vpn


Back to OpenWrt

Some years ago, my network provider (O2 – Spain) installed a router for me (Mitrastar HGU GPT-2541GNAC) with much better specs than my old OpenWrt router (TP-Link TL-WDR4300). So, I ditched OpenWrt and started using the company’s router.

But the Mitrastar needed to be factory reset every 6 months because it had some problems with the DHCP in my network. Recently, I offloaded the DHCP to an OrangePi 3B, but now my home network was relying too much on the availability of this device. Also, the Mitrastar is starting to show its age without features like WiFi 6…

A couple of weeks ago I found on Aliexpress a new Xiaomi AX3000T router. It has an amazing set of specs:

  • 2 ARMv8 cores @ 1.3GHz (MediaTek MT7981B)
  • 128 MB ROM
  • 256 MB RAM
  • WiFi 6 (AX) in the 2.4 GHz and 5 GHz bands

And it’s compatible with the lastest snapshot of OpenWrt:

https://openwrt.org/inbox/toh/xiaomi/ax3000t

I was able to get it during the AliExpress ChoiceDay (this happens the first days of each month) for 26 EUR (including a 4 EUR coupon).

When it arrived, I found it a bit smaller than what I expected, and I liked its minimalist look. It has only one button for WPS (+ the reset pinhole), and one LED in the front panel (i.e. it does not have LEDs on the ethernet ports).

Everything was in Chinese, but it’s easy to read it using the Google Translate camera, only for the steps necessary to set up OpenWrt. I did a simple installation without the U-Boot boot loader.

So, I put again an OpenWrt router back in my home network moving the DHCP and WireGuard services to the router. I had forgotten the beauty and simplicity of OpenWrt.

I also tested adblock-lean and it works quite well on the router with big lists like https://oisd.nl/: It’s able to manage the 660K domains of both oisd big and osid nsfw lists. But at the moment I’ll continue using the Pi-hole on the OrangePi. I still need the OrangePi to run Home Assistant and the NAS.


WireGuard

I always used OpenVPN in my servers, but now WireGuard is a better option:

https://www.wireguard.com/

  • It’s simpler
  • It’s more efficient
  • It’s faster
  • It uses modern cryptography algorithms

I’m using it to remotely access private services in my home server. I setup a star topology, where all the VPN clients connect to the home server and they can only see the server.

So I need a dynamic DNS and an open port in the router, I already have them for Home Assistant.

Eloy Coto recommended Tailscale, it is an amazing mesh VPN based in WireGuard. It’s much simpler to set up, and you do not need to open public ports, but it’s commercial and a bit overkill for my needs.

Generating the WireGuard configurations

The most tedious part of WireGuard is to generate the configurations, but there are some nice tools to ease that, like:

https://www.wireguardconfig.com/

The tool generates the configuration for the server and for the requested number of clients. It does everything in the frontend, so it is not leaking the VPN keys.

As I’m only acessing the server, I have removed the IP forwarding options in the Post-Up and Post-Down rules.

Installing and configuring the WireGuard server

WireGuard is in the official Ubuntu repos, so to install it in the server it’s enough to do:

sudo apt install wireguard

Then I needed to put the config in the /etc/wireguard/wg0.conf file and do:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Installing and configuring the clients

WireGuard has clients for almost any OS:

https://www.wireguard.com/install/

To setup the client in the phones, the WireGuard Config web tool generates QR codes. In other devices you’ll need to create a file with it or paste the config contents.

Using Pi-hole from the VPN clients

To use the Pi-hole hosted in the same VPN server from the VPN clients, you can specify a DNS property in the client config, i.e. if the server is 100.100.1.1 and the client is 100.100.1.2:

[Interface]
PrivateKey = <client-private-key>
Address = 100.100.1.2/32
DNS = 100.100.1.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
Endpoint = <my-home-server>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Every time that you connect the VPN, the DNS server in the client changes to 100.100.1.1 and it is reverted to the previous DNS server when the VPN is disconnected.

Additionally, Pi-hole needs to be listening in the wg0 interface, I explained how to make Pi-hole listen on multiple interfaces in the Pi-hole post.