This scenario is useful if you want to use the VPN with devices that have no VPN capability of their own, such as a smart TV, or if you want to make the VPN connection available to multiple devices through the router. This is a tested, working scenario with the following environment:

- Algo installed on Ubuntu at DigitalOcean
- client side router "TP-Link TL-WR1043ND" with OpenWrt ver. 21.02.1 (see the OpenWrt install instructions for that device)
- or client side router "TP-Link Archer C20i AC750" with OpenWrt ver. 21.02.1 (see the OpenWrt install instructions for that device)

For the list of compatible devices see https://openwrt.org/toh/start . Theoretically any device on that list should work.

Make sure that you have:

- a router with OpenWrt installed,
- the router connected to the internet,
- the router and the device in front of it not sharing the same IP address. By default OpenWrt uses 192.168.1.1; if the device in front of it uses that address too, change the OpenWrt address to something like 192.168.2.1.
Install the required packages from the web UI:

- Open the router web UI (usually http://192.168.1.1 )
- Log in (by default username: root, password: empty)
- System -> Software, click "Update lists"
- Install the following packages: wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
- Restart the router

Alternatively, install the packages over ssh:

- Open the router web UI (usually http://192.168.1.1 )
- `ssh root@192.168.1.1`
- `opkg update`
- `opkg install wireguard-tools kmod-wireguard luci-app-wireguard wireguard kmod-crypto-sha256 kmod-crypto-sha1 kmod-crypto-md5` (opkg takes the package names separated by spaces, not commas)
- `reboot`
Create the WireGuard interface in the web UI:

- Open the router web UI
- Navigate to Network -> Interfaces
- Click "Add new interface"
- Give it a name, e.g. `AlgoVpn`
- Select Protocol: `WireGuard VPN`
- Click `Create Interface`
- In the "General Settings" tab:
  - `Bring up on boot`: checked
  - Private Key: `Interface -> PrivateKey` from the algo config file
  - IP Address: `Interface -> Address` from the algo config file
- In the "Peers" tab, click Add and fill in:
  - Name: `algo`
  - Public Key: `[Peer] -> PublicKey` from the algo config file
  - Preshared Key: `[Peer] -> PresharedKey` from the algo config file
  - Allowed IPs: `0.0.0.0/0`
  - Route Allowed IPs: checked
  - Endpoint Host: the IP part of `[Peer] -> Endpoint` from the algo config file
  - Endpoint Port: the port part of `[Peer] -> Endpoint` from the algo config file
  - Persistent Keep Alive: `25`
- Click Save & Save Apply
Configure the firewall in the web UI:

- Open the router web UI
- Navigate to Network -> Firewall
- Click `Add configuration` and fill in the new zone:
  - Name: e.g. `ivpn_fw`
  - Input: Reject
  - Output: Accept
  - Forward: Reject
  - Masquerading: checked
  - MSS clamping: checked
  - Covered networks: select the VPN interface created above
  - Allow forward to destination zones: unspecified
  - Allow forward from source zones: lan
- Click Save & Save Apply
- Reboot the router
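The interface, peer and firewall zone entered in the web UI above are stored as UCI settings in /etc/config/network and /etc/config/firewall, so the same setup can be scripted. The following POSIX shell script is an added example, not code from the Algo project or from this guide: it parses an Algo WireGuard client config (the wg-quick style file with `[Interface]` and `[Peer]` sections) and prints the equivalent `uci` commands for the interface steps and the firewall steps. It only prints the commands so they can be reviewed before being pasted into an ssh session on the router. The embedded config is constructed with placeholder keys; the interface name `algo`, the peer section name `algo_peer`, the zone name `ivpn_fw` and the treatment of the `DNS` line as a comment are assumptions of this example, not something the guide prescribes.

```shell
#!/bin/sh
# Added example (not Algo project code): print the OpenWrt `uci` commands
# equivalent to the web UI steps above, derived from an Algo client config.

# Constructed sample in the layout Algo writes to configs/<server>/wireguard/<user>.conf.
# The keys are placeholders, not real WireGuard keys.
SAMPLE_CONF='[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.49.0.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.10:51820
'

# conf_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION].
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && match($0, "^" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Split "host:port" or "[v6addr]:port" into the two values the Peers tab asks for.
endpoint_host() {
    case "$1" in
        \[*\]:*) h=${1#\[}; printf '%s\n' "${h%%\]:*}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}
endpoint_port() { printf '%s\n' "${1##*:}"; }

# uci_commands CONF IFNAME ZONE: print the commands for the interface
# (General Settings), its peer (Peers tab) and the firewall zone.
uci_commands() {
    conf=$1; ifname=$2; zone=$3; peer="${ifname}_peer"   # peer section name is an assumption
    priv=$(conf_get "$conf" Interface PrivateKey)
    addr=$(conf_get "$conf" Interface Address)
    dns=$(conf_get "$conf" Interface DNS)
    pub=$(conf_get "$conf" Peer PublicKey)
    psk=$(conf_get "$conf" Peer PresharedKey)
    ep=$(conf_get "$conf" Peer Endpoint)
    if [ -z "$priv" ] || [ -z "$addr" ] || [ -z "$pub" ] || [ -z "$ep" ]; then
        echo "uci_commands: $conf lacks PrivateKey, Address, PublicKey or Endpoint" >&2
        return 1
    fi
    cat <<EOF
# interface; the peer section type must be wireguard_<interface name>
uci set network.$ifname=interface
uci set network.$ifname.proto='wireguard'
uci set network.$ifname.private_key='$priv'
uci add_list network.$ifname.addresses='$addr'
uci set network.$peer=wireguard_$ifname
uci set network.$peer.description='algo'
uci set network.$peer.public_key='$pub'
uci add_list network.$peer.allowed_ips='0.0.0.0/0'
uci set network.$peer.route_allowed_ips='1'
uci set network.$peer.endpoint_host='$(endpoint_host "$ep")'
uci set network.$peer.endpoint_port='$(endpoint_port "$ep")'
uci set network.$peer.persistent_keepalive='25'
EOF
    # The preshared key is optional in WireGuard; emit it only when the config has one.
    if [ -n "$psk" ]; then
        echo "uci set network.$peer.preshared_key='$psk'"
    fi
    cat <<EOF
# firewall zone covering the tunnel, with lan allowed to forward into it
uci add firewall zone
uci set firewall.@zone[-1].name='$zone'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='$ifname'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='$zone'
uci commit network
uci commit firewall
# DNS in the config is ${dns:-unset}; it is not among the interface settings above, configure the router's resolver separately
EOF
}

# Demo: write the constructed config to a temp file and print the commands.
demo_conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo_conf"
uci_commands "$demo_conf" algo ivpn_fw
rm -f "$demo_conf"
```

Two points worth checking in the output: the peer section type `wireguard_algo` has to match the interface name or the peer is ignored, and the commands do not touch the default lan-to-wan forwarding, so if the tunnel is down, LAN clients fall back to the plain WAN route. If that is not acceptable, also remove the lan-to-wan forwarding so the router fails closed.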
There may be additional configuration required depending on your environment, for example DNS configuration.

You can also verify the configuration over ssh by looking at /etc/config/network. It should look like this:

```
config interface 'algo'
	option proto 'wireguard'
	list addresses '10.0.0.2/32'
	# Interface -> PrivateKey from the algo config file
	option private_key '......'

# the peer section type is wireguard_<interface name>, so wireguard_algo for the interface above
config wireguard_algo
	# server's public key ([Peer] -> PublicKey)
	option public_key '......'
	# [Peer] -> PresharedKey
	option preshared_key '......'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	# server's public IP address
	option endpoint_host '......'
	option endpoint_port '51820'
	option persistent_keepalive '25'
```