vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Style changes to wireguard documentation

Browse Source
This commit is contained in:
Ricky Pai 2021-04-04 17:41:15 -07:00 committed by GitHub
parent 42efe273dc
commit 4d92dd0a7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
docs/configuration/interfaces/wireguard.rst
View File

@ -11,9 +11,9 @@ information.
Configuration Configuration
============= =============
WireGuard requires the generation of a keypair, a private key which will WireGuard requires the generation of a keypair, which includes a private
decrypt incoming traffic and a public key, which the peer(s) will use to key to decrypt incoming traffic, and a public key for peer(s) to encrypt
encrypt traffic. traffic.
Generate keypair Generate keypair
---------------- ----------------
@ -26,8 +26,8 @@ Generate keypair
.. opcmd:: show wireguard keypairs pubkey default .. opcmd:: show wireguard keypairs pubkey default
It shows the public key which needs to be shared with your peer(s). Your It shows the public key to be shared with your peer(s). Your peer will
peer will encrypt all traffic to your system using this public key. encrypt all traffic to your system using this public key.
.. code-block:: none .. code-block:: none
@ -38,12 +38,11 @@ Generate keypair
Generate named keypair Generate named keypair
---------------------- ----------------------
Named keypairs can be used on a interface basis, if configured. If Named keypairs can be used on a interface basis when configured. If
multiple WireGuard interfaces are being configured, each can have their multiple WireGuard interfaces are being configured, each can have their
own keypairs. own keypairs.
The commands below will generate 2 keypairs, which are not related to The commands below generates 2 keypairs unrelated to each other.
each other.
.. code-block:: none .. code-block:: none
@ -56,11 +55,11 @@ Interface configuration
The next step is to configure your local side as well as the policy The next step is to configure your local side as well as the policy
based trusted destination addresses. If you only initiate a connection, based trusted destination addresses. If you only initiate a connection,
the listen port and address/port is optional, if you however act as a server the listen port and address/port is optional; however, if you act as a
and endpoints initiate the connections to your system, you need to server and endpoints initiate the connections to your system, you need to
define a port your clients can connect to, otherwise it's randomly define a port your clients can connect to, otherwise the port is randomly
chosen and may make it difficult with firewall rules, since the port may chosen and may make connection difficult with firewall rules, since the port
be a different one when you reboot your system. may be different each time the system is rebooted.
You will also need the public key of your peer as well as the network(s) You will also need the public key of your peer as well as the network(s)
you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
@ -82,7 +81,7 @@ one.
The last step is to define an interface route for 10.2.0.0/24 to get The last step is to define an interface route for 10.2.0.0/24 to get
through the WireGuard interface `wg01`. Multiple IPs or networks can be through the WireGuard interface `wg01`. Multiple IPs or networks can be
defined and routed, the last check is allowed-ips which either prevents defined and routed. The last check is allowed-ips which either prevents
or allows the traffic. or allows the traffic.
.. note:: You can not assign the same allowed-ips statement to multiple .. note:: You can not assign the same allowed-ips statement to multiple
@ -116,7 +115,7 @@ the public key, which needs to be shared with the peer.
set protocols static route 10.1.0.0/24 interface wg01 set protocols static route 10.1.0.0/24 interface wg01
Assure that your firewall rules allow the traffic, in which case you Assure that your firewall rules allow the traffic, in which case you
have a working VPN using WireGuard have a working VPN using WireGuard.
.. code-block:: none .. code-block:: none
@ -131,16 +130,16 @@ have a working VPN using WireGuard
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
An additional layer of symmetric-key crypto can be used on top of the An additional layer of symmetric-key crypto can be used on top of the
asymmetric crypto, which is optional. asymmetric crypto. This is optional.
.. code-block:: none .. code-block:: none
wg01# run generate wireguard preshared-key wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
Copy the key, as it is not stored on the local file system. Make sure Copy the key, as it is not stored on the local filesystem. Because it
you distribute that key in a safe manner, it's a symmetric key, so only is a symmetric key, only you and your peer should have knowledge of
you and your peer should have knowledge of its content. its content. Make sure you distribute the key in a safe manner,
.. code-block:: none .. code-block:: none
@ -154,7 +153,7 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements. VPN. It just lacks the ``address`` and ``port`` statements.
In the following example, the IPs for the remote clients are defined in In the following example, the IPs for the remote clients are defined in
the peers. This would allow the peers to interact with one another. the peers. This allows the peers to interact with one another.
.. code-block:: none .. code-block:: none