Difference between revisions of "Wireguard"

From VyOS Wiki
Line 33: Line 33:
 
Setting up a connection between a client and server.
 
Setting up a connection between a client and server.
 
We need to create an interface for Wireguard, '''(in this example we call it wg01)'''<br>
 
We need to create an interface for Wireguard, '''(in this example we call it wg01)'''<br>
 +
Notice that In the example the 'persistent-keepalive' parameter is set (the value is in seconds) and it is optional.<br>
  
 
'''On server:'''<br>
 
'''On server:'''<br>
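Review bot: "Notice that In the example" should read "Notice that in the example"; the sentence also only states the unit and that the option is optional, so add what persistent-keepalive is for: a peer behind NAT or a stateful firewall needs it to keep its UDP mapping open so the other side can still reach it between data packets.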
Line 39: Line 40:
 
   vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
 
   vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
 
   vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
 
   vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
   vyos@vyos# set interfaces wireguard wg01 peer <pubkey client 1> allowed-ips 10.0.0.0/24
+
   vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' allowed-ips '10.0.0.0/24'
   vyos@vyos# set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
+
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' persistent-keepalive 15
 +
   vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
 
   vyos@vyos# commit
 
   vyos@vyos# commit
 
   vyos@vyos# save
 
   vyos@vyos# save
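Review bot: the added `vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' persistent-keepalive 15` line is indented one space less than the surrounding commands, so it renders misaligned inside the <pre> block. Worth a sentence as well: no endpoint is configured for the client on the server side, so the server only learns where to send keepalives after the client has completed a handshake; the option matters on the initiating side behind NAT (here the client), and on the server it is harmless but not what keeps the tunnel reachable.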
Line 50: Line 52:
 
   vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
 
   vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
 
   vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
 
   vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
   vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
+
   vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' allowed-ips '10.1.0.0/24'
   vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
+
   vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' endpoint '192.168.0.115:12345'
   vyos@vyos# set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
+
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
 +
   vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
 
   vyos@vyos# commit
 
   vyos@vyos# commit
 
   vyos@vyos# save
 
   vyos@vyos# save
 
</pre>
 
</pre>
 
<br>
 
<br>
 +
set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
 +
set interfaces wireguard wg01 peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=' persistent-keepalive 15
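Review bot: the two added `set interfaces wireguard wg01 peer ... persistent-keepalive 15` lines after the closing </pre> sit outside any <pre> block and have no lead sentence, so in the rendered revision they run together onto one line; wrap them in <pre> and state that the second line shows the '<pubkey server>' placeholder replaced with an actual base64 public key. The client block's persistent-keepalive line has the same one-space-short indentation as the server block's.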
  
  
Line 74: Line 79:
 
<pre style="color: silver; background: black;">
 
<pre style="color: silver; background: black;">
 
Possible completions:
 
Possible completions:
+  address      IPv4/IPv6 address and prefix length <x.x.x.x/x>/<h:h:h:h:h:h:h:h/x>
+
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
 
   description  description
 
   description  description
 
   listen-port  Local port number to accept connections
 
   listen-port  Local port number to accept connections
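Review bot: this hunk only adds quotes around the placeholders in the `address` help line, but the block is presented as the CLI's completion output; if it is meant to be verbatim, it should stay as the CLI prints it (the previous revision's unquoted form), and the advice to quote values on the `set` line belongs in the prose above the block.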
Line 80: Line 85:
 
+  allowed-ips  IP addresses allowed to traverse the peer
 
+  allowed-ips  IP addresses allowed to traverse the peer
 
   endpoint    Remote endpoint
 
   endpoint    Remote endpoint
 +
  persistent-keepalive
 +
                how often send keep alives in seconds
 
</pre>
 
</pre>
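Review bot: the new `persistent-keepalive` entry is indented one space less than `endpoint` above it, which breaks the column alignment of the <pre> block; the help text also gives no default, so a reader cannot tell that omitting the option means no keepalives are sent at all.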

Revision as of 22:08, 20 August 2018

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Getting started with Wireguard

This is under construction!

Each client/server needs a private and public key pair. You can view or generate them within the vbash (prefix the command with "run" if you are in configuration mode):

  generate wireguard keypair           - generates a new keypair; if one already exists it asks whether to overwrite it.
                                         the keypair is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key
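The keypair commands above produce a Curve25519 private key and the matching public key. The public key is derived from the private key and never the other way round, which is why the output of `show wireguard privkey` and the files under /config/auth/wireguard/ need the same handling as any other secret, while the pubkey is what you hand to the other side. The following added example is my own code, not VyOS's (VyOS uses the wg tool and kernel for this): it derives a public key with the RFC 7748 X25519 ladder in pure Python, generates a fresh keypair in the base64 form the CLI shows, and checks that a given pubkey really belongs to a given privkey. The fixed private key it carries is the RFC 7748 test vector, not real key material.

```python
"""Derive and check WireGuard keys (added example, not VyOS code).

A WireGuard private key is 32 random bytes (clamped), the public key is
X25519(private, 9), and both are shown base64-encoded, which is the form the
page's "set interfaces wireguard wg01 peer '<key>'" lines take.
"""
import base64
import os

P = 2**255 - 19                 # field prime of Curve25519
A24 = 121665                    # (486662 - 2) / 4, the ladder constant
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vector ("Alice"), used only to self-check the ladder.
RFC7748_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_PUBLIC_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"


def _clamp(k):
    """RFC 7748 scalar clamping, applied by every WireGuard implementation."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private, u_bytes):
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte result."""
    k = _clamp(private)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private):
    """Public key = X25519(private, basepoint 9)."""
    return x25519(private, BASEPOINT)


def generate_keypair():
    """Fresh keypair as (private_b64, public_b64), the form the CLI displays."""
    private = os.urandom(32)
    return (base64.b64encode(private).decode(),
            base64.b64encode(public_key(private)).decode())


def keys_match(private_b64, public_b64):
    """True when the pubkey handed to a peer is the one derived from this privkey."""
    return public_key(base64.b64decode(private_b64)) == base64.b64decode(public_b64)


if __name__ == "__main__":
    priv_b64, pub_b64 = generate_keypair()
    print("privkey:", priv_b64)
    print("pubkey: ", pub_b64)
    print("set interfaces wireguard wg01 peer '%s' allowed-ips '10.0.0.0/24'" % pub_b64)
```

Running it prints a keypair and the `set ... peer` line the page's setup needs on the other side; `keys_match` is the check to run when a tunnel never handshakes and you suspect the wrong pubkey was pasted.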

planned:

  show wireguard status                - show status for all wg interfaces
  show wireguard status <wgN>          - status for a specific interface
  show wireguard status peer [peerkey] - status for a specific peer



Setting up a connection between a client and server. We need to create an interface for Wireguard (in this example we call it wg01).
Note that in the example the 'persistent-keepalive' parameter is set (the value is in seconds); it is optional.

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


  set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
  set interfaces wireguard wg01 peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=' persistent-keepalive 15
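The server and client blocks above have to agree with each other in ways the commit step does not check: the client's endpoint port must be the server's listen-port, each side's allowed-ips must contain the other side's tunnel address (WireGuard's cryptokey routing drops decrypted packets whose source is outside the peer's allowed-ips, with nothing logged), and every interface-route via wg01 must fall inside some peer's allowed-ips or the packet is sent into the tunnel and discarded. The following added example is my own checker, not part of the page or of VyOS: it parses the `set` commands from the two blocks above and reports these mismatches. The peer keys are constructed 32-byte values standing in for the '<pubkey ...>' placeholders, and `check_broken_example` applies two deliberate mistakes to show what a report looks like.

```python
"""Consistency check for a VyOS WireGuard server/client pair (added example, not VyOS code)."""
import base64
import ipaddress
import shlex

# Constructed keys: 32 bytes of 0x01 / 0x02, base64-encoded. Valid in form, not real keys.
CLIENT_KEY = base64.b64encode(bytes([1] * 32)).decode()
SERVER_KEY = base64.b64encode(bytes([2] * 32)).decode()

# The page's server and client commands, placeholders replaced by the constructed keys.
SERVER_CFG = f"""
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer '{CLIENT_KEY}' allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer '{CLIENT_KEY}' persistent-keepalive 15
set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
"""
CLIENT_CFG = f"""
set interfaces wireguard wg01 address '10.0.0.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer '{SERVER_KEY}' allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer '{SERVER_KEY}' endpoint '192.168.0.115:12345'
set interfaces wireguard wg01 peer '{SERVER_KEY}' persistent-keepalive 15
set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
"""


def parse(cfg_text):
    """Turn 'set ...' lines into a dict; shlex strips the quotes around values."""
    conf = {"iface": None, "address": [], "listen_port": None, "peers": {}, "routes": []}
    for raw in cfg_text.strip().splitlines():
        t = shlex.split(raw)
        if t[:3] == ["set", "interfaces", "wireguard"]:
            conf["iface"], sub = t[3], t[4:]
            if sub[0] == "address":
                conf["address"].append(ipaddress.ip_interface(sub[1]))
            elif sub[0] == "listen-port":
                conf["listen_port"] = int(sub[1])
            elif sub[0] == "peer":
                peer = conf["peers"].setdefault(sub[1], {"allowed_ips": []})
                if sub[2] == "allowed-ips":
                    peer["allowed_ips"].append(ipaddress.ip_network(sub[3]))
                elif sub[2] == "endpoint":
                    host, port = sub[3].rsplit(":", 1)
                    peer["endpoint"] = (host, int(port))
                elif sub[2] == "persistent-keepalive":
                    peer["keepalive"] = int(sub[3])
        elif t[:4] == ["set", "protocols", "static", "interface-route"]:
            conf["routes"].append((ipaddress.ip_network(t[4]), t[6]))
    return conf


def valid_key(key):
    """A WireGuard public key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _covers(side, peer, remote_addrs):
    """allowed-ips on 'side' must contain the remote peer's tunnel address."""
    allowed = peer.get("allowed_ips", [])
    return [f"{side}: allowed-ips {[str(n) for n in allowed]} does not cover peer address {a.ip}"
            for a in remote_addrs if not any(a.ip in n for n in allowed)]


def check_pair(server, client, server_key, client_key):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for side, conf in (("server", server), ("client", client)):
        findings += [f"{side}: peer key {k!r} is not a 32-byte base64 key (placeholder left in?)"
                     for k in conf["peers"] if not valid_key(k)]
    srv_peer = client["peers"].get(server_key, {})
    ep = srv_peer.get("endpoint")
    if ep is None:
        findings.append("client: no endpoint for the server, so it cannot initiate the handshake")
    elif ep[1] != server["listen_port"]:
        findings.append(f"client: endpoint port {ep[1]} != server listen-port {server['listen_port']}")
    findings += _covers("server", server["peers"].get(client_key, {}), client["address"])
    findings += _covers("client", srv_peer, server["address"])
    for side, conf in (("server", server), ("client", client)):
        allowed = [n for p in conf["peers"].values() for n in p["allowed_ips"]]
        for net, dev in conf["routes"]:
            if dev == conf["iface"] and not any(
                    n.version == net.version and net.subnet_of(n) for n in allowed):
                findings.append(f"{side}: route {net} via {dev} has no covering allowed-ips")
    return findings


def check_page_example():
    """The server/client pair from this page: expected to produce no findings."""
    return check_pair(parse(SERVER_CFG), parse(CLIENT_CFG), SERVER_KEY, CLIENT_KEY)


def check_broken_example():
    """Same pair with two common slips: wrong endpoint port, allowed-ips off by one subnet."""
    bad_server = SERVER_CFG.replace("allowed-ips '10.0.0.0/24'", "allowed-ips '10.0.1.0/24'")
    bad_client = CLIENT_CFG.replace("192.168.0.115:12345", "192.168.0.115:12346")
    return check_pair(parse(bad_server), parse(bad_client), SERVER_KEY, CLIENT_KEY)


if __name__ == "__main__":
    for name, fn in (("page example", check_page_example), ("broken example", check_broken_example)):
        print(f"{name}: {fn() or ['OK']}")
```

The broken variant yields three findings from two edits, because a wrong allowed-ips on the server both fails the address check and strands the static route; that is the usual signature of an allowed-ips slip on a VyOS router, where routes are installed by `protocols static` and not derived from allowed-ips.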


Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

Wireguard parameters

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint
   persistent-keepalive
                 how often send keep alives in seconds