Wireguard

From VyOS Wiki

WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPsec while avoiding the massive headache, and to be considerably more performant than OpenVPN.
WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is still under heavy development, but it is already regarded by many as one of the most secure, easiest to use, and simplest VPN solutions in the industry.

Getting started with Wireguard

Each peer (client or server) needs its own private/public key pair. You can view or generate the pair from the operational-mode shell (prefix the command with "run" if you are in configuration mode):

  generate wireguard keypair           - generates a new keypair; if one exists already it asks whether you want to overwrite the existing one.
                                         It is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

Only the public key is ever copied to the other side (it is what you paste into the peer's 'pubkey' setting). The private key stays on the router; 'show wireguard privkey' prints it in clear text, so run it only where the terminal output is not logged or shared, and generate a new keypair (and update every peer) if it has been exposed.

To view the status of an interface:

 show interfaces wireguard <tab completion> [<enter>]
 allowed-ips show all allowed-ips for the specified interface
 endpoints show all endpoints for the specified interface
 peers show all peer IDs for the specified interface

Tab completion lists the WireGuard interfaces that are set up on the system, so if you have more than one you can choose from the list.
If you just hit enter you get the full status of the interface. Example:

  vyos@vyos:~$ show interfaces wireguard wg01
  public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
  private key: (hidden)
  listening port: 12345


  vyos@vyos:~$ show interfaces wireguard peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg='
  allowed ips: 10.200.0.0/24

Sub-commands like allowed-ips show each peer (identified by its public key) and the allowed-ips configured for it. If you have multiple peers, they show up as a list:

  vyos@vyos:~$ show interfaces wireguard wg01 allowed-ips 
  kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24

An example of setting up a connection between a client and a server.

We need to create a WireGuard interface, called wg01 in this example. A peer's allowed-ips is WireGuard's cryptokey routing table: traffic for those prefixes is encrypted to that peer, and a decrypted packet from that peer is dropped unless its source address falls within them. That is why the server lists the client's subnet and the client lists the server's. Only the client sets an endpoint; the server learns the client's address and port from the first successful handshake, which lets the client roam. The 'persistent-keepalive' parameter (value in seconds) is optional and is only needed to keep a NAT or stateful-firewall mapping open. The static interface-route is required because allowed-ips by itself does not install a kernel route for the remote subnet.

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 pubkey '<pubkey client1>'
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save

On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer SERVER pubkey '<pubkey server>'
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save
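To make the allowed-ips semantics concrete, here is an added model (Python, not VyOS or WireGuard code) of the cryptokey routing decision, loaded with the server-side peer from the example above plus two constructed peers (CLIENT2 with 10.0.1.0/24 and SITE with 10.0.0.0/16) so that longest-prefix matching and the inbound source check are visible; it goes beyond the single-peer example in the text. Peer names other than CLIENT1, the extra prefixes and the placeholder pubkeys are this example's assumptions.

```python
"""Added example: a model of WireGuard's cryptokey routing (not VyOS or
WireGuard code). allowed-ips is one table used in both directions:
outbound, the destination picks the peer; inbound, the decrypted packet's
source must map back to the peer it arrived from, or it is dropped."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    pubkey: str               # base64 key as set with 'peer <name> pubkey'
    allowed_ips: list = field(default_factory=list)


class CryptokeyRouter:
    def __init__(self, peers):
        self._table = []      # (network, peer); longest prefix wins on lookup
        for peer in peers:
            for cidr in peer.allowed_ips:
                net = ipaddress.ip_network(cidr, strict=True)
                # Each prefix has exactly one owner in WireGuard; a second peer
                # claiming it silently takes it over, so treat that as a config error.
                for existing, owner in self._table:
                    if existing == net and owner is not peer:
                        raise ValueError(
                            f"{cidr} is in allowed-ips of both {owner.name} and {peer.name}")
                self._table.append((net, peer))

    def lookup(self, addr):
        """Longest-prefix match of addr over all peers' allowed-ips."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self._table:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def outbound_peer(self, dst):
        """Packet routed into wg01: encrypt to the owning peer; None means dropped."""
        return self.lookup(dst)

    def inbound_allowed(self, peer, src):
        """Packet decrypted from peer: accepted only if src maps back to that peer.
        This is the anti-spoofing check; holding a valid key does not bypass it."""
        return self.lookup(src) is peer


def build_server_table():
    """Server-side table: CLIENT1 from the example above plus two constructed
    peers to show longest-prefix matching. Pubkeys are placeholders."""
    peers = {
        "CLIENT1": Peer("CLIENT1", "<pubkey client1>", ["10.0.0.0/24"]),
        "CLIENT2": Peer("CLIENT2", "<pubkey client2>", ["10.0.1.0/24"]),
        "SITE":    Peer("SITE",    "<pubkey site>",    ["10.0.0.0/16"]),
    }
    return CryptokeyRouter(peers.values()), peers


if __name__ == "__main__":
    router, peers = build_server_table()
    for dst in ("10.0.0.7", "10.0.1.9", "10.0.5.1", "192.0.2.1"):
        owner = router.outbound_peer(dst)
        print(f"to {dst:<10} -> {owner.name if owner else 'DROP (no peer)'}")
    for name, src in (("CLIENT1", "10.0.0.7"), ("CLIENT1", "10.0.1.5"), ("SITE", "10.0.0.7")):
        verdict = "accept" if router.inbound_allowed(peers[name], src) else "drop"
        print(f"from {name:<7} src {src:<10} -> {verdict}")
```

The practical consequence: a peer given 0.0.0.0/0 owns every destination not claimed by a more specific prefix, and a peer can only inject packets with sources inside its own allowed-ips, so narrowing allowed-ips on the server is the main lever for limiting what a compromised client key can reach or impersonate.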


Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

  vyos@vyos:~$ show interfaces wireguard
  Possible completions:
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

Wireguard parameters

Note that this completion listing differs from the configuration examples above: there the listen port is set with 'port' rather than 'listen-port', and a peer is given a name (e.g. CLIENT1) with its key under 'pubkey', whereas below the peer node is keyed directly by the Base64 public key. Rely on the tab completion of the VyOS version you are running.

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint
   persistent-keepalive
                 how often send keep alives in seconds