keteflips/Router_Configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add wireguard2.md

Browse Source
This commit is contained in:
keteflips
2026-02-16 19:47:12 +01:00
parent 3aa3b45ad1
commit afcf06732b
1 changed files with 105 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
wireguard2.md Normal file
View File

@@ -0,0 +1,105 @@
# Configuración WireGuard - EdgeRouter 4 (v3.0.1)
Documentación técnica para la implementación de WireGuard VPN. Esta configuración permite el acceso a la red interna (LAN) y la salida a Internet (Full Tunnel) a través de la interfaz PPPoE.
---
## **INSTALL**
Ejecutar estos comandos en el modo operativo (fuera de `configure`) para instalar el paquete y preparar las llaves criptográficas.
```bash
# Descarga del paquete compatible con kernel v2/v3
curl -OL [https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb](https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb)
# Instalación del módulo
sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb
# Preparación de credenciales
mkdir -p /config/auth
cd /config/auth
wg genkey | tee privatekey | wg pubkey > publickey
```
---
## **CONFIGURE**
Acceder al modo de configuración:
```bash
configure
```
### **1. Configure Server (Interface wg0)**
Configuración de la interfaz virtual de la VPN.
```bash
set interfaces wireguard wg0 private-key /config/auth/privatekey
set interfaces wireguard wg0 address 10.200.254.1/24
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 listen-port 51820
```
### **2. Configure Peer (Clientes)**
Configuración del cliente HMAlH... Se deja sin 'endpoint' para que el router actúe como servidor pasivo.
```bash
set interfaces wireguard wg0 peer HMAlHHPMLvcDWhPoGbOkpDiKpZbdfkPZfIb7z6Q3XV0= allowed-ips 10.200.254.101/32
set interfaces wireguard wg0 peer HMAlHHPMLvcDWhPoGbOkpDiKpZbdfkPZfIb7z6Q3XV0= persistent-keepalive 25
```
### **3. Configure Firewall**
Reglas de seguridad para permitir la entrada del túnel y el tráfico hacia la LAN.
#### **Apertura de puerto WAN (Local)**
```bash
set firewall name INTERNET_LOCAL rule 10 description "Permitir WireGuard"
set firewall name INTERNET_LOCAL rule 10 action accept
set firewall name INTERNET_LOCAL rule 10 protocol udp
set firewall name INTERNET_LOCAL rule 10 destination port 51820
# Aplicar el ruleset a la interfaz PPPoE (Digi)
set interfaces pppoe pppoe0 firewall local name INTERNET_LOCAL
```
#### **Tráfico hacia la red interna (Forward)**
```bash
set firewall name WAN_IN rule 20 description "WireGuard to LAN"
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 source address 10.200.254.0/24
```
### **4. Configure NAT**
Enmascaramiento para permitir que los clientes VPN naveguen por Internet a través de la interfaz de Digi.
```bash
set service nat rule 5010 description 'WireGuard NAT'
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
set service nat rule 5010 source address 10.200.254.0/24
```
---
## **Save changes**
```bash
commit
save
exit
```
---
## **CLIENT CONFIGURATION (.conf)**
Configuración recomendada para el dispositivo cliente (Móvil/PC).
```ini
[Interface]
Address = 10.200.254.101/32
PrivateKey = ****************
DNS = 1.1.1.1, 192.168.1.1
[Peer]
PublicKey = GMZb+gET9ccNeA6QwOvrQ1Xmhs0V+VuM931JvDYE
Endpoint = capsulecorp.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24
PersistentKeepalive = 25
```