

WireGuard

WireGuard is almost certainly the best connection option that Streisand provides. This is due to its incredible performance, class-leading cryptography, and many, many other benefits.

WireGuard is available on Linux, and cross-platform and portable userspace implementations can be downloaded for Android and macOS.

An experimental configuration for OpenWrt/LEDE 17.01.4 (or later) is also available.


Android

  1. Install WireGuard.
  2. Launch the app and tap the blue button to add a new tunnel.
  3. Tap Create from QR code and grant the app permission to access the camera. A viewfinder will appear.
  4. Use the camera to scan one of these client configuration QR codes. Only one device can use a profile at a time:
  5. Enter a name for the tunnel and tap Create Tunnel to save the configuration.
  6. Tap the switch next to the tunnel's name to enable the VPN. If this is your first time using WireGuard on your Android device, you will be prompted to accept the VPN connection request.
  7. You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

iOS

  1. Install WireGuard (by WireGuard Development Team) from the App Store.
  2. Launch the app and tap the blue button to add a new tunnel.
  3. Tap Create from QR code and grant the app permission to access the camera. A viewfinder will appear.
  4. Use the camera to scan one of these client configuration QR codes. Only one device can use a profile at a time:
  5. Enter a name for the tunnel and tap Create Tunnel to save the configuration.
  6. Tap the switch next to the tunnel's name to enable the VPN. If this is your first time using WireGuard on your iOS device, you will be prompted to accept the VPN connection request.
  7. You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

Linux

  1. Install WireGuard.
  2. Download one of the client configuration files. Only one computer can use a profile at a time. For this example we'll assume you downloaded brother-various:
  3. Move the client configuration file into the correct directory:

    sudo sh -c 'umask 077; mkdir -p /etc/wireguard; cat > /etc/wireguard/brother-various.conf' < ~/Downloads/brother-various.conf

  4. (Ubuntu/Debian) For Ubuntu and Debian users you will need to install the openresolv package:

    sudo apt-get install openresolv

  5. Use the wg-quick utility to bring up the WireGuard interface:

    sudo wg-quick up brother-various

  6. For Linux systems using systemd you can also enable WireGuard at boot:

    sudo systemctl enable wg-quick@brother-various.service

  7. You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

  8. To stop routing your traffic through WireGuard, simply bring the interface back down:

    sudo wg-quick down brother-various

A note on DNS configuration

Each client configuration profile includes a DNS command that uses resolvconf to direct DNS traffic to the dnsmasq server that is available via the WireGuard encrypted interface at 10.192.122.1. Although resolvconf is a common utility, you may need to use PostUp/PostDown with a different command for your distribution or particular network configuration.
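
A pre-flight check for the install step and the DNS note above, as an added example that is not part of Streisand's own documentation or code: it audits a profile for a file mode that exposes the private key, a DNS line pointing anywhere other than 10.192.122.1, and a missing default route. The function names, the sample profile and the expectation that AllowedIPs contains 0.0.0.0/0 are assumptions.

```shell
# Added example (not Streisand's code): audit a wg-quick client profile.
conf_get() {  # conf_get FILE KEY -> trimmed value(s), one per line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

audit_profile() {  # audit_profile FILE [TUNNEL_DNS] -> 0 if all checks pass
    f=$1; want_dns=${2:-10.192.122.1}; rc=0
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    # The file holds the client's private key: group/other need no access
    # (this is what umask 077 in the install step achieves).
    perms=$(ls -lLd "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: mode exposes key ($perms)"; rc=1; }
    # DNS must name the resolver inside the tunnel, unless PostUp/PostDown
    # hooks replace wg-quick's resolvconf call.
    dns=$(conf_get "$f" DNS)
    if [ -z "$dns" ]; then
        [ -n "$(conf_get "$f" PostUp)" ] ||
            { echo "FAIL: no DNS line and no PostUp hook"; rc=1; }
    elif [ "$dns" != "$want_dns" ]; then
        echo "FAIL: DNS is '$dns', expected $want_dns"; rc=1
    fi
    # Assumption: the profile is full-tunnel, so AllowedIPs has 0.0.0.0/0.
    case ",$(conf_get "$f" AllowedIPs | tr -d ' ' | tr '\n' ',')" in
        *,0.0.0.0/0,*) ;;
        *) echo "FAIL: AllowedIPs lacks 0.0.0.0/0"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Constructed sample profile; keys and endpoint are placeholders.
write_sample() {  # write_sample FILE
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client-private-key-placeholder>
DNS = 10.192.122.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = <server-address>:<port>
EOF
    chmod 600 "$1"
}

# Demo run on the constructed sample.
tmp=$(mktemp); write_sample "$tmp"; audit_profile "$tmp" || true; rm -f "$tmp"
```

To audit the installed profile, call audit_profile /etc/wireguard/brother-various.conf as root before running wg-quick up.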


macOS

WARNING: The macOS WireGuard client is in early stages of development and still considered experimental. It may be unstable or buggy.

  1. Install Homebrew, if you haven't already.
  2. Install the WireGuard tools using Homebrew:

    brew install wireguard-tools

  3. Download one of the client configuration files. Only one computer can use a profile at a time. For this example we'll assume you downloaded brother-various:
  4. Move the client configuration file into the WireGuard configuration directory. The following command assumes you downloaded the configuration file into your Downloads folder. (If that's not the case, modify it accordingly):

    sudo sh -c 'umask 077 && mkdir -p /etc/wireguard/ && cat ~/Downloads/brother-various.conf > /etc/wireguard/brother-various.conf'

  5. Use the wg-quick utility to bring up the WireGuard interface:

    sudo wg-quick up brother-various

  6. You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

  7. You can check the VPN status at any time using wg:

    sudo wg show

  8. To stop routing your traffic through WireGuard, simply bring the interface back down:

    sudo wg-quick down brother-various


EXPERIMENTAL: OpenWrt (LEDE)

As an unsupported experiment, these profiles are available for routers running OpenWrt. Support requires OpenWrt/LEDE 17.01.4 or later; OpenWrt Chaos Calmer is too old.

OpenWrt devices run Linux, but they're managed through a centralized configuration system called UCI. Most OpenWrt devices have a web admin interface called LuCI, which hides the complexity of UCI. These WireGuard profiles can be installed through a shell, or through the LuCI web interface.

These profiles will replace the existing Internet connection. As a result, you should only install them when you're connected to the router's WiFi or LAN network interface. If you're logged in remotely, you may be locked out.

Installing WireGuard software

Make sure these software packages are installed: luci-app-wireguard and luci-proto-wireguard. To install those packages from the web UI:

  1. Go to the LuCI System:Software page, and click the Update lists button.
  2. Type wireguard into the Find package box.
  3. Click on the Available packages (wireguard) tab.
  4. Click Install next to luci-app-wireguard; go back to step 2 to install luci-proto-wireguard as well.

(If you're managing your router without the LuCI user interface, you can instead run opkg update; opkg install kmod-wireguard wireguard-tools.)

Installing the profile

Experienced users can install these profiles from the router's SSH command line; place one in a file, and run it as a shell script.

There's also a simple way to install via the web interface. The LuCI System:Startup web page contains a Local Startup text box. It's a shell script which is run each time the router boots up. These WireGuard profiles are designed to be pasted into the Local Startup box, replacing the existing contents. (Make sure to delete any exit 0 lines.)

The next time the router reboots, the script will be run. It removes itself automatically. Check the Local Startup box for the status result.

Changes made by the profile

If you don't like the DNS default, you can change DNS behavior on the Network:DHCP and DNS LuCI page. Put the DNS server address in DNS forwardings. On the Resolv and Hosts Files tab, leave Ignore resolve file checked, unless you want to use your upstream DNS. (You probably don't.)

If you know you aren't behind a NAT device, edit the WireGuard interface to set the keepalive to 0.

OpenWrt Profiles