
Completely Secure Local Networks using OpenWRT Routers and Wireguard

5 Jul 2024, CPOL, 3 min read
Securing local networks with Wireguard-connected OpenWRT routers prevents RF data leakage and stops eavesdroppers from reading internet traffic.
When devices are connected via Ethernet cables, traffic can be read out through direct connections or RF leakage. Local Wireguard tunnels on all LAN connections make the Ethernet cables secure. Connecting the main router to a VPN prevents traffic from leaking on the internet side. This article describes achieving both of these objectives.

Introduction

Ethernet cables have two problems: 1) they are open to traffic inspection, and 2) they are prone to RF leakage, which allows traffic to be reconstructed. When we connect our local routers to each other using regular Ethernet cables, the traffic is exposed to spying; even though the connections are HTTPS, data mining can still be done on them. This can be mitigated by securing local connections with Wireguard tunnels and enabling WPA3 WiFi on wireless devices. Internet access from our ISPs is also insecure, as those connections tend to leak data that allows our internet habits to be reconstructed, which is why people generally use VPNs to mitigate it. This article describes achieving these objectives using OpenWRT routers.

The diagram below shows the general idea of a secure local network.

[Image 1: diagram of the general idea of a secure local network]

The Wireguard tunnels between local devices are necessary for securing the connections when Ethernet cables are used instead of WPA3 WiFi. The next section of the article describes connecting two OpenWRT routers over a Wireguard connection, so that the Wireguard tunnel serves as the WAN of the second router.

Prerequisites

To follow this article, you need either two routers flashed with OpenWRT, or one OpenWRT router and a client with Wireguard installed (a Windows PC with a LAN port). Skip the sections that do not apply to your setup. LAN and WiFi must be enabled on the OpenWRT routers. Install the following packages on the OpenWRT routers and restart them.

opkg update
opkg install wireguard-tools luci-proto-wireguard

Local Wireguard Tunnel Implementation

The first step is to configure Wireguard as a server on an OpenWRT router. We are configuring two servers with one peer each. Read more about Wireguard here and here.

Wireguard Server on OpenWRT Router

Add the following lines to the /etc/config/network file to create the servers, then assign the interfaces to the LAN firewall zone.

...
config interface 'wgserver'
	option proto 'wireguard'
	option private_key '<private key of server1>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	option mtu '2000'

config wireguard_wgserver
	option description 'desktop'
	option public_key '<public key of peer1>'
	option private_key '<private key of peer1>'
	option preshared_key '<preshared key of peer1>'
	list allowed_ips '0.0.0.0/0'

config device
	option name 'wgserver'
	option ipv6 '0'
	option acceptlocal '1'

config interface 'wgserver_r1'
	option proto 'wireguard'
	option private_key '<private key of server2>'
	option listen_port '51821'
	list addresses '192.168.91.1/24'
	option mtu '2000'

config wireguard_wgserver_r1
	option description 'router1'
	option public_key '<public key of peer2>'
	option private_key '<private key of peer2>'
	option preshared_key '<preshared key of peer2>'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config device
	option name 'wgserver_r1'
	option ipv6 '0'
	option acceptlocal '1'

Add the following lines to /etc/config/firewall; only the two list network entries for 'wgserver' and 'wgserver_r1' are new, the rest of the zone is shown for context.

...
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wifi24'
	list network 'wifi50'
	list network 'wgserver'
	list network 'wgserver_r1'

...

Restart the router and check in LuCI that the interfaces have appeared and are assigned to the lan firewall zone.

Wireguard Client on Windows

https://www.wireguard.com/install/ lists all the clients; install the one for your platform. On Windows, add the following tunnel configuration.

[Interface]
PrivateKey = <private key>
Address = 192.168.9.7/32
DNS = 8.8.8.8

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 192.168.10.1:51820

Replace 192.168.10.1 with the local gateway address of the router's br-lan (or equivalent) interface. Check internet access after connecting to the tunnel; if it works, the tunnel is configured properly.

[Image 2]

Wireguard Client on OpenWRT router

Follow this section if you have a second OpenWRT router. Wireguard configured as a client automatically replaces the WAN as the router's internet access. This forces all clients of the router to use the tunnel as their internet source, and internet access will not work if the tunnel is configured improperly.

Add the following lines to /etc/config/network of the client router.

...
config interface 'wgc'
    option proto 'wireguard'
    option private_key '<private key>'
    list dns '8.8.8.8'
    option mtu '2000'
    list addresses '192.168.91.8/32'

config wireguard_wgc
    option description 'Imported peer configuration'
    option public_key '<public key>'
    option preshared_key '<preshared key>'
    list allowed_ips '0.0.0.0/0'
    option endpoint_host '192.168.10.1'
    option endpoint_port '51821'
    option route_allowed_ips '1'
    option persistent_keepalive '20'

Assign the interface to the WAN firewall zone by adding the following line to /etc/config/firewall (the list network 'wgc' entry is the new line).

...
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'wgc'
...

Restart the router and check that internet traffic is flowing through the wgc interface and that the router's WiFi clients have internet access.
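Both the server-side zone edit (wgserver and wgserver_r1 in lan) and the client-side one (wgc in wan) come down to the same question: which zone does a network end up in? The script below is an added example, not code from the original article: it parses a UCI firewall file with awk and reports the zone(s) listing a network, so a Wireguard interface that landed in no zone or in the wrong one is caught from the shell before rebooting. The sample firewall file is constructed here for the self-test; on a router, call the functions on /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example (not from the original article): zone check for UCI firewall files.
# wgserver/wgserver_r1 must be in 'lan' on the server router, wgc in 'wan' on the client.

# Constructed sample of /etc/config/firewall for the self-test; use the real
# file on a router: zone_of_network /etc/config/firewall wgserver
SAMPLE_FW="${TMPDIR:-/tmp}/sample_firewall.$$"
cat > "$SAMPLE_FW" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	list network 'lan'
	list network 'wgserver'
	list network 'wgserver_r1'

config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wgc'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF

# Print every zone whose section lists NETWORK, one per line; print nothing
# if the network is unassigned. Only 'config zone' sections are considered.
zone_of_network() {
    awk -v net="$2" '
        $1 == "config" { inzone = ($2 == "zone"); zone = ""; next }
        inzone && $1 == "option" && $2 == "name" { gsub(/\047/, "", $3); zone = $3; next }
        inzone && $1 == "list" && $2 == "network" {
            gsub(/\047/, "", $3); if ($3 == net) print zone
        }
    ' "$1"
}

# Succeed only when NETWORK is in exactly the zone EXPECTED and in no other
# (a network listed in two zones is a misconfiguration as much as an unlisted one).
assert_zone() {
    _got=$(zone_of_network "$1" "$2" | sort -u | tr '\n' ' ')
    [ "$_got" = "$3 " ]
}
```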

OpenWRT VPN Installation on OpenWRT Router

Refer to the following article for instructions on adding a resilient VPN to an OpenWRT router: link here. The current section requires the VPN to be set up in the manner described in that article. The remaining steps in this article add the Wireguard servers to the custom routing table created there, so that the Wireguard servers use the OpenVPN tunnel 'tun0' for internet traffic.

Modifying Kill Switch Scripts

1) On the router configured for resilient VPN, add a file /etc/openvpn/kill-switch/kill-switch-setup-wgserver.sh (the path that the hotplug script in step 3 invokes) with the following contents. Make the file executable.

Bash
#!/bin/sh

/etc/openvpn/kill-switch/activate-kill-switch-for-interface.sh 192.168.9.0/24 wgserver 192.168.9.1 custom_lan

2) Add a file /etc/openvpn/kill-switch/kill-switch-setup-wgserver_r1.sh (again the path invoked from step 3) with the following contents. Make the file executable.

Bash
#!/bin/sh

/etc/openvpn/kill-switch/activate-kill-switch-for-interface.sh 192.168.91.0/24 wgserver_r1 192.168.91.1 custom_lan

3) Modify the /etc/hotplug.d/iface/99-wan-interfaces file with the following lines, leaving other lines as is.

...
# State files live in /tmp, so they are cleared on reboot. A missing file
# (interface never came up) reads as an empty string, which the awk
# comparison below turns into 0; 2>/dev/null keeps cat quiet in that case.
wgserverstateret=`cat /tmp/wgserverstate 2>/dev/null`
wgserver_r1stateret=`cat /tmp/wgserver_r1state 2>/dev/null`

...
wgserverstarted=`echo "$wgserverstateret" started | awk '{ print ($1 == $2) ? 1 : 0 }'`
wgserver_r1started=`echo "$wgserver_r1stateret" started | awk '{ print ($1 == $2) ? 1 : 0 }'`
...
killswitchwgserverstateret=`cat /tmp/killswitchwgserverstate 2>/dev/null`
killswitchwgserver_r1stateret=`cat /tmp/killswitchwgserver_r1state 2>/dev/null`
...
killswitchwgserverstarted=`echo "$killswitchwgserverstateret" started | awk '{ print ($1 == $2) ? 1 : 0 }'`
killswitchwgserver_r1started=`echo "$killswitchwgserver_r1stateret" started | awk '{ print ($1 == $2) ? 1 : 0 }'`

...
activatewgserverkillswitch=0
activatewgserver_r1killswitch=0
...
# A server going down forgets that its kill switch was armed, so the switch
# is set up again the next time both the server and wan are up.
if [ "${ACTION}" = "ifdown" ] && [ "${INTERFACE}" = "wgserver" ]
then
    rm -f /tmp/killswitchwgserverstate
fi

if [ "${ACTION}" = "ifdown" ] && [ "${INTERFACE}" = "wgserver_r1" ]
then
    rm -f /tmp/killswitchwgserver_r1state
fi
...
# Arm a server's kill switch only once, when both wan and that server are up,
# whichever of the two comes up last.
if [ "${ACTION}" = "ifup" ] && [ "${DEVICE}" = "wan" ]
then
    echo started > /tmp/wanstate
    ...
    if [ $wgserverstarted -eq 1 ] && [ $killswitchwgserverstarted -eq 0 ]
    then
        activatewgserverkillswitch=1
    fi
    if [ $wgserver_r1started -eq 1 ] && [ $killswitchwgserver_r1started -eq 0 ]
    then
        activatewgserver_r1killswitch=1
    fi
fi
...
if [ "${ACTION}" = "ifup" ] && [ "${DEVICE}" = "wgserver" ]
then
    echo started > /tmp/wgserverstate
    if [ $wanstarted -eq 1 ] && [ $killswitchwgserverstarted -eq 0 ]
    then
        activatewgserverkillswitch=1
    fi
fi

if [ "${ACTION}" = "ifup" ] && [ "${DEVICE}" = "wgserver_r1" ]
then
    echo started > /tmp/wgserver_r1state
    if [ $wanstarted -eq 1 ] && [ $killswitchwgserver_r1started -eq 0 ]
    then
        activatewgserver_r1killswitch=1
    fi
fi
...
if [ $activatewgserverkillswitch -eq 1 ]
then
    echo started > /tmp/killswitchwgserverstate
    /etc/openvpn/kill-switch/kill-switch-setup-wgserver.sh
fi

if [ $activatewgserver_r1killswitch -eq 1 ]
then
    echo started > /tmp/killswitchwgserver_r1state
    /etc/openvpn/kill-switch/kill-switch-setup-wgserver_r1.sh
fi
...
exit 0
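The arming rule spread across the hotplug fragment above (set up a server's kill switch once both it and wan are up, and only once) is easy to get wrong when events arrive in a different order after a reboot. The following is an added example, not code from the original article or the linked one: it pulls that rule into a single function driven by a fake state directory, so the ordering can be exercised without real ifup/ifdown events. Assumptions: STATEDIR stands in for /tmp, arming is recorded by writing the killswitch<if>state file instead of running kill-switch-setup-<if>.sh, and an ifdown also removes the interface's own state file (the article's excerpt only shows the kill-switch file being removed).

```shell
#!/bin/sh
# Added example (not from the original article): the 99-wan-interfaces arming
# rule as one testable function over a fake state directory (stand-in for /tmp).

# 1 if "<dir>/<name>state" holds "started", else 0 (a missing file counts as 0).
state_started() {
    [ "$(cat "$1/${2}state" 2>/dev/null)" = "started" ] && echo 1 || echo 0
}

# Apply one hotplug event (ACTION = ifup|ifdown, IFACE = wan|wgserver|wgserver_r1)
# to STATEDIR and print the name of each kill switch armed by this event.
# Arming is simulated by writing killswitch<if>state (assumption: the real
# script also runs /etc/openvpn/kill-switch/kill-switch-setup-<if>.sh here).
handle_event() {
    _dir=$1; _action=$2; _if=$3
    case "$_action" in
    ifdown)
        # Drop the interface's own state and, for a server, its kill-switch
        # state, so the switch is re-armed on the next ifup. For wan the
        # second file never exists and rm -f is a no-op. (Assumption: the
        # article shows only the kill-switch file being removed.)
        rm -f "$_dir/${_if}state" "$_dir/killswitch${_if}state"
        ;;
    ifup)
        echo started > "$_dir/${_if}state"
        for _wg in wgserver wgserver_r1; do
            # Only an event for wan or for this server can complete the pair.
            if [ "$_if" = wan ] || [ "$_if" = "$_wg" ]; then
                if [ "$(state_started "$_dir" wan)" -eq 1 ] \
                   && [ "$(state_started "$_dir" "$_wg")" -eq 1 ] \
                   && [ "$(state_started "$_dir" "killswitch$_wg")" -eq 0 ]; then
                    echo started > "$_dir/killswitch${_wg}state"
                    echo "$_wg"
                fi
            fi
        done
        ;;
    esac
}
```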

After restarting your router, Wireguard traffic will use the internet through the 'tun0' VPN tunnel. Check that this is the case by observing the traffic counters in LuCI.

WPA3 WiFi

Your WiFi interfaces must be configured to use the VPN tunnel, as described in the article mentioned earlier, and set to WPA3 security for client devices to have VPN access. Keep the WiFi password secret, and use a separate guest wireless network if other users need access.

The End

After implementing these concepts, local routers and devices connected by Ethernet cables will not leak data, whether through connected spyware or RF leakage. Cloud servers can also use Wireguard within their LAN networks to improve privacy and add a layer of protection to traffic.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)