AntiZapret WireGuard/AmneziaWG on OpenWRT
t.me/aukernyam
Preamble:
To use WireGuard/AmneziaWG VPN configs on an OpenWRT router you first need to obtain the client .conf files from your VPS. The installation script can be found here: https://github.com/GubernievS/AntiZapret-VPN.
After creating the clients (described in the repo), copy the configs to your machine either via scp on Windows/Linux or with an SFTP client (e.g. FileZilla). Treat each .conf file as a secret: it contains the client's private key, and anyone who obtains it can connect as that client.
This guide uses LuCI, as it's easier for beginners to get around with.
Tested on OpenWRT 23.05; your results and the names of the options may differ.
Setup (General):
Create a firewall zone in Network --> Firewall with the following options:
- Name — any name (e.g. vpn);
- Input — Reject, Output — Accept, Forward — Reject (the router accepts nothing that arrives from the tunnel, and the zone does not forward between its own interfaces);
- Masquerading — On, MSS clamping — On;
- Covered networks — leave as None/unspecified, we will set this up later;
- Allow forward to destination zones — leave as None/unspecified, we will set this up later;
- Allow forward from source zones — LAN (only LAN clients may send traffic into the tunnel).
Optionally disable Rebind protection in Network --> DHCP and DNS. Rebind protection makes dnsmasq discard upstream answers that point to private (RFC 1918) addresses; if the VPN's resolver returns such addresses for the domains it handles (AntiZapret does this for blocked domains), those domains will not resolve while it is on. A narrower alternative is to keep it enabled and list only the affected domains in Domain whitelist (the rebind_domain option) on the same page.


Setup (WireGuard):
First, install the following packages on your router (either via opkg or in LuCI: update the list of packages in System --> Software --> Update lists..., then search for and install the needed packages):
wireguard-tools kmod-wireguard luci-proto-wireguard
After a reboot (System --> Reboot), log in to the LuCI interface, go to Network --> Interfaces and create a new interface with any name and the WireGuard VPN protocol selected. Then import your .conf file with the Import configuration button.

After importing, we've got a few things to edit in the interface:
Firstly, in Firewall Settings assign our previously-created firewall zone to the interface:

Secondly, edit the peer that was created after importing the config, in Peers:
- In Allowed IPs add 1.1.1.1/32, or whatever DNS server you'd like to use, with the /32 prefix (the prefixes imported from the .conf stay; this entry adds the DNS server to them).
- Turn on Route Allowed IPs, so that routes for these prefixes are installed via the tunnel.
- Optionally change the Persistent Keep Alive to 25 if you're behind NAT.
Save all the edits.
Lastly, change your WAN (and optionally WAN6) interface's DNS servers to the ones you added to the Allowed IPs list of the WireGuard VPN interface. First uncheck the Use DNS server advertised by peer option and then enter 1.1.1.1 (or whatever you chose previously) without a prefix, as shown below:

Save all the edits again; after a few seconds the VPN should be working. All of the router's DNS queries now go through the tunnel, so name resolution depends on the tunnel being up.
If you want, you can also check the latest handshake time and some other info about the current WireGuard connection in Status --> WireGuard.
Setup (AmneziaWG):
Look at your Target Platform in Status --> Overview. We'll use this information to determine which packages to download and install. Since AmneziaWG is currently not in the OpenWRT repo, we have to install the needed packages manually, which are:
1: kmod-amneziawg.ipk
2: amneziawg-tools.ipk
3: luci-proto-amneziawg.ipk (or luci-app-amneziawg.ipk)
Look in one of the following repos for the .ipk files:
- https://github.com/lolo6oT/awg-openwrt/releases
- https://github.com/Slava-Shchipunov/awg-openwrt/releases
Use CTRL+F to find the .ipk files built for the target platform noted earlier and for the exact OpenWRT version you have installed. The kernel module (kmod-amneziawg) is tied to the exact kernel build of a release, so a package for another version will refuse to install or will not load. These are third-party builds of a kernel module, so download them only from the release page of the repository you have decided to trust.
After downloading, go to System --> Software --> Upload Package... and install all three packages in the given order. After that, reboot the system in System --> Reboot.
After the reboot, go to Network --> Interfaces and create a new interface with any name and the AmneziaWG VPN protocol selected. Then import your .conf file with the Import configuration button.

After importing, we've got a few things to edit in the interface:
Firstly, in Firewall Settings assign our previously-created firewall zone to the interface:

Next, in AmneziaWG Settings set all the options (the Jc, Jmin, Jmax, S1, S2 and H1-H4 obfuscation parameters) to the values from the [Interface] section of the .conf file you downloaded, as shown in the example:

AmneziaWG, at least in the version for OpenWRT 23.05, has an annoying issue of not properly importing the Peer from the config. Because of that, import it again manually by pressing Import configuration as peer... in the Peers tab (drag and drop the .conf file there), and delete the blank peer (with no Allowed IPs and no Endpoint Host) if one appears, as shown below.

Now edit the peer that was created after importing the config:
- In Allowed IPs add 1.1.1.1/32, or whatever DNS server you'd like to use, with the /32 prefix (the prefixes imported from the .conf stay; this entry adds the DNS server to them).
- Turn on Route Allowed IPs, so that routes for these prefixes are installed via the tunnel.
- Optionally change the Persistent Keep Alive to 25 if you're behind NAT.
Save all the edits.
Lastly, change your WAN (and optionally WAN6) interface's DNS servers to the ones you added to the Allowed IPs list of the AmneziaWG VPN interface. First uncheck the Use DNS server advertised by peer option and then enter 1.1.1.1 (or whatever you chose previously) without a prefix, as shown below:

Save all the edits again; after a few seconds the VPN should be working.
If you want, you can also check the latest handshake time and some other info about the current AmneziaWG connection in Status --> AmneziaWG.
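The LuCI steps of both the WireGuard and the AmneziaWG sections map onto a handful of UCI settings. The script below is an added example, not part of the original guide or of the AntiZapret project: it parses a client .conf and prints the uci commands that reproduce the procedure (interface, peer with the DNS /32 appended to Allowed IPs and Route Allowed IPs on, keepalive, the firewall zone from Setup (General), WAN DNS). The interface name, zone name and DNS address are arbitrary inputs; the WireGuard option names are OpenWrt's documented ones, while the amneziawg proto name and the awg_jc..awg_h4 option names are assumed to be those used by the awg-openwrt packages linked above, so verify them against your build. The embedded config is constructed with placeholder keys and documentation addresses.

```shell
#!/bin/sh
# Added example, not the guide's own code: emit the `uci` commands that reproduce
# the LuCI steps for a WireGuard or AmneziaWG client .conf. Run on a workstation,
# review the output, paste it into the router's shell, then restart networking.
# Assumptions: 'amneziawg' proto and awg_jc..awg_h4 option names follow the
# awg-openwrt packages (verify against your build); names of interface/zone are free.

# usage: conf_to_uci IFACE ZONE DNS_IP < client.conf
conf_to_uci() {
    iface=$1 zone=$2 dns=$3
    proto=wireguard section="" priv="" addrs="" awg=""
    pub="" psk="" allowed="" ep_host="" ep_port="" keep=25
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        case "$line" in
            *"[Interface]"*) section=interface; continue ;;
            *"[Peer]"*)      section=peer; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t\r')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t\r')  # base64 keys keep their trailing '='
        case "$section:$key" in
            interface:PrivateKey) priv=$val ;;
            interface:Address)    addrs="$addrs $(printf '%s' "$val" | tr ',' ' ')" ;;
            interface:Jc|interface:Jmin|interface:Jmax|interface:S1|interface:S2|interface:H[1-4])
                proto=amneziawg                           # obfuscation params => AmneziaWG
                awg="$awg awg_$(printf '%s' "$key" | tr 'A-Z' 'a-z')=$val" ;;
            peer:PublicKey)           pub=$val ;;
            peer:PresharedKey)        psk=$val ;;
            peer:AllowedIPs)          allowed="$allowed $(printf '%s' "$val" | tr ',' ' ')" ;;
            peer:Endpoint)            ep_host=${val%:*}; ep_port=${val##*:} ;;
            peer:PersistentKeepalive) keep=$val ;;
        esac
    done
    if [ -z "$priv" ] || [ -z "$pub" ] || [ -z "$ep_host" ]; then
        echo "conf_to_uci: .conf is missing PrivateKey, PublicKey or Endpoint" >&2; return 1
    fi
    peer_sec="${proto}_${iface}"                          # wireguard_wg0 / amneziawg_awg0

    echo "uci set network.$iface=interface"
    echo "uci set network.$iface.proto='$proto'"
    echo "uci set network.$iface.private_key='$priv'"
    for a in $addrs; do echo "uci add_list network.$iface.addresses='$a'"; done
    for kv in $awg; do echo "uci set network.$iface.${kv%%=*}='${kv#*=}'"; done

    echo "uci add network $peer_sec"
    echo "uci set network.@$peer_sec[-1].public_key='$pub'"
    [ -z "$psk" ] || echo "uci set network.@$peer_sec[-1].preshared_key='$psk'"
    echo "uci set network.@$peer_sec[-1].endpoint_host='$ep_host'"
    echo "uci set network.@$peer_sec[-1].endpoint_port='$ep_port'"
    echo "uci set network.@$peer_sec[-1].persistent_keepalive='$keep'"
    echo "uci set network.@$peer_sec[-1].route_allowed_ips='1'"   # "Route Allowed IPs"
    for a in $allowed "$dns/32"; do echo "uci add_list network.@$peer_sec[-1].allowed_ips='$a'"; done

    # Firewall zone exactly as in "Setup (General)", now covering the new interface.
    echo "uci add firewall zone"
    for kv in name="$zone" input=REJECT output=ACCEPT forward=REJECT masq=1 mtu_fix=1; do
        echo "uci set firewall.@zone[-1].${kv%%=*}='${kv#*=}'"
    done
    echo "uci add_list firewall.@zone[-1].network='$iface'"
    echo "uci add firewall forwarding"
    echo "uci set firewall.@forwarding[-1].src='lan'"
    echo "uci set firewall.@forwarding[-1].dest='$zone'"

    # WAN DNS: ignore the ISP's resolvers and use the one routed through the tunnel.
    echo "uci set network.wan.peerdns='0'"
    echo "uci add_list network.wan.dns='$dns'"
    echo "uci commit network; uci commit firewall"
}

# Constructed sample config (placeholder keys, documentation addresses), not a real client.
SAMPLE_CONF='[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.29.8.2/32
DNS = 10.29.8.1
Jc = 4
Jmin = 40
Jmax = 70
S1 = 15
S2 = 27
H1 = 1234567
H2 = 2345678
H3 = 3456789
H4 = 4567890

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 10.29.8.0/24, 10.224.0.0/15
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25'

printf '%s\n' "$SAMPLE_CONF" | conf_to_uci awg0 vpn 1.1.1.1
```

The DNS line of the .conf is deliberately ignored: as in the guide, the router's WAN DNS is pointed at the address that is routed through the tunnel instead. After applying the output run /etc/init.d/network restart and confirm a handshake with wg show (or awg show for AmneziaWG).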
Troubleshooting:
Many issues may occur due to different AntiZapret versions or configurations on the server, the OpenWRT version, etc.
Some of the known issues are listed here with possible fixes (P - the problem, S - the solution):
- P: No packets are being sent/received by the router, or no handshake is being made.
S: Your public IP is probably temporarily blocked by the AntiZapret script; try rebooting the server entirely or making an exception in the ipset.
- P: Some of the blocked websites are not opening, or are showing a "you've been blocked" page.
S: Your server's IP is either not clean (i.e. it has previously been assigned to a machine used in criminal or abusive activities) or is misregistered in some of the GeoIP databases as if it were in one of the sanctioned countries. To solve this, you may try contacting your hosting support to change your IP, use a different hosting entirely, or use a proxy on the server, for example the one from Comss.ru (this option is available at the installation step in the newest AntiZapret version).
- P: Embedded YouTube videos do not play, with the error "Sign in to confirm you're not a bot".
S: Your IP was previously used on a machine with abusive behavior. Log in to your YouTube (Google) account and use either the official website or apps (that support account log-ins). There's nothing else you can do except trying to contact Google (proven to be almost useless), contacting your hosting support to change your machine's IP, or using a different hosting entirely.
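For the first problem above (no packets, no handshake), Status --> WireGuard shows the same data that wg show prints on the router. The function below is an added example, not part of the original guide: it reads the machine-readable output of wg show IFACE dump (AmneziaWG's awg show IFACE dump prints the same tab-separated layout) and reports, per peer, how old the latest handshake is and whether bytes are only leaving without anything coming back, which is the symptom of an endpoint that is unreachable or a server that has blocked your public IP. The 180-second "stale" threshold is this example's choice; the two dumps embedded in it are constructed with placeholder keys and documentation addresses.

```shell
#!/bin/sh
# Added example, not the guide's own code: on-router handshake check over the
# `wg show IFACE dump` / `awg show IFACE dump` output. Exit status is 0 when at
# least one peer completed a handshake within MAX_AGE seconds, 1 otherwise.
# Assumption: 180 s threshold is this example's choice (WireGuard renegotiates
# roughly every 120 s while traffic flows, so an older handshake means a dead tunnel).

# usage: check_handshakes NOW MAX_AGE < dump     (NOW in epoch seconds, e.g. $(date +%s))
check_handshakes() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                       # line 1 describes the interface, not a peer
        {
            id = substr($1, 1, 8) "..."; ep = $3; hs = $5; rx = $6; tx = $7
            if (hs == 0) {
                printf "%s endpoint=%s handshake=never rx=%s tx=%s\n", id, ep, rx, tx
                if (tx > 0 && rx == 0)
                    print "  -> packets leave but nothing comes back: check endpoint/port and whether the server has blocked your public IP"
                next
            }
            age = now - hs
            printf "%s endpoint=%s handshake=%ds ago rx=%s tx=%s\n", id, ep, age, rx, tx
            if (age <= max) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample dumps (placeholder keys, documentation addresses), tab-separated like wg(8).
# Healthy: handshake 50 s before NOW, traffic in both directions.
DUMP_OK=$(printf 'PRIVKEY_PLACEHOLDER=\tPUBKEY_PLACEHOLDER=\t0\toff\nSERVER_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.224.0.0/15,1.1.1.1/32\t1699999950\t123456\t654321\t25')
# Broken: never handshaked, bytes sent but none received.
DUMP_STALE=$(printf 'PRIVKEY_PLACEHOLDER=\tPUBKEY_PLACEHOLDER=\t0\toff\nSERVER_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.224.0.0/15,1.1.1.1/32\t0\t0\t5920\t25')

NOW=1700000000   # fixed "now" for the samples; use $(date +%s) on a live router
printf '%s\n' "$DUMP_OK" | check_handshakes "$NOW" 180
printf '%s\n' "$DUMP_STALE" | check_handshakes "$NOW" 180 || echo "no recent handshake"
```

On the router itself the call is wg show wg0 dump | check_handshakes "$(date +%s)" 180 (awg show awg0 dump for AmneziaWG); a non-zero exit combined with a growing tx counter and rx stuck at 0 is the case the first troubleshooting entry describes.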