algo/docs/client-openwrt-router-wireguard.md

# Using Router with OpenWRT as a Client with WireGuard

This scenario is useful when you want to use the VPN with devices that have no VPN capability, such as a smart TV, or when you want to make the VPN connection available to multiple devices through the router.

This is a tested, working scenario with the following environment:

- Algo installed on Ubuntu at DigitalOcean
- client-side router "TP-Link TL-WR1043ND" with OpenWrt version 21.02.1. [OpenWrt install instructions](https://openwrt.org/toh/tp-link/tl-wr1043nd)
- or client-side router "TP-Link Archer C20i AC750" with OpenWrt version 21.02.1. [OpenWrt install instructions](https://openwrt.org/toh/tp-link/archer_c20i)

See the list of compatible devices at https://openwrt.org/toh/start. In theory, any device on the list should work.

## Router setup

Make sure that:

- the router has OpenWrt installed,
- the router is connected to the internet,
- the router and the device in front of the router do not have the same IP address. By default OpenWrt uses 192.168.1.1; if that conflicts, change it to something like 192.168.2.1.

### Install required packages (WebUI)

- Open the router web UI (usually http://192.168.1.1)
- Log in (by default username: root, password: <empty>)
- Go to System -> Software and click "Update lists"
- Install the following packages: wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
- Restart the router

### Alternative: install required packages (SSH)

- Open the router web UI (usually http://192.168.1.1)
- `ssh root@192.168.1.1`
- `opkg update`
- `opkg install wireguard-tools kmod-wireguard luci-app-wireguard wireguard kmod-crypto-sha256 kmod-crypto-sha1 kmod-crypto-md5`
- `reboot`

### Create an Interface (WebUI)

- Open the router web UI
- Navigate to Network -> Interface
- Click "Add new interface"
- Give it a name, e.g. `AlgoVpn`
- Select the protocol `Wireguard VPN`
- Click `Create Interface`
- In the *General Settings* tab
  - `Bring up on boot`: *checked*
  - Private key: `Interface -> Private Key` from the algo config file
  - IP Address: `Interface -> Address` from the algo config file
- In the *Peers* tab
  - Click add
  - Name: `algo`
  - Public key: `[Peer]->PublicKey` from the algo config file
  - Preshared key: `[Peer]->PresharedKey` from the algo config file
  - Allowed IPs: 0.0.0.0/0
  - Route Allowed IPs: checked
  - Endpoint Host: `[Peer]->Endpoint` IP from the algo config file
  - Endpoint Port: `[Peer]->Endpoint` port from the algo config file
  - Persistent Keep Alive: `25`
- Click Save, then Save & Apply

### Configure Firewall (WebUI)

- Open the router web UI
- Navigate to Network -> Firewall
- Click `Add configuration`:
  - Name: e.g. ivpn_fw
  - Input: Reject
  - Output: Accept
  - Forward: Reject
  - Masquerading: Checked
  - MSS clamping: Checked
  - Covered networks: Select the created VPN interface
  - Allow forward to destination zones: Unspecified
  - Allow forward from source zones: lan
- Click Save, then Save & Apply
- Reboot the router

Additional configuration, such as DNS configuration, may be required depending on your environment.

You can also verify the configuration over SSH by inspecting `/etc/config/network`. It should look like this:

```
config interface 'algo'
	option proto 'wireguard'
	list addresses '10.0.0.2/32'
	option private_key '......' # Interface -> PrivateKey from the algo config file

# The peer section type must be wireguard_<interface name>
config wireguard_algo
	option public_key '......' # Server's public key
	option preshared_key '......' # [Peer] -> PresharedKey from the algo config file
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '......' # Server's public IP address
	option endpoint_port '51820'
	option persistent_keepalive '25'
```
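
The field-by-field mapping from the Algo client config to `/etc/config/network` can also be generated with a script, which avoids copy errors in the keys and endpoint. This is an added example, not part of the original page or the Algo project; the function name `wg_conf_to_uci`, the default interface name `algo`, and the sample keys and endpoint are constructed placeholders.

```shell
# Added example, not Algo or OpenWrt code. Usage: wg_conf_to_uci [IFNAME] < client.conf
wg_conf_to_uci() {
    awk -v ifname="${1:-algo}" -v q="'" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        function opt(kind, name, v) { printf "\t%s %s %s%s%s\n", kind, name, q, v, q }
        function list(name, csv,    n, parts, i) {   # one list line per comma-separated item
            n = split(csv, parts, ",")
            for (i = 1; i <= n; i++) opt("list", name, trim(parts[i]))
        }
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }           # skip comments and blank lines
        /^[ \t]*\[/ { section = trim($0); gsub(/^\[|\]$/, "", section); next }
        {
            eq = index($0, "=")                       # split on the first "=" only,
            if (eq == 0) next                         # because base64 keys end in "="
            val[section "." trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
        }
        END {
            n = split("Interface.PrivateKey Interface.Address Peer.PublicKey Peer.AllowedIPs Peer.Endpoint", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in val)) { print "missing " need[i] > "/dev/stderr"; exit 1 }
            ep = val["Peer.Endpoint"]
            if (!match(ep, /:[0-9]+$/)) { print "bad Endpoint: " ep > "/dev/stderr"; exit 1 }
            host = substr(ep, 1, RSTART - 1); port = substr(ep, RSTART + 1)
            gsub(/^\[|\]$/, "", host)                 # unwrap a bracketed IPv6 literal
            printf "config interface %s%s%s\n", q, ifname, q
            opt("option", "proto", "wireguard")
            opt("option", "private_key", val["Interface.PrivateKey"])
            list("addresses", val["Interface.Address"])
            printf "\nconfig wireguard_%s\n", ifname  # section type must be wireguard_<interface>
            opt("option", "public_key", val["Peer.PublicKey"])
            if ("Peer.PresharedKey" in val) opt("option", "preshared_key", val["Peer.PresharedKey"])
            opt("option", "route_allowed_ips", "1")
            list("allowed_ips", val["Peer.AllowedIPs"])
            opt("option", "endpoint_host", host)
            opt("option", "endpoint_port", port)
            opt("option", "persistent_keepalive", "25")   # value used in the WebUI steps
        }
    '
}
# Constructed sample input: placeholder keys, documentation-range endpoint.
SAMPLE='[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER=
Address = 10.0.0.2/32
[Peer]
PublicKey = SERVER-PUBLIC-KEY-PLACEHOLDER=
PresharedKey = PRESHARED-KEY-PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820'
printf '%s\n' "$SAMPLE" | wg_conf_to_uci algo
```

The output contains the client private key, so set `umask 077` before redirecting it to a file.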