summaryrefslogtreecommitdiff
path: root/docs/vpn/wireguard.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/vpn/wireguard.rst')
-rw-r--r--docs/vpn/wireguard.rst114
1 files changed, 60 insertions, 54 deletions
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index 6348fb01..9b3d36f4 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -11,61 +11,66 @@ information.
Configuration
=============
-WireGuard requires the generation of a keypair, a private key which will decrypt
-incoming traffic and a public key, which the peer(s) will use to encrypt traffic.
+WireGuard requires the generation of a keypair, a private key which will
+decrypt incoming traffic and a public key, which the peer(s) will use to
+encrypt traffic.
Generate keypair
----------------
-Generate the keypair, which creates a public and private part and stores it
-within VyOS. It will be used per default on any configured WireGuard interface,
-even if multiple interfaces are being configured.
+.. opcmd:: generate wireguard default-keypair
-.. code-block:: none
+It generates the keypair, that is its public and private part and stores
+it within VyOS. It will be used per default on any configured WireGuard
+interface, even if multiple interfaces are being configured.
- wg01:~$ configure
- wg01# run generate wireguard keypair
-The public key is being shared with your peer(s), your peer will encrypt all
-traffic to your system using this public key.
-.. code-block:: none
+.. opcmd:: show wireguard keypairs pubkey default
+
+It shows the public key which needs to be shared with your peer(s). Your
+peer will encrypt all traffic to your system using this public key.
+
+
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show wireguard keypairs pubkey default
+ hW17UxY7zeydJNPIyo3UtGnBHkzTK/NeBOrDSIU9Tx0=
- wg01# run show wireguard pubkey
- u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
Generate named keypair
----------------------
-Named keypairs can be used on a interface basis, if configured.
-If multiple WireGuard interfaces are being configured, each can have
-their own keypairs.
+Named keypairs can be used on a interface basis, if configured. If
+multiple WireGuard interfaces are being configured, each can have their
+own keypairs.
-The commands below will generate 2 keypairs, which are not related
-to each other.
+The commands below will generate 2 keypairs, which are not related to
+each other.
.. code-block:: none
- wg01:~$ configure
- wg01# run generate wireguard named-keypairs KP01
- wg01# run generate wireguard named-keypairs KP02
+ vyos@vyos:~$ generate wireguard named-keypairs KP01
+ vyos@vyos:~$ generate wireguard named-keypairs KP02
Interface configuration
-----------------------
-The next step is to configure your local side as well as the policy based
-trusted destination addresses. If you only initiate a connection, the listen
-port and endpoint is optional, if you however act as a server and endpoints
-initiate the connections to your system, you need to define a port your clients
-can connect to, otherwise it's randomly chosen and may make it difficult with
-firewall rules, since the port may be a different one when you reboot your
-system.
+The next step is to configure your local side as well as the policy
+based trusted destination addresses. If you only initiate a connection,
+the listen port and endpoint is optional, if you however act as a server
+and endpoints initiate the connections to your system, you need to
+define a port your clients can connect to, otherwise it's randomly
+chosen and may make it difficult with firewall rules, since the port may
+be a different one when you reboot your system.
-You will also need the public key of your peer as well as the network(s) you
-want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key
-below is always the public key from your peer, not your local one.
+You will also need the public key of your peer as well as the network(s)
+you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
+public key below is always the public key from your peer, not your local
+one.
**local side**
@@ -79,24 +84,25 @@ below is always the public key from your peer, not your local one.
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
-.. note:: The `endpoint` must be an IP and not a fully qualified domain name
- (FQDN). Using a FQDN will result in unexpected behavior.
+.. note:: The `endpoint` must be an IP and not a fully qualified domain
+ name (FQDN). Using a FQDN will result in unexpected behavior.
-The last step is to define an interface route for 10.2.0.0/24 to get through
-the WireGuard interface `wg01`. Multiple IPs or networks can be defined and
-routed, the last check is allowed-ips which either prevents or allows the
-traffic.
+The last step is to define an interface route for 10.2.0.0/24 to get
+through the WireGuard interface `wg01`. Multiple IPs or networks can be
+defined and routed, the last check is allowed-ips which either prevents
+or allows the traffic.
-To use a named key on an interface, the option private-key needs to be set.
+To use a named key on an interface, the option private-key needs to be
+set.
.. code-block:: none
set interfaces wireguard wg01 private-key KP01
set interfaces wireguard wg02 private-key KP02
-The command ``run show wireguard keypairs pubkey KP01`` will then show the public key,
-which needs to be shared with the peer.
+The command ``run show wireguard keypairs pubkey KP01`` will then show
+the public key, which needs to be shared with the peer.
**remote side**
@@ -111,8 +117,8 @@ which needs to be shared with the peer.
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
-Assure that your firewall rules allow the traffic, in which case you have a
-working VPN using WireGuard
+Assure that your firewall rules allow the traffic, in which case you
+have a working VPN using WireGuard
.. code-block:: none
@@ -134,9 +140,9 @@ asymmetric crypto, which is optional.
wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
-Copy the key, as it is not stored on the local file system. Make sure you
-distribute that key in a safe manner, it's a symmetric key, so only you and
-your peer should have knowledge of its content.
+Copy the key, as it is not stored on the local file system. Make sure
+you distribute that key in a safe manner, it's a symmetric key, so only
+you and your peer should have knowledge of its content.
.. code-block:: none
@@ -146,11 +152,11 @@ your peer should have knowledge of its content.
Road Warrior Example
--------------------
-With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It
-just lacks the ``endpoint`` address.
+With WireGuard, a Road Warrior VPN config is similar to a site-to-site
+VPN. It just lacks the ``endpoint`` address.
-In the following example, the IPs for the remote clients are defined in the
-peers. This would allow the peers to interact with one another.
+In the following example, the IPs for the remote clients are defined in
+the peers. This would allow the peers to interact with one another.
.. code-block:: none
@@ -173,9 +179,9 @@ peers. This would allow the peers to interact with one another.
port 2224
}
-The following is the config for the iPhone peer above. It's important to note
-that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic through the
-connection.
+The following is the config for the iPhone peer above. It's important to
+note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic
+through the connection.
.. code-block:: none
@@ -191,8 +197,8 @@ connection.
PersistentKeepalive = 25
-This MacBook peer is doing split-tunneling, where only the subnets local to the
-server go over the connection.
+This MacBook peer is doing split-tunneling, where only the subnets local
+to the server go over the connection.
.. code-block:: none