userdoc:tt_edgerouter-x

Differences

This shows you the differences between two versions of the page.

userdoc:tt_edgerouter-x [2018/12/23 15:03]
abelbeck [WireGuard VPN Setup on OpenWrt]
userdoc:tt_edgerouter-x [2022/08/29 07:23] (current)
mkeuter [Flash ER-X with OpenWrt using AstLinux]
Line 3: Line 3:
 AstLinux supports many different x86 (32-bit and 64-bit) hardware devices, so when a remote VPN endpoint is desired in your AstLinux constellation it makes sense to first consider yet another AstLinux solution.  Quite often AstLinux is the best solution ... familiarity, full-system firmware upgrades, and if true, you can quit reading any further. AstLinux supports many different x86 (32-bit and 64-bit) hardware devices, so when a remote VPN endpoint is desired in your AstLinux constellation it makes sense to first consider yet another AstLinux solution.  Quite often AstLinux is the best solution ... familiarity, full-system firmware upgrades, and if true, you can quit reading any further.
  
-As an alternative for a remote VPN endpoint, the Ubiquiti Networks [[https://www.ubnt.com/edgemax/edgerouter-x/|EdgeRouter-X]] occupies a special sweet-spot of quality hardware and low price  (currently, January 2019). While similarly priced to a [[https://www.raspberrypi.org/|Raspberry Pi]] complete system, the EdgeRouter-X has quality hardware designed for networking, including a built-in 5-port Gbit ethernet switch.  Additionally, the EdgeRouter-X is only 40%-50% of the cost of the **least** expensive multi-NIC x86 system required by AstLinux.+As an alternative for a remote VPN endpoint, the Ubiquiti Networks [[https://www.ubnt.com/edgemax/edgerouter-x/|EdgeRouter-X]] occupies a special sweet-spot of quality hardware and low price  (currently, January 2019). While similarly priced to a [[https://www.raspberrypi.org/|Raspberry Pi]] complete system, the EdgeRouter-X has quality hardware designed for networking, including a built-in 5-port Gbit ethernet switch.  Additionally, the EdgeRouter-X is less-than-half the cost of the **least** expensive multi-NIC x86 system required to run AstLinux.
  
 {{:userdoc:edgerouter-x-photo.png?nolink|EdgeRouter-X}} {{:userdoc:edgerouter-x-photo.png?nolink|EdgeRouter-X}}
  
-Since the EdgeRouter-X is not x86 hardware, AstLinux will not run on it.  The default EdgeRouter-X firmware is EdgeOS, documentation found here: [[https://www.ubnt.com/downloads/guides/edgemax/EdgeOS_UG.pdf|EdgeOS User Guide]].  The WireGuard VPN is currently available for EdgeOS as a third-party ''.deb'' package found here: [[https://github.com/Lochnair/vyatta-wireguard|vyatta-wireguard]].+Since the EdgeRouter-X is not x86 hardware, AstLinux will not run on it.  The default EdgeRouter-X firmware is EdgeOS, documentation found here: [[https://www.ubnt.com/downloads/guides/edgemax/EdgeOS_UG.pdf|EdgeOS User Guide]].  The WireGuard VPN is currently available for EdgeOS as a third-party ''wireguard-e50-<revision>.deb'' package found here: [[https://github.com/Lochnair/vyatta-wireguard|vyatta-wireguard]].
  
-Alternatively, the [[https://openwrt.org/toh/ubiquiti/ubiquiti_edgerouter_x_er-x_ka|OpenWrt Project]] offers firmware specifically built for the EdgeRouter-X with impressive performance.  The current standard ''18.06.1'' release performs NAT routing at near 1 Gbps line speed, and WireGuard VPN performance at around 180 Mbps.  Quite impressive for a 880 MHz CPU.+Alternatively, the [[https://openwrt.org/toh/ubiquiti/ubiquiti_edgerouter_x_er-x_ka|OpenWrt Project]] offers firmware specifically built for the EdgeRouter-X with impressive performance.  The current standard ''18.06.1'' release performs NAT routing at near 1 Gbps line speed, and WireGuard VPN performance at around 180 Mbps.  Quite reasonable for a 32-bit, 880 MHz CPU.
  
 It could be said that the EdgeRouter-X with OpenWrt and the WireGuard VPN in the kernel is an ideal solution for a remote VPN endpoint.  The rest of this documentation describes how to install the current release of OpenWrt ''18.06.1'' on a Ubiquiti Networks EdgeRouter-X (ER-X). It could be said that the EdgeRouter-X with OpenWrt and the WireGuard VPN in the kernel is an ideal solution for a remote VPN endpoint.  The rest of this documentation describes how to install the current release of OpenWrt ''18.06.1'' on a Ubiquiti Networks EdgeRouter-X (ER-X).
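Review bot: The reworded performance sentence still calls ''18.06.1'' the "current standard" release, and the first changed paragraph keeps "(currently, January 2019)", although the newer revision is dated 2022/08/29. Suggest wording these as "as tested with ''18.06.1''" and "as of January 2019" so they do not read as current claims. Since the EdgeOS option is a third-party ''wireguard-e50-<revision>.deb'', it would also help to say where on the linked vyatta-wireguard page the reader finds the revision to pick.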
Line 21: Line 21:
 Also required is a "USB-to-TTL Serial Cable" commonly used with development boards like the Raspberry Pi, BeagleBone Black, Arduino, etc.  Search Amazon for "usb serial ttl" A FTDI chipset is preferred, but a Prolific-PL2303 should also work.  You also want the individual pins to be separate not molded together. Also required is a "USB-to-TTL Serial Cable" commonly used with development boards like the Raspberry Pi, BeagleBone Black, Arduino, etc.  Search Amazon for "usb serial ttl" A FTDI chipset is preferred, but a Prolific-PL2303 should also work.  You also want the individual pins to be separate not molded together.
  
-It is assumed the 1st LAN network of AstLinux is 192.168.101.1/24, adjust accordingly below if yours is different.+It is assumed the 1st LAN network of AstLinux is ''192.168.101.1/24'', adjust accordingly below if yours is different.
  
-Do not connect power to the ER-X, yet.+!!Do not connect power to the ER-X, yet.!!
  
-Connect the ER-X ''eth0'' port to the AstLinux LAN 192.168.101.1/24 network (yellow cable).+Connect the ER-X ''eth0'' port to the AstLinux LAN ''192.168.101.1/24'' network (yellow cable).
  
 {{:userdoc:edgerouter-x-astlinux-server.jpeg?nolink|ER-X AstLinux layout}} {{:userdoc:edgerouter-x-astlinux-server.jpeg?nolink|ER-X AstLinux layout}}
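Review bot: Both changed lines call ''192.168.101.1/24'' a network, but it is written as a host address with a prefix length, while a later line on this page writes the OpenWrt LAN as ''10.1.1.0/24''. Suggest ''192.168.101.0/24'' for the network, and if ''192.168.101.1'' is meant as the AstLinux LAN address, state that separately so the reader knows which value to adjust.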
Line 60: Line 60:
  
 With the "System Load Linux to SDRAM via TFTP" chosen, you need to specify two IP addresses and the name of the TFTP filename ''openwrt.bin'', as show above. With the "System Load Linux to SDRAM via TFTP" chosen, you need to specify two IP addresses and the name of the TFTP filename ''openwrt.bin'', as show above.
 +
 +!!Note ->!! Some OpenWRT devices work exclusively with ''192.168.1.1'' + ''192.168.1.2'' as the device + server IP addresses! ((use e.g.\\  ''ifconfig eth1:1 192.168.1.2 netmask 255.255.255.0 up''\\ to add an additional virtual address to the server))
  
 Type RETURN and the ER-X should reboot into the factory initramfs-kernel of OpenWrt.  After the dmesg logs appear to stop, type RETURN again, you should see a login as shown below: Type RETURN and the ER-X should reboot into the factory initramfs-kernel of OpenWrt.  After the dmesg logs appear to stop, type RETURN again, you should see a login as shown below:
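Review bot: The added footnote hard-codes ''eth1:1'' in the ''ifconfig'' example without saying it must be the AstLinux interface the ER-X is cabled to, and the note only implies by word order which of ''192.168.1.1'' and ''192.168.1.2'' is the device and which is the server. Suggest naming the two addresses explicitly, telling the reader to substitute their own LAN interface, and adding that the extra address can be removed once flashing is done. "OpenWRT" should be "OpenWrt", as elsewhere on the page.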
Line 119: Line 121:
 {{:userdoc:edgerouter-x-click-save-apply.png?nolink|Click Save & Apply}} {{:userdoc:edgerouter-x-click-save-apply.png?nolink|Click Save & Apply}}
  
-After a few seconds, no reboot needed, the LAN will now be a 10.1.1.0/24 network.  If you were connected via a LAN device, you must change to ''https://10.1.1.1'' to return to the OpenWrt web interface.+After a few seconds, no reboot needed, the LAN will now be a ''10.1.1.0/24'' network.  If you were connected via a LAN device, you must change to ''https://10.1.1.1'' to return to the OpenWrt web interface.
  
 \\ \\
Line 139: Line 141:
 Apply the generated keys as follows: Apply the generated keys as follows:
  
-  * Use your generated Private Key in the **Common Configuration** below.+  * Use your generated Private Key in the interface **Common Configuration** below.
   * Use your generated Public Key in the remote WireGuard VPN peer AstLinux configuration.   * Use your generated Public Key in the remote WireGuard VPN peer AstLinux configuration.
   * Use the AstLinux remote WireGuard VPN Public Key in the **Peers** configurations below.   * Use the AstLinux remote WireGuard VPN Public Key in the **Peers** configurations below.
Line 152: Line 154:
   ## ER-X/OpenWrt   ## ER-X/OpenWrt
   PublicKey = eWn4K2agIgdmOVIZdUkE4viezPFMW7mfZAckOdRybBY=   PublicKey = eWn4K2agIgdmOVIZdUkE4viezPFMW7mfZAckOdRybBY=
 +  Endpoint = vpn20.example.com:51820
   AllowedIPs = 10.4.0.20/32, 10.1.1.0/24   AllowedIPs = 10.4.0.20/32, 10.1.1.0/24
-  PersistentKeepalive = 0+  PersistentKeepalive = 25
  
 +!!Tip ->!!  Both ''Endpoint'' and ''PersistentKeepalive'' could be removed from the peer definition above if the AstLinux endpoint has a static public WAN IP address, thereby the OpenWrt endpoint would initiate and establish the VPN.
  
 \\ \\
 **Add a WireGuard VPN interface** **Add a WireGuard VPN interface**
  
-Network -> Interfaces { Add new interface... }+Network -> Interfaces -> { Add new interface... }
  
 {{:userdoc:edgerouter-x-create-wg-interface.png?nolink|Create WireGuard Interface}} {{:userdoc:edgerouter-x-create-wg-interface.png?nolink|Create WireGuard Interface}}
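Review bot: The added Tip says when ''Endpoint'' and ''PersistentKeepalive'' can be dropped, but nothing in the hunk says what keeping them requires: with ''Endpoint = vpn20.example.com:51820'' in the AstLinux peer block, the ER-X has to be reachable at that name on UDP port 51820. Suggest one sentence stating that, and one explaining why ''PersistentKeepalive'' goes from ''0'' to ''25'', since the value changes without comment. In the Tip, "thereby" reads better as "in which case".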
Line 182: Line 186:
  
 {{:userdoc:edgerouter-x-config-wg-peer.png?nolink|Config WireGuard Peer}} {{:userdoc:edgerouter-x-config-wg-peer.png?nolink|Config WireGuard Peer}}
 +
 +Specify the "Public Key" from the AstLinux remote WireGuard VPN Public Key.
 +
 +The "Allowed IPs" are what networks are allowed in the tunnel, this simplest case is just the remote AstLinux WireGuard IP address.  If you add additional remote networks, you will want to also check "Route Allowed IPs" to automatically generate routes via the tunnel for those networks.
  
 After the peer is defined, “Save & Apply” changes and then restart WireGuard: After the peer is defined, “Save & Apply” changes and then restart WireGuard:
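Review bot: The added "Allowed IPs" paragraph has a typo ("this simplest case" for "the simplest case") and a comma splice, and it gives no example value. Suggest splitting it into two sentences and showing the address in the same ''/32'' form the AstLinux peer block uses for ''10.4.0.20/32'', so readers do not enter a wider prefix than intended. The "Public Key" sentence could read: Set "Public Key" to the AstLinux WireGuard public key.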
Line 211: Line 219:
 {{:userdoc:edgerouter-x-firewall-wg-interface.png?nolink|Firewall WireGuard Interface}} {{:userdoc:edgerouter-x-firewall-wg-interface.png?nolink|Firewall WireGuard Interface}}
  
 +===== Alternatives to the EdgeRouter X =====
  
 +The EdgeRouter-X is sometimes hard to get. Kind of alternatives are the "travel router" devices from [[https://www.gl-inet.com/products/|GL.inet]] as they are already based on OpenWRT (plus an additional GL.inet WebGUI) and already include WireGuard and OpenVPN. But they are using plastic cases. You can also easy switch directly to Luci.
 +
 +
 +\\ 
 +\\
 +----
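Review bot: The new "Alternatives" paragraph needs a wording pass: "Kind of alternatives are", "You can also easy switch", "OpenWRT" (the page uses "OpenWrt") and "Luci" (LuCI). "But they are using plastic cases" is left hanging; say why it matters for a remote VPN endpoint or drop it. Since the paragraph says these devices add a vendor WebGUI on top of OpenWrt, it would help to state whether the WireGuard steps above apply unchanged after switching to LuCI.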
  • userdoc/tt_edgerouter-x.1545599036.txt.gz
  • Last modified: 2018/12/23 15:03
  • by abelbeck