Merge pull request #575 from usman-umer/equuleus

updated wireguard docs for equuleus branch
Robert Göhler 2021-07-21 20:43:52 +02:00 committed by GitHub
commit 4f892a94ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 105 additions and 38 deletions

@ -1,7 +1,5 @@
.. _wireguard: .. _wireguard:
.. include:: /_include/need_improvement.txt
######### #########
WireGuard WireGuard
######### #########
@ -10,10 +8,24 @@ WireGuard is an extremely simple yet fast and modern VPN that utilizes
state-of-the-art cryptography. See https://www.wireguard.com for more state-of-the-art cryptography. See https://www.wireguard.com for more
information. information.
****************
Site to Site VPN
****************
This diagram corresponds with the example site to site configuration below.
.. figure:: /_static/images/wireguard_site2site_diagram.jpg
************* *************
Configuration Configuration
************* *************
********
Keypairs
********
WireGuard requires the generation of a keypair, which includes a private WireGuard requires the generation of a keypair, which includes a private
key to decrypt incoming traffic, and a public key for peer(s) to encrypt key to decrypt incoming traffic, and a public key for peer(s) to encrypt
traffic. traffic.
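Review bot: the new "Keypairs" title uses the same asterisk overline and underline as "Configuration" directly above it, so "Configuration" is left as an empty section and "Keypairs" becomes its sibling rather than its subsection. If keypairs are meant to sit under configuration, give "Keypairs" a lower-level adornment; otherwise drop the now-empty "Configuration" heading. The added figure directive also carries no :alt: text for the diagram.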
@ -55,8 +67,9 @@ own keypairs.
vyos@vyos:~$ generate wireguard named-keypairs KP02 vyos@vyos:~$ generate wireguard named-keypairs KP02
***********************
Interface configuration Interface configuration
======================= ***********************
The next step is to configure your local side as well as the policy The next step is to configure your local side as well as the policy
based trusted destination addresses. If you only initiate a connection, based trusted destination addresses. If you only initiate a connection,
@ -71,18 +84,31 @@ you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
public key below is always the public key from your peer, not your local public key below is always the public key from your peer, not your local
one. one.
**local side** **local side - commands**
.. code-block:: none .. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/24' set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02' set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24' set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142' set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
set interfaces wireguard wg01 peer to-wg02 port '12345' set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=' set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
set interfaces wireguard wg01 port '12345' set interfaces wireguard wg01 port '51820'
set protocols static route 10.2.0.0/24 interface wg01 set protocols static route 192.168.2.0/24 interface wg01
**local side - annotated commands**
.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/30' # Address of the wg01 tunnel interface.
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' # Subnets that are allowed to travel over the tunnel
set interfaces wireguard wg01 peer to-wg02 address '<Site2 Pub IP>' # Public IP of the peer
set interfaces wireguard wg01 peer to-wg02 port '58120' # Port of the Peer
set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public Key of the Peer
set interfaces wireguard wg01 port '51820' # Port of own server
set protocols static route 192.168.2.0/24 interface wg01 # Static route to remote subnet
The last step is to define an interface route for 10.2.0.0/24 to get The last step is to define an interface route for 10.2.0.0/24 to get
through the WireGuard interface `wg01`. Multiple IPs or networks can be through the WireGuard interface `wg01`. Multiple IPs or networks can be
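Review bot: the two new local-side blocks disagree with each other, so a reader cannot tell which values are right. The plain block sets the peer address to '<Site1 Pub IP>' while the annotated block uses '<Site2 Pub IP>' for the same command; on the local side the peer is the remote site, so the plain block should also read '<Site2 Pub IP>'. The annotated block also gives the peer port as '58120' where the plain block has '51820', which looks like a transposed digit. Finally, the unchanged sentence after the block still says "define an interface route for 10.2.0.0/24", but the route in this hunk is now 192.168.2.0/24; please update the prose to match.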
@ -90,7 +116,7 @@ defined and routed. The last check is allowed-ips which either prevents
or allows the traffic. or allows the traffic.
.. note:: You can not assign the same allowed-ips statement to multiple .. note:: You can not assign the same allowed-ips statement to multiple
WireGuard peers. This a a design decission. For more information please WireGuard peers. This a a design decision. For more information please
check the `WireGuard mailing list`_. check the `WireGuard mailing list`_.
.. cfgcmd:: set interfaces wireguard <interface> private-key <name> .. cfgcmd:: set interfaces wireguard <interface> private-key <name>
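Review bot: the note still reads "This a a design decision" after the spelling fix to "decision"; since the line is being touched anyway, change it to "This is a design decision".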
@ -106,33 +132,70 @@ or allows the traffic.
public key, which needs to be shared with the peer. public key, which needs to be shared with the peer.
**remote side** **remote side - commands**
.. code-block:: none .. code-block:: none
set interfaces wireguard wg01 address '10.2.0.1/24' set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg01' set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24' set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124' set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'
set interfaces wireguard wg01 peer to-wg02 port '12345' set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=' set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
set interfaces wireguard wg01 port '12345' set interfaces wireguard wg01 port '51820'
set protocols static route 10.1.0.0/24 interface wg01 set protocols static route 192.168.1.0/24 interface wg01
Assure that your firewall rules allow the traffic, in which case you **remote side - annotated commands**
have a working VPN using WireGuard.
.. code-block:: none .. code-block:: none
wg01# ping 10.2.0.1 set interfaces wireguard wg01 address '10.1.0.2/30' # Address of the wg01 tunnel interface.
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. set interfaces wireguard wg01 description 'VPN-to-wg01'
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24' # Subnets that are allowed to travel over the tunnel
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms set interfaces wireguard wg01 peer to-wg02 address 'Site1 Pub IP' # Public IP address of the Peer
set interfaces wireguard wg01 peer to-wg02 port '51820' # Port of the Peer
set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>' # Public key of the Peer
set interfaces wireguard wg01 port '51820' # Port of own server
set protocols static route 192.168.1.0/24 interface wg01 # Static route to remote subnet
wg02# ping 10.1.0.1 *******************
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. Firewall Exceptions
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms *******************
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
For the WireGuard traffic to pass through the WAN interface, you must create a firewall exception.
.. code-block:: none
set firewall name OUTSIDE_LOCAL rule 10 action accept
set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
set firewall name OUTSIDE_LOCAL rule 10 state established enable
set firewall name OUTSIDE_LOCAL rule 10 state related enable
set firewall name OUTSIDE_LOCAL rule 20 action accept
set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
set firewall name OUTSIDE_LOCAL rule 20 log enable
set firewall name OUTSIDE_LOCAL rule 20 protocol udp
set firewall name OUTSIDE_LOCAL rule 20 source
You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local).
.. code-block:: none
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard.
.. code-block:: none
wg01# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.77 ms
wg02# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.40 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.02 ms
An additional layer of symmetric-key crypto can be used on top of the An additional layer of symmetric-key crypto can be used on top of the
asymmetric crypto. This is optional. asymmetric crypto. This is optional.
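Review bot: the firewall example does not apply the rule set it defines. The rules are created under the name OUTSIDE_LOCAL (underscore), but the interface line attaches 'OUTSIDE-LOCAL' (hyphen), and the sentence between them spells it "OUTISDE_LOCAL"; use one spelling in all three places, otherwise the UDP 51820 exception is never bound to eth0. The last rule line, "set firewall name OUTSIDE_LOCAL rule 20 source", ends without a value: either drop it or complete it, and for a site-to-site tunnel with a fixed peer it is worth showing the peer's public address there so the listener is not open to every source. Two smaller points in the same hunk: the annotated remote block writes 'Site1 Pub IP' without the angle brackets used in the plain block, and the ping examples look swapped, since wg01 routes 192.168.2.0/24 over the tunnel but pings 192.168.1.1, and wg02 routes 192.168.1.0/24 but pings 192.168.2.1.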
@ -151,8 +214,10 @@ its content. Make sure you distribute the key in a safe manner,
wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
Road Warrior Example
-------------------- ***********************************
Remote Access "RoadWarrior" Example
***********************************
With WireGuard, a Road Warrior VPN config is similar to a site-to-site With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements. VPN. It just lacks the ``address`` and ``port`` statements.
@ -182,7 +247,7 @@ the peers. This allows the peers to interact with one another.
} }
The following is the config for the iPhone peer above. It's important to The following is the config for the iPhone peer above. It's important to
note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic note that the ``AllowedIPs`` wildcard setting directs all IPv4 and IPv6 traffic
through the connection. through the connection.
.. code-block:: none .. code-block:: none
@ -198,9 +263,9 @@ through the connection.
Endpoint = 192.0.2.1:2224 Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25 PersistentKeepalive = 25
However, split-tunneling can be achieved by specifing the remote subnets.
This MacBook peer is doing split-tunneling, where only the subnets local This ensures that only traffic destined for the remote site is sent over the tunnel.
to the server go over the connection. All other traffic is unaffected.
.. code-block:: none .. code-block:: none
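Review bot: "specifing" in the new first sentence should be "specifying". The rewrite also drops the statement that the following block is the MacBook peer's config, so the code block that follows is no longer tied to a peer from the server example; keep a short clause such as "as in this MacBook peer config" so readers can match it to the right public key.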
@ -252,8 +317,9 @@ Status
TX: bytes packets errors dropped carrier collisions TX: bytes packets errors dropped carrier collisions
0 0 0 0 0 0 0 0 0 0 0 0
***************
Encryption Keys Encryption Keys
=============== ***************
.. opcmd:: show wireguard keypair pubkey <name> .. opcmd:: show wireguard keypair pubkey <name>
@ -284,15 +350,16 @@ Encryption Keys
vyos@vyos:~$ delete wireguard keypair default vyos@vyos:~$ delete wireguard keypair default
Mobile "RoadWarrior" clients ***********************************
============================ Remote Access "RoadWarrior" clients
***********************************
Some users tend to connect their mobile devices using WireGuard to their VyOS Some users tend to connect their mobile devices using WireGuard to their VyOS
router. To ease deployment one can generate a "per mobile" configuration from router. To ease deployment one can generate a "per mobile" configuration from
the VyOS CLI. the VyOS CLI.
.. warning:: From a security perspective it is not recommended to let a third .. warning:: From a security perspective it is not recommended to let a third
party create the private key for a secured connection. You should create the party create and share the private key for a secured connection. You should create the
private portion on your own and only hand out the public key. Please keep this private portion on your own and only hand out the public key. Please keep this
in mind when using this convenience feature. in mind when using this convenience feature.
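Review bot: the renamed section title 'Remote Access "RoadWarrior" clients' is now almost identical to 'Remote Access "RoadWarrior" Example' introduced earlier in this patch, and both use the same top-level asterisk adornment, so the table of contents will show two near-duplicate entries. Consider a more distinct title for this one (it covers generating per-device client configuration from the CLI). In the warning, the reworded line is noticeably longer than the wrapped lines around it; re-wrap the paragraph to the file's existing line width.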