Thank you for visiting!
My little window on internet allowing me to share several of my passions
Categories:
- OpenBSD
- High Availability
- vdcron
- My Sysupgrade
- FreeBSD
- Nas
- DragonflyBSD
- fapws
- Alpine Linux
- Openbox
- Desktop
- Security
- nvim
- yabitrot
- nmctl
- Tint2
- Firewall
- VPN
- Project Management
- Hifi
- Alarm
Most Popular Articles:
Last Articles:
Setup Wireguard as home VPN and connect it via Android
Posted on 2024-10-05 14:17:00 from Vincent in OpenBSD
I'm looking for a simple way to connect my Android devices to my home via VPN. The goal is to have my GSM apps acting as if I'm home.
Specially interesting for services I want to use or check, but I don't want to provide them directly on internet.
For example my zigbee devices
Introduction
Having his own VPN allow you to be connected as if you would be surfing from home.
I'm regularly using ssh tunnels to allow my OpenBSD laptop to work as if I'm at home. But having such ssh tunnels from an Android mobile device is not possible. At least with my setup.
But which VPN system to use ?
Selection of the VPN system
At home, except 1, all my machines are running OpenBSD. So, imagine on which machine I will host my VPN?
Sure it will be on OpenBSD.
On this OS, we have 3 VPN systems possible: IPsec, OpenVPN and Wireguard.
After some research, I've decided to implement Wireguard because is easy to setup and works nicely on Android (and on lot of systems).
My setup
Let me draw a schematic view of my setup:
So the goal will be to configure the firewall to allow incoming wireguard traffic.
Assign IP in the range 10.0.0.0/24 for such connection. And let him go inside to my zigbee coordinator machine.
OpenBSD configuration
Since wireguard is in base (cfr wg), we do not have to install packages.
First create the required certificates.
I've just said that packages are not required, but I will install one for the creation of the certificates. I will do this on my laptop:
obsd:~ $ doas pkg_add wireguard-tools py3-qrcode
obsd:~ $ wg genkey | tee server-pri.key | wg pubkey > server-pub.key
obsd:~ $ wg genkey | tee android-pri.key | wg pubkey > android-pub.key
Thanks to this command I have my private and public keys for both my server (my firewall in my case) and the client (my android device in my case).
We can now transfer those files to the firewall machine:
obsd:~ $ scp server-pri.key vi@fw:/home/vi
obsd:~ $ scp android-pub.key vi@fw:/home/vi
Note: the 2nd package called py3-qrcode will be used to transfer those keys to the android devise. I'll detail this later.
Let's create a wireguard channel on the firewall machine
I first create the required folder on my firewall:
fw:~ # mkdir /etc/wireguard
fw:~ # mv /home/vi/server-pri.key /etc/wireguard/
fw:~ # mv /home/vi/android-pub.key /etc/wireguard/
We can now create our wireguard interface:
fw:~ # ifconfig wg0 create wgport 51820 wgkey $(cat /etc/wireguard/server.key)
fw:~ # ifconfig wg0 10.0.0.1/24
You we have something like this:
fw:~ # ifconfig wg0
wg0: flags=8082<BROADCAST,NOARP,MULTICAST> mtu 1420
index 6 priority 0 llprio 3
wgport 51820
wgpubkey <server pub key>
groups: wg
The next step is to allow connection coming from my android device:
fw:~ # ifconfig wg0 wgpeer $(cat /etc/wireguard/android-pub.key) wgaip 10.0.0.1/24
In such case the ifconfig will be something like this:
fw:~ # ifconfig wg0
wg0: flags=8082<BROADCAST,NOARP,MULTICAST> mtu 1420
index 6 priority 0 llprio 3
wgport 51820
wgpubkey <server pub key>
wgpeer <android pub key>
tx: 0, rx: 0
wgaip 10.0.0.1/24
groups: wg
In this case I'm authorising IP in the range 10.0.0.1/24
This setup is manual and temporary. If you want to disable it you can do:
fw:~ # ifconfig wg0 destroy
To make it permanent, you have to create a /etc/hostname.wg0 file like this:
fw:~ # cat /etc/hostname.wg0
wgkey <server private key> wgport 51820
inet 10.0.0.1/24
wgpeer <android public key> wgaip 10.0.0.1/24
up
We have now to adapt our pf rules
In my case, $ext_if is "re0", and I apply the following rules:
pass in on $ext_if proto udp from any to any port 51820
pass on wg0
pass out on $ext_if inet from 10.0.0.1/24 nat-to $ext_if
You can apply the rules by doing:
fw:~ # pfctl -vf /etc/pf.conf
Adapt your internet router
Since we are hosting a service inside our home's lan, we have to adapt the internet router.
I cannot show it here because every ISP has his own router with different layout and features.
But globally we must redirect outside traffic coming on port 51820 to the IP of the interface "re0".
After such change, it could be that you have to reboot this internet router.
With those elements our firewall is now ready to accept remote connection from the outside.
Configure our Android device
In my case I've install the app "wireguard" as documented on their website: https://www.wireguard.com/install/
The following steps will be executed on my laptop, at least the machine where we have created the keys and install a qr code generator.
The 1st step is to build a config file like this one:
obsd:~ $ cat wg_android.conf
[Interface]
PrivateKey = <android private key>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <your ISP public IP>:<public ISP port>
You have to replace few elements with your specific keys, IP and port.
Then we can generate a qr code that our mobile device can read:
obsd:~ $ cat wg_android.conf | qr
Then a big qr code will be generated. In my case it works inside xterm and alacrity sessions.
I'm not sure this can works directly from a server.
But it looks like this:
Then on your mobile device, you have to start the wireguard app and click on "+" to add a new channel.
The app will propose you to scan a QR code via the camera.
Just point you terminal session and you should be good to go ;).
Once the VPN is started a small "key icon" is presented on the top of your android screen.
In such case all applications will use the VPN. So it's like you mobile device is located at your home.
By applying few PF rules, I can let pass the traffic between my vlan 10.0.0.0/24 and my zigbee coordinator.
This part is very specific case by case, so I let you define what you need.
Debugging
To confirm it's working as it should, you must see values in transfer part for "rx".
If you only have "tx" KB, then you have a problem with the VPN. Most probably the mobile device send requests, but the server does not answer.
In case something else is not working, you can activate a debugging feature on the server side:
fw:~ # ifconfig wg0 debug
Anyhow, on the mobile device, you can check the log screen.
Please also make you that your ISP allow such traffic. You could have some "natting" or firewall rules which block such traffic.
the only possibility to be sure is to try it :(.
So, be patient and verify each steps closely.
Other readings
Other readings that could interest you:
- Securely tunnal smart phone traffic with wireguard and OpenBSD by Thomas Ward
- How to setup a wireguard VPN server with unbound on OpenBSD by Marco Cetica
- Howto: Wireguard on OpenBSD by Ianix
- Full wireguard setup with OpenBSD by Solene