WireGuard VPN Setup with QR Code - Mobile Security and Ad Blocking

This post will go over setting up a WireGuard VPN server using OpenWRT. Part 2 will focus on setting up Pi-Hole. You could also use a $5/month VPS service, but I already had all the hardware needed to do it at home.

What you will need:

  1. An OpenWRT router with LuCI and enough space to install the WireGuard software and DDNS software.
  2. A domain name. I am using namecheap.com which includes a Dynamic DNS service. It can be ANY domain name, even the $.99 per year type.
  3. Raspberry Pi with Pi-hole installed (Optional)

What this will do:

  1. Add security when using public wifi or cellular data. Since all data is encrypted and sent through your home internet connection, traffic cannot be sniffed or intercepted on the local network.
  2. Keep your browsing history private - meaning the wifi owner or cellular carrier will not be able to see your internet activity. 
  3. Bypass content filters put in place by wifi hotspot operators or cellular carriers. 
  4. Remove ads without installing a plugin or app. (Optional) 

What this will NOT do:

  1. Anonymize your traffic through your ISP. If you are trying to pirate content or do something else undesirable, this is NOT the walkthrough you are looking for. In fact, this will do the opposite of what you are looking for, since your ISP will have even MORE usage metrics from your account. I mention this because when you do a "VPN" search on google, most results are for shady VPN companies. 
  2. Save battery life. It will drain your battery faster than normal when the VPN is active.
  3. Increase speed. Your download speed will be limited to the upload speed of your home internet, which is typically somewhat slow. 

Parts used in this post:

  1. TP-Link Archer C7 v2
  2. OpenWRT 18.06
  3. Namecheap domain registrar and DDNS https://www.namecheap.com
  4. Raspberry Pi 3
  5. Pi-hole https://pi-hole.net

Here are some of the sources I used when configuring:


OpenWRT - WireGuard Interface Setup

1. SSH into your OpenWRT router and run the commands below. This runs a script that will:
 A. Install WireGuard and dependencies
 B. Create public and private keys for the router and your mobile device
 C. Display a QR code for easier setup of WireGuard on your mobile device

opkg update
opkg install curl

# -f makes curl fail on an HTTP error instead of saving an error page, and -o saves the
# script to the file name the next two commands expect (without -o it only goes to stdout)
curl -f -s -o openwrt_wireguard.sh https://gist.githubusercontent.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b/raw/186c49d7d5ed24256b7dd25255d1665c34422635/wireguard_setup.sh && chmod +x openwrt_wireguard.sh && ./openwrt_wireguard.sh

Feel free to audit that script here https://gist.github.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b or here: https://gist.githubusercontent.com/dustinlbarnett/2497d71cd0d245979ac2da93e4c6b26b/raw/186c49d7d5ed24256b7dd25255d1665c34422635/wireguard_setup.sh

When asked for DNS, I entered the LAN IP of my Pi-Hole device.

2. Open the WireGuard app on your phone. Tap the + on the top right and select the QR code option. Scan the code displayed by the script and give it a name when prompted. I had to significantly decrease the size of the console before it would scan when using the native terminal on a Mac. PuTTY may work better.

Copy and paste the public and private keys from the script into a text file or keep the console window open.

3. Log into your router web interface, go to Network menu and choose Interfaces

4. From the Interfaces screen, click "Add new interface" towards the bottom of the screen.

5. Select WireGuard from the protocol menu, then type a name and click submit.

6. Configure the WireGuard Interface
   A. Copy the PRIVATE server key that you saved earlier and paste it into the private key box.
   B. In the Listen Port box, enter an unused port that your router can listen on. Port 443 is less likely to be blocked at most locations, but your home internet might not allow incoming connections on port 443. Port 51820 seems to be widely used, so I'll go with that.

   C. Add an IP address for the interface. I like to think of this as the "gateway" on the VPN network, although it's most assuredly not. This is a good address to ping to see if you are connected.

7. Allow traffic between interfaces. Click the "Firewall" Settings tab.
  A. Click the "Create/Assign firewall zone" menu

  B. Type a name such as "wireguard" in the "create" box and make sure it's assigned.

OpenWRT - Peer Setup

1. On the same page, click the "Add" button under the peers section.

2. In the Public Key box, paste the public key from the script.

3. In allowed IPs, enter IP address of the mobile client you entered in the script. I used

4. Check "Route Allowed IPs"

5. In the Persistent Keep Alive box, enter 25.

6. Click Save and Apply

OpenWRT - Firewall and Traffic Setup

1. Click the Network menu then select "Firewall"

2. Find the interface you created in the previous section and click Edit.

3. Make sure Input, Output, and Forward are set to accept.

4. In the Inter-Zone forwarding, make sure "lan", "wan", and "wan6" are selected (you may not have a wan6 depending on your internet config). Click Save and Apply.

5. Click on the "Traffic Rules" tab

6. At the bottom in the "Open ports on router" section, enter a name (WireGuard), set protocol to UDP, and set external port to the one configured in the wireguard interface. I am using port 51820. Click Save & Apply.

7. Restart the router and try to connect!
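The same interface, peer and firewall settings expressed as a `uci batch` script, so the result of the clicks above can be reviewed as text before it is applied. This is an added example, not code from the post or from the gist it links; the section names (wg0, phone, wgzone, wg2lan, wg2wan, wgport), the 10.200.0.x addresses and the key placeholders are assumptions.

```shell
# Added example: UCI equivalent of the LuCI interface, peer and firewall steps.
# Section names, 10.200.0.x addresses and key placeholders are assumed values.

# Server-side AllowedIPs must be the phone's single address. With "Route Allowed IPs"
# on, 0.0.0.0/0 here would install a default route through the tunnel on the router.
check_server_allowed_ips() {
    case "$1" in
        */32|*/128) return 0 ;;
        *) return 1 ;;
    esac
}

# Args: server private key, listen port, interface address (CIDR), phone public key,
# phone address (/32). Prints the batch on stdout, or fails on a bad AllowedIPs.
wg_uci_batch() {
    check_server_allowed_ips "$5" || { echo "refusing allowed_ips '$5'" >&2; return 1; }
    cat <<EOF
set network.wg0=interface
set network.wg0.proto=wireguard
set network.wg0.private_key=$1
set network.wg0.listen_port=$2
add_list network.wg0.addresses=$3
set network.phone=wireguard_wg0
set network.phone.public_key=$4
add_list network.phone.allowed_ips=$5
set network.phone.route_allowed_ips=1
set network.phone.persistent_keepalive=25
set firewall.wgzone=zone
set firewall.wgzone.name=wireguard
set firewall.wgzone.input=ACCEPT
set firewall.wgzone.output=ACCEPT
set firewall.wgzone.forward=ACCEPT
add_list firewall.wgzone.network=wg0
set firewall.wg2lan=forwarding
set firewall.wg2lan.src=wireguard
set firewall.wg2lan.dest=lan
set firewall.wg2wan=forwarding
set firewall.wg2wan.src=wireguard
set firewall.wg2wan.dest=wan
set firewall.wgport=rule
set firewall.wgport.name=WireGuard
set firewall.wgport.src=wan
set firewall.wgport.proto=udp
set firewall.wgport.dest_port=$2
set firewall.wgport.target=ACCEPT
EOF
}
```

On the router, run `wg_uci_batch 'SERVER_PRIVATE_KEY' 51820 10.200.0.1/24 'PHONE_PUBLIC_KEY' 10.200.0.2/32 | uci batch`, then `uci commit` and restart the network and firewall services; add a second forwarding section to wan6 if your setup has that zone.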
