EdgeRouter X Home VPN Setup Pt 2

I am not a network or sysadmin by day. This is something I'm actively learning on and figuring out. If you see something wrong or have suggestions I would love to here about it.

In part one we configured the network. Now we are ready to install Wireguard and create our interface. Before I jumped into doing this I referenced these post and docs.

To get started ssh into the EdgeRouter device.

ssh <user>@<edgerouterip>

Once logged in we need to pull, install the Wireguard .deb.

cd /tmp

# Download the appropriate version, pay special attention here, if you are using the Ubiquity v2 firmware
# you will need the wireguard-v2-*
curl -qLs https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20190913-1/wireguard-v2.0-e50-0.0.20190913-1.deb

sudo dpkg -i wireguard.deb

An important note from the source repo

Note that since Wireguard is not software bundled with the EdgeOS firmware, firmware upgrades necessitate re-installing the Wireguard debian package. Once the wireguard package is re-installed re-applying the existing Vyatta config file, or rebooting will restore your interfaces.

First things first we need to generate a private key for the router, and a public key to share with clients.

$ wg genkey | tee /dev/tty | wg pubkey

This will output two lines. The first is your private key, the second is your public key. Keep these secure, but ready since you will need to provide the public key to all clients.

With our keys generated we can now configure the Wireguard interface. Ours will be wg0. In the terminal:

configure

set interfaces wireguard wg0 address 192.168.55.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <private-key-from above-output>

commit
save

This created a new wireguard network on 192.168.55.1/24; listening to port 51820 and will route all the traffic through wg0.

Now keeping our public key ready we can configure a client.

Configuring Wireguard on Ubuntu

If you're using Ubuntu 19.10 wireguard should be available from apt by default:

sudo apt-get update
sudo apt-get install wireguard

With prior versions:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Once again we need to generate our keys, now on the client:

wg genkey | tee /dev/tty | wg pubkey

Now, create the wireguard interface, still on the client.

touch /etc/wireguard/wg0.conf
chown root:root /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.conf

sudo vim /etc/wireguard/wg0.conf

<--------wg0.conf-------->
[Interface]
Address = 192.168.55.5/32
PrivateKey = <client-private-key> 

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 192.168.55.0/24
Endpoint = public_ip_of_router:51820

Peering the router and client

With the client configured and keeping the public key it generated, return to the router. ssh and run:

set interfaces wireguard wg0 peer <client-public-key> allowed-ips 192.168.55.5/32
commit
save

Starting your client VPN

With wg0 configured and ready bring up the VPN on our client.

sudo wg-quick up wg0

And verify connectivty by running sudo wg on the client, and router.

Next Steps

With VPN setup I'm now able to access and provide access to my device lab. This also keeps devices using this router that are not part of the lab separated.

Finally if you're doing this for the first time some next steps you might want to take include:

  • Switch devices to only allowing ssh via keys.
  • Switch to a non default ssh port.
  • Setup fail2ban.
  • Pickup from here