WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
- Openmediavault-wireguard integrates into the OMV interface the ability to generate one or more point-to-site and/or point-to-point encrypted Wireguard VPN connection networks with two clicks.
- Wireguard's point-to-site connection allows access to the entire network where the server is, that is, you will be able to access all your shared folders and all the services you have configured on your local network as if you were there.
- In addition, all client traffic will be forwarded through the VPN connection (if you want), providing privacy through the encrypted connection. You can be connected to a public Wi-Fi network and navigate with the security that nobody sees what you do.
- The point-to-point connection allows the connection between two servers, communicating only with each other. For example to make remote backups.
Installing the Plugin
- Prerequisite. You must have the openmediavault-omvextrasorg plugin installed. You can see how to do it here OMV-Extras.org Plugin.
- To install the openmediavault-wireguard plugin: In the OMV GUI go to System> Plugins> find and select the openmediavault-wireguard plugin and click "Install".
Configuration of a Wireguard Tunnel
- In the OMV GUI go to Services> Wireguard> Tunnels> Press the "Create" button.
In the dialog box enable the tunnel and fill in the fields:
- Name: You can name the tunnel to identify it later.
Adapter: Click on the Network adapter dropdown menu and choose your
- If you are not sure which adapter you have, you can go to Network>Interfaces to find out.
- You must write the public IP address of your router if it is fixed, or the name of your domain if your public IP is dynamic. This endpoint will direct the client to the public IP of your router.
- If your IP is dynamic and you do not have a domain, a simple solution may be the one described in this guide. [How-To] Install DuckDNS. Automatic dynamic IP update. On google you can find other solutions.
- In the Port field, type the port you want to use for the connection. Usually it is 51820.
- You can choose any available port, as long as it is not already in use on your system by another service or by another Wireguard tunnel.
- Remember that you must open this port in the router and direct it to the IP of your server and with the same port. Use the UDP protocol. If you don't know how to do it, consult the manual of your router.
- Configure iptables. This will generate the settings in iptables to allow traffic on your internal network from outside. If you want to create a point to point tunnel you can disable it.
- Click the Save button and accept the changes. At this time the connection is configured and active.
- To modify the tunnel configuration, select the tunnel first and then press the "Edit" button.
- To delete a tunnel, select it first and then press the "Delete" button.
Configuration of a Client
- In the OMV GUI go to Services> Wireguard> Clients> Press the "Create" button.
In the dialog box enable the client and fill in the data:
- Client number: It must not coincide with that of other clients.
- Tunnel number: You must assign the client to one of the previously created tunnels.
- Name: You can name the client to identify it later.
- Click "Save". At this point, if you have already activated the tunnel and the client, the connection will be up and running.
- By pressing the "Edit" button you can modify the parameters or disable the client. Select the client first.
- Pressing the "Delete" button will remove the client from the tunnel. Select the client first.
- By pressing the "Client configuration" button you can see the client configuration file. You can copy and paste the text into a file to configure the connection on the client. If you do it this way, add the extension ".conf" to the created file. Treat this file like a password; it is the access key to your network. Once the connection is configured, it is advisable to delete this file for security.
- A QR will appear in the table (if the client is enabled), which you can scan from a smartphone to configure the connection without having to copy a file. If you need to send it you can take a photo. Treat this image as a password, it is the access key to your network.
- Use a different client configuration for each client. If you configure the same connection on several clients at the same time, they will not be able to connect simultaneously.
How to configure a smartphone or pc:
If the client is a smartphone (Android or iOS):
- Install the Wireguard App on your smartphone.
- Open the app and tap the + button to add a connection. Tap the option to scan a QR code.
- Alternatively it can be configured from a text file in the same way as a PC (see next point)
- In the OMV interface go to Services>Wireguard>Clients. Scan the corresponding client's QR code from the smartphone.
- Type a name for your connection on your smartphone and tap OK.
- Your client is configured. You just have to activate the connection and you will have access to the network of your server.
- Depending on the configuration of your router, the connection may not work if you are connected by Wi-Fi on the same network as the server, please disable the Wi-Fi connection of the smartphone in this case.
If the client is a PC (Linux, macOS or Windows):
- Install the Wireguard application on the PC. https://www.wireguard.com/install/
- In the OMV interface, go to Services> Wireguard> Clients, click the Client Configuration button. A window with client settings will open. Copy and paste the text into a file and add the extension ".conf" to it, save it on the desktop of the PC you want to configure.
- Open the Wireguard app and click add connection from file. Select the file from your desktop and click ok.
- Your client is configured. You just have to activate the connection and you will have access to the network of your server.
- If you need to split the tunnel traffic for some reason you can edit the AllowedIPs field on the client. Changing the value 0.0.0.0/0 to something else will restrict tunnel traffic to the specified IP range. For example, if you only want to forward traffic to access your 192.168.1.x network you can specify 192.168.1.0/24.
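The effect of the AllowedIPs setting described above can be checked before a client file is handed out. The following is an added example, not code from the plugin or from WireGuard: it reads a client configuration and reports which destinations would be sent into the tunnel. The sample configuration, its keys, the 10.192.1.0/24 tunnel subnet and the endpoint name are constructed placeholders.

```python
import ipaddress

# Constructed sample in the layout of a WireGuard client file; keys, addresses
# and endpoint are placeholders, not values produced by the plugin.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.192.1.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.org:51820
AllowedIPs = 192.168.1.0/24, 10.192.1.0/24
"""

def allowed_networks(conf_text):
    """Return every network listed on AllowedIPs lines in [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def uses_tunnel(conf_text, destination):
    """True if traffic to `destination` is sent into the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == n.version and addr in n
               for n in allowed_networks(conf_text))

def is_full_tunnel(conf_text):
    """True if a default route (0.0.0.0/0 or ::/0) is in AllowedIPs."""
    return any(n.prefixlen == 0 for n in allowed_networks(conf_text))

if __name__ == "__main__":
    for dest in ("192.168.1.50", "10.192.1.1", "8.8.8.8"):
        print(dest, "->", "tunnel" if uses_tunnel(SAMPLE_CONF, dest) else "direct")
    print("full tunnel:", is_full_tunnel(SAMPLE_CONF))
```

With a split tunnel, traffic to addresses outside the listed ranges leaves the client directly and is not protected by the VPN, which matters on the public Wi-Fi case mentioned earlier.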