Saturday, July 6, 2019

[Standalone] Tunneled Wireless/LAN Connection using WireGuard


Basic Idea

Setting up a wireless / LAN router that provides tunneled traffic to clients.

I use wireguard on my PC to encrypt my internet connection. Although it's possible to install wireguard on each device you want to have an encrypted connection, I had a spare wireless router at home and decided to run a wireless access point which provides its clients a tunneled connection out of the box.

The PC in the diagram can be replaced by a Raspberry Pi board to make the tunnel standalone. Orange Pi PC model should be enough as we only need a USB port to get internet from the main router and a LAN port to deliver the tunneled traffic to the wireless router

Tunneled Wireless/LAN Connection using WireGuard

Overview 
1- Run Wireguard on your VPS and your PC to tunnel your traffic to the vps server

2- Run DHCP Server on the PC and configure the PC to route all traffic from the wireless router to the wireguard interface 

3- Configure the wireless router to get internet from the PC using its LAN (WAN) Port

Steps

You first need to get a vps server and install wireguard on it. 
Cloud server
I used this (and this) tutorial to run and install wireguard on a centos 7 server. The config file on the server side was like this :
[Interface] 
Address = 10.10.0.1/24 
ListenPort = TUNNEL_PORT 
PrivateKey = SERVER_PRIVATE_KEY 
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 
#PC 
[Peer] 
PublicKey = PC_PUBLIC_KEY 
AllowedIPs = 10.10.0.2/32
where eth0 is your external network interface on the vps server.
PC 
On the PC, we first need to install wireguard and configure it to connect to the server:
[Interface] 
PrivateKey = PC_PRIVATE_KEY 
Address = 10.10.0.2/24 
DNS = 8.8.8.8, 8.8.4.4 
Table = off 
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip rule add from 10.1.0.0/24 table INET2; ip route add default via 10.10.0.1 dev wg0 table INET2; ip route flush cache 
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip rule del from 10.1.0.0/24 table INET2; ip route del default via 10.10.0.1 dev wg0 table INET2; ip route flush cache
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = CLOUD_SERVER_IP:TUNNEL_PORT
where 10.1.0.0/24 is the network address of the lan port connected to the wireless router, and 10.10.0.1 is the wg0 gateway IP address on the vps server. We need to create a new route table to configure the PC to route all traffics from the wireless router to the wireguard interface. I have used the required commands in the PostUp and PostDown arguments above, so it's only required to run the following command on the PC once to create the new route table : 
echo 200 INET2 >> /etc/iproute2/rt_tables
In addition, packet forwarding needs to be enabled on the PC.
Now, we need to setup the PC to act as a DHCP server for our wireless router. I used eth0 lan port to connect it to the router, so first I assign a static IP address to this interface by adding these lines in the /etc/network/interfaces:
auto eth0 
iface eth0 inet static  
address 10.1.0.1  
netmask 255.255.255.0 
post-up /sbin/ifconfig eth0 mtu 1420 
dns-nameservers 8.8.4.4 
dns-nameservers 8.8.8.8

and also add these to /etc/dhcpcd.conf (required if you are using raspberry pi):

interface eth0

static ip_address=10.1.0.1/24

static domain_name_servers=8.8.4.4 8.8.8.8

static interface_mtu=1420 

# if you have another network card eth1 and want to make it the default route

interface eth1

metric 200;

 then install a dhcp server on the PC node. 



Add eth0 to INTERFACESv4 variable in /etc/default/isc-dhcp-server file


Use the following config file /etc/dhcp/dhcpd.conf :

option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 10.1.0.0 netmask 255.255.255.0 {
option routers 10.1.0.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.0.255;
option interface-mtu 1420;
range 10.1.0.10 10.1.0.20;
}

Note that we used the same 10.1.0.1 IP address and subnet masks that's consistent with the IP address used in PostUp and PostDown sections of our wireguard config file on the PC. We have also deliberately set MTU to 1420 as it is the default MTU for wireguard tunnels.


Wireless Router

The wireless router is connected to the PC via a LAN port. I used D-Link 2750U that had 4 LAN ports, and according to the modem manual, the lan port #4 was a WAN port in the router which means that the router could be set up to get internet from this LAN port and share it through wireless or other LAN ports.

To set up the D-LINK 2750U router, I created a new interface in Advanced Setup -> Wan Service and set the type to IPoE with enabled NAT. Then set the primary uplink in Advanced Setup -> 3G Connection to Ethernet.

You can use dhcp-lease-list command on the PC to ensure that the the modem has acquired a correct IP address.

Note that the default MTU of wireguard interfaces is 1420, so you need to set the MTU in your wireless router to this value otherwise you may have weird problems such as some websites working and others not



You can use this guide to do MTU discovery. This post has explained how to set the correct MTU on wireguard in details.

That's all, now any client that connects to the wireless router gets its encrypted internet from the cloud VPS server.. 

No comments:

Post a Comment

How to export Apple Health / Google Fit training activity to TCX format

  I own a Xiaomi Smart Band 7, and recently, my Mi Fitness app stopped syncing running activities to Strava. Mi Fitness supports syncing dat...