VPN to home LAN

TL;DR: I install WireGuard on a VPS, connect my home OpenWRT router to it, and reach my home subnet from my phone.

If you run personal infrastructure on a home server, or you have a lot of IP-addressable devices at home, you probably want to reach them from work, from the bus, the train and the metro. The usual approach to this is to buy an IP address from the provider and then forward the port of each service to the outside.

Instead, I set up a VPN with access to my home LAN. The advantages of this solution:

  • Transparency: it feels like being at home wherever you are.
  • Simplicity: set it up once and forget about it; no need to think about forwarding each port.
  • Price: I already have a VPS, and for a task like this a modern VPN costs almost nothing in resources.
  • Security: nothing is exposed to the Internet; you can even leave MongoDB without a password and nobody will steal the data.

As always, there are downsides. First, every client has to be configured individually, including on the server side; this gets inconvenient if you have many devices that need access to the services. Second, your home subnet may overlap with the range used at work, and you will have to resolve that conflict.

We need:

  1. A VPS (Debian 10 in my case).
  2. A router running OpenWRT.
  3. A phone.
  4. A home server with some kind of web service to test against.
  5. A steady pair of hands.

I use WireGuard as the VPN technology. It has its own strengths and weaknesses, which I will not go into here. The VPN subnet is 192.168.99.0/24 and my home subnet is 192.168.0.0/24.

VPS configuration

Even the cheapest VPS at 30 rubles a month is enough for this job, if you are lucky enough to grab one.

I do everything on the server as root on a clean machine; add `sudo` where needed and adapt the instructions.

WireGuard did not make it into Debian stable, so I run `apt edit-sources` and add two backports lines to the end of the file:

deb http://deb.debian.org/debian/ buster-backports main
# deb-src http://deb.debian.org/debian/ buster-backports main

The package is installed in the usual way: `apt update && apt install wireguard`.

Next, generate a key pair: `wg genkey | tee /etc/wireguard/vps.private | wg pubkey | tee /etc/wireguard/vps.public`. Repeat this twice more, once for each other device in the scheme, changing the key file paths for each device, and don't forget to keep the private keys secure.

Now we prepare the config. Put the following into /etc/wireguard/wg0.conf:

[Interface]
Address = 192.168.99.1/24
ListenPort = 57953
PrivateKey = 0JxJPUHz879NenyujROVK0YTzfpmzNtbXmFwItRKdHs=

# OpenWRT
[Peer]
PublicKey = 36MMksSoKVsPYv9eyWUKPGMkEs3HS+8yIUqMV8F+JGw=
AllowedIPs = 192.168.99.2/32,192.168.0.0/24

# Smartphone
[Peer]
PublicKey = /vMiDxeUHqs40BbMfusB6fZhd+i5CIPHnfirr5m3TTI=
AllowedIPs = 192.168.99.3/32

The [Interface] section holds the settings of the machine itself, and each [Peer] section holds the settings of a device that will connect to it. In AllowedIPs, list the subnets, separated by commas, that will be routed to the corresponding peer. Because of this, peers that are "client" devices must be given a /32 mask on the VPN subnet; everything else is routed by the server. Since the home network is routed through OpenWRT, add the home subnet to the AllowedIPs of that peer. In PrivateKey and PublicKey, put the private key generated for the VPS and the public keys of the peers, respectively.

On the VPS, all that remains is to bring the interface up and add it to autostart: `systemctl enable --now wg-quick@wg0`. The current state of the connections can be checked with `wg`.

OpenWRT configuration

Everything needed for this step is in LuCI (the OpenWRT web interface). Log in, open the System menu and the Software tab. OpenWRT does not keep a package cache on the device, so refresh the list of available packages with the green Update lists button. When that finishes, type luci-app-wireguard into the filter and, after admiring the dependency tree in the popup, install the package.

In the Network menu, select Interfaces and press the green Add new interface button below the list of existing ones. After entering a name (also wg0 in my case) and choosing the WireGuard VPN protocol, a settings form with four tabs opens.

On the General Settings tab, enter the private key prepared for OpenWRT and its IP address together with the subnet mask.

On the Firewall Settings tab, assign the interface to the local network (lan) zone, so that connections from the VPN can freely enter the local network.

On the Peers tab, click the only button and fill in the VPS data in the form that appears: the public key and Allowed IPs (the entire VPN subnet needs to be routed to the server). In Endpoint Host and Endpoint Port, enter the VPS IP address and the port given in the ListenPort directive, respectively. Tick Route Allowed IPs so that routes are created. And be sure to fill in Persistent Keep Alive, otherwise the tunnel from the VPS to the router will break when the latter is behind NAT.

After that, save the settings and click Save & Apply on the interface list page. If necessary, start the interface explicitly with the Restart button.
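As an added example (not from the original post), here is the same router configuration done from the OpenWRT shell with uci instead of the LuCI clicks above. The uci option names are those of OpenWRT's wireguard protocol handler; the key values and VPS address are placeholders, 25 seconds is an assumed keepalive interval (the post gives no value), and the script assumes the first firewall zone is lan, which is the default but should be checked with `uci show firewall` before applying.

```shell
#!/bin/sh
# Added example, not from the original post: uci equivalent of the LuCI steps.
# Placeholders to replace: ROUTER_PRIVATE_KEY, VPS_PUBLIC_KEY, VPS_IP (documentation range).
ROUTER_PRIVATE_KEY=${ROUTER_PRIVATE_KEY:-ROUTER_PRIVATE_KEY_PLACEHOLDER}
VPS_PUBLIC_KEY=${VPS_PUBLIC_KEY:-VPS_PUBLIC_KEY_PLACEHOLDER}
VPS_IP=${VPS_IP:-203.0.113.10}
VPS_PORT=57953          # ListenPort from the VPS config
KEEPALIVE=25            # assumed interval in seconds; the post names no value

# Emit the commands instead of running them straight away, so they can be
# reviewed first and so the script does nothing on a machine without uci.
# Note: add_list appends, so running this twice duplicates list entries.
router_uci_commands() {
    cat <<EOF
uci set network.wg0=interface
uci set network.wg0.proto=wireguard
uci set network.wg0.private_key=$ROUTER_PRIVATE_KEY
uci add_list network.wg0.addresses=192.168.99.2/24
uci set network.vps=wireguard_wg0
uci set network.vps.description=VPS
uci set network.vps.public_key=$VPS_PUBLIC_KEY
uci add_list network.vps.allowed_ips=192.168.99.0/24
uci set network.vps.route_allowed_ips=1
uci set network.vps.endpoint_host=$VPS_IP
uci set network.vps.endpoint_port=$VPS_PORT
uci set network.vps.persistent_keepalive=$KEEPALIVE
uci add_list firewall.@zone[0].network='wg0'
uci commit network
uci commit firewall
/etc/init.d/network restart
/etc/init.d/firewall restart
EOF
}

if command -v uci >/dev/null 2>&1; then
    router_uci_commands | sh      # on the router: apply the settings
else
    router_uci_commands           # elsewhere: only show what would be applied
fi
```

The `firewall.@zone[0].network='wg0'` line is what the Firewall Settings tab does: it puts wg0 into the lan zone, so traffic arriving through the tunnel is treated like traffic from the home LAN.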

Setting up a smartphone

You need the WireGuard client, available from F-Droid, Google Play and the App Store. Open the app, tap the plus sign and, in the Interface section, enter a connection name, the private key (the public key is derived automatically) and the phone's address with a /32 mask. In the Peer section, specify the VPS public key, the VPS address and port pair as the Endpoint, and routes to the VPN and home subnets.

Screenshot from the phone

Tap the floppy disk icon in the corner, switch the tunnel on, and...
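To tie the VPS section and the phone section together, here is an added example (not the post's own code) that generates the three key pairs and assembles both the VPS-side wg0.conf and a phone config that can be imported into the WireGuard app instead of typing the fields in by hand. It uses the post's subnets and port; VPS_PUBLIC_IP is a placeholder from the documentation range, and check_client_masks is a small check of my own for the rule stated above that client peers must carry a /32 on the VPN subnet.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the post's subnets
# and port; VPS_PUBLIC_IP is a placeholder to replace with the real address.
set -u

VPN_NET=192.168.99.0/24
HOME_NET=192.168.0.0/24
VPS_PORT=57953
VPS_PUBLIC_IP=${VPS_PUBLIC_IP:-203.0.113.10}

# Write $1.private and $1.public; umask 077 keeps the private key owner-readable
# (the plain tee pipeline in the post inherits the default, usually world-readable, umask).
gen_keypair() {
    ( umask 077; wg genkey | tee "$1.private" | wg pubkey > "$1.public" )
}

# VPS-side wg0.conf. $1 VPS private key, $2 router public key, $3 phone public key.
# The router peer also carries the whole home subnet; the phone is a plain client (/32).
server_conf() {
    cat <<EOF
[Interface]
Address = 192.168.99.1/24
ListenPort = $VPS_PORT
PrivateKey = $1

# OpenWRT
[Peer]
PublicKey = $2
AllowedIPs = 192.168.99.2/32, $HOME_NET

# Smartphone
[Peer]
PublicKey = $3
AllowedIPs = 192.168.99.3/32
EOF
}

# Phone config: $1 phone private key, $2 VPS public key. Only the VPN and home
# subnets go through the tunnel; all other traffic stays on the phone's own network.
phone_conf() {
    cat <<EOF
[Interface]
Address = 192.168.99.3/32
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $VPS_PUBLIC_IP:$VPS_PORT
AllowedIPs = $VPN_NET, $HOME_NET
EOF
}

# Check a server config: any VPN-subnet entry in a peer's AllowedIPs must be a /32,
# otherwise the server would cryptokey-route the wider range to that one peer.
# Prints the offending entries and returns 1 if any are found.
check_client_masks() {
    bad=$(printf '%s\n' "$1" | sed -n 's/^AllowedIPs *= *//p' | tr ',' '\n' | tr -d ' ' \
          | grep -E '^192\.168\.99\.' | grep -vE '/32$' || true)
    [ -z "$bad" ] || { printf 'not a host route: %s\n' "$bad"; return 1; }
}

if command -v wg >/dev/null 2>&1; then
    dir=$(mktemp -d)
    for dev in vps router phone; do gen_keypair "$dir/$dev"; done
    conf=$(server_conf "$(cat "$dir/vps.private")" "$(cat "$dir/router.public")" "$(cat "$dir/phone.public")")
    check_client_masks "$conf" && printf '%s\n\n' "$conf"
    phone_conf "$(cat "$dir/phone.private")" "$(cat "$dir/vps.public")"
    echo "keys left in $dir; copy router.private into LuCI and the phone config into the app" >&2
else
    echo "wireguard-tools (wg) not installed; skipping key generation" >&2
fi
```

Running it on the VPS prints wg0.conf followed by the phone config; the router's private key goes into the LuCI General Settings tab by hand, as described above.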

Finish

Now you can reach the home monitoring, change router settings, or do anything else at the IP level.

Screenshots from the local network

Source: habr.com