Difference between revisions of "Wireguard"

From VyOS Wiki
Revision as of 18:13, 2 October 2018

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Getting started with Wireguard

Each client and server needs a private/public key pair. You can view or generate them from the vbash (prefix the command with "run" if you are in configuration mode):

  generate wireguard keypair           - generates a new keypair; if one already exists it asks whether you want to overwrite it.
                                         The keypair is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

To view status of an interface:

 show interfaces wireguard <tab completion> [<enter>]
   allowed-ips   show all allowed-ips for the specified interface
   endpoints     show all endpoints for the specified interface
   peers         show all peer IDs for the specified interface

The tab completion shows you the interfaces which are set up on the system; if you have more than one, it shows them as a list you can choose from.
If you just hit enter you get the full statistics for the interface. Example:

  vyos@vyos:~$ show interfaces wireguard wg01
  public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
  private key: (hidden)
  listening port: 12345


  vyos@vyos:~$ show interfaces wireguard peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg='
  allowed ips: 10.200.0.0/24

Sub commands like allowed-ips show each peer together with the allowed-ips configured for it. If you have multiple peers, they show up as a list:

  vyos@vyos:~$ show interfaces wireguard wg01 allowed-ips 
  kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24

An example on setting up a connection between a client and server.

We need to create an interface for Wireguard; in this example we call it wg01. Notice that in the example the 'persistent-keepalive' parameter is set (the value is in seconds); it is optional.

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey client 1>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save

On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer '<pubkey server>' persistent-keepalive 15
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


The '<pubkey server>' placeholder above stands for the peer's actual Base64 public key, so the keepalive line becomes, for example:

  set interfaces wireguard wg01 peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=' persistent-keepalive 15
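As an added example (not code from the VyOS wiki or the VyOS project), a small Python helper that checks keys from the key-generation section are well-formed 32-byte Base64 values, flags peers whose allowed-ips overlap (WireGuard routes outbound traffic by allowed-ips, so an overlap means one peer silently wins), and renders the per-peer `set interfaces wireguard` lines of the client/server setup above. The inventory, the second key and its prefix are constructed; the first key is the one shown on this page.

```python
import base64
import ipaddress

# Constructed inventory for this example. client1's key is the one shown on the
# page; client2's key and endpoint are made up for illustration.
PEERS = {
    "client1": {"pubkey": "kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=",
                "allowed-ips": ["10.0.0.0/24"], "persistent-keepalive": 15},
    "client2": {"pubkey": base64.b64encode(bytes(range(32))).decode(),
                "allowed-ips": ["10.0.1.0/24"], "endpoint": "192.168.0.116:12345"},
}


def valid_wg_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes, Base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def overlapping_allowed_ips(peers: dict) -> list:
    """Return (peer_a, peer_b, net_a, net_b) for every pair of peers whose
    allowed-ips overlap; with cryptokey routing only one of them would get
    the traffic for the shared range."""
    nets = [(name, ipaddress.ip_network(n))
            for name, p in peers.items() for n in p["allowed-ips"]]
    return [(a, b, str(na), str(nb))
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:]
            if a != b and na.overlaps(nb)]


def vyos_peer_commands(iface: str, peers: dict) -> list:
    """Render the per-peer 'set interfaces wireguard' lines used on this page,
    refusing malformed keys and overlapping allowed-ips before they reach the CLI."""
    clashes = overlapping_allowed_ips(peers)
    if clashes:
        raise ValueError(f"overlapping allowed-ips: {clashes}")
    cmds = []
    for name, p in peers.items():
        if not valid_wg_key(p["pubkey"]):
            raise ValueError(f"{name}: pubkey is not a 32-byte Base64 WireGuard key")
        base = f"set interfaces wireguard {iface} peer '{p['pubkey']}'"
        cmds += [f"{base} allowed-ips '{net}'" for net in p["allowed-ips"]]
        if "endpoint" in p:
            cmds.append(f"{base} endpoint '{p['endpoint']}'")
        if "persistent-keepalive" in p:
            cmds.append(f"{base} persistent-keepalive {p['persistent-keepalive']}")
    return cmds


if __name__ == "__main__":
    print("\n".join(vyos_peer_commands("wg01", PEERS)))
```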


Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

  vyos@vyos:~$ show interfaces wireguard
  Possible completions:
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

Wireguard parameters

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint
   persistent-keepalive
                 how often send keep alives in seconds