summaryrefslogtreecommitdiff
path: root/docs/configuration/interfaces/wireguard.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/interfaces/wireguard.rst')
-rw-r--r--docs/configuration/interfaces/wireguard.rst39
1 files changed, 19 insertions, 20 deletions
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index db144650..0ceb0aa2 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -11,9 +11,9 @@ information.
Configuration
=============
-WireGuard requires the generation of a keypair, a private key which will
-decrypt incoming traffic and a public key, which the peer(s) will use to
-encrypt traffic.
+WireGuard requires the generation of a keypair, which includes a private
+key to decrypt incoming traffic, and a public key for peer(s) to encrypt
+traffic.
Generate keypair
----------------
@@ -26,8 +26,8 @@ Generate keypair
.. opcmd:: show wireguard keypairs pubkey default
- It shows the public key which needs to be shared with your peer(s). Your
- peer will encrypt all traffic to your system using this public key.
+ It shows the public key to be shared with your peer(s). Your peer will
+ encrypt all traffic to your system using this public key.
.. code-block:: none
@@ -38,12 +38,11 @@ Generate keypair
Generate named keypair
----------------------
-Named keypairs can be used on a interface basis, if configured. If
+Named keypairs can be used on a interface basis when configured. If
multiple WireGuard interfaces are being configured, each can have their
own keypairs.
-The commands below will generate 2 keypairs, which are not related to
-each other.
+The commands below generates 2 keypairs unrelated to each other.
.. code-block:: none
@@ -56,11 +55,11 @@ Interface configuration
The next step is to configure your local side as well as the policy
based trusted destination addresses. If you only initiate a connection,
-the listen port and address/port is optional, if you however act as a server
-and endpoints initiate the connections to your system, you need to
-define a port your clients can connect to, otherwise it's randomly
-chosen and may make it difficult with firewall rules, since the port may
-be a different one when you reboot your system.
+the listen port and address/port is optional; however, if you act as a
+server and endpoints initiate the connections to your system, you need to
+define a port your clients can connect to, otherwise the port is randomly
+chosen and may make connection difficult with firewall rules, since the port
+may be different each time the system is rebooted.
You will also need the public key of your peer as well as the network(s)
you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
@@ -82,7 +81,7 @@ one.
The last step is to define an interface route for 10.2.0.0/24 to get
through the WireGuard interface `wg01`. Multiple IPs or networks can be
-defined and routed, the last check is allowed-ips which either prevents
+defined and routed. The last check is allowed-ips which either prevents
or allows the traffic.
.. note:: You can not assign the same allowed-ips statement to multiple
@@ -116,7 +115,7 @@ the public key, which needs to be shared with the peer.
set protocols static route 10.1.0.0/24 interface wg01
Assure that your firewall rules allow the traffic, in which case you
-have a working VPN using WireGuard
+have a working VPN using WireGuard.
.. code-block:: none
@@ -131,16 +130,16 @@ have a working VPN using WireGuard
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
An additional layer of symmetric-key crypto can be used on top of the
-asymmetric crypto, which is optional.
+asymmetric crypto. This is optional.
.. code-block:: none
wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
-Copy the key, as it is not stored on the local file system. Make sure
-you distribute that key in a safe manner, it's a symmetric key, so only
-you and your peer should have knowledge of its content.
+Copy the key, as it is not stored on the local filesystem. Because it
+is a symmetric key, only you and your peer should have knowledge of
+its content. Make sure you distribute the key in a safe manner,
.. code-block:: none
@@ -154,7 +153,7 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site
VPN. It just lacks the ``address`` and ``port`` statements.
In the following example, the IPs for the remote clients are defined in
-the peers. This would allow the peers to interact with one another.
+the peers. This allows the peers to interact with one another.
.. code-block:: none