Diffstat (limited to 'docs/configuration/interfaces')
| -rw-r--r-- | docs/configuration/interfaces/wireguard.rst | 77 | 
1 files changed, 39 insertions, 38 deletions
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 91b5fe71..bb2418b1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -8,13 +8,13 @@ WireGuard is an extremely simple yet fast and modern VPN that utilizes  state-of-the-art cryptography. See https://www.wireguard.com for more  information. -************* -Diagram -************* +**************** +Site to Site VPN +**************** -This diagram corresponds with the configuration below. +This diagram corresponds with the example site to site configuration below. -.. figure:: /_static/images/wireguard_vpn_diagram.jpg +.. figure:: /_static/images/wireguard_site2site_diagram.jpg  *************  Configuration @@ -22,9 +22,9 @@ Configuration -************* +********  Keypairs -************* +********  WireGuard requires the generation of a keypair, which includes a private  key to decrypt incoming traffic, and a public key for peer(s) to encrypt @@ -67,9 +67,9 @@ own keypairs.      vyos@vyos:~$ generate wireguard named-keypairs KP02 -************************** +***********************  Interface configuration -************************** +***********************  The next step is to configure your local side as well as the policy  based trusted destination addresses. If you only initiate a connection, @@ -91,7 +91,7 @@ one.    set interfaces wireguard wg01 address '10.1.0.1/30'    set interfaces wireguard wg01 description 'VPN-to-wg02'    set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' -  set interfaces wireguard wg01 peer to-wg02 address '2.2.2.2' +  set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'    set interfaces wireguard wg01 peer to-wg02 port '51820'    set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='    set interfaces wireguard wg01 port '51820' 
@@ -101,14 +101,14 @@ one.  .. code-block:: none -  set interfaces wireguard wg01 address '10.1.0.1/30'                    # Address of the wg01 tunnel interface.           +  set interfaces wireguard wg01 address '10.1.0.1/30'                     # Address of the wg01 tunnel interface.              set interfaces wireguard wg01 description 'VPN-to-wg02' -  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'# Subnets that are allowed to travel over the tunnel -  set interfaces wireguard wg01 peer to-wg02 address '2.2.2.2'           # Public IP of the peer -  set interfaces wireguard wg01 peer to-wg02 port '58120'                # Port of the Peer -  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'           # Public Key of the Peer -  set interfaces wireguard wg01 port '51820'                             # Port of own server -  set protocols static route 192.168.2.0/24 interface wg01               # Static route to remote subnet +  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' # Subnets that are allowed to travel over the tunnel +  set interfaces wireguard wg01 peer to-wg02 address '<Site2 Pub IP>'     # Public IP of the peer +  set interfaces wireguard wg01 peer to-wg02 port '58120'                 # Port of the Peer +  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'            # Public Key of the Peer +  set interfaces wireguard wg01 port '51820'                              # Port of own server +  set protocols static route 192.168.2.0/24 interface wg01                # Static route to remote subnet  The last step is to define an interface route for 10.2.0.0/24 to get  through the WireGuard interface `wg01`. Multiple IPs or networks can be 
@@ -139,7 +139,7 @@ or allows the traffic.    set interfaces wireguard wg01 address '10.1.0.2/30'    set interfaces wireguard wg01 description 'VPN-to-wg01'    set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24' -  set interfaces wireguard wg01 peer to-wg02 address '1.1.1.1' +  set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'    set interfaces wireguard wg01 peer to-wg02 port '51820'    set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='    set interfaces wireguard wg01 port '51820' 
@@ -149,18 +149,18 @@ or allows the traffic.  .. code-block:: none -  set interfaces wireguard wg01 address '10.1.0.2/30'                    # Address of the wg01 tunnel interface. +  set interfaces wireguard wg01 address '10.1.0.2/30'                     # Address of the wg01 tunnel interface.    set interfaces wireguard wg01 description 'VPN-to-wg01' -  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'# Subnets that are allowed to travel over the tunnel -  set interfaces wireguard wg01 peer to-wg02 address '1.1.1.1'           # Public IP address of the Peer -  set interfaces wireguard wg01 peer to-wg02 port '12345'                # Port of the Peer -  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'           # Public key of the Peer   -  set interfaces wireguard wg01 port '51820'                             # Port of own server -  set protocols static route 192.168.1.0/24 interface wg01               # Static route remote subnet - -************************** +  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24' # Subnets that are allowed to travel over the tunnel +  set interfaces wireguard wg01 peer to-wg02 address 'Site1 Pub IP'       # Public IP address of the Peer +  set interfaces wireguard wg01 peer to-wg02 port '51820'                 # Port of the Peer +  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'            # Public key of the Peer   +  set interfaces wireguard wg01 port '51820'                              # Port of own server +  set protocols static route 192.168.1.0/24 interface wg01                # Static route to remote subnet + +*******************  Firewall Exceptions -************************** +*******************  For the WireGuard traffic to pass through the WAN interface, you must create a firewall exception. 
@@ -215,9 +215,9 @@ its content. Make sure you distribute the key in a safe manner,    wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' -******************************* -Mobile "RoadWarrior" Example -******************************* +*********************************** +Remote Access "RoadWarrior" Example +***********************************  With WireGuard, a Road Warrior VPN config is similar to a site-to-site  VPN. It just lacks the ``address`` and ``port`` statements. @@ -287,17 +287,18 @@ Operational Commands  Status  ====== -.. opcmd:: sudo wg +.. opcmd:: show interfaces wireguard wg0 summary    Show info about the Wireguard service.     Also shows the latest handshake.    .. code-block:: none +    vyos@vyos:~$ show interfaces wireguard wg0 summary      interface: wg0        public key:         private key: (hidden) -      listening port: 51869 +      listening port: 51820      peer: <peer pubkey>        endpoint: <peer public IP> @@ -335,9 +336,9 @@ Status          TX:  bytes  packets  errors  dropped  carrier  collisions                   0        0       0        0        0           0 -************************** +***************  Encryption Keys -************************** +***************  .. opcmd:: show wireguard keypair pubkey <name> @@ -368,9 +369,9 @@ Encryption Keys      vyos@vyos:~$ delete wireguard keypair default -******************************* -Mobile "RoadWarrior" clients -******************************* +*********************************** +Remote Access "RoadWarrior" clients +***********************************  Some users tend to connect their mobile devices using WireGuard to their VyOS  router. To ease deployment one can generate a "per mobile" configuration from  | 
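Review bot: The placeholder names the wrong side in the site-1 hunk at `@@ -91,7 +91,7 @@`: the interface is described as `VPN-to-wg02` and the peer is `to-wg02`, so `set interfaces wireguard wg01 peer to-wg02 address '<Site1 Pub IP>'` should read `'<Site2 Pub IP>'`, which is what the commented copy of the same configuration in the next hunk already uses.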
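Review bot: The peer port in the commented site-1 block at `@@ -101,14 +101,14 @@` is still `'58120'` while the uncommented block just above it sets `peer to-wg02 port '51820'` for the same peer; the site-2 hunk fixes the equivalent mismatch (`'12345'` to `'51820'`), so apply the same change here: `set interfaces wireguard wg01 peer to-wg02 port '51820'`.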
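Review bot: Missing angle brackets in the site-2 block at `@@ -149,18 +149,18 @@`: `set interfaces wireguard wg01 peer to-wg02 address 'Site1 Pub IP'` should be `'<Site1 Pub IP>'` so it reads as a placeholder like `'<Site2 Pub IP>'` and `'<pubkey>'` in the neighbouring lines. In the same block the peer on the wg02 side is still named `to-wg02`, while the preshared-key example later in the file uses `wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key ...`; renaming it `to-wg01` in both site-2 blocks would keep the examples consistent.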
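Review bot: The description under the new `.. opcmd:: show interfaces wireguard wg0 summary` at `@@ -287,17 +287,18 @@` still reads "Show info about the Wireguard service", which matched the old `sudo wg` directive; it should say that it shows the status of the named WireGuard interface (`wg0` here) including the latest handshake, and use the "WireGuard" spelling used elsewhere in the file. The sample output's `public key:` line is also empty; give it a placeholder such as `<own pubkey>` to match `<peer pubkey>` and `<peer public IP>` below it.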
