WireGuard (Interfaces) page improvements

- Fixing named private key command, not working in the latest version of VyOS
  (tested with 1.4-rolling-g7c82c5c7104-20220217). It needs to be the private key.
- Updating the public key in the example to match the private key example, as
  generated in the previous section.
- Explaining the persistent-keepalive flag in the RoadWarrior section
Alex Oberhauser 2022-02-20 23:58:35 -05:00
parent 4395d0080a
commit d43077ed45
GPG Key ID: 605EFE23AEF64D47


@ -169,15 +169,17 @@ traffic.
WireGuard peers. This a design decision. For more information please WireGuard peers. This a design decision. For more information please
check the `WireGuard mailing list`_. check the `WireGuard mailing list`_.
.. cfgcmd:: set interfaces wireguard <interface> private-key <name> .. cfgcmd:: set interfaces wireguard <interface> private-key <private-key>
To use a named key on an interface, the option private-key needs to be set. Associates the previously generated private key to a specific WireGuard
interface. The private key can be generate via the command
:opcmd:`generate pki wireguard key-pair`.
.. code-block:: none .. code-block:: none
set interfaces wireguard wg01 private-key KP01 set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='
The command :opcmd:`show wireguard keypairs pubkey KP01` will then show the The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the
public key, which needs to be shared with the peer. public key, which needs to be shared with the peer.
**remote side - commands** **remote side - commands**
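Review bot: the new sentence "The private key can be generate via the command" has a typo and should read "can be generated via the command". Separately, since this hunk now puts a literal private key (`'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='`) into the example, the text should state that it is an example value to be replaced with the reader's own output of `generate pki wireguard key-pair`; a key printed in public documentation provides no confidentiality and must never end up in a real configuration. While touching this paragraph, the pre-existing context line "This a design decision" is also missing "is".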
@ -189,7 +191,7 @@ traffic.
set interfaces wireguard wg01 peer to-wg01 allowed-ips '192.168.1.0/24' set interfaces wireguard wg01 peer to-wg01 allowed-ips '192.168.1.0/24'
set interfaces wireguard wg01 peer to-wg01 address '192.0.2.2' set interfaces wireguard wg01 peer to-wg01 address '192.0.2.2'
set interfaces wireguard wg01 peer to-wg01 port '51820' set interfaces wireguard wg01 peer to-wg01 port '51820'
set interfaces wireguard wg01 peer to-wg01 public-key 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=' set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw='
set interfaces wireguard wg01 port '51820' set interfaces wireguard wg01 port '51820'
set protocols static route 192.168.1.0/24 interface wg01 set protocols static route 192.168.1.0/24 interface wg01
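Review bot: the only change in this hunk is the peer public-key value `'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw='`, which the commit message says matches the private key shown in the previous section. Nothing in the diff demonstrates that pairing, so please confirm before merging that `show interfaces wireguard wg01 public-key` on an interface configured with that private key prints exactly this value; a mismatched key pair in the docs leaves a reader with a tunnel that never completes its handshake.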
@ -262,7 +264,12 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements. VPN. It just lacks the ``address`` and ``port`` statements.
In the following example, the IPs for the remote clients are defined in In the following example, the IPs for the remote clients are defined in
the peers. This allows the peers to interact with one another. the peers. This allows the peers to interact with one another. In
comparison to the site-to-site example the ``persistent-keepalive``
flag is set to 15 seconds to assure the connection is kept alive.
This is mainly relevant if one of the peers is behind NAT and can't
be connected to if the connection is lost. To be effective this
value needs to be lower than the UDP timeout.
.. code-block:: none .. code-block:: none
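Review bot: the added prose calls ``persistent-keepalive`` a "flag" set to 15 seconds, but it carries a value in seconds, so "option" or "setting" is more accurate. The sentence "can't be connected to if the connection is lost" is also unclear about what is lost; suggested wording: "This is mainly relevant if one of the peers is behind NAT, whose mapping for the tunnel expires when no traffic flows, so the remote side can no longer reach it. To be effective the value must be lower than the NAT's UDP mapping timeout." Finally, the hunk ends at the ``.. code-block:: none`` header, so the example that should contain the 15-second ``persistent-keepalive`` line is not visible here; please make sure that block actually sets it, otherwise the prose and the example disagree.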