szgislle

szgislle

生命不息,折腾不止!
HomeArchives

[NanoPi R2S Bypass Gateway Series](1) Basic Configuration, Wireguard

#NanoPi#R2s#OpenWRT#Wireguard173
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The author had an All in One server running OpenWRT as a virtual machine for 2 years, but faced issues with host machine restarts. To address this, they purchased an R2S router to ensure stability. The requirements included Wireguard for remote access, custom domain names for services, DDNS for automatic IP updates, and KMS for Windows activation. They installed OpenWRT on the R2S, configured network settings, DNS, and NTP servers to ensure internet access and resolved SSL certificate issues.

Preface#

I currently have a self-built All in One server at home, running PVE, on which I have a virtual machine running OpenWRT to serve as a bypass gateway for my home network. Initially, I used a version compiled by an unknown source in China, but later I compiled the official version 22.05 myself, adding the features I wanted, and it has been running stably for 2 years. However, the biggest issue with the All in One setup is the host machine rebooting. Recently, due to experimenting with GPU passthrough, I need to constantly reboot PVE. If the family leader is playing a game and gets disconnected, it won't be pleasant. So, taking advantage of the 618 sales (yes, I only started switching now), I got an R2S to completely eliminate the chance of the family leader finding fault.

Requirements#

Basically, it's the migration of the current OpenWRT functionalities on the virtual machine:

  1. Wireguard

To access the home network from the company via Wireguard combined with the public IP at home.

  1. Custom Domain Name

To access self-deployed services through a custom domain name and Nginx, without needing to remember IPs and ports, and without maintaining a dashboard service.

  1. DDNS Service

To automatically update the public IP, preventing Wireguard from losing connection after each dial-up.

  1. KMS Service

For Windows activation.

  1. Requirements understood by those who know

As mentioned, no further elaboration.

R2S System Installation#

Next, we will implement the above requirements step by step. First, regarding the system selection, based on the official website introduction, I chose the official OpenWRT distribution maintained and compiled by them. Currently, there is no need for Docker, but to prevent needing to install it myself later, I decided to go straight for it and chose the official FriendlyWrt firmware built on OpenWrt 22.03 with Docker.

image.png

Next, we will flash the firmware onto the TF card and power it on.

System Configuration#

Plug in the network cable, change the computer's IP to 192.168.2.100, the system's default IP is 192.168.2.1, and the configured client IP must also be in the 192.168.2.0/16 subnet for mutual access. Now use SSH to access the OpenWRT backend:

ssh root@192.168.2.1

The default password is password.
First, change to a secure password:

passwd root

Change IP Address#

First, modify the IP to enable internet access:

vi /etc/config/network

Find the config interface 'lan' section and modify it as follows:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.5.99'
        option gateway '192.168.5.1'

The above mask and gateway need to be modified according to the home network environment. My virtual machine OpenWRT currently has good network access, so the gateway is set to the IP of the virtual machine OpenWRT. Also, make sure the IP does not conflict.

Change DNS#

vi /etc/config/dhcp

Add list server '192.168.5.1' under the dnsmasq configuration options. The option ignore under the 'lan' DHCP configuration needs to be changed to 1, corresponding to ignoring this interface in the web interface:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '192.168.5.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Execute the command to check internet access capability:

curl https://baidu.com

Certificate error:

root@FriendlyWrt:~# curl https://baidu.com
curl: (60) Cert verify failed: BADCERT_FUTURE
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

The network is connected to the internet, and other machines can access the internet normally. After checking, it turns out the machine's time is incorrect:

root@FriendlyWrt:~# date
Fri Jan 22 17:07:48 CST 2016

Check the NTP service:

root@FriendlyWrt:~# ps | grep ntp
 3942 root      2592 S    {ntpd} /sbin/ujail -t 5 -n ntpd -U ntp -G ntp -C /etc/capabilities/ntpd.json -c -u -r /bin/ubus -r /usr/bin/env -r /usr/bin/jshn -r /usr/sbin/ntpd-hotplug -r /usr/share/libubox/jshn.s
 3954 ntp       1320 S    /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.openwrt.pool.ntp.org
 5678 root      1572 S    grep ntp

Change NTP to Aliyun NTP:

vi /etc/config/system

config system
        option log_size '64'
        option urandom_seed '0'
        option hostname 'FriendlyWrt'
        option ttylogin '1'
        option timezone 'CST-8'
        option zonename 'Asia/Shanghai'

config timeserver 'ntp'
        option enabled '1'
        option enable_server '0'
        list server 'ntp.aliyun.com'
        list server 'ntp1.aliyun.com'
        list server 'ntp2.aliyun.com'
        list server 'ntp3.aliyun.com'

config led 'led_wan'
        option name 'WAN'
        option sysfs 'wan_led'
        option trigger 'netdev'
        option mode 'link tx rx'
        option dev 'eth0'

config led 'led_lan'
        option name 'LAN'
        option sysfs 'lan_led'
        option trigger 'netdev'
        option mode 'link tx rx'
        option dev 'eth1'

Restart the service:

/etc/init.d/sysntpd restart

Check the time:

root@FriendlyWrt:~# date
Mon Aug  7 14:56:10 CST 2023

Check if there are any certificate errors:

root@FriendlyWrt:~# curl https://baidu.com
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>

Normal 302 redirection.

Change Source (Optional)#

The FriendlyWrt firmware uses the Tencent source. Since the virtual machine OpenWRT uses the Tsinghua source, I will keep them consistent to avoid package version conflicts:

sed -i -e 's/mirrors.cloud.tencent.com/mirrors.tuna.tsinghua.edu.cn/g' /etc/opkg/distfeeds.conf

Update the index:

opkg update

Wireguard#

Installation#

After configuring the system, add the Wireguard kernel module and toolkit:

opkg install kmod-wireguard wireguard-tools

Check if the kernel has loaded the Wireguard module:

lsmod | grep wireguard

If you see the following output, it indicates that the Wireguard module has been successfully loaded:

root@FriendlyWrt:~# lsmod | grep wireguard
wireguard              77824  0
libchacha20poly1305    16384  1 wireguard
libcurve25519_generic    40960  1 wireguard
udp_tunnel             24576  3 l2tp_core,wireguard,vxlan
ip6_udp_tunnel         16384  3 l2tp_core,wireguard,vxlan

Generate a public-private key pair:

wg genkey | tee privatekey | wg pubkey > publickey

The above command generates the public and private key files stored in privatekey and publickey, respectively.
Configure the Wireguard interface:

vi /etc/config/network

Add the following content at the end, remembering to replace the content in the curly braces:

config interface 'wg0'
        option proto 'wireguard'
        option private_key '{private_key}'
        option listen_port '25378'
        list addresses '192.168.7.1'

Restart the network service:

/etc/init.d/network restart

Check the Wireguard status:

root@FriendlyWrt:~# wg
interface: wg0
  public key: fTaGpi1YIlS6RTsWSjsHoWMHY1drWe/CTTOK/EUFTUE=
  private key: (hidden)
  listening port: 25378

The above steps can also be performed on the web interface, which requires installing LuCI support:

opkg install luci-i18n-wireguard-zh-cn

Web interface:

image.png

Public Network Access#

Currently, my home network topology is as follows:

image.png

Located in Shanghai, with a telecom optical modem dialing, I have a public IP. You can see that the virtual machine OpenWRT is located under the secondary router. To forward the OpenWRT port, it needs to be forwarded once by the secondary router AC-68U, and then forwarded again by the optical modem, which is quite troublesome. Therefore, under the premise of safety, I set the secondary router to DMZ in the telecom app, enabled the secondary router's firewall, and then used the port forwarding function of the secondary router to forward the Wireguard port. This way, the public network takes over all ports of the secondary router, making it easier to configure various port forwarding in the future.

Be careful not to forward the OpenWRT web port 80 and SSH port 22 to the public network, as it will only be a matter of time before hackers scan and find the open box.

Windows Client Configuration#

For Windows, use the official Wireguard client to create a new empty tunnel:

image.png

It will automatically generate a public-private key pair, then fill in the configuration:

[Interface]
PrivateKey = {privatekey}
Address = 192.168.7.2/32
DNS = 192.168.7.1
MTU = 1300

[Peer]
PublicKey = {openwrt_publickey}
AllowedIPs = 192.168.7.0/24,192.168.5.0/24
Endpoint = {public_ip}:{forwarding_port}
PersistentKeepalive = 25
  • Interface configuration
    • PrivateKey: The automatically generated private key, no need to modify.
    • Address: The IP address of the current node, which needs to match the address configured on the other end.
    • DNS: Use the DNS service provided by OpenWRT, which is useful when using custom domain names, allowing access to internal network domain names even from the company.
    • MTU: Default is 1500, which affects packet performance. You may need to experiment with this; a smaller value can improve network performance slightly, but if not too concerned, the default 1500 is fine.
  • Peer configuration
    • PublicKey: Fill in the public key of OpenWRT.
    • AllowedIPs: The subnet allowed for access, here you just need to fill in the home internal network subnet. If you want Wireguard to serve as a tunnel for all subnets, fill in 0.0.0.0/0, and ensure the OpenWRT firewall is configured correctly to access the internet.
    • Endpoint: The public IP and port forwarded for Wireguard.
    • PersistentKeepalive: Keep-alive time, set to 25 seconds.

Configure the Other End#

After configuring Windows, there are still corresponding configurations to be done on OpenWRT:

vi /etc/config/network

Add the following configuration:

config wireguard_wg0
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'VM3DZLzhtpkE0w1VgUmeRSuoX/6mgVMlJWtnynomUXg='
        option description 'Worklaptop'
        list allowed_ips '192.168.7.2'

Restart the network service:

/etc/init.d/network restart

Click connect on the Windows client:

image.png

Normal traffic send and receive indicates a successful connection. Ping the gateway to test:

image.png

The connection to the other end is successful, but accessing the internal network 192.168.5.0/24 subnet is obviously not possible. This is because the firewall forwards network access from Wireguard to the LAN interface. Now we will start configuring the firewall.

Firewall Configuration#

Through the OpenWRT web interface, go to "Network" -> "Firewall" -> "NAT Rules", configure a NAT for the address, forwarding traffic from the 192.168.7.0/24 subnet to the LAN interface. This will allow access to the internal network subnet. Of course, if you want Wireguard to have access to all subnets, set the target address to any.

image.png

Summary#

In this chapter, we have implemented the first functionality of OpenWRT, which is the ability to access the internal network from the external network, i.e., VPN functionality. This allows us to access the home internal network conveniently and securely without worrying about the risks of exposing internal network ports through various port forwarding. Next, we will continue to implement the second requirement: custom internal domain names.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.