For a long time, I relied on a PPTP VPN tunnel to connect my Android 11 phone to my local network over the internet effortlessly. This built-in feature in Android proved to be handy, especially since it seamlessly operated behind the NAT of my cell phone carrier. However, my experience took a turn when I upgraded to Android 13; suddenly, the support for PPTP and L2TP vanished, a change introduced since Android 12. This left me in search of an alternative VPN solution, and that’s when I discovered WireGuard VPN. In this guide, I’ll walk you through the steps of configuring my EdgeRouter and various client devices to work smoothly with WireGuard VPN.
Table of Contents
Let me outline my existing setup for clarity. The EdgeRouter is directly linked to the internet via port eth0, while my Local Area Network (LAN) is accessible through eth1, operating within the IP range of 192.168.2.0/24. Notably, all peers, whether on 4G, 5G, DSL, or any other network, are positioned behind Network Address Translation (NAT).
To get started, access your EdgeRouter through SSH. Once logged in, download the appropriate WireGuard installation file tailored for your specific EdgeRouter model. In my case, the EdgeRouter 4P, i’ll be using the E300 (v2) installation package. Since EdgeRouters vary in architecture, it’s important to find the correct package to ensure compatibility.
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb
Install the package
sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb
The initial step in configuring WireGuard involves generating private and public keys.
It’s essential to understand the fundamental principle: your private key must be kept confidential. From this private key, the corresponding public key is derived. This public key is then shared exclusively with client peers intending to establish a connection with the WireGuard server. It is paramount never to disclose your private key, as it has the capability to generate new public keys.
wg genkey | tee /config/auth/private_key | wg pubkey > public_key
Following key generation, the next step involves entering configuration mode. Here, you create the WireGuard
wg0 interface and specify your private key. For this setup, I’ve opted for the IP address 192.168.5.1/24 for my
wg0 interface. However, you have the flexibility to modify it according to your preferences.
configure set interfaces wireguard wg0 address 192.168.5.1/24 set interfaces wireguard wg0 listen-port 51820 set interfaces wireguard wg0 route-allowed-ips true set interfaces wireguard wg0 private-key /config/auth/private_key
In the configuration process, the IP address and listening port of the
wg0 interface are initially assigned. Following this, routing over the
wg0 interface is permitted, allowing communication from your LAN or other peers. Additionally, the location of your private key is specified to ensure secure connections.
Subsequently, firewall rules are created to allow WireGuard traffic, ensuring communication from the internet.
set firewall name WAN_LOCAL rule 30 action accept set firewall name WAN_LOCAL rule 30 protocol udp set firewall name WAN_LOCAL rule 30 description 'WireGuard' set firewall name WAN_LOCAL rule 30 destination port 51820
Here we create a new rule (30 in this instance) designed to accept UDP traffic to WAN_LOCAL. This rule specifically targets traffic destined for the EdgeRouter itself on port 51820, allowing communication destined to the EdgeRouter from the internet.
Upon completion of these configurations, the final step involves committing the changes and saving the settings. This action solidifies the setup, making certain that all adjustments are applied and your WireGuard VPN operates securely and efficiently.
commit save exit
With the EdgeRouter now successfully configured, the next step is setting up various clients to connect to the WireGuard server.
To set up the Android client, begin by downloading the WireGuard application from the Google Play Store. Once installed, launch the WireGuard app and locate the plus sign (+) situated in the bottom right corner. From there, choose the Create from scratch option to proceed with the configuration.
This step involves creating the WireGuard interface on your Android device. Certain fields need to be populated, although not all of them are mandatory for the process to proceed.
- Give the interface (tunnel) a name. Can be whatever you like
- Private key
- This is where we generate our private and public key.
- Click the refresh icon the right of the Private key field
- Now both the private and public fields are populated
- Copy the public key (or write it down). We’re going to need that on the EdgeRouter
- This is where we enter our assigned IP address
- I have selected to use 192.168.5.50 as my IP address
- With a mask of /32 because i just need one IP address (not a range)
Some optional fields that are worth mentioning include:
- DNS servers
- Add your DNS server of the EdgeRouter (eg 192.168.5.1) to be able to resolve local domain names (have left that empty)
- All Application
- Here you can select which Android apps can use the WireGuard tunnel (have left that empty)
At this stage, we need to configure the EdgeRouter to recognize the newly created client peer. Recall the public key you were instructed to write down earlier. We will utilize this key to establish a WireGuard client peer on the EdgeRouter. To initiate this process, log in to the EdgeRouter via SSH and execute the following commands.
configure set interfaces wireguard wg0 peer VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= description Android set interfaces wireguard wg0 peer VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= allowed-ips 192.168.5.50/32 commit save exit
Allow me to provide some context for these instructions. Initially, a peer is established on the existing
wg0 interface. This peer is identified and authorized via its unique public key, such as VMz6Go/hGoO6t8YGlBI7t+7FIgYbFxY98lpNuELYQUQ= in the example above. It’s important to replace it with your own public key, which you obtained from your Android phone. Furthermore, the WireGuard server is configured to permit traffic destined for the specific IP address 192.168.5.50/32 to traverse this tunnel (peer).
With the interface created and the EdgeRouter configured, the next step is to add the peer on your Android device. This step involves clicking on the Add peer option, where you will input all the necessary information about the WireGuard server you intend to connect to.
Here, you’ll enter the information previously configured on the EdgeRouter. Certain fields need to be filled out, although not all of them are mandatory for the setup to progress.
- Public key
- This is the public key we’ve generated on the EdgeRouter
- Just do a “cat public_key” on the EdgeRouter if you haven’t written it down yet
- Persistent keepalive
- I wanted the tunnel to always be active, so i added 25 here (optional)
- This is the public IP address or domain name of your EdgeRouter
- Followed by :51820 as the port number
- Allowed IPs
- Here we define which IP addresses are allowed to transverse the tunnel
- 192.168.5.0/24 for the whole 192.168.5.0 (WireGuard) network
- 192.168.2.0/24 for my local LAN network
- Add more IP addresses if you’d like, separated by a comma
Following the configuration steps, your setup on the Android device should resemble something similar to this.
Once you have entered the necessary details, click the save icon, and your WireGuard tunnel should be operational and ready for use.
On Ubuntu/Debian systems, the installation process aligns closely with the steps outlined for Android. After installing the WireGuard package, open the WireGuard configuration, add a new peer, and input the EdgeRouter configuration details.
Apt update and upgrade
sudo apt update && sudo apt upgrade -y
sudo apt install wireguard
Generate private and public key
wg genkey | tee private_key | wg pubkey > public_key
Show the public key
Copy the public key and utilize it to create an additional WireGuard peer on the EdgeRouter. Proceed by logging into the EdgeRouter via SSH and input the following commands to establish the new peer.
configure set interfaces wireguard wg0 peer 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= description Ubuntu set interfaces wireguard wg0 peer 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= allowed-ips 192.168.5.51/32 commit save
Once again, a new peer is created on the existing
wg0 interface. This peer is recognized and authenticated by its public key, for instance, 7ef0Kcmay2u6hkxzzHJKCjvKdZ4wA5gt4nnCYM00R08= in the example above. Replace that with your own public key, previously copied from your Ubuntu/Debian PC and specify a description for this peer. (Ubuntu or whatever you like to name it)
The second line inform the WireGuard server that traffic directed to 192.168.5.51/32 should pass through this tunnel. The
/32 mask is used because the peer (client) is utilizing only one IP address. If you plan to set up a site-to-site tunnel (although not covered in this tutorial), a larger mask, like
/24, would be more appropriate. (254 IP addresses available)
To continue the configuration of the WireGuard client peer on Ubuntu/Debian, you’ll require your private key.
Copy the private key and create configuration file
sudo nano /etc/wireguard/wg0.conf
[Interface] Address = 192.168.5.51/32 PrivateKey = <client private_key> [Peer] PublicKey = <server public_key> Endpoint = your.domain.com:51820 AllowedIPs = 192.168.5.0/24, 192.168.2.0/24 PersistentKeepalive = 25
Let me explain further. In the configuration file, the Address field designates the IP address assigned to the
wg0 interface, and <client private_key> represents the private key you have just copied.
Within the [Peer] section, you provide the details necessary to establish a connection with the WireGuard server. <server public_key> corresponds to the public key of the WireGuard server, which can be obtained by using the cat public_key command on the EdgeRouter if you haven’t saved it. The Endpoint field specifies the domain name or IP address to which the client will connect. AllowedIPs enumerates the IP addresses permitted to traverse the tunnel. The inclusion of PersistentKeepalive ensures the tunnel remains active continuously, although it is an optional parameter.
Once the configuration file is complete, save and exit the file. Proceed to test the connection to confirm the tunnel is working.
# Bring up the WireGuard tunnel wg-quick up wg0 # Show active connections sudo wg show # Ping the WireGuard server ping 192.168.5.1 # Bring down the WireGuard tunnel wg-quick down wg0
If you receive a ping response, it indicates the successful operation of the tunnel. Additionally, you can test the routing functionality by pinging the client’s IP from your LAN. Once you are satisfied with the configuration and both tests are successful, you can enable the WireGuard service to start automatically during system startup. This ensures your WireGuard VPN connection is enabled at startup.
sudo systemctl enable wg-quick@wg0
Alternative Configuration Methods
While the previous configuration steps mandated manual entry of CLI commands, Christoph Loesch developed a WireGuard GUI specifically tailored for the EdgeRouter.
The WireGuard GUI, accessible via the EdgeRouter’s web interface, functions as a wizard to configure WireGuard and its peers. While my preference lies in manual CLI configuration, this GUI proves valuable, especially for tasks like scanning peer QR codes and querying connected WireGuard peers. Its convenience becomes apparent in scenarios requiring quick and visual management of WireGuard setups.
Git clone the latest WireGuard ER Wizard on your PC
git clone https://github.com/vchrizz/ER-wizard-WireGuard.git
And tar archive three files
cd ER-wizard-WireGuard.git tar -cvf wireguard.tar validator.json wizard.html wizard-run
Access the EdgeRouter’s web interface and navigate to the Wizards tab. Within the Feature Wizards section on the left, click the plus sign (+) to install the WireGuard GUI. Enter WireGuard as the Wizard Name and select the previously created wireguard.tar file under Wizard Files and click on Save.
Upon successful installation, you’ll notice that many WireGuard server configuration options are automatically populated based on the CLI commands we previously entered. However, a few useful common options are missing and can be found under the Peer common options header.
- Peer allowed ips
- These are the IP’s that are allowed to transverse the tunnel
- Peers remote endpoint
- This is the common endpoint for you peers (eg your.domain.com:51820)
As the name suggests, these settings are universal and apply to all peers, eliminating the need for individual specifications for each peer.
For demonstration purposes, in the example below no peers have been configured yet. If you wish to add a peer, click on Add Peer. In this step, you’ll need to fill in a few obligatory fields:
- Give your peer a name (eg Android)
- Under Allowed IPs click Add IP
- Enter the IP address you want to manually assign to the peer (eg 192.168.5.50/32)
- Set keepalive to 25 (seconds) to keep the tunnel alive
- Then under Client config QR click on Generate config
- This will generate the private and public key
For Android users using the WireGuard app, simply scan the QR code to import the tunnel configuration. If you’re using a different client on a PC, whether Linux, Windows or Mac, you can click Download Client Configuration. This file contains all the necessary details to establish a connection with the WireGuard server.
If you like my work, please consider supporting.