VPN configuration

Wireguard

Wireguard is a modern VPN architecture with clients most operating systems. It is typically simpler to configure than other VPN solutions, and offers exceptional speeds and performance. This makes it the preferred choice for VPN networking on embedded devices like the Packet Squirrel.

Requirements

Using a Packet Squirrel as a Wireguard client of course requires a Wireguard server on a public IP address reachable by the Packet Squirrel network.

For more information about configuring a Wireguard server, we recommend the official Wireguard documentation and third-party documentation like the Digital Ocean tutorial on Wireguard.

Some commercial VPN services may also offer Wireguard options.

Configuring Wireguard

Configuring the Packet Squirrel to be a Wireguard VPN client can be done via the WIREGUARD command. This command simplifies the process and works with the uci and NETMODE commands.

The WIREGUARD command is configured by several environment variables, and should be configured before NETMODE is called.

Configuration options

Variable

Configuration

WG_KEY

Wireguard client private key (generated by wg genkey)

WG_ADDR

Wireguard client IPv4 address

WG_ADDR6

Wireguard client IPv6 address (optional)

WG_PUB

Wireguard server public key

WG_PSK

Wireguard server pre-shared key (optional)

WG_SERV

Wireguard server address

WG_PORT

Wireguard server port

Example use

The WIREGUARD command should be called in a payload before the NETMODE command, for example:

#!/bin/bash

# Title: Wireguard
# Description: Example Wireguard configuration 

# First, we define all the environment variables.  Use the 'export' 
# command to make them available to the WIREGUARD command. 

# Set the private key of this client, generated by 'wg genkey'.  The 
# server must be configured with the public key for this client!
export WG_KEY="0NdX+uzkgPs5gu0inDxhtQsMG9MmAcFxc5DHQL1nTn4="

# Set the IPv4 address of this endpoint.  This is the private address 
# inside the VPN 
export WG_ADDR="10.10.10.42"

# Set the IPv6 (if any) of this endpoint.  This is the private address 
# inside the VPN.  For IPv4 only, don't provide a WG_ADDR6
export WG_ADDR6="2001:0db8:85a3:0000:0000:8a2e:0370:7334"

# Set the wireguard SERVER public key.  This must match your server public key!
export WG_PUB="NDYEu47emGG4ei5iCwotBNaA27ZI9ss+e7yTmpCRIUU="

# Set the wireguard server PSK.  This is an additional security measure on 
# top of the key exchange.  If you have no psk, don't define a WG_PSK.
export WG_PSK="wexnHUPDZXFwx2FXi55t/Hrh/grvUxiwKkMzGbskA3E="

# Set the wireguard server address
export WG_SERV="1.2.3.4"

# Set the wireguard server port
export WG_PORT="12345"

# Run the WIREGUARD command to generate the config
WIREGUARD

# Set the network mode
NETMODE BRIDGE

# Start the SSH server
SSH_START

# Do other payload activity...

OpenVPN

OpenVPN is another common VPN system with support for essentially all operating systems. It typically is slightly slower (about 50% the speed of Wireguard) but is well supported and documented.

Requirements

Using a Packet Squirrel as an OpenVPN client of course requires an OpenVPN server on a public IP address reachable by the Packet Squirrel network.

For more information about configuring an OpenVPN server, we recommend the OpenVPN community installation guides, and the Digital Ocean configuration guide.

Some commercial VPN services may also offer OpenVPN options.

You will need an OpenVPN configuration file including the embedded certificates to configure the Packet Squirrel OpenVPN client.

Configuring OpenVPN

OpenVPN on the Packet Squirrel is configured by placing the OpenVPN configuration in /tmp/openvpn.conf and starting the OpenVPN service.

This should be done after the NETMODE command; the OpenVPN client must be able to contact the server!

#!/bin/bash 

# Title: OpenVPN Example
#
# Description: Demonstrate running the Packet Squirrel as an OpenVPN appliance.

# Clients will receive an IP address from the Packet Squirrel via NETMODE NAT
# (DHCP Server), and their Internet traffic will be tunneled through the 
# configured DHCP server. Include the contents of your .ovpn file below.

LED SETUP
NETMODE NAT

# This will copy the openvpn.conf file out of the payload into 
# /tmp/openvpn.conf
cat <<EOF > /tmp/openvpn.conf

# Replace this line with the multi-line contents of your .ovpn config file.

EOF

# This will launch the openvpn service
service openvpn start

SSH_START
LED ATTACK

Last updated 2 years ago

Was this helpful?