-rw-r--r-- | docs/vpn/wireguard.rst | 40 |
1 files changed, 23 insertions, 17 deletions
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst index 783bcbf4..e166a1e2 100644 --- a/docs/vpn/wireguard.rst +++ b/docs/vpn/wireguard.rst @@ -1,20 +1,21 @@ .. _wireguard: -WireGuard VPN Interface ------------------------ +######### +WireGuard +######### WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. See https://www.wireguard.com for more information. Configuration -^^^^^^^^^^^^^ +============= Wireguard requires the generation of a keypair, a private key which will decrypt incoming traffic and a public key, which the peer(s) will use to encrypt traffic. -Generate a keypair -~~~~~~~~~~~~~~~~~~ +Generate keypair +---------------- Generate the keypair, which creates a public and private part and stores it within VyOS. @@ -35,8 +36,8 @@ traffic to your system using this public key. u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk= -Generate named keypairs -~~~~~~~~~~~~~~~~~~~~~~~ +Generate named keypair +---------------------- Named keypairs can be used on a interface basis, if configured. If multiple wireguard interfaces are being configured, each can have @@ -52,8 +53,8 @@ to each other. wg01# run generate wireguard named-keypairs KP02 -Wireguard Interface configuration -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interface configuration +----------------------- The next step is to configure your local side as well as the policy based trusted destination addresses. If you only initiate a connection, the listen 
@@ -79,7 +80,8 @@ below is always the public key from your peer, not your local one. set interfaces wireguard wg01 port '12345' set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01 -.. note:: The `endpoint` must be an IP and not a fully qualified domain name (FQDN). Using a FQDN will result in unexpected behavior. +.. note:: The `endpoint` must be an IP and not a fully qualified domain name + (FQDN). Using a FQDN will result in unexpected behavior. The last step is to define an interface route for 10.2.0.0/24 to get through the wireguard interface `wg01`. Multiple IPs or networks can be defined and @@ -143,11 +145,13 @@ your peer should have knowledge of its content. wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' Road Warrior Example -~~~~~~~~~~~~~~~~~~~~ +-------------------- -With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the ``endpoint`` address. +With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It +just lacks the ``endpoint`` address. -In the following example, the IPs for the remote clients are defined in the peers. This would allow the peers to interact with one another. +In the following example, the IPs for the remote clients are defined in the +peers. This would allow the peers to interact with one another. .. code-block:: none @@ -170,8 +174,9 @@ In the following example, the IPs for the remote clients are defined in the peer port 2224 } -The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` setting -directs all IPv4 and IPv6 traffic through the connection. +The following is the config for the iPhone peer above. It's important to note +that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic through the +connection. .. code-block:: none 
@@ -187,7 +192,8 @@ directs all IPv4 and IPv6 traffic through the connection. PersistentKeepalive = 25 -This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection. +This MacBook peer is doing split-tunneling, where only the subnets local to the +server go over the connection. .. code-block:: none @@ -203,7 +209,7 @@ This MacBook peer is doing split-tunneling, where only the subnets local to the Operational commands -^^^^^^^^^^^^^^^^^^^^ +==================== **Show interface status** |
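Review bot: In the first hunk (`@@ -1,20 +1,21 @@`) the new `#`/`=`/`-` heading levels are consistent, but the restyle leaves the surrounding prose untouched: the context line "Wireguard requires the generation of a keypair, a private key which will decrypt incoming traffic and a public key, which the peer(s) will use to encrypt traffic." still spells the product name "Wireguard" while the new title reads "WireGuard", and the sentence is a run-on. Since this pass already touches the section, consider tightening it to "WireGuard requires a keypair: a private key, which stays on this system, and a public key, which is given to each peer." so the terminology matches the new title and the sentence reads cleanly.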
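Review bot: In the `@@ -35,8 +36,8 @@` hunk the context line directly under the renamed "Generate named keypair" heading reads "Named keypairs can be used on a interface basis" and should be "on an interface basis"; a one-word fix in the same hunk would avoid a follow-up commit.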
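Review bot: In the `@@ -79,7 +80,8 @@` hunk the rewrapped `.. note::` continuation is indented by a single space; reStructuredText accepts any indentation for the directive body, but the project convention is to align the continuation with the text after `.. note::` (three spaces), which also keeps editors from flagging it. The note itself only says that a FQDN "will result in unexpected behavior"; stating what actually happens (for example that the name is resolved once and never re-resolved, if that is the behaviour being warned about) would make the warning actionable for readers.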
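Review bot: In the `@@ -143,11 +145,13 @@` hunk the context line `wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='` carries a full-length literal pre-shared key verbatim, immediately above the rewrapped Road Warrior text. Readers who paste example blocks will end up sharing the same published value; since the hunk is already editing this region, consider replacing it with an obvious placeholder such as `<preshared-key>` or adding a sentence that the value is illustrative and must be generated locally.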
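Review bot: In the `@@ -203,7 +209,7 @@` hunk "Operational commands" is promoted to a `=` level heading, but the sub-item below it stays as bold text (`**Show interface status**`) rather than a `-` level heading like the ones introduced earlier in this patch. Making it a real heading keeps the new structure uniform and lets it appear in the generated table of contents.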