OpenWrt VPN Setup: WireGuard, Amnezia & More!


Hey guys! Setting up a VPN on your OpenWrt router can seriously boost your privacy and give you access to geo-restricted content, and because the tunnel lives on the router, every device on the LAN is covered, including ones that cannot run a VPN app of their own. This guide walks through a script that simplifies the process and supports WireGuard, Amnezia WireGuard, OpenVPN, Sing-box and even tun2socks. Let's get started!

Understanding the Basics of OpenWrt VPN

Before we dive in, let's get a handle on the key concepts. A Virtual Private Network (VPN) creates an encrypted tunnel over a public network (the internet) to a VPN server, so your ISP and anyone else on the path only see encrypted traffic to that server, and sites you visit see the server's address instead of yours. Be clear about what it does not do: the VPN provider at the far end of the tunnel sees your traffic as your ISP would have, so you are moving trust from the ISP to the provider, not removing it. OpenWrt is a powerful open-source router firmware that exposes the full Linux networking stack, which is what makes policy routing like this possible. The script covered here automates the setup of several tunnel types. It uses opkg to install packages, uci to write the network and DHCP/DNS configuration, and the OpenWrt firewall configuration to mark and filter traffic.

Why Use a VPN?

  • Privacy: Encrypt your internet traffic, hiding your browsing history and IP address.
  • Security: Protect your data on public Wi-Fi networks.
  • Access: Bypass geo-restrictions to access content from anywhere.

Setting up the Environment with the VPN Setup Script

First, make sure you have a working OpenWrt router and SSH access to its command line. The script does most of the heavy lifting: it installs packages, writes firewall rules and sets up routing. Because it runs as root and rewrites your network, firewall and DNS configuration, read it before you run it rather than pasting it blind, and fetch it from the project's own repository over HTTPS. It also helps to understand what each part does, so let's look at the script function by function.

Checking the Repository

check_repo() {
    printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n"
    opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1
}

This function checks that the router can reach the OpenWrt package repository before anything is installed. It runs opkg update to refresh the package lists and looks for the "Failed to download" message in the output. The hint about the date is there because the package feeds are fetched over HTTPS: if the router's clock is far off (typical right after a power cycle on hardware without a battery-backed clock), certificate validity checks fail and every download errors out. The command ntpd -p ptbtime1.ptb.de starts BusyBox ntpd against a public time server to fix the clock. Note that the check only matches that one error string, so a repository problem that prints a different message would pass.

Routing VPN Traffic and Adding Mark Rule

route_vpn () {
    if [ "$TUNNEL" == wg ]; then
cat << EOF > /etc/hotplug.d/iface/30-vpnroute
#!/bin/sh
ip route add table vpn default dev wg0
EOF
    elif [ "$TUNNEL" == awg ]; then
cat << EOF > /etc/hotplug.d/iface/30-vpnroute
#!/bin/sh
ip route add table vpn default dev awg0
EOF
    elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
cat << EOF > /etc/hotplug.d/iface/30-vpnroute
#!/bin/sh
sleep 10
ip route add table vpn default dev tun0
EOF
    fi
    cp /etc/hotplug.d/iface/30-vpnroute /etc/hotplug.d/net/30-vpnroute
}

This function installs a hotplug script that populates a separate routing table named "vpn" (the table itself is registered in add_mark below) with a single default route pointing at the tunnel interface: wg0 for WireGuard, awg0 for Amnezia WireGuard, or tun0 for OpenVPN, Sing-box and tun2socks. Two points are worth being precise about. First, this is the default route of the vpn table, not of the main table, so only traffic that the policy rule in add_mark sends to that table (packets carrying firewall mark 0x1) goes through the tunnel; everything else keeps using the normal WAN route. Second, the route exists only while the interface does. If the tunnel goes down, the vpn table is empty, the lookup falls through to the main table, and marked traffic leaves via the WAN in the clear. The script as shown adds no fallback, so if you want fail-closed behaviour you need an additional unreachable default route in the vpn table with a worse metric. The copy into /etc/hotplug.d/net/ makes the same script run for netdev events as well as netifd interface events, and the 10-second sleep in the tun0 variant waits for the userspace client to create the device. Neither copy checks which interface or action triggered it, so the ip route add runs on every hotplug event and simply fails (File exists, or Cannot find device) when it does not apply.

add_mark() {
grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables
if ! uci show network | grep -q mark0x1; then
        printf "\033[32;1mConfigure mark rule\033[0m\n"
        uci add network rule
        uci set network.@rule[-1].name='mark0x1'
        uci set network.@rule[-1].mark='0x1'
        uci set network.@rule[-1].priority='100'
        uci set network.@rule[-1].lookup='vpn'
        uci commit
    fi
}

This function registers the table and the rule that feeds it. It first appends "99 vpn" to /etc/iproute2/rt_tables (if not already there) so that table number 99 can be referred to by name. It then adds a netifd rule section, which OpenWrt turns into ip rule add fwmark 0x1 lookup vpn priority 100: any packet carrying firewall mark 0x1 is routed from the vpn table. Priority 100 places the rule ahead of the built-in rules for the main table (32766) and default table (32767), so marked packets consult the vpn table first. Nothing here sets the mark itself; that is done by firewall rules (for example the domain-list sets added later), which is what lets the router send only selected traffic through the tunnel while the rest uses the WAN directly.
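As an added example that is not part of the script on this page, the following shell functions show the fail-closed variant of route_vpn and add_mark: an idempotent rt_tables entry, a hotplug handler that only acts when its own interface comes up, and an unreachable default route in the vpn table with a worse metric so that marked traffic is rejected rather than leaked while the tunnel is down. The table id and name (99, vpn), the tunnel codes and mark 0x1 follow the script; metric 100, the ACTION/INTERFACE filter and the function names are this example's own choices, and it prints the handler instead of installing it.

```shell
#!/bin/sh
# Added example, not part of the setup script: register the "vpn" table
# idempotently and generate a hotplug handler that (a) only acts when its own
# interface comes up and (b) keeps an "unreachable" default in the table so
# marked traffic is rejected, not leaked, while the tunnel is down.
# Table 99/vpn and the tunnel codes follow the script; metric 100, the
# ACTION/INTERFACE filter and the function names are this example's choices.

# ensure_rt_table FILE ID NAME: append "ID NAME" unless that entry is present.
ensure_rt_table() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1" 2>/dev/null \
        || printf '%s %s\n' "$2" "$3" >> "$1"
}

# Map the script's tunnel codes to the device the tunnel brings up.
vpn_dev_for() {
    case "$1" in
        wg)  echo wg0 ;;
        awg) echo awg0 ;;
        ovpn|singbox|tun2socks) echo tun0 ;;
        *)   return 1 ;;
    esac
}

# hotplug_script_for CODE: print a handler for /etc/hotplug.d/iface/.
# The INTERFACE check assumes the netifd interface is named like the device,
# which holds for wg0/awg0 as the script configures them; tun0 tunnels have
# no netifd interface and rely on the script's /etc/hotplug.d/net copy.
hotplug_script_for() {
    dev=$(vpn_dev_for "$1") || return 1
    cat <<EOF
#!/bin/sh
# vpn table routing for tunnel '$1' (device $dev)
[ "\$ACTION" = ifup ] || exit 0
[ "\$INTERFACE" = "$dev" ] || exit 0
# Worse-metric fallback: when the dev route below disappears, lookups in
# table vpn hit this entry instead of falling through to the main table.
ip route replace unreachable default table vpn metric 100
ip route replace default dev $dev table vpn
EOF
}

# Usage on the router (hypothetical invocation; nothing is written here):
#   ensure_rt_table /etc/iproute2/rt_tables 99 vpn
#   hotplug_script_for wg > /etc/hotplug.d/iface/30-vpnroute
```

With the fallback in place, marked connections get "Network is unreachable" while the tunnel is down instead of silently using the WAN; use blackhole instead of unreachable if you prefer silent drops.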

Configure Your VPN with the Script

Once you have the script, it's time to run it. Have the configuration from your VPN provider at hand: the script asks for the values it needs for each protocol. For WireGuard you need your private key, internal IP address, the server's public key, the endpoint host and port, and the preshared key if your provider uses one; for Amnezia WireGuard you additionally enter the Amnezia-specific obfuscation parameters. Let's look at the function that sets up the tunnel, step by step:

Adding the Tunnel

add_tunnel() {
echo "We can automatically configure only WireGuard and Amnezia WireGuard. OpenVPN, Sing-box (Shadowsocks2022, VMess, VLESS, etc.) and tun2socks will need to be configured manually"
echo "Select a tunnel:"
echo "1) WireGuard"
echo "2) OpenVPN"
echo "3) Sing-box"
echo "4) tun2socks"
echo "5) wgForYoutube"
echo "6) Amnezia WireGuard"
echo "7) Amnezia WireGuard For Youtube"
echo "8) Skip this step"
    # The rest of the function (reading the choice into $TUNNEL and the
    # per-tunnel branches quoted below) is not reproduced on this page.
}

This function presents the menu for choosing a tunnel type: WireGuard, OpenVPN, Sing-box, tun2socks, Amnezia WireGuard, and two variants that route only YouTube traffic through WireGuard or Amnezia WireGuard. It also warns up front that OpenVPN, Sing-box and tun2socks are only prepared (packages and routing), not configured; you finish those by hand afterwards. Depending on the choice it installs the required packages if they are missing and then runs the matching branch shown below.

WireGuard Configuration

If you choose WireGuard, this is the function that is triggered:

if [ "$TUNNEL" = 'wg' ]; then
        printf "\033[32;1mConfigure WireGuard\033[0m\n"
        if opkg list-installed | grep -q wireguard-tools; then
            echo "WireGuard already installed"
        else
            echo "Installing wg..."
            opkg install wireguard-tools
        fi

        route_vpn

        read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY

        while true; do
            read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
            # Shape check only: four dotted numbers and a prefix length
            if echo "$WG_IP" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
                break
            else
                echo "This IP is not valid. Please repeat"
            fi
        done

        read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY
        read -r -p "If you use a PresharedKey, enter it (from [Peer]). Leave blank if not used:"$'\n' WG_PRESHARED_KEY
        read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT

        read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT
        WG_ENDPOINT_PORT=${WG_ENDPOINT_PORT:-51820}
        echo "Endpoint port: $WG_ENDPOINT_PORT"

        uci set network.wg0=interface
        uci set network.wg0.proto='wireguard'
        uci set network.wg0.private_key="$WG_PRIVATE_KEY"
        uci set network.wg0.listen_port='51820'
        uci set network.wg0.addresses="$WG_IP"

        # One peer section; reuse it if the script has run before
        if ! uci show network | grep -q wireguard_wg0; then
            uci add network wireguard_wg0
        fi
        uci set network.@wireguard_wg0[0]=wireguard_wg0
        uci set network.@wireguard_wg0[0].name='wg0_client'
        uci set network.@wireguard_wg0[0].public_key="$WG_PUBLIC_KEY"
        uci set network.@wireguard_wg0[0].preshared_key="$WG_PRESHARED_KEY"
        # Accept any destination, but do not install 0.0.0.0/0 into the main
        # table: the mark rule and the "vpn" table decide what enters the tunnel
        uci set network.@wireguard_wg0[0].route_allowed_ips='0'
        uci set network.@wireguard_wg0[0].persistent_keepalive='25'
        uci set network.@wireguard_wg0[0].endpoint_host="$WG_ENDPOINT"
        uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
        uci set network.@wireguard_wg0[0].endpoint_port="$WG_ENDPOINT_PORT"
        uci commit
    fi

This branch installs wireguard-tools if it is missing (which pulls in the kmod-wireguard kernel module), prompts for the values found in a standard client config, and writes them with uci: private key, listen port and internal address go on the wg0 interface section, and the peer section gets the public key, preshared key, endpoint and allowed IPs before everything is committed. Two settings deserve a closer look. allowed_ips='0.0.0.0/0' together with route_allowed_ips='0' means the peer accepts traffic for any destination, but netifd does not install a 0.0.0.0/0 route into the main table; the mark rule and the vpn table from earlier decide what actually enters the tunnel. listen_port='51820' is not needed for a client and merely makes the router listen on that UDP port (inbound from the WAN is still blocked by the wan zone's default input policy). Also keep in mind that the private key and preshared key are stored in plaintext in /etc/config/network, so treat configuration backups of the router as secrets. Finally, the IP check is only a shape check; it does not reject octets above 255 or prefixes above 32.

Amnezia WireGuard Configuration

If you choose Amnezia WireGuard, this is the function that is triggered:

if [ "$TUNNEL" = 'awg' ]; then
        printf "\033[32;1mConfigure Amnezia WireGuard\033[0m\n"

        install_awg_packages

        route_vpn

        read -r -p "Enter the private key (from [Interface]):"$'\n' AWG_PRIVATE_KEY

        while true; do
            read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (Address from [Interface]):"$'\n' AWG_IP
            # Shape check only: four dotted numbers and a prefix length
            if echo "$AWG_IP" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
                break
            else
                echo "This IP is not valid. Please repeat"
            fi
        done

        # AmneziaWG obfuscation parameters; they must match the server's values
        read -r -p "Enter Jc value (from [Interface]):"$'\n' AWG_JC
        read -r -p "Enter Jmin value (from [Interface]):"$'\n' AWG_JMIN
        read -r -p "Enter Jmax value (from [Interface]):"$'\n' AWG_JMAX
        read -r -p "Enter S1 value (from [Interface]):"$'\n' AWG_S1
        read -r -p "Enter S2 value (from [Interface]):"$'\n' AWG_S2
        read -r -p "Enter H1 value (from [Interface]):"$'\n' AWG_H1
        read -r -p "Enter H2 value (from [Interface]):"$'\n' AWG_H2
        read -r -p "Enter H3 value (from [Interface]):"$'\n' AWG_H3
        read -r -p "Enter H4 value (from [Interface]):"$'\n' AWG_H4

        read -r -p "Enter the public key (from [Peer]):"$'\n' AWG_PUBLIC_KEY
        read -r -p "If you use a PresharedKey, enter it (from [Peer]). Leave blank if not used:"$'\n' AWG_PRESHARED_KEY
        read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' AWG_ENDPOINT

        read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' AWG_ENDPOINT_PORT
        AWG_ENDPOINT_PORT=${AWG_ENDPOINT_PORT:-51820}
        echo "Endpoint port: $AWG_ENDPOINT_PORT"

        uci set network.awg0=interface
        uci set network.awg0.proto='amneziawg'
        uci set network.awg0.private_key="$AWG_PRIVATE_KEY"
        uci set network.awg0.listen_port='51820'
        uci set network.awg0.addresses="$AWG_IP"

        uci set network.awg0.awg_jc="$AWG_JC"
        uci set network.awg0.awg_jmin="$AWG_JMIN"
        uci set network.awg0.awg_jmax="$AWG_JMAX"
        uci set network.awg0.awg_s1="$AWG_S1"
        uci set network.awg0.awg_s2="$AWG_S2"
        uci set network.awg0.awg_h1="$AWG_H1"
        uci set network.awg0.awg_h2="$AWG_H2"
        uci set network.awg0.awg_h3="$AWG_H3"
        uci set network.awg0.awg_h4="$AWG_H4"

        # One peer section; reuse it if the script has run before
        if ! uci show network | grep -q amneziawg_awg0; then
            uci add network amneziawg_awg0
        fi

        uci set network.@amneziawg_awg0[0]=amneziawg_awg0
        uci set network.@amneziawg_awg0[0].name='awg0_client'
        uci set network.@amneziawg_awg0[0].public_key="$AWG_PUBLIC_KEY"
        uci set network.@amneziawg_awg0[0].preshared_key="$AWG_PRESHARED_KEY"
        # Accept any destination, but route via the "vpn" table, not the main table
        uci set network.@amneziawg_awg0[0].route_allowed_ips='0'
        uci set network.@amneziawg_awg0[0].persistent_keepalive='25'
        uci set network.@amneziawg_awg0[0].endpoint_host="$AWG_ENDPOINT"
        uci set network.@amneziawg_awg0[0].allowed_ips='0.0.0.0/0'
        uci set network.@amneziawg_awg0[0].endpoint_port="$AWG_ENDPOINT_PORT"
        uci commit
    fi

This configures Amnezia WireGuard (AmneziaWG), a WireGuard fork that adds junk packets and changed header values so the handshake is harder for DPI to fingerprint. The branch installs the required packages (install_awg_packages), prompts for the same values as the WireGuard branch plus the AmneziaWG parameters Jc, Jmin, Jmax (junk packet count and size range), S1, S2 (extra padding on the handshake packets) and H1 to H4 (the message type values in the packet header), and writes them with uci as awg_* options on the awg0 interface. These parameters are not secrets, but they must match the server's values exactly or no handshake will complete. The peer section, allowed IPs, keepalive and commit mirror the WireGuard branch, including the caveats about the plaintext private key in /etc/config/network and the shape-only IP check.

OpenVPN, Sing-box, and tun2socks

For OpenVPN, Sing-box, and tun2socks, the script will install the required packages and provide a route for the VPN traffic, but you'll need to manually configure the VPN clients. The script includes links to manuals to help you with these configurations.

Enhancing Privacy with DNS and Domain Routing

The script offers additional features to boost your privacy and customize your network experience.

DNS Configuration and Resolvers

add_dns_resolver() {
echo "Configure DNSCrypt2 or Stubby? It does matter if your ISP is spoofing DNS requests"
DISK=$(df -m / | awk 'NR==2{ print $2 }')
if [ "$DISK" -lt 32 ]; then
        printf "\033[31;1mYour router's disk has less than 32MB. It is not recommended to install DNSCrypt, it takes 10MB\033[0m\n"
    fi
echo "Select:"
echo "1) No [Default]"
echo "2) DNSCrypt2 (10.7M)"
echo "3) Stubby (36K)"
    # The rest of the function (installing and configuring the chosen
    # resolver) is not reproduced on this page.
}

This function lets you choose between dnscrypt-proxy (the "DNSCrypt2" option) and Stubby. Both encrypt DNS traffic between the router and an upstream resolver (dnscrypt-proxy speaks DNSCrypt and DNS-over-HTTPS, Stubby speaks DNS-over-TLS), which stops the ISP from reading or rewriting your lookups; this matters because DNS otherwise goes to the ISP's servers in the clear even for traffic that later travels through the tunnel. It does not hide lookups from the upstream resolver you pick, so choose that resolver deliberately. The function installs and configures the selected package and restarts dnsmasq to point at it. The disk check exists because dnscrypt-proxy is about 10 MB and many routers have only a few megabytes of overlay space; Stubby is tiny and is the sensible choice on such devices.

Configuring dnsmasq for encrypted DNS (DNSCrypt2 or Stubby)

After installing a resolver, dnsmasq (which answers your LAN clients) has to forward everything to it rather than to the ISP servers learned over DHCP or PPP. The lines below do three things: noresolv=1 tells dnsmasq to ignore /etc/resolv.conf, where netifd writes the ISP's resolvers; the server list is replaced with the local listener of the resolver you installed (127.0.0.53 port 53 here); and the address-less entry for use-application-dns.net makes dnsmasq answer NXDOMAIN for that name. That name is Firefox's canary domain: an NXDOMAIN answer tells Firefox not to enable its own DNS-over-HTTPS, so browser lookups keep flowing through the router's encrypted resolver, where the router can still see and act on them. Afterwards, nslookup example.com 127.0.0.1 on the router should succeed and logread -e dnsmasq should show no forwarding errors.

uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
uci commit dhcp
/etc/init.d/dnsmasq restart

Domain-Based Routing (Optional)

add_getdomains() {
echo "Choose your country"
echo "Select:"
echo "1) Russia inside. You are inside Russia"
echo "2) Russia outside. You are outside of Russia, but you need access to Russian resources"
echo "3) Ukraine. uablacklist.net list"
echo "4) Skip script creation"
    # The rest of the function (writing the list-update script and its cron
    # entry) is not reproduced on this page.
}

This function sets up selective routing by domain. It creates a script that downloads a list of domains for the region you pick, keeps it updated, and feeds the domains into a firewall IP set; traffic to addresses in that set is marked 0x1 and therefore routed via the vpn table, while everything else keeps using your regular connection. This is usually preferable to tunnelling everything: less load on the tunnel, and services that block VPN exit addresses keep working. Bear in mind that the list is fetched from a third party and ends up in root-owned configuration, so the update script should validate entries rather than paste them in unchanged, and you should know who maintains the list you pick.
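As an added example that is not part of the script, the functions below show the sanitising step such a list-update script should include: every line of the downloaded list is normalised and checked against a hostname grammar before it is turned into configuration. The output format assumes, beyond what the page states, that dnsmasq is built with nftset support (dnsmasq-full on OpenWrt), that an fw4 set named vpn_domains is defined in /etc/config/firewall, and that a firewall rule marks traffic to that set with 0x1; the sample list is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the setup script: sanitise a downloaded domain
# list before it is turned into router configuration. The list is untrusted
# input fetched as root, so each line is validated as a hostname rather than
# pasted into a config file. Assumptions (not from the page): dnsmasq-full
# with nftset support, an fw4 set named vpn_domains defined in
# /etc/config/firewall, and a firewall rule that marks traffic to that set
# with 0x1 so the script's rule routes it via the vpn table.

# clean_domains: stdin -> one valid, lowercase, unique hostname per line.
# Drops comments, blank lines, a leading dot, and anything that is not a
# hostname (spaces, paths, shell metacharacters, underscores, long labels).
clean_domains() {
    tr -d '\r' \
    | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\.//' -e '/^$/d' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' \
    | awk 'length($0) <= 253 && !seen[$0]++'
}

# emit_nftset SET: stdin domains -> dnsmasq nftset lines. dnsmasq adds every
# IPv4 address it resolves for these names (and their subdomains) to the set.
emit_nftset() {
    while IFS= read -r d; do
        printf 'nftset=/%s/4#inet#fw4#%s\n' "$d" "$1"
    done
}

# domains_to_nftset SET: the whole pipeline. Write the result to a file that
# dnsmasq reads (for example /etc/dnsmasq.conf) and restart dnsmasq.
domains_to_nftset() {
    clean_domains | emit_nftset "$1"
}

# Constructed sample list (not a real feed): mixed case, a comment, a leading
# dot, a duplicate, and two lines that must be rejected.
SAMPLE_LIST='# example feed
Example.COM
.sub.example.org
evil.com; rm -rf /
bad_label.com
example.com
ok-name.net'

# Usage: sh domains2nftset.sh vpn_domains   (hypothetical file name)
if [ -n "${1:-}" ]; then printf '%s\n' "$SAMPLE_LIST" | domains_to_nftset "$1"; fi
```

On the sample list only example.com, sub.example.org and ok-name.net survive; the line with shell metacharacters and the one with an underscore are dropped before they can reach a config file. In a real update script, replace the embedded sample with the downloaded file and keep the validation step exactly as it is.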

Finishing Up and Troubleshooting

Once the script has finished, restart the network (/etc/init.d/network restart) or reboot, then check the pieces one at a time rather than only asking whether a site loads. If something is off, re-read the script's output for errors and compare your entries with the provider's configuration; beyond that, the OpenWrt documentation and forum are the places to ask. Useful checks:

  • Tunnel: wg show (or awg show for Amnezia WireGuard) should list the peer with a recent "latest handshake" and growing transfer counters. No handshake means wrong keys, a wrong endpoint, or the UDP port being blocked upstream.
  • Policy routing: ip rule show should contain a line like "100: from all fwmark 0x1 lookup vpn", and ip route show table vpn should show the default route via wg0, awg0 or tun0. An empty table means the hotplug script has not run for that interface yet.
  • Marking: traffic must actually receive mark 0x1, so verify the firewall rule that sets it, and for domain-based routing confirm the set is being populated (nft list set inet fw4 <set name> on fw4-based builds).
  • Logs: logread -e netifd and logread -e dnsmasq surface interface and DNS errors.
  • Leak test: with the tunnel stopped (ifdown wg0), traffic that should be VPN-only must fail rather than silently leave via the WAN. If it still works, add an unreachable default route with a worse metric to the vpn table so the lookup fails closed.
  • Connectivity: test the internet connection with VPN routing disabled to separate WAN problems from tunnel problems.

Conclusion

This script takes most of the manual work out of setting up a VPN on OpenWrt. Whether you choose WireGuard, Amnezia WireGuard, OpenVPN, Sing-box or tun2socks, you now know what each step configures, which traffic actually enters the tunnel, and how to verify that it does. Enjoy your more private browsing, and keep an eye on those checks after firmware updates.