inbound
    • Save/Apply
  • go to Firewall / Rules / [Name of interface assigned above (WG1)]
  • create new rule by clicking on the “+”
    • Action: Pass
    • Quick: check
    • Interface: WG1
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source Invert: unchecked
    • Source [Name of interface assigned above NET (WG1 net)]
    • Destination Invert: unchecked
    • Destination: any
    • Destination port range: any
    • Save/Apply

Setup Clients

  • This will differ based on device… principal is the same.
  • iPhone
    • Download WireGuard from app store
    • create new
      • Name: brimble.com
      • Generate keypair
        • This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
      • Addresses: This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
      • Listen port: Automatic
      • MTU: Automatic
      • DNS servers: 8.8.8.8, 8.8.4.4
      • click Add peer
      • Public key: MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
      • Preshared key: blank
      • Endpoint: the address and port of your server (brimble.com:51820)
      • Allowed IPs: 0.0.0.0/0
      • Save
  • macbook
    • Downlaod WireGuard from app store
    • create new
      • Name: brimble.com
      • This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
      • [Interface]
PrivateKey = whatever is there
Address = This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
AllowedIPs = 0.0.0.0/0
Endpoint = the address and port of your server (brimble.com:51820)
  • Save

Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

NAT for online gaming

  • go to Firewall / Aliases
    • create new alias by clicking on the “+”
    • Enabled: check
    • Name: NintendoSwitch
    • Type: Host(s)
    • Content: IP address of Switch
    • Save/Apply
  • go to Firewall / NAT / Outbound
    • change mode to Hybrid so you can add manual rule
    • create new rule by clicking on the “+”
    • Interface: WAN
    • Protocol: any
    • Source address: NintendoSwitch
    • Static-port: check
    • Give it a description
    • Save/Apply

Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense

Services

  • DHCPv4
    • Range Start 10.23.79.100
    • Range Stop 10.23.79.245
    • Save Apply
    • Static MAC/IP Mapping
      brimNAS          10.23.79.4
BrimUpstairsAP   10.23.79.5
BrimDownstairsAP 10.23.79.6
  • DNS (System / Settings / General
    • 10.23.79.1 to use ISPs
    • 10.23.79.3 if using PiHole
    • 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
  • Dynamic DNS
    • go to System / Firmware / Plugins and download os-ddclient
    • go to Services / Dynamic DNS / Settings
      • add new one by clicking on the “+”
      • Enabled
      • Service : easyDNS
      • Username : easyDNS username
      • Password : easyDNS token (not password). Token can be gotten from website
      • Hostnames: brimble.com
      • Check ip method: dyndns
      • Interface to monitor: WAN
      • Check ip timeout: 10
      • Force SSL: checked
      • Save/Apply
equipment/rbpi_openwrt.1705082744.txt.gz · Last modified: by dirk

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki