Customized WireGuard instructions for LEDE/OpenWrt routers

[nopdotcom]

I have been considering generating instructions for WireGuard for LEDE/OpenWrt routers. Although wireguard is now supported as a "native" LEDE protocol in 17.01.4, this also means it's integrated into the UCI system, a central place to store structured configuration data.

UCI (and hence the web UI) don't use the regular WG config files for multiple reasons, and some of them even are good reasons. Right now Streisand just produces a wg0.conf. Admittedly, a lot of people can pick the data they need out of the conf file, but it's not totally obvious which data goes where.

I see three approaches:

1. Regular flow of "click here then type this" in the web UI
2. Use a fully-programmed downloadable script
3. See if uci batch can do the right thing for us.

I don't feel that bad about saying "you need to know how to SSH to your router to do this" considering most users with these routers went through worse during setup, or they know somebody who did.

There's a general feeling that the person running the Streisand builder may be more familiar with Unix than people configuring their clients.

More generally, how far out do we go in configuring particular platforms?

[bondbeau]

Well...all I have to contribute to this idea, is that I have an LEDE/OpenWrt compatible router (currently w/ DD-WRT), that I would strongly consider struggling with, to change firmwares on (NOT simple for me), and then putting Streisand on the non-guest network side, so that we could then hopefully 'not' be throttled by our ISP for streaming too much video data. And, if it would then automatically make any connected device an encrypted connection (and restart Wireguard automatically if the connection drops, or stop passing any data at all until reconnected), that would be awesome! But, as I say, I can't offer much here except, yes please? I've never SSH'd to anything (knowingly anyway), but I guess I could if I had to. My only possibly helpful observation about this overall idea, would be that, similar to Linux or anything else that relies heavily on terminal commands (even on supposed GUI distros), if one hopes to have wide adoption (say to help achieve a more secure internet, etc.), then it really needs to be done toward the 'lowest common denominator' (sort of like me), or it will absolutely never happen, as most people simply don't have the time, aptitude or inclination to try anything terribly new, unless it's dead simple (just my opinion).

[stepanovdg]

@nopdotcom If you have succesfully configured wireguard from streisand conf file. Could you please add at least simple guide to wiki (like existing guide for openvpn).

[bondbeau]

@nopdotcom I'm not sure what kind of consideration (complexity-wise) it takes to be in order for people like me to try to make this jump and configure Streisand for their LEDE/OpenWrt router (using either OpenVPN or WireGuard), but I'll share my perspective if I may? I feel that, regarding the level of complexity involved for these types of projects, that without going too far overboard, it needs to be made as simple, really, as the number of people 'the Streisand project' itself, hopes to attract as active participants. Just as in, how many people are wished to be made substantially safer? Everywhere.

Given the seemingly quite shaky state of even basic internet security, let alone how anyone may feel about how governments and corporations, world-wide, are apparently working in league to leave end-users as vulnerable as possible (for whatever their own end-desires may be), I confess that I long for (even dream about) tough, bedrock, and user-centric ways to be able to participate in the digital world with at least a basic sense that 'we' are not essentially walking around naked (digitally).

For myself, I don't expect 'everything' to be served up, as for children, so I'm trying to do what's smart and responsible for my own needs. And without going into too much detail, I've continued to lean toward more and more open-source (as in the real 'freely open') software, and other like-minded computing/digital presence options. I feels that it's crucially important, if we are to maintain any genuine form of democracy, and I think the odds are extremely against that outcome. Frightfully so.

So, I apologize for such a lengthy 'dissertation', but going back to my initial premise...I feel that whatever processes are used for Streisand (or any other security-centered projects), should strongly consider just how many people they hope will adopt their methods. I'm willing to work a bit harder than many, I think. It's just that I ask for consideration please, in that most all of 'us', simply do not have the time, ability, or money to invest a lot of continuing effort toward attempts at basic safety. So I kindly ask, politely and earnestly, that every 'reasonable' effort be made toward the largest possible adoption, yes? In the end, I feel all our well-being will depend upon that honest and needful course. At least, that is why I'm here, and I trust that whatever 1, 2, 3, approach (or combination thereof) is chosen, I will do my best, just as you all have in kind.

[nopdotcom]

Here's a start on screenshots of settings. The only bit of magic is that you need to restart the router after setting this.

[nopdotcom]

OK, that was interesting timing for those two messages...

[stepanovdg]

@nopdotcom Thank you. And the most interesting is about dns - should it go to dns forwarding field?

[nopdotcom]

Interesting thing: nslookup on 17.04 is still busted. Anyway, DNS needs to go elsewhere:

[stepanovdg]

@nopdotcom Thank you, great job. I think it could be added to wiki at least (it would be easier to find such info for newcomers). As for me now routing is working but still is an issue sometimes due to power loss of router. From time to time. Router after reboot is able to connect to wireguard server and shows lik econnection active. But there are no handshakes. (also all other problems like address is unreachable in case of pinging server 10.192.122.1). At the same time new connects/reconnects (after correct vpn off) to server from mobile (for example) works fine. Restarting router or wg client on router - doesn`t help. But what is more cheerful for me that restarting wg service on server - helps (after some time - handshakes appears).

Haven`t you met such behaviour?

[nopdotcom]

@bondbeau: Thank you for writing that. It's useful to remind people what's at stake, and good to be reminded that there are like-minded people out there--able to write it better than you can yourself. :-) I think I owe you a longer response but one thing that occurred to me on the way out the door:

As a side effect of how we've structured the project, most tech support is organic--you can't really install a Streisand server without background knowledge of how computers and networks work. But our intent is that "regular users" can be walked through setup and installation, first by our distributed instructions, and then the local Streisand installer as first line tech support.

For a while, I've been focusing on making it easier to install Streisand. Hopefully, the current milestones will be finished off soon. (README.md needs to be split into pieces, but https://github.com/StreisandEffect/streisand/pull/1347 cuts an entire section.) That effort should increase the number of potential Streisand installers, which should increase the number of people who can use it.

That does mean that there won’t be a wizard-user behind every install. Given what you’ve said, that does seem to imply we’re going to need more focus and better support on the individual tools and their instructions.

@stepanovdg: No, I haven't run into any of those--or I just hit reset--but I'm going to try to provoke those problems now--thank you for the pointer as to where to look. I have a couple of battery-powered routers; I'll see if I can get me and my friends to break them in interesting ways.

[nopdotcom]

In case you feel like playing with it, I have a nop-wireguard-for-lede tree which will generate LEDE installers. The installers look like this.

[bondbeau]

@nopdotcom I really do appreciate all the work that's being done by you and so many others on Stresiand. And I especially hope that the project will continue to grow, exponentially perhaps, though to do so, for so many (pointing at myself), it unfortunately does have to be so very easy (can't bear the shame of 'lowest common denominator'). I'm not certain what I want to try on the router (OpenVPN or WireGuard), if anything just now, as I even had a terrible time in even learning how to simply SSH to it (first time for PuTTY etc. etc.), let alone follow the rest of the guides. Makes me wonder now how I ever set up the server and accessed it from several different OS's in the first place. Or I'm just scared for now, I don't know. But I'm watching and thinking and offering great accolades to the project and members, so don't write me out completely just yet. :)

[amsteen]

Mr. nopdotcom I am totaly new with WireGuard and I neeed to know how do you get WireGuard information like public key and private and the info file on your photo "The Whisper-hawk" from where you get it

[amsteen]

is this works for changed public ip and behind proxies and firewals ( we do not have real ip ) ??

[M8r]

amsteen, you need to read the quick start guide on the wireguard website. Please note that Wireguard is not stable yet, so if you are asking how to get keys, then I suspect you are not going to have a good experience working with this (or you will need a lot of help). Making keys for a VPN is like multiplication is to calculus... its the first step, and if you have trouble with the first step, you're not going to like the next. :) I have worked extensively with VPNs; Wireguard is FAR easier, but - not easy (yet).

[M8r]

I wrote the StrongSwan instructions for OpenWRT and would love to do it (or help) for WireGuard when it's ready. I had to 30/30/30 reset my TP-Link AC1750 test mule setting up Wireguard but I dont have the time to debug it this week. Also, putting the VPN in the WAN zone puts it on the "wild" side of traffic, which means subject to prejudicial blocking. I would think you want it on its own zone, or LAN zone because this is what you would want to bridge, right?

[nopdotcom]

Sorry, I've been really busy. You get WireGuard information for OpenWrt (like "whisper-hawk") from a recent Streisand instance. Go to the WireGuard page; there's a section on OpenWrt. It has instructions on how to install a profile, even without SSH access to the router.

The VPN interface is placed in the WAN zone. All traffic is routed over it, replacing your existing WAN interface. (The only traffic over your previous WAN interface is WireGuard packets to the Streisand server.)

There's nothing like UPnP for this; someday, I may implement it. But after the Telegram proxy.