| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
userdoc:tt_edgerouter-x [2018/12/23 20:20]
abelbeck [WireGuard VPN Setup on OpenWrt] |
userdoc:tt_edgerouter-x [2022/08/29 07:23] (current)
mkeuter [Flash ER-X with OpenWrt using AstLinux] |
| AstLinux supports many different x86 (32-bit and 64-bit) hardware devices, so when a remote VPN endpoint is desired in your AstLinux constellation it makes sense to first consider yet another AstLinux solution. Quite often AstLinux is the best solution ... familiarity, full-system firmware upgrades, and if true, you can quit reading any further. | AstLinux supports many different x86 (32-bit and 64-bit) hardware devices, so when a remote VPN endpoint is desired in your AstLinux constellation it makes sense to first consider yet another AstLinux solution. Quite often AstLinux is the best solution ... familiarity, full-system firmware upgrades, and if true, you can quit reading any further. |
| |
| As an alternative for a remote VPN endpoint, the Ubiquiti Networks [[https://www.ubnt.com/edgemax/edgerouter-x/|EdgeRouter-X]] occupies a special sweet-spot of quality hardware and low price (currently, January 2019). While similarly priced to a [[https://www.raspberrypi.org/|Raspberry Pi]] complete system, the EdgeRouter-X has quality hardware designed for networking, including a built-in 5-port Gbit ethernet switch. Additionally, the EdgeRouter-X is only 40%-50% of the cost of the **least** expensive multi-NIC x86 system required by AstLinux. | As an alternative for a remote VPN endpoint, the Ubiquiti Networks [[https://www.ubnt.com/edgemax/edgerouter-x/|EdgeRouter-X]] occupies a special sweet-spot of quality hardware and low price (currently, January 2019). While similarly priced to a [[https://www.raspberrypi.org/|Raspberry Pi]] complete system, the EdgeRouter-X has quality hardware designed for networking, including a built-in 5-port Gbit ethernet switch. Additionally, the EdgeRouter-X is less-than-half the cost of the **least** expensive multi-NIC x86 system required to run AstLinux. |
| |
| {{:userdoc:edgerouter-x-photo.png?nolink|EdgeRouter-X}} | {{:userdoc:edgerouter-x-photo.png?nolink|EdgeRouter-X}} |
| |
| Since the EdgeRouter-X is not x86 hardware, AstLinux will not run on it. The default EdgeRouter-X firmware is EdgeOS, documentation found here: [[https://www.ubnt.com/downloads/guides/edgemax/EdgeOS_UG.pdf|EdgeOS User Guide]]. The WireGuard VPN is currently available for EdgeOS as a third-party ''.deb'' package found here: [[https://github.com/Lochnair/vyatta-wireguard|vyatta-wireguard]]. | Since the EdgeRouter-X is not x86 hardware, AstLinux will not run on it. The default EdgeRouter-X firmware is EdgeOS, documentation found here: [[https://www.ubnt.com/downloads/guides/edgemax/EdgeOS_UG.pdf|EdgeOS User Guide]]. The WireGuard VPN is currently available for EdgeOS as a third-party ''wireguard-e50-<revision>.deb'' package found here: [[https://github.com/Lochnair/vyatta-wireguard|vyatta-wireguard]]. |
| |
| Alternatively, the [[https://openwrt.org/toh/ubiquiti/ubiquiti_edgerouter_x_er-x_ka|OpenWrt Project]] offers firmware specifically built for the EdgeRouter-X with impressive performance. The current standard ''18.06.1'' release performs NAT routing at near 1 Gbps line speed, and WireGuard VPN performance at around 180 Mbps. Quite impressive for a 880 MHz CPU. | Alternatively, the [[https://openwrt.org/toh/ubiquiti/ubiquiti_edgerouter_x_er-x_ka|OpenWrt Project]] offers firmware specifically built for the EdgeRouter-X with impressive performance. The current standard ''18.06.1'' release performs NAT routing at near 1 Gbps line speed, and WireGuard VPN performance at around 180 Mbps. Quite reasonable for a 32-bit, 880 MHz CPU. |
| |
| It could be said that the EdgeRouter-X with OpenWrt and the WireGuard VPN in the kernel is an ideal solution for a remote VPN endpoint. The rest of this documentation describes how to install the current release of OpenWrt ''18.06.1'' on a Ubiquiti Networks EdgeRouter-X (ER-X). | It could be said that the EdgeRouter-X with OpenWrt and the WireGuard VPN in the kernel is an ideal solution for a remote VPN endpoint. The rest of this documentation describes how to install the current release of OpenWrt ''18.06.1'' on a Ubiquiti Networks EdgeRouter-X (ER-X). |
| Also required is a "USB-to-TTL Serial Cable" commonly used with development boards like the Raspberry Pi, BeagleBone Black, Arduino, etc. Search Amazon for "usb serial ttl". A FTDI chipset is preferred, but a Prolific-PL2303 should also work. You also want the individual pins to be separate not molded together. | Also required is a "USB-to-TTL Serial Cable" commonly used with development boards like the Raspberry Pi, BeagleBone Black, Arduino, etc. Search Amazon for "usb serial ttl". A FTDI chipset is preferred, but a Prolific-PL2303 should also work. You also want the individual pins to be separate not molded together. |
| |
| It is assumed the 1st LAN network of AstLinux is 192.168.101.1/24, adjust accordingly below if yours is different. | It is assumed the 1st LAN network of AstLinux is ''192.168.101.1/24'', adjust accordingly below if yours is different. |
| |
| Do not connect power to the ER-X, yet. | !!Do not connect power to the ER-X, yet.!! |
| |
| Connect the ER-X ''eth0'' port to the AstLinux LAN 192.168.101.1/24 network (yellow cable). | Connect the ER-X ''eth0'' port to the AstLinux LAN ''192.168.101.1/24'' network (yellow cable). |
| |
| {{:userdoc:edgerouter-x-astlinux-server.jpeg?nolink|ER-X AstLinux layout}} | {{:userdoc:edgerouter-x-astlinux-server.jpeg?nolink|ER-X AstLinux layout}} |
| |
| With the "System Load Linux to SDRAM via TFTP" chosen, you need to specify two IP addresses and the name of the TFTP filename ''openwrt.bin'', as show above. | With the "System Load Linux to SDRAM via TFTP" chosen, you need to specify two IP addresses and the name of the TFTP filename ''openwrt.bin'', as show above. |
| | |
| | !!Note ->!! Some OpenWRT devices work exclusively with ''192.168.1.1'' + ''192.168.1.2'' as the device + server IP addresses! ((use e.g.\\ ''ifconfig eth1:1 192.168.1.2 netmask 255.255.255.0 up''\\ to add an additional virtual address to the server)) |
| |
| Type RETURN and the ER-X should reboot into the factory initramfs-kernel of OpenWrt. After the dmesg logs appear to stop, type RETURN again, you should see a login as shown below: | Type RETURN and the ER-X should reboot into the factory initramfs-kernel of OpenWrt. After the dmesg logs appear to stop, type RETURN again, you should see a login as shown below: |
| {{:userdoc:edgerouter-x-click-save-apply.png?nolink|Click Save & Apply}} | {{:userdoc:edgerouter-x-click-save-apply.png?nolink|Click Save & Apply}} |
| |
| After a few seconds, no reboot needed, the LAN will now be a 10.1.1.0/24 network. If you were connected via a LAN device, you must change to ''https://10.1.1.1'' to return to the OpenWrt web interface. | After a few seconds, no reboot needed, the LAN will now be a ''10.1.1.0/24'' network. If you were connected via a LAN device, you must change to ''https://10.1.1.1'' to return to the OpenWrt web interface. |
| |
| \\ | \\ |
| Endpoint = vpn20.example.com:51820 | Endpoint = vpn20.example.com:51820 |
| AllowedIPs = 10.4.0.20/32, 10.1.1.0/24 | AllowedIPs = 10.4.0.20/32, 10.1.1.0/24 |
| PersistentKeepalive = 0 | PersistentKeepalive = 25 |
| |
| | !!Tip ->!! Both ''Endpoint'' and ''PersistentKeepalive'' could be removed from the peer definition above if the AstLinux endpoint has a static public WAN IP address, thereby the OpenWrt endpoint would initiate and establish the VPN. |
| |
| \\ | \\ |
| {{:userdoc:edgerouter-x-firewall-wg-interface.png?nolink|Firewall WireGuard Interface}} | {{:userdoc:edgerouter-x-firewall-wg-interface.png?nolink|Firewall WireGuard Interface}} |
| |
| | ===== Alternatives to the EdgeRouter X ===== |
| |
| | The EdgeRouter-X is sometimes hard to get. Kind of alternatives are the "travel router" devices from [[https://www.gl-inet.com/products/|GL.inet]] as they are already based on OpenWRT (plus an additional GL.inet WebGUI) and already include WireGuard and OpenVPN. But they are using plastic cases. You can also easy switch directly to Luci. |
| | |
| | |
| | \\ |
| | \\ |
| | ---- |