Diffstat (limited to 'docs/vpn/wireguard.rst')
-rw-r--r-- docs/vpn/wireguard.rst | 40
1 files changed, 23 insertions, 17 deletions
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index 783bcbf4..e166a1e2 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -1,20 +1,21 @@
.. _wireguard:
-WireGuard VPN Interface
------------------------
+#########
+WireGuard
+#########
WireGuard is an extremely simple yet fast and modern VPN that utilizes
state-of-the-art cryptography. See https://www.wireguard.com for more
information.
Configuration
-^^^^^^^^^^^^^
+=============
Wireguard requires the generation of a keypair, a private key which will decrypt
incoming traffic and a public key, which the peer(s) will use to encrypt traffic.
-Generate a keypair
-~~~~~~~~~~~~~~~~~~
+Generate keypair
+----------------
Generate the keypair, which creates a public and private part and stores it
within VyOS.
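Review bot: with the page title now reduced to "WireGuard", the unchanged sentence right below the new "Configuration" heading still spells the product "Wireguard requires the generation of a keypair"; since this patch already rewrites the heading hierarchy, normalize the capitalization to "WireGuard" in that line (and in the later "wireguard interface(s)" references in this file) so the body matches the title. The same sentence also describes the private key as the thing that "will decrypt incoming traffic" and the public key as what peers "use to encrypt traffic"; the keypair is used for the handshake (key agreement), and the session keys derived from it do the encryption, so consider rewording to "the private key stays on this system and the public key is shared with each peer" to avoid implying the keypair encrypts traffic directly.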
@@ -35,8 +36,8 @@ traffic to your system using this public key.
u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
-Generate named keypairs
-~~~~~~~~~~~~~~~~~~~~~~~
+Generate named keypair
+----------------------
Named keypairs can be used on a interface basis, if configured.
If multiple wireguard interfaces are being configured, each can have
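Review bot: the context line "Named keypairs can be used on a interface basis" has a grammar slip ("an interface basis") that this heading-only hunk could fix while it is here; and since the heading is being made singular ("Generate named keypair"), the opening sentence could follow suit, e.g. "A named keypair can be assigned per interface, if configured."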
@@ -52,8 +53,8 @@ to each other.
wg01# run generate wireguard named-keypairs KP02
-Wireguard Interface configuration
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interface configuration
+-----------------------
The next step is to configure your local side as well as the policy based
trusted destination addresses. If you only initiate a connection, the listen
@@ -79,7 +80,8 @@ below is always the public key from your peer, not your local one.
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
-.. note:: The `endpoint` must be an IP and not a fully qualified domain name (FQDN). Using a FQDN will result in unexpected behavior.
+.. note:: The `endpoint` must be an IP and not a fully qualified domain name
+ (FQDN). Using a FQDN will result in unexpected behavior.
The last step is to define an interface route for 10.2.0.0/24 to get through
the wireguard interface `wg01`. Multiple IPs or networks can be defined and
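Review bot: the reflowed note still only says a FQDN "will result in unexpected behavior" without saying what that behavior is; state the concrete symptom a user would see (or link the tracking issue) so the restriction can be recognized rather than guessed at, and say whether it applies to the peer `endpoint` only, as the note implies. A wording tweak while reflowing: "an IP" reads better as "an IP address", and the sentence "Using a FQDN" should be "Using an FQDN".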
@@ -143,11 +145,13 @@ your peer should have knowledge of its content.
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
Road Warrior Example
-~~~~~~~~~~~~~~~~~~~~
+--------------------
-With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the ``endpoint`` address.
+With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It
+just lacks the ``endpoint`` address.
-In the following example, the IPs for the remote clients are defined in the peers. This would allow the peers to interact with one another.
+In the following example, the IPs for the remote clients are defined in the
+peers. This would allow the peers to interact with one another.
.. code-block:: none
@@ -170,8 +174,9 @@ In the following example, the IPs for the remote clients are defined in the peer
port 2224
}
-The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` setting
-directs all IPv4 and IPv6 traffic through the connection.
+The following is the config for the iPhone peer above. It's important to note
+that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic through the
+connection.
.. code-block:: none
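Review bot: the reflowed sentence says the ``AllowedIPs`` setting "directs all IPv4 and IPv6 traffic through the connection" but never names that pattern; since the next paragraph contrasts it with the MacBook peer "doing split-tunneling", call this one a full-tunnel configuration explicitly (e.g. "This is a full-tunnel configuration: the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic ...") so the two client examples are clearly presented as the two alternatives.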
@@ -187,7 +192,8 @@ directs all IPv4 and IPv6 traffic through the connection.
PersistentKeepalive = 25
-This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection.
+This MacBook peer is doing split-tunneling, where only the subnets local to the
+server go over the connection.
.. code-block:: none
@@ -203,7 +209,7 @@ This MacBook peer is doing split-tunneling, where only the subnets local to the
Operational commands
-^^^^^^^^^^^^^^^^^^^^
+====================
**Show interface status**
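Review bot: now that "Operational commands" is promoted to a ``=====`` section, the bold pseudo-heading ``**Show interface status**`` on the following context line is the only remaining place in the file that uses emphasis instead of a real RST heading; for consistency with the "Generate keypair" / "Interface configuration" subsections introduced above, make it a ``-----`` subsection (and do the same for any sibling bold titles in this section) so it appears in the table of contents and can be cross-referenced.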