WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.
WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
Initially released for the Linux kernel, it is now cross-platform and widely deployable.
It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Getting started with WireGuard
This is under construction!
Each client/server needs a private and public key pair. You can view or generate them from the operational-mode shell (vbash); prefix the command with "run" if you are in configuration mode:

generate wireguard keypair - generates a new keypair; if one exists already, it asks whether you want to overwrite the existing one. The keypair is stored permanently under /config/auth/wireguard/
show wireguard privkey - shows the private key
show wireguard pubkey - shows the public key
show wireguard status - shows the status of all wg interfaces
show wireguard status <wgN> - status of a specific interface
show wireguard status peer [peerkey] - status of a specific peer
Setting up a connection between a client and a server. We need to create an interface for WireGuard (in this example we call it wg01). On the server:

vyos@vyos# configure
vyos@vyos# set interfaces wireguard wg01 address '10.1.0.1/24'
vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
vyos@vyos# set interfaces wireguard wg01 peer <pubkey client 1> allowed-ips 10.0.0.0/24
vyos@vyos# set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
vyos@vyos# commit
vyos@vyos# save
On client 1:
vyos@vyos# configure
vyos@vyos# set interfaces wireguard wg01 address '10.0.0.1/24'
vyos@vyos# set interfaces wireguard wg01 listen-port '12345'
vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
vyos@vyos# set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
vyos@vyos# set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
vyos@vyos# commit
vyos@vyos# save
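The server and client configurations above are mirror images of each other: each side's allowed-ips is the other side's tunnel subnet, and only the dialing side sets an endpoint. The following script, an added example that is not part of the VyOS wiki or the VyOS code base, emits those "set" commands for both sides from a few variables and first checks that each peer key has the shape of a WireGuard public key (32 bytes, base64). The two keys it uses are constructed placeholders with the right shape only.

```sh
#!/bin/sh
# Added example, not from the VyOS wiki: build the VyOS "set" commands for a
# WireGuard site from a few variables and check each peer key first.
# Assumes the syntax shown on this page; the keys below are constructed
# placeholders that only have the right shape, not real WireGuard keys.

# A WireGuard public key is 32 raw bytes in base64: 44 characters, of which
# the 43rd carries only 4 data bits (so it comes from a 16-char subset) and
# the 44th is a single '='. This rejects truncated or hand-edited keys.
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Interface-level commands: interface name, tunnel address, listen port.
wg_iface_cmds() {
    printf "set interfaces wireguard %s address '%s'\n" "$1" "$2"
    printf "set interfaces wireguard %s listen-port '%s'\n" "$1" "$3"
}

# Peer commands: interface, peer public key, allowed-ips, optional endpoint.
# allowed-ips is WireGuard's cryptokey routing table, so it doubles as an
# ACL: only packets from/to these prefixes are accepted from/sent to this
# peer. Keep it to the peer's own tunnel subnet, and add the matching route.
wg_peer_cmds() {
    iface=$1 key=$2 allowed=$3 endpoint=$4
    if ! wg_key_valid "$key"; then
        echo "refusing peer with malformed public key: $key" >&2
        return 1
    fi
    printf "set interfaces wireguard %s peer %s allowed-ips '%s'\n" "$iface" "$key" "$allowed"
    if [ -n "$endpoint" ]; then
        printf "set interfaces wireguard %s peer %s endpoint '%s'\n" "$iface" "$key" "$endpoint"
    fi
    printf "set protocols static interface-route %s next-hop-interface %s\n" "$allowed" "$iface"
}

# Constructed placeholder keys (correct shape only, not real keys).
SERVER_KEY='ServerPubKeyPlaceholder0000000000000000000A='
CLIENT_KEY='ClientPubKeyPlaceholder0000000000000000000A='

# Server side: no endpoint for the client, because the client dials in.
wg_iface_cmds wg01 10.1.0.1/24 12345
wg_peer_cmds wg01 "$CLIENT_KEY" 10.0.0.0/24
echo commit; echo save
# Client side: the mirror image, plus the server's endpoint.
wg_iface_cmds wg01 10.0.0.1/24 12345
wg_peer_cmds wg01 "$SERVER_KEY" 10.1.0.0/24 192.168.0.115:12345
echo commit; echo save
```

Paste the printed lines into configure mode on the respective box, then commit and save as shown above.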
WireGuard commands and parameters

vyos@vyos:~$ generate wireguard
Possible completions:
  keypair        generate a wireguard keypair

vyos@vyos:~$ show wireguard
Possible completions:
  privkey        show wireguard private key
  pubkey         show wireguard public key

Possible completions:
+  address       IPv4/IPv6 address and prefix length <x.x.x.x/x>/<h:h:h:h:h:h:h:h/x>
   description   description
   listen-port   Local port number to accept connections
+> peer          Base64 encoded public key
   +  allowed-ips   IP addresses allowed to traverse the peer
      endpoint      Remote endpoint