VPN for your Home Network with WireGuard on OpenWrt and iPhone connecting to Linux VPN

Accessing your home network from the internet can be a tricky thing. Maybe you have home
automation software and want to trigger an action or check a sensor at home, or you want
to look at the IP cameras at home while you are away. Finding your home from the internet
can be done with dynamic DNS services such as DynDNS, DDNS, NoIP and so on. But how do you
get into your home network? For sure you have a firewall that is meant to prevent exactly
that: someone from the internet accessing your systems at home. Now you might just open a
hole in your firewall and forward traffic, let's say, to that webcam in your living room,
which is of course protected with a password. But username and password are actually quite
weak protection. They can be broken with dictionary and brute force attacks, meaning someone
finds the hole and tests thousands of commonly used passwords in seconds. Furthermore,
devices tend to have bugs. When did you last update the firmware of your 5 year old webcam?
Never? Well, then chances are high that the system has a lot of security issues and that an
exploit can be used to gain access to it.

In order to access your home environment from the internet, you may use a VPN. That is,
you install VPN software on a PC, in a Docker container, on a Raspberry Pi or, of course,
and this is the preferred solution, directly on your router at home. You will still have
to open a hole in your firewall, but the VPN is designed to withstand wrong logins and it
also uses a stronger authentication mechanism. Rather than a simple username and password,
a good VPN uses modern cryptography such as a private and public key pair, or a certificate
and private key that have been signed by a certificate authority. This way connections can
be refused before they ever reach any buggy web page in your intranet that asks for username
and password and could easily be hacked. For the home user there are mainly two VPN
solutions of interest. One is called OpenVPN and the other one is the new kid on the block
and is called WireGuard. Today's episode will be about setting up a WireGuard VPN on an
OpenWrt router and using an iPhone to connect to it from the internet.

The first step before we do anything on OpenWrt is always to check the OpenWrt web site,
because the documentation there is very well maintained. Quickly googling for Wireguard
OpenWrt leads us to the right web page with very detailed instructions on how to set things
up. Now I know that many people do not like the command line and would rather use graphical
tools, but unfortunately there is not yet a complete GUI for the WireGuard solution; as I
said before, it's quite new. But this is no problem: I have put the commands together in a
script and you can download it from my GitHub repository. The link is, like always, in the
description of the video.

The OpenWrt page also links to a page that tells you how to gain secure shell access to
your router. Under Windows you may use PuTTY; on the Mac or on Linux you can just ssh from
any shell window. In order to transfer the script you could either download it from the
command line using curl or wget, or you could copy it over using scp, or, the most
comfortable way, you could use FileZilla or WinSCP to transfer the file. For that we just
need to install the SFTP server package on the router so that it accepts SFTP connections.
Alternatively you could of course just copy and paste the content of the script into the
terminal window.

The script only takes seconds to run and it does a lot of things automatically for you.
First, it downloads and installs the necessary software packages. Second, it sets up a new
firewall rule that allows WireGuard VPN traffic in from the WAN, that is, from the internet.
Third, it creates a network interface called wg0. This is where we will later set up the
so-called peers for WireGuard. I also want a graphical user interface in order to see the
status and add new connections with a QR code, so I also install the package
luci-app-wireguard. That's all we need to do on the router.

Now let's see what we need to do on the iPhone. First I need to install the WireGuard
client. This can be found in the App Store. From the main screen I can add a new VPN
connection using the plus button. I can now either create a new connection from scratch,
from a file or, and that is my preferred solution, from a QR code. So let's go back to
OpenWrt, select Status and then WireGuard Status. In order to have the QR code displayed I
need the qrencode package; no problem, quickly back to the package management under
System / Software, search for the package and install it. Here we go, the package is
installed and I can scan the QR code. Unfortunately the current version of this interface
does not do everything for me; there are still two or three things I need to do manually.
First let's do this on the iPhone. I need to tell my iPhone where to find the VPN. Here I
can either specify an IP address or a DNS name. Typically you would put in the name from
the dynamic DNS service here, followed by a colon and then the port number.

By default the port number is 51820. I also need to tell the iPhone which IP address it is
going to get on the VPN. That is a bit cumbersome, as I would normally expect this to happen
over DHCP, but for a handful of devices like we would expect in a home environment that is
OK. The script has given the WireGuard interface the private IP address 192.168.9.1, so the
address of my iPhone needs to be in the same subnet. I have chosen 192.168.9.18/32; the /32
indicates that this is a single IP address and not a subnet. The other values are OK. In
order to allow my iPhone to access the VPN server at home I need to tell WireGuard about it.
WireGuard has no concept of clients and servers, but rather of so-called peers. So I need to
add a new peer. This is done on the network interface, so I need to go to Network /
Interfaces and then click on Edit next to the wg0 interface.

Here I can review the most important settings of the WireGuard network interface: the
general settings, the port it is listening on, the private IP address it uses, and some
additional settings such as the maximum transmission unit or MTU, which you should leave
unchanged. However, just a little hint here: if you run into issues connecting from a mobile
3G or LTE network, then try lowering this value. With prepaid cards or on public WiFi in the
train I had to lower this to values around 400 to get the VPN working stably.
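To make the hand-entered values concrete, here is a small POSIX shell helper, added for this write-up and not code from the video or its GitHub script. It writes the WireGuard configuration file the iPhone app can import "from a file" and checks the things the GUI leaves to you: a /32 address that lies inside the wg0 subnet, an endpoint of the form ddns-name:port, and an MTU no larger than WireGuard's default of 1420 (the lower bound of 400 is the value from the author's experience above, not a WireGuard limit). The DDNS host name myhome.example.net, the home LAN prefix 192.168.1.0/24, the /24 prefix on the router's 192.168.9.1, the key placeholders and the function names in_subnet, validate_client and make_client_conf are assumptions of this example, not values from the video.

```shell
#!/bin/sh
# Added example: build and sanity-check the iPhone-side WireGuard config.
# Assumed: the /24 prefix on the router's wg0 address, the DDNS name,
# the home LAN prefix and the placeholder keys (none are real keys).
set -eu

WG_SUBNET="192.168.9.1/24"   # wg0 address the script assigns on the router (/24 assumed)

# Dotted quad -> integer; runs in a subshell so the IFS change stays local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet ADDR NET/PREFIX: true if ADDR lies inside NET/PREFIX.
in_subnet() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# validate_client ADDR/PREFIX ENDPOINT MTU: the checks the GUI does not make.
validate_client() {
    addr=$1; endpoint=$2; mtu=$3
    # The phone gets exactly one address, so the prefix must be /32.
    case "$addr" in */32) ;; *) echo "address must end in /32: $addr" >&2; return 1 ;; esac
    host=${addr%/*}
    # Basic shape check: four dotted decimal fields, nothing else.
    case "$host" in
        *[!0-9.]*|*.*.*.*.*) echo "bad address: $host" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "bad address: $host" >&2; return 1 ;;
    esac
    # It must be in the same subnet as wg0 on the router.
    in_subnet "$host" "$WG_SUBNET" || { echo "$host is not inside $WG_SUBNET" >&2; return 1; }
    # Endpoint is DDNS-name:port with a numeric port in range.
    case "$endpoint" in *:*) ;; *) echo "endpoint needs :port: $endpoint" >&2; return 1 ;; esac
    port=${endpoint##*:}
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # MTU: 1420 is WireGuard's default; lower it only on flaky mobile links.
    case "$mtu" in ''|*[!0-9]*) echo "bad MTU: $mtu" >&2; return 1 ;; esac
    [ "$mtu" -ge 400 ] && [ "$mtu" -le 1420 ] || { echo "MTU out of range: $mtu" >&2; return 1; }
    return 0
}

# make_client_conf ADDR/32 ENDPOINT MTU CLIENT_PRIVKEY ROUTER_PUBKEY ALLOWED_IPS
# Prints the config the iPhone app can import, after validating it.
make_client_conf() {
    validate_client "$1" "$2" "$3" || return 1
    cat <<EOF
[Interface]
PrivateKey = $4
Address = $1
MTU = $3

[Peer]
PublicKey = $5
Endpoint = $2
AllowedIPs = $6
PersistentKeepalive = 25
EOF
}

# Demo with constructed values; the keys are placeholders, not real keys.
# AllowedIPs here is the wg0 subnet plus an assumed home LAN of 192.168.1.0/24.
make_client_conf 192.168.9.18/32 myhome.example.net:51820 1420 \
    "CLIENT_PRIVATE_KEY_FROM_THE_IPHONE_APP" "ROUTER_PUBLIC_KEY_FROM_THE_STATUS_PAGE" \
    "192.168.9.0/24, 192.168.1.0/24"
```

Save the printed text as a .conf file and import it in the app, or simply use it as a checklist for the fields you type into the QR-scanned tunnel: Address, Endpoint and MTU are the three that the status page's QR code does not fill in for you.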

But again, leave this unchanged unless you know exactly what you are doing. The firewall
settings show the assigned firewall zone, which is the LAN. Moving over to the Peers tab we
can add the iPhone. Here you need to add the public key from your iPhone. Unfortunately
this is not done by the GUI. One way to copy it over from your iPhone is to create a mail,
but rather than sending it keep it in your drafts, then open it from your PC and copy the
public key from there. In general you should not send keys by mail. Alternatively you can
of course open this page from your iPhone and then copy and paste the value over from
Safari. The second field that must be filled out is the Allowed IPs field. Here we fill in
the IP address which we specified on the iPhone. Last but not least we activate routing by
ticking the box Route Allowed IPs. That's it: clicking on Save & Apply restarts the
networking services and applies the changes.
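The router-side steps of the whole procedure, from the script's three steps to the peer added in the Peers tab, as uci commands. This is an added example written for this write-up, not the script from the author's GitHub repository. With DRY_RUN=1 (the default) every command is printed instead of run, so the sequence can be reviewed on a PC; on the router, DRY_RUN=0 executes it. Assumed rather than taken from the video: the package names wireguard-tools and luci-proto-wireguard of current OpenWrt releases, that the lan zone is firewall.@zone[0], the /24 prefix on 192.168.9.1, and the placeholder keys. The add_peer function also refuses a malformed public key or an allowed IP without a prefix length, the two fields the transcript says you must type by hand.

```shell
#!/bin/sh
# Added example: the transcript's router-side steps as OpenWrt opkg/uci commands.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them on the router.
# Assumed: package names, lan zone index, /24 prefix, placeholder keys.
set -eu

DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands only; 0 = execute on the router
WG_IF="wg0"                # interface name used in the video
WG_PORT="51820"            # WireGuard's default UDP port
WG_ADDR="192.168.9.1/24"   # router address on the VPN (/24 prefix is an assumption)

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: WireGuard, the LuCI pieces for the status page, and qrencode for
# the QR code. Package names are those of current OpenWrt releases (assumed).
install_packages() {
    run opkg update
    run opkg install wireguard-tools luci-proto-wireguard luci-app-wireguard qrencode
}

# Step 2: firewall rule that lets WireGuard UDP traffic in from the WAN.
add_firewall_rule() {
    run uci add firewall rule
    run uci set 'firewall.@rule[-1].name=Allow-WireGuard'
    run uci set 'firewall.@rule[-1].src=wan'
    run uci set 'firewall.@rule[-1].proto=udp'
    run uci set "firewall.@rule[-1].dest_port=$WG_PORT"
    run uci set 'firewall.@rule[-1].target=ACCEPT'
}

# Step 3: the wg0 interface, attached to the lan zone as shown in the video.
create_interface() {
    key=$1    # server private key; on the router this comes from `wg genkey`
    run uci set "network.$WG_IF=interface"
    run uci set "network.$WG_IF.proto=wireguard"
    run uci set "network.$WG_IF.private_key=$key"
    run uci set "network.$WG_IF.listen_port=$WG_PORT"
    run uci add_list "network.$WG_IF.addresses=$WG_ADDR"
    run uci add_list "firewall.@zone[0].network=$WG_IF"   # @zone[0] = lan (assumed)
}

# What the Peers tab does, plus two checks the GUI does not make: the key must
# look like a WireGuard key (32 bytes base64 = 44 chars ending in '=') and the
# allowed IP must carry a prefix length such as /32.
add_peer() {
    name=$1; pubkey=$2; allowed=$3
    junk=$(printf '%s' "$pubkey" | tr -d 'A-Za-z0-9+/=')
    if [ "${#pubkey}" -ne 44 ] || [ -n "$junk" ]; then
        echo "add_peer: public key must be 44 base64 characters" >&2; return 1
    fi
    case "$pubkey" in *=) ;; *) echo "add_peer: public key must end in '='" >&2; return 1 ;; esac
    case "$allowed" in */[0-9]*) ;; *) echo "add_peer: allowed IP needs a /prefix, e.g. /32" >&2; return 1 ;; esac
    run uci add network "wireguard_$WG_IF"
    run uci set "network.@wireguard_$WG_IF[-1].description=$name"
    run uci set "network.@wireguard_$WG_IF[-1].public_key=$pubkey"
    run uci add_list "network.@wireguard_$WG_IF[-1].allowed_ips=$allowed"
    run uci set "network.@wireguard_$WG_IF[-1].route_allowed_ips=1"   # "Route Allowed IPs"
}

# Commit and restart, which is what Save & Apply does in LuCI.
apply_changes() {
    run uci commit firewall
    run uci commit network
    run /etc/init.d/firewall restart
    run /etc/init.d/network restart
}

# In dry-run mode a placeholder stands in for the generated private key.
server_private_key() {
    if [ "$DRY_RUN" = "1" ]; then echo "DRYRUNplaceholderPRIVATEkeyNOTaREALkey00000="; else wg genkey; fi
}

main() {
    install_packages
    add_firewall_rule
    create_interface "$(server_private_key)"
    # Constructed placeholder: paste the public key shown in the iPhone app instead.
    add_peer iphone "PLACEHOLDERpublicKEYfromIPHONEappREPLACEme0=" "192.168.9.18/32"
    apply_changes
}
main
```

The dry-run output is exactly what you would otherwise type into the SSH session, so it doubles as a checklist against the GUI: the rule under Network / Firewall, the wg0 interface with its listen port and address, and the peer with its public key, allowed IP and the Route Allowed IPs flag.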

I can now try to connect from my iPhone to the VPN on the router. It seems to connect,
that's fine. Checking the status page on the router, my connection details are shown and
the icon goes from grey to blue once I connect. On the phone I can tap Settings and then
View Log, which shows me additional information about the connection progress. Here we go,
I am connected and may now check my IP cameras at home. Let me launch the IP Cam
application, here it is, and yes, I can connect and check the cameras. All good, all
working. That concludes today's episode. In another episode on VPN we will actually build
our own outbound VPN service by renting a server for a dollar per month, installing VPN
software on it and connecting to it from home or from a mobile device.

In other words, we build our own VPN service for a dollar per month. I am sure that is an
offer you can't refuse, so please make sure that you are subscribed to my channel. Thanks
for watching, stay safe, stay healthy, bye for now.
