Difference between revisions of "Wireguard"

From VyOS Wiki
(Created page with "= Wireguard = WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art [https://www.wireguard.com/protocol/ cryptography].<br> * [https://w...")
 
Previous revision (the text this edit replaced):

<span style="color:red">This is under construction!</span>

Each host needs its own private/public key pair, which you can generate with these commands:<br>

wg genkey '''(generates a private key)'''<br>
wg pubkey '''(derives the public key from a private key; for example: wg pubkey < privatekey, where privatekey is the file holding the private key)'''<br>

For extra security you can also use a pre-shared key, generated with this command:<br>

wg genpsk '''(optional; the same pre-shared key must be configured on both hosts)'''<br>

We need to create an interface for WireGuard '''(in this example we call it wg0)''':<br>

set interfaces wireguard wg0<br>

'''On host 1:'''<br>
  configure<br>
  set interfaces wireguard wg0 address 10.2.2.1/24 '''(IPv4/IPv6 address of this host, including the prefix length)'''<br>
  set interfaces wireguard wg0 description wg02-test '''(optional)'''<br>
  set interfaces wireguard wg0 listen-port 51820 '''(UDP port; optional, but at least one host must set it so the other knows which port to connect to)'''<br>
  set interfaces wireguard wg0 peer <public key of host 2> allowed-ips 10.1.1.0/24 '''(IP/prefix that may pass through the wg0 interface to and from this peer)'''<br>
  set interfaces wireguard wg0 peer <public key of host 2> endpoint 216.33.14.41:51820 '''(optional, but at least one host must set it to be able to find the other)'''<br>
  set protocols static interface-route 10.1.1.0/24 next-hop-interface wg0<br>
  commit<br>
  save<br>

'''On host 2:'''<br>
  configure<br>
  set interfaces wireguard wg0 address 10.1.1.1/24 '''(IPv4/IPv6 address of this host, including the prefix length)'''<br>
  set interfaces wireguard wg0 description wg01-test '''(optional)'''<br>
  set interfaces wireguard wg0 listen-port 51820 '''(UDP port; optional, but at least one host must set it so the other knows which port to connect to)'''<br>
  set interfaces wireguard wg0 peer <public key of host 1> allowed-ips 10.2.2.0/24 '''(IP/prefix that may pass through the wg0 interface to and from this peer)'''<br>
  set interfaces wireguard wg0 peer <public key of host 1> endpoint 96.24.215.191:51820 '''(optional, but at least one host must set it to be able to find the other)'''<br>
  set protocols static interface-route 10.2.2.0/24 next-hop-interface wg0<br>
  commit<br>
  save<br>

== Wireguard parameters ==

Possible completions:
  + address
    description
    listen-port
  +> peer
  + allowed-ips
    endpoint
    preshared-key (not implemented yet)
    private-key
    public-key

Revision as of 21:06, 19 August 2018

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Getting started with Wireguard

This is under construction!

Each host (client or server) needs its own private/public key pair. Generate and view the keys from the operational-mode shell (vbash); prefix the command with "run" if you are in configuration mode. Only the public key is ever exchanged: it is the value the other side references in its peer entry, and the private key stays on the host that generated it (so treat backups of /config accordingly):

  generate wireguard keypair           - generates a new keypair, if one exists already it asks you if you want to overwrite the existing one.
                                       it is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

planned:

  show wireguard status                - show status for all wg interfaces
  show wireguard status <wgN>          - status for a specific interface
  show wireguard status peer [peerkey] - status for a specific peer



Next, create a WireGuard interface on each side (called wg01 in this example) and tell it about the other side as a peer.

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey client 1> allowed-ips 10.0.0.0/24
  vyos@vyos# set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
  vyos@vyos# set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save

The client's wg01 needs an address inside the subnet the server allows for it (10.0.0.1/24 is chosen here for the example); without one the client has no source address on the tunnel. The allowed-ips values deserve care on both sides: WireGuard uses them as its cryptokey routing table and as an access list at the same time. A packet that arrives from a peer with a source address outside that peer's allowed-ips is dropped, and a packet is only sent to the peer whose allowed-ips covers its destination, so the two sides must mirror each other's tunnel addresses. The server carries no endpoint for the client because the client initiates the handshake and the server learns the client's address from it; only the initiating side needs an endpoint, and the responding side needs a fixed listen-port that matches the port in that endpoint. The client's listen-port is optional (a random port is used if it is omitted).
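The server and client blocks above are the two halves of one tunnel, and the mistakes that stop it from coming up (an interface with no address, allowed-ips that do not cover the other side's tunnel address, an endpoint port that does not match the listen-port, neither side knowing an endpoint) are all visible in the `set` commands themselves. The following is an added example, not part of this page or of VyOS: a small Python checker that parses `set interfaces wireguard ...` lines in the form shown above and checks the two sides against each other. The public keys are constructed placeholders of the right length and encoding, not real keys; the client configuration is first given without an interface address and then with an assumed address of 10.0.0.1/24.

```python
"""Consistency check for a pair of VyOS WireGuard interface configurations.

Added example (not VyOS code): parses the 'set interfaces wireguard ...'
commands used on this page and checks that the two sides agree on
cryptokey routing (allowed-ips), addressing and endpoint/listen-port.
"""
import base64
import binascii
import ipaddress
import re

# Accept both bare 'set ...' lines and 'vyos@vyos# set ...' transcript lines.
SET_RE = re.compile(r"^\s*(?:\S+#\s*)?set\s+(.+)$")


def parse_vyos(text):
    """Parse 'set interfaces wireguard <wgN> ...' lines into a dict per interface."""
    ifaces = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        toks = [t.strip("'\"") for t in m.group(1).split()]
        if toks[:2] != ["interfaces", "wireguard"] or len(toks) < 5:
            continue
        cfg = ifaces.setdefault(toks[2], {"address": [], "peers": {}})
        key, rest = toks[3], toks[4:]
        if key == "address":
            cfg["address"].append(ipaddress.ip_interface(rest[0]))
        elif key == "listen-port":
            cfg["listen-port"] = int(rest[0])
        elif key == "peer" and len(rest) >= 3:
            peer = cfg["peers"].setdefault(rest[0], {"allowed-ips": []})
            if rest[1] == "allowed-ips":
                peer["allowed-ips"].append(ipaddress.ip_network(rest[2], strict=False))
            else:
                peer[rest[1]] = rest[2]
        else:
            cfg[key] = " ".join(rest)
    return ifaces


def is_wg_key(key):
    """A WireGuard public key is 32 raw bytes, shown as 44 base64 characters."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def covered(addr, networks):
    """True if the interface address addr lies inside any of the networks."""
    return any(addr.ip in n for n in networks)


def check_pair(a, a_pub, b, b_pub):
    """Return the problems found between two sides (A, B) of one tunnel.

    a/b are parsed interface dicts, a_pub/b_pub the public key of each side.
    An empty list means the two configurations are mutually consistent.
    """
    problems = []
    sides = (("A", a, a_pub, b, b_pub), ("B", b, b_pub, a, a_pub))
    for name, me, me_pub, other, other_pub in sides:
        if not is_wg_key(me_pub):
            problems.append(f"{name}: public key is not 32 base64-encoded bytes")
        if not me["address"]:
            problems.append(f"{name}: no address on the wireguard interface")
        peer = me["peers"].get(other_pub)
        if peer is None:
            problems.append(f"{name}: no peer entry for the other side's public key")
            continue
        # allowed-ips is both route and ACL: traffic from the peer with a source
        # outside it is dropped, and traffic to destinations outside it is never
        # sent to that peer, so it must cover the other side's tunnel address.
        for addr in other["address"]:
            if not covered(addr, peer["allowed-ips"]):
                problems.append(f"{name}: peer allowed-ips does not cover {addr.ip}")
        if "endpoint" in peer:
            port = int(peer["endpoint"].rsplit(":", 1)[1])
            if other.get("listen-port") != port:
                problems.append(f"{name}: endpoint port {port} != other side's listen-port")
    # At least one side must know where to send the first handshake.
    if not any("endpoint" in me["peers"].get(other_pub, {}) for _, me, _, _, other_pub in sides):
        problems.append("neither side has an endpoint for the other")
    return problems


# Constructed placeholder keys: correct length and encoding, not real keys.
SERVER_PUB = base64.b64encode(bytes([0x11] * 32)).decode()
CLIENT_PUB = base64.b64encode(bytes([0x22] * 32)).decode()

SERVER_CFG = f"""
vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
vyos@vyos# set interfaces wireguard wg01 peer {CLIENT_PUB} allowed-ips 10.0.0.0/24
"""

# Client without an interface address: listens and points at the server only.
CLIENT_CFG_NOADDR = f"""
vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
vyos@vyos# set interfaces wireguard wg01 peer {SERVER_PUB} allowed-ips '10.1.0.0/24'
vyos@vyos# set interfaces wireguard wg01 peer {SERVER_PUB} endpoint '192.168.0.115:12345'
"""

# Same client with an assumed tunnel address inside the server's allowed-ips.
CLIENT_CFG = "set interfaces wireguard wg01 address '10.0.0.1/24'\n" + CLIENT_CFG_NOADDR


def audit(server_text, client_text):
    """Parse wg01 on both sides and return the list of problems found."""
    server = parse_vyos(server_text)["wg01"]
    client = parse_vyos(client_text)["wg01"]
    return check_pair(server, SERVER_PUB, client, CLIENT_PUB)


if __name__ == "__main__":
    for label, cfg in (("client without address", CLIENT_CFG_NOADDR),
                       ("client with address", CLIENT_CFG)):
        print(label, "->", audit(SERVER_CFG, cfg) or "OK")
```

Run it as a script to see the first client configuration flagged for its missing address and the second pass clean; `audit` can be pointed at any two pasted configuration blocks, and swapping the client's allowed-ips or endpoint port for a wrong value produces the corresponding message.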



Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

Wireguard parameters

In the completion list, "+" marks a node that may be set more than once (several addresses, peers or allowed-ips) and ">" a node that has sub-nodes; the peer node is keyed by the other side's base64 public key.

Possible completions:
+  address      IPv4/IPv6 address and prefix length <x.x.x.x/x>/<h:h:h:h:h:h:h:h/x>
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint