Wireguard

From VyOS Wiki
Revision as of 17:02, 19 August 2018 by Mrjones (talk | contribs) (Created page with "= Wireguard = WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art [https://www.wireguard.com/protocol/ cryptography].<br> * [https://w...")

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Getting started with Wireguard

This is under construction!

Each host needs a private/public key pair, which you can generate with these commands:
 wg genkey   (generates a private key)
 wg pubkey   (derives the public key from the private key; for example: wg pubkey < privatekey, where privatekey is a file holding the private key)

For extra security you can also use a pre-shared key, which can be generated with this command:
 wg genpsk   (optional; the same pre-shared key must be configured on both hosts)

We need to create an interface for WireGuard (in this example we call it wg0):
 set interfaces wireguard wg0

On host 1:

 configure
 set interfaces wireguard wg0 address 10.2.2.1/24
 set interfaces wireguard wg0 description wg02-test
 set interfaces wireguard wg0 listen-port 51820
 set interfaces wireguard wg0 peer <public key of host 2> allowed-ips 10.1.1.0/24
 set interfaces wireguard wg0 peer <public key of host 2> endpoint 216.33.14.41:51820
 set protocols static interface-route 10.1.1.0/24 next-hop-interface wg0
 commit
 save

Meaning of the parameters:
 address: the IPv4/IPv6 address of this host on the tunnel, including the CIDR prefix length.
 description: optional.
 listen-port: the UDP port to listen on. Optional, but at least one of the two hosts must set it so the other knows which port to connect to.
 peer ... allowed-ips: the IP range (CIDR) that should pass through the wg0 interface for this peer.
 peer ... endpoint: the address and port of the other host. Optional, but at least one host must set it so it can find the other.


On host 2:

 configure
 set interfaces wireguard wg0 address 10.1.1.1/24
 set interfaces wireguard wg0 description wg01-test
 set interfaces wireguard wg0 listen-port 51820
 set interfaces wireguard wg0 peer <public key of host 1> allowed-ips 10.2.2.0/24
 set interfaces wireguard wg0 peer <public key of host 1> endpoint 96.24.215.191:51820
 set protocols static interface-route 10.2.2.0/24 next-hop-interface wg0
 commit
 save

The parameters mean the same as on host 1; only the tunnel address, the peer's public key, the allowed-ips range and the endpoint are swapped to point at the other side.
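The `allowed-ips` line in both configurations does more than pick which traffic goes into the tunnel. In WireGuard this list is the cryptokey routing table: outbound, a packet is encrypted for the peer whose allowed-ips contains the destination (longest prefix wins); inbound, a packet that decrypted under a peer's key is dropped unless its source address lies inside that peer's allowed-ips, so a peer cannot inject traffic claiming another address. The following added example (not VyOS or WireGuard code) models that behaviour from host 1's point of view using the addresses above; the peer names and the extra peer added in the usage are constructed for the example.

```python
"""Model of WireGuard cryptokey routing as configured with allowed-ips (added example)."""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRoutingTable:
    """Maps peers to their allowed-ips and applies both directions of the check."""

    def __init__(self) -> None:
        self._peers: Dict[str, List[Network]] = {}

    def add_peer(self, name: str, allowed_ips: List[str]) -> None:
        # strict=False lets a host address such as 10.1.1.1/24 stand in for its network
        self._peers[name] = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer a packet to dst is encrypted for (longest prefix match); None = not tunnelled."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self._peers.items():
            for net in nets:
                if addr.version == net.version and addr in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accept_inbound(self, peer: str, src: str) -> bool:
        """True only if a packet authenticated as `peer` carries a source inside its allowed-ips."""
        addr = ipaddress.ip_address(src)
        return any(addr.version == net.version and addr in net
                   for net in self._peers.get(peer, []))


def host1_table() -> CryptokeyRoutingTable:
    """Host 1's view from the configuration on this page: one peer, host 2, allowed 10.1.1.0/24."""
    table = CryptokeyRoutingTable()
    table.add_peer("host2", ["10.1.1.0/24"])   # peer name is a constructed label
    return table


if __name__ == "__main__":
    t = host1_table()
    print("10.1.1.5  ->", t.outbound_peer("10.1.1.5"))        # host2
    print("8.8.8.8   ->", t.outbound_peer("8.8.8.8"))         # None: not sent through wg0
    print("from host2, src 10.1.1.7  :", t.accept_inbound("host2", "10.1.1.7"))    # True
    print("from host2, src 10.2.2.99 :", t.accept_inbound("host2", "10.2.2.99"))   # False
```

The inbound check is the part operators most often overlook: a peer configured with `allowed-ips 10.1.1.0/24` can only ever deliver packets sourced from that range, whatever it puts on the wire. Conversely, giving a peer `0.0.0.0/0` makes it the default route for everything and accepts any source from it, which is what a road-warrior client wants and a site-to-site link usually does not.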



Wireguard parameters

Possible completions:
 + address
   description
   listen-port
 +> peer
      + allowed-ips
        endpoint
        preshared-key (not implemented yet)
        private-key
        public-key