Difference between revisions of "Wireguard"

From VyOS Wiki
(An example on setting up a connection between a client and server.)
 
(5 intermediate revisions by 3 users not shown)

Latest revision as of 22:53, 22 June 2019

Warning: This page has been migrated to Readthedocs.
The information on this page is in the process of being migrated to readthedocs: https://vyos.readthedocs.io/en/latest/vpn/wireguard.html


WireGuard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Getting started with WireGuard

Each client and server needs its own private/public key pair. You can generate and view the keys from the vbash operational mode (prefix the command with "run" if you are in configuration mode):

  generate wireguard keypair   - generates a new keypair; if one already exists it asks
                                 whether you want to overwrite it. The keypair is stored
                                 permanently under /config/auth/wireguard/
  show wireguard privkey       - shows the private key
  show wireguard pubkey        - shows the public key

To view status of an interface:

  show interfaces wireguard <tab completion> [<enter>]
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

The tab completion lists the WireGuard interfaces configured on the system; if there is more than one, you can choose from the list.
If you just press Enter you get the full statistics for the interface. Example:

  vyos@vyos:~$ show interfaces wireguard wg01
  public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
  private key: (hidden)
  listening port: 12345


  vyos@vyos:~$ show interfaces wireguard peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg='
  allowed ips: 10.200.0.0/24

Sub-commands such as allowed-ips show each peer together with the allowed-ips configured for it. If you have multiple peers, they are listed one per line:

  vyos@vyos:~$ show interfaces wireguard wg01 allowed-ips 
  kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24

An example of setting up a connection between a client and server.

We need to create an interface for WireGuard; in this example we call it wg01. Note that the example also sets the optional 'persistent-keepalive' parameter (the value is in seconds).

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer CLIENT1 pubkey '<pubkey client1>'
  vyos@vyos# set protocols static interface-route '10.0.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save

On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER endpoint '192.168.0.115:12345'
  vyos@vyos# set interfaces wireguard wg01 peer SERVER persistent-keepalive 15
  vyos@vyos# set interfaces wireguard wg01 peer SERVER pubkey '<pubkey server>'
  vyos@vyos# set protocols static interface-route '10.1.0.0/24' next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


WireGuard commands and parameters

WireGuard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

  vyos@vyos:~$ show interfaces wireguard
  Possible completions:
    allowed-ips   show all allowed-ips for the specified interface
    endpoints     show all endpoints for the specified interface
    peers         show all peer IDs for the specified interface

WireGuard parameters

Possible completions:
+  address      IPv4/IPv6 address and prefix length '<x.x.x.x/x>'/'<h:h:h:h:h:h:h:h/x>'
   description  Description
   port         Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint
   persistent-keepalive
                How often to send keep alives in seconds

WireGuard with OSPF

If you want to pass OSPF traffic over a WireGuard interface, note that you have to allow multicast traffic through it by adding allowed-ips '224.0.0.0/8' to the peer. An example configuration is below.

Warning: The protocol design of WireGuard requires that 'allowed-ips' must not overlap on a single interface. To add another OSPF link to the server, you will need to create wg02 on a different port.
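The following is an added example, not code from the VyOS wiki or from VyOS itself. It models, with only the Python standard library, the two constraints this page states for a WireGuard interface (a peer's pubkey is a base64-encoded key, 32 bytes for WireGuard, and allowed-ips must not overlap between peers on one interface), and then shows what allowed-ips does once the interface is up: it picks the peer for outbound traffic and filters the source address of decrypted inbound traffic. The CLIENT1 peer is taken from the server configuration below; CLIENT2 and its key are constructed placeholders that illustrate the forbidden overlap.

```python
"""Pre-commit sanity checks for a VyOS-style WireGuard interface (added example).

Not VyOS code: the checks mirror the constraints stated on the wiki page, and
select_peer/accept_inbound model WireGuard's cryptokey routing in a few lines.
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    """One 'set interfaces wireguard wgNN peer NAME ...' block."""
    name: str
    pubkey: str
    allowed_ips: List[str]
    endpoint: Optional[str] = None               # 'host:port', set on the side that dials out
    persistent_keepalive: Optional[int] = None   # seconds, optional


def valid_pubkey(key: str) -> bool:
    """True if key is strict base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def valid_endpoint(endpoint: str) -> bool:
    """Accept 'host:port' (an IPv6 host would be bracketed) with a port in 1..65535."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        return False
    return 1 <= int(port) <= 65535


def validate_interface(peers: List[Peer]) -> List[str]:
    """Return a list of problems; an empty list means the peer set is consistent."""
    problems = []
    seen = []  # (network, owning peer name) for every allowed-ips accepted so far
    for p in peers:
        if not valid_pubkey(p.pubkey):
            problems.append(f"{p.name}: pubkey {p.pubkey!r} is not a base64 32-byte key")
        if p.endpoint is not None and not valid_endpoint(p.endpoint):
            problems.append(f"{p.name}: endpoint {p.endpoint!r} is not host:port")
        if p.persistent_keepalive is not None and p.persistent_keepalive <= 0:
            problems.append(f"{p.name}: persistent-keepalive must be a positive number of seconds")
        for cidr in p.allowed_ips:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{p.name}: allowed-ips {cidr!r} is not a valid prefix")
                continue
            for other, owner in seen:
                # Different address families never overlap; the same peer may list
                # redundant prefixes, the page's rule is about two peers on one interface.
                if owner != p.name and other.version == net.version and net.overlaps(other):
                    problems.append(f"{p.name}: allowed-ips {net} overlaps {other} on peer {owner}")
            seen.append((net, p.name))
    return problems


def select_peer(peers: List[Peer], dst: str) -> Optional[str]:
    """Outbound side: the peer whose allowed-ips prefix matches dst most specifically,
    or None when no peer claims the address (the packet cannot leave the tunnel)."""
    addr = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for p in peers:
        for cidr in p.allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = p.name, net.prefixlen
    return best_name


def accept_inbound(peer: Peer, src: str) -> bool:
    """Inbound side: a decrypted packet from peer is kept only if its source address
    lies inside that peer's allowed-ips; anything else is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in peer.allowed_ips)


# Peer CLIENT1 exactly as the server configuration on this page defines it.
CLIENT1 = Peer("CLIENT1", "doUmjfR0xSHvVDs5bsfhUDcPQvOKdBBqEA2Iq5fw4zY=",
               ["10.0.0.0/8", "224.0.0.0/8"], persistent_keepalive=15)
SERVER_PEERS = [CLIENT1]

# Constructed second OSPF peer. Its key is a placeholder built from bytes 0..31 (not a
# real key); its multicast allowed-ips collides with CLIENT1, the case the warning forbids.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()
CLIENT2 = Peer("CLIENT2", PLACEHOLDER_KEY, ["172.16.0.0/12", "224.0.0.0/8"])


if __name__ == "__main__":
    print("wg01 with CLIENT1 only:", validate_interface(SERVER_PEERS) or "ok")
    print("wg01 with CLIENT2 added:", validate_interface(SERVER_PEERS + [CLIENT2]))
    print("10.0.0.7 is sent to peer:", select_peer(SERVER_PEERS, "10.0.0.7"))
    print("inbound 192.0.2.1 via CLIENT1 accepted:", accept_inbound(CLIENT1, "192.0.2.1"))
```

Running the script reports the 224.0.0.0/8 collision for CLIENT2, which is why the page tells you to put a second OSPF neighbour on its own wg02 interface and port. The inbound check is the reason allowed-ips is a security control and not only a route: a peer can only inject traffic whose source address falls in its allowed-ips, so keeping each peer's prefixes as narrow as the deployment permits limits what a compromised peer key can do.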

WireGuard Server

set interfaces wireguard wg01 address '10.55.55.1/30'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'n2o2yaesj31p'
set interfaces wireguard wg01 ip ospf dead-interval '30'
set interfaces wireguard wg01 ip ospf hello-interval '10'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '100'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '10.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive '15'
set interfaces wireguard wg01 peer CLIENT1 pubkey 'doUmjfR0xSHvVDs5bsfhUDcPQvOKdBBqEA2Iq5fw4zY='
set interfaces wireguard wg01 port '5555'
set protocols ospf area 0 authentication 'md5'
set protocols ospf area 0 network '10.55.55.0/24'
set protocols ospf default-information
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.55.55.1'
set protocols ospf redistribute static metric-type '2'

WireGuard Client

set interfaces wireguard wg01 address '10.55.55.2/30'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'n2o2yaesj31p'
set interfaces wireguard wg01 ip ospf dead-interval '30'
set interfaces wireguard wg01 ip ospf hello-interval '10'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '1'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer SERVER1 allowed-ips '10.0.0.0/8'
set interfaces wireguard wg01 peer SERVER1 allowed-ips '224.0.0.0/8'
set interfaces wireguard wg01 peer SERVER1 endpoint 'XX.XX.XX.XX:5555'
set interfaces wireguard wg01 peer SERVER1 persistent-keepalive '15'
set interfaces wireguard wg01 peer SERVER1 pubkey 'NP2LbrzjwD6U1IqTC7daVaf1XBEmKCv4cRMy7Medj2w='
set interfaces wireguard wg01 port '5555'
set protocols ospf area 0 authentication 'md5'
set protocols ospf area 0 network '10.55.55.0/24'
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.55.55.2'
set protocols ospf redistribute connected metric-type '2'