Difference between revisions of "Wireguard"

From VyOS Wiki
Revision as of 23:00, 20 August 2018

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Getting started with Wireguard

This is under construction!

Each client and server needs its own private/public key pair. You can view or generate them in the vbash (in configuration mode, put "run" in front of the command):

  generate wireguard keypair           - generates a new keypair; if one already exists it asks whether you want to overwrite the existing one.
                                         The keypair is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

To view the status of an interface:

  show interfaces wireguard <tab completion> [<enter>]
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

Tab completion shows the WireGuard interfaces that are set up on the system; if you have more than one, they are listed so you can choose from them.
If you just press Enter you get the full statistics for the interface. Example:

  vyos@vyos:~$ show interfaces wireguard wg01
  public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
  private key: (hidden)
  listening port: 12345


  vyos@vyos:~$ show interfaces wireguard peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg='
  allowed ips: 10.200.0.0/24

Sub-commands such as allowed-ips show each peer together with the allowed-ips configured for it. If you have multiple peers, they show up as a list:

  vyos@vyos:~$ show interfaces wireguard wg01 allowed-ips 
  kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24
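A sanity check for that peer table, as an added example that is not part of this wiki page and not VyOS code: a POSIX shell script that reads lines in the "<pubkey> <allowed-ips>" form printed by show interfaces wireguard wg01 allowed-ips and flags malformed public keys, catch-all prefixes, and a prefix claimed by more than one peer (WireGuard hands such a prefix to whichever peer was configured last). The input table is constructed: the first line is the peer from the output above, the other three lines are made up to exercise each check, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the VyOS wiki or VyOS: audit the peer table
# printed by 'show interfaces wireguard wg01 allowed-ips'. Every input line
# has the form "<base64 public key> <allowed-ips prefix>".

# wg_key_ok KEY: succeeds when KEY is syntactically a WireGuard public key,
# i.e. standard base64 of exactly 32 bytes: 44 characters, one '=' of padding,
# and a 43rd character carrying only 4 data bits (so its low 2 bits are zero).
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# catch_all PREFIX: succeeds when PREFIX sends every otherwise unmatched
# destination to a single peer (a default route through the tunnel).
catch_all() {
    case $1 in
        0.0.0.0/0|::/0) return 0 ;;
        *)              return 1 ;;
    esac
}

# audit_allowed_ips: reads the peer table on stdin, prints one finding per
# line, and returns 1 if anything was flagged, 0 if the table looks sane.
audit_allowed_ips() {
    findings=0
    seen=" "
    while read -r key prefix; do
        [ -n "$key" ] || continue                      # skip blank lines
        if ! wg_key_ok "$key"; then
            echo "malformed public key: $key"
            findings=$((findings + 1))
            continue
        fi
        if [ -z "$prefix" ]; then
            echo "peer $key has no allowed-ips: it can neither send nor receive"
            findings=$((findings + 1))
            continue
        fi
        if catch_all "$prefix"; then
            echo "peer $key is a catch-all ($prefix): all unmatched traffic is sent to it"
            findings=$((findings + 1))
        fi
        case $seen in
            *" $prefix "*)
                echo "prefix $prefix is listed for more than one peer (WireGuard keeps only the last)"
                findings=$((findings + 1)) ;;
        esac
        seen="$seen$prefix "
    done
    [ "$findings" -eq 0 ]
}

# sample_table: constructed input. The first line is the peer from the wiki
# output above; the remaining lines are made up to exercise each check.
sample_table() {
    cat <<'EOF'
kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 0.0.0.0/0
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA= 10.200.0.0/24
not-a-key 10.201.0.0/24
EOF
}

if sample_table | audit_allowed_ips; then
    echo "peer table looks sane"
else
    echo "review the findings above"
fi
```

On a live router the same audit can be fed with the real output, for example show interfaces wireguard wg01 allowed-ips | sh audit.sh with the final if block replaced by a bare audit_allowed_ips call. The key check is purely syntactic: it catches copy-and-paste damage, not a key that belongs to the wrong party.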



An example of setting up a connection between a client and a server. We need to create an interface for WireGuard (in this example we call it wg01).
Note that in the example the 'persistent-keepalive' parameter is set (the value is in seconds); it is optional.

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save
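The two configurations above are mirror images: each side's address must fall inside the other side's allowed-ips for that peer, and the prefix given to interface-route must be covered by allowed-ips, because WireGuard's cryptokey routing drops outbound packets whose destination matches no peer's allowed-ips and inbound packets whose source is outside the sending peer's allowed-ips. The following script, added here as an example that is not part of this wiki page and not VyOS code, checks those two conditions for one side of the tunnel using the values from the example (IPv4 only; the function names and the mismatch case in the test are mine).

```shell
#!/bin/sh
# Added example, not code from the VyOS wiki or VyOS: cross-check one side of
# the client/server configuration above. WireGuard's cryptokey routing drops
# (a) outbound packets whose destination matches no peer's allowed-ips, so an
# 'interface-route ... next-hop-interface wg01' prefix that allowed-ips does
# not cover is silently blackholed, and (b) inbound packets whose source is
# outside the sending peer's allowed-ips, so the remote tunnel address must
# sit inside allowed-ips or its packets are dropped on arrival. IPv4 only.

# ip4_to_int A.B.C.D: prints the address as an unsigned 32-bit integer.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_covers OUTER INNER: succeeds when every address of INNER lies inside
# OUTER (both given as network/length).
prefix_covers() {
    o_len=${1#*/}
    i_len=${2#*/}
    [ "$i_len" -ge "$o_len" ] || return 1
    [ "$o_len" -gt 0 ] || return 0                   # a /0 covers everything
    mask=$(( (0xFFFFFFFF << (32 - o_len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "${1%/*}") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# any_covers "LIST OF PREFIXES" PREFIX: succeeds when some list entry covers PREFIX.
any_covers() {
    for a in $1; do
        prefix_covers "$a" "$2" && return 0
    done
    return 1
}

# check_peer_side REMOTE_ADDR "ALLOWED-IPS" "ROUTED PREFIXES"
#   REMOTE_ADDR   the other side's 'address' (e.g. 10.0.0.1/24)
#   ALLOWED-IPS   this side's 'peer ... allowed-ips' entries for that peer
#   ROUTED        the 'interface-route' prefixes pointed at wg01
# Prints each problem found and returns 1 if there were any.
check_peer_side() {
    remote=${1%/*}/32
    allowed=$2
    routes=$3
    rc=0
    if ! any_covers "$allowed" "$remote"; then
        echo "remote address $1 is outside allowed-ips ($allowed): its packets are dropped on arrival"
        rc=1
    fi
    for r in $routes; do
        if ! any_covers "$allowed" "$r"; then
            echo "route $r -> wg01 is not covered by allowed-ips ($allowed): traffic is blackholed"
            rc=1
        fi
    done
    return $rc
}

# The two sides from the example above: the server's view of client 1, then
# client 1's view of the server.
check_peer_side 10.0.0.1/24 "10.0.0.0/24" "10.0.0.0/24" && echo "server side: consistent"
check_peer_side 10.1.0.1/24 "10.1.0.0/24" "10.1.0.0/24" && echo "client 1 side: consistent"
```

The check is worth running whenever a peer's allowed-ips is narrowed (for instance from a /24 to a single /32 host), since a route left pointing a wider prefix at wg01 will then blackhole traffic without any commit-time error.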


With a real public key substituted for the '<pubkey server>' placeholder, the last peer line on the client looks like this:

  set interfaces wireguard wg01 peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=' persistent-keepalive 15


Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

  vyos@vyos:~$ show interfaces wireguard
  Possible completions:
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

Wireguard parameters

In the completion output, '+' marks a node that accepts multiple values and '>' marks a node with sub-parameters; allowed-ips, endpoint and persistent-keepalive are sub-parameters of peer.

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
   +  allowed-ips  IP addresses allowed to traverse the peer
      endpoint     Remote endpoint
      persistent-keepalive
                   how often to send keepalives, in seconds