Difference between revisions of "Wireguard"

From VyOS Wiki
(Created page with "= Wireguard = WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art [https://www.wireguard.com/protocol/ cryptography].<br> * [https://w...")
 
 
(12 intermediate revisions by 5 users not shown)
Latest revision as of 22:53, 22 June 2019

Warning: This page has been migrated to Readthedocs.
Information found on this page is in the process of being migrated to readthedocs: https://vyos.readthedocs.io/en/latest/vpn/wireguard.html


WireGuard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Getting started with WireGuard

Each client and server needs its own private/public key pair. You can generate and view them from the operational-mode shell (vbash); if you are in configuration mode, put "run" in front of the command:

  generate wireguard keypair           - generates a new keypair; if one already exists, it asks whether you want to overwrite it.
                                         The keypair is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

To view status of an interface:

 show interfaces wireguard <tab completion> [<enter>]
   allowed-ips   show all allowed-ips for the specified interface
   endpoints     show all endpoints for the specified interface
   peers         show all peer IDs for the specified interface

Tab completion lists the WireGuard interfaces configured on the system; if there is more than one, they are shown as a list to choose from.
If you just press enter without a sub-command, you get the full status of the interface. Example:

  vyos@vyos:~$ show interfaces wireguard wg01
  public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
  private key: (hidden)
  listening port: 12345


  vyos@vyos:~$ show interfaces wireguard peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg='
  allowed ips: 10.200.0.0/24

Sub-commands such as allowed-ips show each peer together with the allowed-ips configured for it. If you have multiple peers, they show up as a list:

  vyos@vyos:~$ show interfaces wireguard wg01 allowed-ips 
  kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24

An example of setting up a connection between a client and server

We need to create an interface for WireGuard; in this example it is called wg01. Note that the example sets the optional 'persistent-keepalive' parameter (the value is in seconds).

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 pubkey '<pubkey client1>'
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save

On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer SERVER pubkey '<pubkey server>'
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


WireGuard commands and parameters

WireGuard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

  vyos@vyos:~$ show interfaces wireguard
  Possible completions:
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

WireGuard parameters

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  Description
   port         Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint
   persistent-keepalive
                How often to send keep alives in seconds

WireGuard with OSPF

If you want to pass OSPF traffic over a WireGuard interface, note that you have to allow multicast traffic through it by adding allowed-ips '224.0.0.0/8' to the peer. An example configuration is below.

Warning: The protocol design of WireGuard requires that the 'allowed-ips' of different peers must not overlap on a single interface. To add another OSPF link to the server, you will need to create wg02 on a different port.

WireGuard Server

set interfaces wireguard wg01 address '10.55.55.1/30'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'n2o2yaesj31p'
set interfaces wireguard wg01 ip ospf dead-interval '30'
set interfaces wireguard wg01 ip ospf hello-interval '10'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '100'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive '15'
set interfaces wireguard wg01 peer CLIENT1 pubkey 'doUmjfR0xSHvVDs5bsfhUDcPQvOKdBBqEA2Iq5fw4zY='
set interfaces wireguard wg01 port '5555'
set protocols ospf area 0 authentication 'md5'
set protocols ospf area 0 network '10.55.55.0/24'
set protocols ospf default-information
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.55.55.1'
set protocols ospf redistribute static metric-type '2'

WireGuard Client

set interfaces wireguard wg01 address '10.55.55.2/30'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'n2o2yaesj31p'
set interfaces wireguard wg01 ip ospf dead-interval '30'
set interfaces wireguard wg01 ip ospf hello-interval '10'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '1'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer SERVER1 allowed-ips '10.0.0.0/8'
set interfaces wireguard wg01 peer SERVER1 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg01 peer SERVER1 endpoint 'XX.XX.XX.XX:5555'
set interfaces wireguard wg01 peer SERVER1 persistent-keepalive '15'
set interfaces wireguard wg01 peer SERVER1 pubkey 'NP2LbrzjwD6U1IqTC7daVaf1XBEmKCv4cRMy7Medj2w='
set interfaces wireguard wg01 port '5555'
set protocols ospf area 0 authentication 'md5'
set protocols ospf area 0 network '10.55.55.0/24'
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.55.55.2'
set protocols ospf redistribute connected metric-type '2'
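The two OSPF requirements above (every peer needs 224.0.0.0/8 in its allowed-ips, and allowed-ips must not overlap between peers on one interface) are easy to break when a second peer is added later. The following is an added example, not part of the VyOS wiki or the VyOS code base, that checks both rules over a saved set of "set interfaces wireguard ..." lines; the sample input is constructed from the CLIENT1 lines of the server configuration above plus a hypothetical CLIENT2 on wg01 and a hypothetical CLIENT3 on wg02.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: CLIENT1 comes from the server configuration on this page;
# CLIENT2 (overlapping allowed-ips on wg01) and CLIENT3 (no multicast range on
# wg02) are hypothetical peers added to trigger both checks.
SAMPLE_CONFIG = """
set interfaces wireguard wg01 address '10.55.55.1/30'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive '15'
set interfaces wireguard wg01 port '5555'
set interfaces wireguard wg01 peer CLIENT2 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer CLIENT2 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg02 peer CLIENT3 allowed-ips '10.0.0.0/8'
"""

# Matches only the allowed-ips leaf of a VyOS WireGuard peer; other lines are ignored.
_ALLOWED_IPS = re.compile(r"^set interfaces wireguard (\S+) peer (\S+) allowed-ips '([^']+)'$")


def parse_allowed_ips(config):
    """Return {interface: {peer: [ip_network, ...]}} from VyOS 'set' lines."""
    table = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = _ALLOWED_IPS.match(line.strip())
        if m:
            iface, peer, prefix = m.groups()
            table[iface][peer].append(ipaddress.ip_network(prefix, strict=False))
    return table


def find_overlaps(config):
    """List (iface, peer_a, net_a, peer_b, net_b) for every allowed-ips pair that
    overlaps between two different peers on the same interface. WireGuard maps each
    destination prefix to exactly one peer, so an overlap means one peer silently
    loses that route."""
    hits = []
    for iface, peers in parse_allowed_ips(config).items():
        for (pa, nets_a), (pb, nets_b) in combinations(sorted(peers.items()), 2):
            for na in nets_a:
                for nb in nets_b:
                    if na.version == nb.version and na.overlaps(nb):
                        hits.append((iface, pa, str(na), pb, str(nb)))
    return hits


def peers_without_multicast(config, group="224.0.0.0/8"):
    """Peers whose allowed-ips do not cover the OSPF multicast range; WireGuard's
    cryptokey routing drops hellos from such a peer, so no adjacency forms."""
    mcast = ipaddress.ip_network(group)
    missing = []
    for iface, peers in parse_allowed_ips(config).items():
        for peer, nets in peers.items():
            if not any(n.version == 4 and mcast.subnet_of(n) for n in nets):
                missing.append((iface, peer))
    return sorted(missing)


if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE_CONFIG):
        print("overlap on %s: %s %s <-> %s %s" % hit)
    for iface, peer in peers_without_multicast(SAMPLE_CONFIG):
        print(f"{iface} peer {peer}: 224.0.0.0/8 missing from allowed-ips, OSPF will not form")
```

Feed it the output of "show configuration commands | match wireguard" to check a live box before committing a new peer.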