diff options
-rw-r--r-- | docs/vpn/wireguard.rst | 114 |
1 files changed, 60 insertions, 54 deletions
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst index 6348fb01..9b3d36f4 100644 --- a/docs/vpn/wireguard.rst +++ b/docs/vpn/wireguard.rst @@ -11,61 +11,66 @@ information. Configuration ============= -WireGuard requires the generation of a keypair, a private key which will decrypt -incoming traffic and a public key, which the peer(s) will use to encrypt traffic. +WireGuard requires the generation of a keypair, a private key which will +decrypt incoming traffic and a public key, which the peer(s) will use to +encrypt traffic. Generate keypair ---------------- -Generate the keypair, which creates a public and private part and stores it -within VyOS. It will be used per default on any configured WireGuard interface, -even if multiple interfaces are being configured. +.. opcmd:: generate wireguard default-keypair -.. code-block:: none +It generates the keypair, that is its public and private part and stores +it within VyOS. It will be used per default on any configured WireGuard +interface, even if multiple interfaces are being configured. - wg01:~$ configure - wg01# run generate wireguard keypair -The public key is being shared with your peer(s), your peer will encrypt all -traffic to your system using this public key. -.. code-block:: none +.. opcmd:: show wireguard keypairs pubkey default + +It shows the public key which needs to be shared with your peer(s). Your +peer will encrypt all traffic to your system using this public key. + + + + .. code-block:: none + + vyos@vyos:~$ show wireguard keypairs pubkey default + hW17UxY7zeydJNPIyo3UtGnBHkzTK/NeBOrDSIU9Tx0= - wg01# run show wireguard pubkey - u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk= Generate named keypair ---------------------- -Named keypairs can be used on a interface basis, if configured. -If multiple WireGuard interfaces are being configured, each can have -their own keypairs. +Named keypairs can be used on a interface basis, if configured. If +multiple WireGuard interfaces are being configured, each can have their +own keypairs. -The commands below will generate 2 keypairs, which are not related -to each other. +The commands below will generate 2 keypairs, which are not related to +each other. .. code-block:: none - wg01:~$ configure - wg01# run generate wireguard named-keypairs KP01 - wg01# run generate wireguard named-keypairs KP02 + vyos@vyos:~$ generate wireguard named-keypairs KP01 + vyos@vyos:~$ generate wireguard named-keypairs KP02 Interface configuration ----------------------- -The next step is to configure your local side as well as the policy based -trusted destination addresses. If you only initiate a connection, the listen -port and endpoint is optional, if you however act as a server and endpoints -initiate the connections to your system, you need to define a port your clients -can connect to, otherwise it's randomly chosen and may make it difficult with -firewall rules, since the port may be a different one when you reboot your -system. +The next step is to configure your local side as well as the policy +based trusted destination addresses. If you only initiate a connection, +the listen port and endpoint is optional, if you however act as a server +and endpoints initiate the connections to your system, you need to +define a port your clients can connect to, otherwise it's randomly +chosen and may make it difficult with firewall rules, since the port may +be a different one when you reboot your system. -You will also need the public key of your peer as well as the network(s) you -want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key -below is always the public key from your peer, not your local one. +You will also need the public key of your peer as well as the network(s) +you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The +public key below is always the public key from your peer, not your local +one. **local side** @@ -79,24 +84,25 @@ below is always the public key from your peer, not your local one. set interfaces wireguard wg01 port '12345' set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01 -.. note:: The `endpoint` must be an IP and not a fully qualified domain name - (FQDN). Using a FQDN will result in unexpected behavior. +.. note:: The `endpoint` must be an IP and not a fully qualified domain + name (FQDN). Using a FQDN will result in unexpected behavior. -The last step is to define an interface route for 10.2.0.0/24 to get through -the WireGuard interface `wg01`. Multiple IPs or networks can be defined and -routed, the last check is allowed-ips which either prevents or allows the -traffic. +The last step is to define an interface route for 10.2.0.0/24 to get +through the WireGuard interface `wg01`. Multiple IPs or networks can be +defined and routed, the last check is allowed-ips which either prevents +or allows the traffic. -To use a named key on an interface, the option private-key needs to be set. +To use a named key on an interface, the option private-key needs to be +set. .. code-block:: none set interfaces wireguard wg01 private-key KP01 set interfaces wireguard wg02 private-key KP02 -The command ``run show wireguard keypairs pubkey KP01`` will then show the public key, -which needs to be shared with the peer. +The command ``run show wireguard keypairs pubkey KP01`` will then show +the public key, which needs to be shared with the peer. **remote side** @@ -111,8 +117,8 @@ which needs to be shared with the peer. set interfaces wireguard wg01 port '12345' set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01 -Assure that your firewall rules allow the traffic, in which case you have a -working VPN using WireGuard +Assure that your firewall rules allow the traffic, in which case you +have a working VPN using WireGuard .. code-block:: none @@ -134,9 +140,9 @@ asymmetric crypto, which is optional. wg01# run generate wireguard preshared-key rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= -Copy the key, as it is not stored on the local file system. Make sure you -distribute that key in a safe manner, it's a symmetric key, so only you and -your peer should have knowledge of its content. +Copy the key, as it is not stored on the local file system. Make sure +you distribute that key in a safe manner, it's a symmetric key, so only +you and your peer should have knowledge of its content. .. code-block:: none @@ -146,11 +152,11 @@ your peer should have knowledge of its content. Road Warrior Example -------------------- -With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It -just lacks the ``endpoint`` address. +With WireGuard, a Road Warrior VPN config is similar to a site-to-site +VPN. It just lacks the ``endpoint`` address. -In the following example, the IPs for the remote clients are defined in the -peers. This would allow the peers to interact with one another. +In the following example, the IPs for the remote clients are defined in +the peers. This would allow the peers to interact with one another. .. code-block:: none @@ -173,9 +179,9 @@ peers. This would allow the peers to interact with one another. port 2224 } -The following is the config for the iPhone peer above. It's important to note -that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic through the -connection. +The following is the config for the iPhone peer above. It's important to +note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic +through the connection. .. code-block:: none @@ -191,8 +197,8 @@ connection. PersistentKeepalive = 25 -This MacBook peer is doing split-tunneling, where only the subnets local to the -server go over the connection. +This MacBook peer is doing split-tunneling, where only the subnets local +to the server go over the connection. .. code-block:: none |