Wireguard

From VyOS Wiki
Revision as of 21:36, 19 August 2018 by Mrjones (talk | contribs)

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Getting started with Wireguard

This is under construction!

Each peer (client or server) needs its own private/public key pair. You can generate and view the keys from the operational-mode shell (vbash); prefix the commands with "run" if you are in configuration mode:

  generate wireguard keypair           - generates a new key pair; if one already exists, asks whether to overwrite it.
                                         The key pair is stored permanently under /config/auth/wireguard/
  show wireguard privkey               - shows the private key
  show wireguard pubkey                - shows the public key

planned:

  show wireguard status                - show status for all wg interfaces
  show wireguard status <wgN>          - status for a specific interface
  show wireguard status peer [peerkey] - status for a specific peer
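WireGuard identifies every peer by a Curve25519 key pair, so the two values shown by `show wireguard privkey` and `show wireguard pubkey` are mathematically bound to each other. The pure-Python code below is an added illustration of what `generate wireguard keypair` produces: clamping of 32 random bytes into a private key, derivation of the public key with X25519 as specified in RFC 7748, and the base64 encoding used in the CLI. It is not VyOS's implementation (use the real command on the router); the function names are this example's own, and the test vectors it checks against are the published RFC 7748 section 6.1 values.

```python
"""WireGuard-style key pair derivation in pure Python (added illustration, not VyOS code)."""
import base64
import secrets

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748
BASE_U = 9        # u-coordinate of the Curve25519 base point


def clamp(private):
    """RFC 7748 scalar clamping: turns any 32 random bytes into a valid private key."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def _cswap(swap, x, y):
    """Swap x and y iff swap == 1, without a data-dependent branch."""
    d = (-swap) & (x ^ y)
    return x ^ d, y ^ d


def x25519(private, u_bytes):
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte resulting u-coordinate."""
    k = int.from_bytes(clamp(private), "little")
    u = bytearray(u_bytes)
    u[31] &= 127                      # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64(raw):
    return base64.b64encode(raw).decode()


def public_key_bytes(private):
    """Public key = X25519(private, base point)."""
    return x25519(private, BASE_U.to_bytes(32, "little"))


def generate_keypair():
    """What `generate wireguard keypair` does conceptually: (private_b64, public_b64)."""
    private = clamp(secrets.token_bytes(32))
    return b64(private), b64(public_key_bytes(private))


def public_key(private_b64):
    """Re-derive the `show wireguard pubkey` value from the stored private key."""
    return b64(public_key_bytes(base64.b64decode(private_b64)))


def shared_secret(private_b64, peer_public_b64):
    """The X25519 agreement both peers compute in the handshake; it must match on both sides."""
    return x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))


if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("privkey:", priv)
    print("pubkey: ", pub, "(re-derived:", public_key(priv) == pub, ")")
```

Because the public key is a pure function of the private key, a peer entry only needs the other side's public key, while the private key never leaves the router. `shared_secret` shows the property the handshake relies on: both peers arrive at the same value, and a configuration that pairs the wrong public key with an address simply never completes a handshake.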



To set up a connection between a client and a server, create a WireGuard interface on each side (in this example it is called wg01):

On server:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey client 1> allowed-ips 10.0.0.0/24
  vyos@vyos# set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save


On client 1:

  vyos@vyos# configure
  vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
  vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
  vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
  vyos@vyos# set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
  vyos@vyos# commit
  vyos@vyos# save
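The two command sets above have to mirror each other: each side's address must fall inside the allowed-ips the other side lists under its public key (WireGuard's cryptokey routing silently drops packets from, or to, any address outside that list), the client's endpoint port must equal the server's listen-port, and every allowed-ips network needs an interface-route that actually sends traffic into wg01. The script below is an added example, not part of the VyOS page, that parses both command sets and reports such mismatches before you commit. The public keys in it are constructed placeholders, and the parser only understands the command forms used on this page.

```python
"""Consistency check for a VyOS WireGuard server/client command pair (added example)."""
import base64
import ipaddress
import re

# Constructed input: the page's two command sets, with placeholder public keys
# (any 32-byte base64 value; real ones come from `show wireguard pubkey`).
SERVER_PUBKEY = base64.b64encode(bytes(range(32))).decode()
CLIENT_PUBKEY = base64.b64encode(bytes(range(32, 64))).decode()

SERVER_CMDS = f"""
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer {CLIENT_PUBKEY} allowed-ips 10.0.0.0/24
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
"""

CLIENT_CMDS = f"""
set interfaces wireguard wg01 address '10.0.0.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer {SERVER_PUBKEY} allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer {SERVER_PUBKEY} endpoint '192.168.0.115:12345'
set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
"""

WG_RE = re.compile(r"^set interfaces wireguard (\S+) (\S+)(.*)$")
ROUTE_RE = re.compile(r"^set protocols static interface-route (\S+) next-hop-interface (\S+)$")


def parse(cmds, ifname="wg01"):
    """Collect one interface's address/listen-port/peers and the routes that point at it."""
    cfg = {"address": [], "peers": {}, "routes": []}
    for raw in cmds.strip().splitlines():
        line = raw.strip().replace("'", "").replace('"', "")   # quotes are optional in the CLI
        m = WG_RE.match(line)
        if m and m.group(1) == ifname:
            key, args = m.group(2), m.group(3).split()
            if key == "address":
                cfg["address"].append(args[0])
            elif key == "listen-port":
                cfg["listen-port"] = int(args[0])
            elif key == "peer":
                peer = cfg["peers"].setdefault(args[0], {"allowed-ips": []})
                if args[1] == "allowed-ips":
                    peer["allowed-ips"].append(args[2])
                elif args[1] == "endpoint":
                    peer["endpoint"] = args[2]
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(2) == ifname:
            cfg["routes"].append(ipaddress.ip_network(m.group(1), strict=False))
    return cfg


def valid_pubkey(key):
    """A WireGuard public key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def _one_way(src_name, src, src_pub, dst_name, dst):
    """Problems that stop dst from exchanging traffic with src."""
    out = []
    peer = dst["peers"].get(src_pub)
    if peer is None:
        return [f"{dst_name}: no peer entry for {src_name}'s public key"]
    allowed = [ipaddress.ip_network(n, strict=False) for n in peer["allowed-ips"]]
    for addr in src["address"]:
        ip = ipaddress.ip_interface(addr).ip
        if not any(ip in n for n in allowed):
            out.append(f"{dst_name}: {src_name}'s address {ip} is outside allowed-ips "
                       f"{peer['allowed-ips']}; cryptokey routing will drop its packets")
    for n in allowed:
        if not any(r.version == n.version and n.subnet_of(r) for r in dst["routes"]):
            out.append(f"{dst_name}: no interface-route covering allowed-ips {n} via the wg interface")
    ep = peer.get("endpoint")
    if ep and "listen-port" in src:
        port = int(ep.rpartition(":")[2])
        if port != src["listen-port"]:
            out.append(f"{dst_name}: endpoint port {port} != {src_name}'s listen-port {src['listen-port']}")
    return out


def check_pair(a_cmds, a_pub, b_cmds, b_pub, ifname="wg01"):
    """Return the list of problems found; an empty list means the two sides are consistent."""
    a, b = parse(a_cmds, ifname), parse(b_cmds, ifname)
    out = [f"{n}: public key is not 32 base64-encoded bytes"
           for n, k in (("A", a_pub), ("B", b_pub)) if not valid_pubkey(k)]
    out += _one_way("A", a, a_pub, "B", b)
    out += _one_way("B", b, b_pub, "A", a)
    return out


if __name__ == "__main__":
    problems = check_pair(SERVER_CMDS, SERVER_PUBKEY, CLIENT_CMDS, CLIENT_PUBKEY)
    for line in problems or ["OK: server and client configurations are consistent"]:
        print(line)
```

Run as-is it reports the page's configuration as consistent; change the client's allowed-ips to a network that does not contain 10.1.0.1 and it flags both the cryptokey-routing mismatch and the now-missing route. The route check accepts any covering route (a supernet or the exact prefix), since either gets packets into the interface.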



Wireguard commands and parameters

Wireguard commands

  vyos@vyos:~$ generate wireguard
  Possible completions:
    keypair       generate a wireguard keypair

  vyos@vyos:~$ show wireguard
  Possible completions:
    privkey       show wireguard private key
    pubkey        show wireguard public key

Wireguard parameters

Possible completions:
+  address      IPv4/IPv6 address and prefix length <x.x.x.x/x>/<h:h:h:h:h:h:h:h/x>
   description  description
   listen-port  Local port number to accept connections
+> peer         Base64 encoded public key
+  allowed-ips  IP addresses allowed to traverse the peer
   endpoint     Remote endpoint