Diffstat (limited to 'docs/vpn')
-rw-r--r-- docs/vpn/openvpn.rst 584
-rw-r--r-- docs/vpn/wireguard.rst 265
2 files changed, 0 insertions, 849 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
deleted file mode 100644
index c6934335..00000000
--- a/docs/vpn/openvpn.rst
+++ /dev/null
@@ -1,584 +0,0 @@
-.. _openvpn:
-
-#######
-OpenVPN
-#######
-
-Traditionally hardware routers implement IPsec exclusively due to relative
-ease of implementing it in hardware and insufficient CPU power for doing
-encryption in software. Since VyOS is a software router, this is less of a
-concern. OpenVPN has been widely used on UNIX platform for a long time and is
-a popular option for remote access VPN, though it's also capable of
-site-to-site connections.
-
-Advantages of OpenVPN are:
-
-* It uses a single TCP or UDP connection and does not rely on packet source
- addresses, so it will work even through a double NAT: perfect for public
- hotspots and such
-
-* It's easy to setup and offers very flexible split tunneling
-
-* There's a variety of client GUI frontends for any platform
-
-Disadvantages are:
-
-* It's slower than IPsec due to higher protocol overhead and the fact it runs
- in user mode while IPsec, on Linux, is in kernel mode
-
-* None of the operating systems have client software installed by default
-
-In the VyOS CLI, a key point often overlooked is that rather than being
-configured using the `set vpn` stanza, OpenVPN is configured as a network
-interface using `set interfaces openvpn`.
-
-Site-To-Site
-============
-
-While many are aware of OpenVPN as a Client VPN solution, it is often
-overlooked as a site-to-site VPN solution due to lack of support for this mode
-in many router platforms.
-
-Site-to-site mode supports x.509 but doesn't require it and can also work with
-static keys, which is simpler in many cases. In this example, we'll configure
-a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
-
-First, one of the systems generate the key using the operational command
-``generate openvpn key <filename>``. This will generate a key with the name
-provided in the ``/config/auth/`` directory. Once generated, you will need to
-copy this key to the remote router.
-
-In our example, we used the filename ``openvpn-1.key`` which we will reference
-in our configuration.
-
-* The public IP address of the local side of the VPN will be 198.51.100.10
-* The remote will be 203.0.113.11
-* The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
-* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency,
- while TCP will work better for lossy connections; generally UDP is preferred
- when possible.
-* The official port for OpenVPN is 1194, which we reserve for client VPN; we
- will use 1195 for site-to-site VPN.
-* The ``persistent-tunnel`` directive will allow us to configure tunnel-related
- attributes, such as firewall policy as we would on any normal network
- interface.
-* If known, the IP of the remote router can be configured using the
- ``remote-host`` directive; if unknown, it can be omitted. We will assume a
- dynamic IP for our remote router.
-
-Local Configuration:
-
-.. code-block:: none
-
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 local-host '198.51.100.10'
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
- set interfaces openvpn vtun1 local-address '10.255.1.1'
- set interfaces openvpn vtun1 remote-address '10.255.1.2'
-
-Remote Configuration:
-
-.. code-block:: none
-
- set interfaces openvpn vtun1 mode site-to-site
- set interfaces openvpn vtun1 protocol udp
- set interfaces openvpn vtun1 persistent-tunnel
- set interfaces openvpn vtun1 remote-host '198.51.100.10'
- set interfaces openvpn vtun1 local-port '1195'
- set interfaces openvpn vtun1 remote-port '1195'
- set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
- set interfaces openvpn vtun1 local-address '10.255.1.2'
- set interfaces openvpn vtun1 remote-address '10.255.1.1'
-
-The configurations above will default to using 256-bit AES in GCM mode
-for encryption (if both sides supports NCP) and SHA-1 for HMAC authentication.
-SHA-1 is considered weak, but other hashing algorithms are available, as are
-encryption algorithms:
-
-For Encryption:
-
-This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
-OpenVPN version < 2.4.0.
-
-.. code-block:: none
-
- vyos@vyos# set interfaces openvpn vtun1 encryption cipher
- Possible completions:
- des DES algorithm
- 3des DES algorithm with triple encryption
- bf128 Blowfish algorithm with 128-bit key
- bf256 Blowfish algorithm with 256-bit key
- aes128 AES algorithm with 128-bit key CBC
- aes128gcm AES algorithm with 128-bit key GCM
- aes192 AES algorithm with 192-bit key CBC
- aes192gcm AES algorithm with 192-bit key GCM
- aes256 AES algorithm with 256-bit key CBC
- aes256gcm AES algorithm with 256-bit key GCM
-
-This sets the accepted ciphers to use when version => 2.4.0 and NCP is
-enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
-aes256gcm. The first cipher in this list is what server pushes to clients.
-
-.. code-block:: none
-
- vyos@vyos# set int open vtun0 encryption ncp-ciphers
- Possible completions:
- des DES algorithm
- 3des DES algorithm with triple encryption
- aes128 AES algorithm with 128-bit key CBC
- aes128gcm AES algorithm with 128-bit key GCM
- aes192 AES algorithm with 192-bit key CBC
- aes192gcm AES algorithm with 192-bit key GCM
- aes256 AES algorithm with 256-bit key CBC
- aes256gcm AES algorithm with 256-bit key GCM
-
-For Hashing:
-
-.. code-block:: none
-
- vyos@vyos# set interfaces openvpn vtun1 hash
- Possible completions:
- md5 MD5 algorithm
- sha1 SHA-1 algorithm
- sha256 SHA-256 algorithm
- sha512 SHA-512 algorithm
-
-If you change the default encryption and hashing algorithms, be sure that the
-local and remote ends have matching configurations, otherwise the tunnel will
-not come up.
-
-Static routes can be configured referencing the tunnel interface; for example,
-the local router will use a network of 10.0.0.0/16, while the remote has a
-network of 10.1.0.0/16:
-
-Local Configuration:
-
-.. code-block:: none
-
- set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
-
-Remote Configuration:
-
-.. code-block:: none
-
- set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
-
-Firewall policy can also be applied to the tunnel interface for `local`, `in`,
-and `out` directions and function identically to ethernet interfaces.
-
-If making use of multiple tunnels, OpenVPN must have a way to distinguish
-between different tunnels aside from the pre-shared-key. This is either by
-referencing IP address or port number. One option is to dedicate a public IP
-to each tunnel. Another option is to dedicate a port number to each tunnel
-(e.g. 1195,1196,1197...).
-
-OpenVPN status can be verified using the `show openvpn` operational commands.
-See the built-in help for a complete list of options.
-
-Server
-======
-
-Multi-client server is the most popular OpenVPN mode on routers. It always uses
-x.509 authentication and therefore requires a PKI setup. Refer this section
-**Generate X.509 Certificate and Keys** to generate a CA certificate,
-a server certificate and key, a certificate revocation list, a Diffie-Hellman
-key exchange parameters file. You do not need client certificates and keys for the server setup.
-
-In this example we will use the most complicated case: a setup where each
-client is a router that has its own subnet (think HQ and branch offices), since
-simpler setups are subsets of it.
-
-Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and
-all client subnets belong to 10.23.0.0/20. All clients need access to the
-192.168.0.0/16 network.
-
-First we need to specify the basic settings. 1194/UDP is the default. The
-``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from
-closing on connection resets or daemon reloads.
-
-.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is
- used to renegotiate data channel after n seconds. When used at both server
- and client, the lower value will trigger the renegotiation. If you set it to
- 0 on one side of the connection (to disable it), the chosen value on the
- other side will determine when the renegotiation will occur.
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 mode server
- set interfaces openvpn vtun10 local-port 1194
- set interfaces openvpn vtun10 persistent-tunnel
- set interfaces openvpn vtun10 protocol udp
-
-Then we need to specify the location of the cryptographic materials. Suppose
-you keep the files in `/config/auth/openvpn`
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
- set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
- set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key
- set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem
- set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem
-
-Now we need to specify the server network settings. In all cases we need to
-specify the subnet for client tunnel endpoints. Since we want clients to access
-a specific network behind out router, we will use a push-route option for
-installing that route on clients.
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 server push-route 192.168.0.0/16
- set interfaces openvpn vtun10 server subnet 10.23.1.0/24
-
-Since it's a HQ and branch offices setup, we will want all clients to have
-fixed addresses and we will route traffic to specific subnets through them. We
-need configuration for each client to achieve this.
-
-.. note:: Clients are identified by the CN field of their x.509 certificates,
- in this example the CN is ``client0``:
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
- set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
-
-OpenVPN **will not** automatically create routes in the kernel for client
-subnets when they connect and will only use client-subnet association
-internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-
-.. code-block:: none
-
- set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
-
-Generate X.509 Certificate and Keys
------------------------------------
-
-OpenVPN ships with a set of scripts called Easy-RSA that can generate the
-appropriate files needed for an OpenVPN setup using X.509 certificates.
-Easy-RSA comes installed by default on VyOS routers.
-
-Copy the Easy-RSA scripts to a new directory to modify the values.
-
-.. code-block:: none
-
- cp -r /usr/share/easy-rsa/ /config/my-easy-rsa-config
- cd /config/my-easy-rsa-config
-
-To ensure the consistent use of values when generating the PKI, set default
-values to be used by the PKI generating scripts. Rename the vars.example filename
-to vars
-
-.. code-block:: none
-
- mv vars.example vars
-
-Following is the instance of the file after editing. You may also change other values in
-the file at your discretion/need, though for most cases the defaults should be just fine.
-(do not leave any of these parameters blank)
-
-.. code-block:: none
-
- set_var EASYRSA_DN "org"
- set_var EASYRSA_REQ_COUNTRY "US"
- set_var EASYRSA_REQ_PROVINCE "California"
- set_var EASYRSA_REQ_CITY "San Francisco"
- set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
- set_var EASYRSA_REQ_EMAIL "me@example.net"
- set_var EASYRSA_REQ_OU "My Organizational Unit"
- set_var EASYRSA_KEY_SIZE 2048
-
-
-init-pki option will create a new pki directory or will delete any previously generated
-certificates stored in that folder. The term 'central' is used to refer server and
-'branch' for client
-
-.. note:: Remember the “CA Key Passphrase” prompted in build-ca command,
- as it will be asked in signing the server/client certificate.
-
-.. code-block:: none
-
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa init-pki
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-ca
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-req central nopass
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa sign-req server central
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-dh
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-client-full branch1 nopass
-
-To generate a certificate revocation list for any client, execute these commands:
-
-.. code-block:: none
-
- vyos@vyos:/config/my-easy-rsa-config$./easyrsa revoke client1
- vyos@vyos:/config/my-easy-rsa-config$ ./easyrsa gen-crl
-
-Copy the files to /config/auth/ovpn/ to use in OpenVPN tunnel creation
-
-.. code-block:: none
-
- vyos@vyos:/config/my-easy-rsa-config$ sudo mkdir /config/auth/ovpn
- vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/ca.crt /config/auth/ovpn
- vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/dh.pem /config/auth/ovpn
- vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/private/central.key /config/auth/ovpn
- vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/issued/central.crt /config/auth/ovpn
- vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/crl.pem /config/auth/ovpn
-
-Additionally, each client needs a copy of ca.crt and its own client key and cert files.
-The files are plaintext so they may be copied either manually,
-or through a remote file transfer tool like scp. Whichever method you use,
-the files need to end up in the proper location on each router.
-For example, Branch 1's router might have the following files:
-
-.. code-block:: none
-
- vyos@branch1-rtr:$ ls /config/auth/ovpn
- ca.crt branch1.crt branch1.key
-
-Client Authentication
-=====================
-
-LDAP
-----
-
-Enterprise installations usually ship a kind of directory service which is used
-to have a single password store for all employees. VyOS and OpenVPN support using
-LDAP/AD as single user backend.
-
-Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
-shipped with every VyOS installation. A dedicated configuration file is required.
-It is best practise to store it in ``/config`` to survive image updates
-
-.. code-block:: none
-
- set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
-
-The required config file may look like:
-
-.. code-block:: none
-
- <LDAP>
- # LDAP server URL
- URL ldap://ldap.example.com
- # Bind DN (If your LDAP server doesn't support anonymous binds)
- BindDN cn=LDAPUser,dc=example,dc=com
- # Bind Password password
- Password S3cr3t
- # Network timeout (in seconds)
- Timeout 15
- </LDAP>
-
- <Authorization>
- # Base DN
- BaseDN "ou=people,dc=example,dc=com"
- # User Search Filter
- SearchFilter "(&(uid=%u)(objectClass=shadowAccount))"
- # Require Group Membership - allow all users
- RequireGroup false
- </Authorization>
-
-Active Directory
-^^^^^^^^^^^^^^^^
-
-Despite the fact that AD is a superset of LDAP
-
-.. code-block:: none
-
- <LDAP>
- # LDAP server URL
- URL ldap://dc01.example.com
- # Bind DN (If your LDAP server doesn’t support anonymous binds)
- BindDN CN=LDAPUser,DC=example,DC=com
- # Bind Password
- Password mysecretpassword
- # Network timeout (in seconds)
- Timeout 15
- # Enable Start TLS
- TLSEnable no
- # Follow LDAP Referrals (anonymously)
- FollowReferrals no
- </LDAP>
-
- <Authorization>
- # Base DN
- BaseDN "DC=example,DC=com"
- # User Search Filter, user must be a member of the VPN AD group
- SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
- # Require Group Membership
- RequireGroup false # already handled by SearchFilter
- <Group>
- BaseDN "OU=Groups,DC=example,DC=com"
- SearchFilter "(|(cn=VPN))"
- MemberAttribute memberOf
- </Group>
- </Authorization>
-
-If you only want to check if the user account is enabled and can authenticate
-(against the primary group) the following snipped is sufficient:
-
-.. code-block:: none
-
- <LDAP>
- URL ldap://dc01.example.com
- BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com
- Password ThisIsTopSecret
- Timeout 15
- TLSEnable no
- FollowReferrals no
- </LDAP>
-
- <Authorization>
- BaseDN "DC=example,DC=com"
- SearchFilter "sAMAccountName=%u"
- RequireGroup false
- </Authorization>
-
-A complete LDAP auth OpenVPN configuration could look like the following example:
-
-.. code-block:: none
-
- vyos@vyos# show interfaces openvpn
- openvpn vtun0 {
- mode server
- openvpn-option "--tun-mtu 1500 --fragment 1300 --mssfix"
- openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
- openvpn-option "--push redirect-gateway"
- openvpn-option --duplicate-cn
- openvpn-option --client-cert-not-required
- openvpn-option --comp-lzo
- openvpn-option --persist-key
- openvpn-option --persist-tun
- server {
- domain-name example.com
- max-connections 5
- name-server 1.1.1.1
- name-server 9.9.9.9
- subnet 172.18.100.128/29
- }
- tls {
- ca-cert-file /config/auth/ca.crt
- cert-file /config/auth/server.crt
- dh-file /config/auth/dh1024.pem
- key-file /config/auth/server.key
- }
- }
-
-Client
-======
-
-VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients.
-You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
-connecting to a VyOS OpenVPN server or any other OpenVPN server.
-
-Given the following example we have one VyOS router acting as OpenVPN server
-and another VyOS router acting as OpenVPN client. The Server also pushes a
-static client IP address to the OpenVPN client. Remember, clients are identified
-using their CN attribute in the SSL certificate.
-
-Server
-------
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 encryption cipher 'aes256'
- set interfaces openvpn vtun10 hash 'sha512'
- set interfaces openvpn vtun10 local-host '172.18.201.10'
- set interfaces openvpn vtun10 local-port '1194'
- set interfaces openvpn vtun10 mode 'server'
- set interfaces openvpn vtun10 persistent-tunnel
- set interfaces openvpn vtun10 protocol 'udp'
- set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
- set interfaces openvpn vtun10 server domain-name 'vyos.net'
- set interfaces openvpn vtun10 server max-connections '250'
- set interfaces openvpn vtun10 server name-server '172.16.254.30'
- set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
- set interfaces openvpn vtun10 server topology 'subnet'
- set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
- set interfaces openvpn vtun10 tls cert-file '/config/auth/server.crt'
- set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem'
- set interfaces openvpn vtun10 tls key-file '/config/auth/server.key'
- set interfaces openvpn vtun10 use-lzo-compression
-
-Client
-------
-
-.. code-block:: none
-
- set interfaces openvpn vtun10 encryption cipher 'aes256'
- set interfaces openvpn vtun10 hash 'sha512'
- set interfaces openvpn vtun10 mode 'client'
- set interfaces openvpn vtun10 persistent-tunnel
- set interfaces openvpn vtun10 protocol 'udp'
- set interfaces openvpn vtun10 remote-host '172.18.201.10'
- set interfaces openvpn vtun10 remote-port '1194'
- set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
- set interfaces openvpn vtun10 tls cert-file '/config/auth/client1.crt'
- set interfaces openvpn vtun10 tls key-file '/config/auth/client1.key'
- set interfaces openvpn vtun10 use-lzo-compression
-
-Options
-=======
-
-We do not have CLI nodes for every single OpenVPN options. If an option is
-missing, a feature request should be opened at Phabricator_ so all users can
-benefit from it (see :ref:`issues_features`).
-
-If you are a hacker or want to try on your own we support passing raw OpenVPN
-options to OpenVPN.
-
-.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persistent-key'
-
-Will add ``persistent-key`` at the end of the generated OpenVPN configuration.
-Please use this only as last resort - things might break and OpenVPN won't start
-if you pass invalid options/syntax.
-
-.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'push &quot;keepalive 1 10&quot;'
-
-Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file.
-
-.. note:: Sometimes option lines in the generated OpenVPN configurarion require
- quotes. This is done through a hack on our config generator. You can pass
- quotes using the ``&quot;`` statement.
-
-
-Troubleshooting
-===============
-
-VyOS provides some operational commands on OpenVPN.
-
-Check status
-------------
-
-The following commands let you check tunnel status.
-
-.. opcmd:: show openvpn client
-
- Use this command to check the tunnel status for OpenVPN client interfaces.
-
-.. opcmd:: show openvpn server
-
- Use this command to check the tunnel status for OpenVPN server interfaces.
-
-.. opcmd:: show openvpn site-to-site
-
- Use this command to check the tunnel status for OpenVPN site-to-site interfaces.
-
-
-Reset OpenVPN
--------------
-
-The following commands let you reset OpenVPN.
-
-.. opcmd:: reset openvpn client <text>
-
- Use this command to reset specified OpenVPN client.
-
-.. opcmd:: reset openvpn interface <interface>
-
- Uset this command to reset the OpenVPN process on a specific interface.
-
-
-
-.. include:: ../common-references.rst
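Review bot: The `.. _openvpn:` label on the first line goes away with this file and the diffstat shows 0 insertions under docs/vpn, so any :ref: to `openvpn` from other pages stops resolving unless the same change re-adds the page elsewhere; please confirm the new location or leave a stub that keeps the label. If the text is being moved rather than dropped, three things are worth fixing in transit: the Active Directory examples pair an `ldap://` URL with `TLSEnable no`, which sends the bind password and user credentials in clear text; the complete LDAP example points at `dh-file /config/auth/dh1024.pem` while the server section uses `dh2048.pem`; and the CRL example runs `./easyrsa revoke client1` although the client built just above is `branch1`.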
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
deleted file mode 100644
index 3580fac3..00000000
--- a/docs/vpn/wireguard.rst
+++ /dev/null
@@ -1,265 +0,0 @@
-.. _wireguard:
-
-#########
-WireGuard
-#########
-
-WireGuard is an extremely simple yet fast and modern VPN that utilizes
-state-of-the-art cryptography. See https://www.wireguard.com for more
-information.
-
-Configuration
-=============
-
-WireGuard requires the generation of a keypair, a private key which will
-decrypt incoming traffic and a public key, which the peer(s) will use to
-encrypt traffic.
-
-Generate keypair
-----------------
-
-.. opcmd:: generate wireguard default-keypair
-
- It generates the keypair, that is its public and private part and stores
- it within VyOS. It will be used per default on any configured WireGuard
- interface, even if multiple interfaces are being configured.
-
-.. opcmd:: show wireguard keypairs pubkey default
-
- It shows the public key which needs to be shared with your peer(s). Your
- peer will encrypt all traffic to your system using this public key.
-
- .. code-block:: none
-
- vyos@vyos:~$ show wireguard keypairs pubkey default
- hW17UxY7zeydJNPIyo3UtGnBHkzTK/NeBOrDSIU9Tx0=
-
-
-Generate named keypair
-----------------------
-
-Named keypairs can be used on a interface basis, if configured. If
-multiple WireGuard interfaces are being configured, each can have their
-own keypairs.
-
-The commands below will generate 2 keypairs, which are not related to
-each other.
-
-.. code-block:: none
-
- vyos@vyos:~$ generate wireguard named-keypairs KP01
- vyos@vyos:~$ generate wireguard named-keypairs KP02
-
-
-Interface configuration
------------------------
-
-The next step is to configure your local side as well as the policy
-based trusted destination addresses. If you only initiate a connection,
-the listen port and address/port is optional, if you however act as a server
-and endpoints initiate the connections to your system, you need to
-define a port your clients can connect to, otherwise it's randomly
-chosen and may make it difficult with firewall rules, since the port may
-be a different one when you reboot your system.
-
-You will also need the public key of your peer as well as the network(s)
-you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
-public key below is always the public key from your peer, not your local
-one.
-
-**local side**
-
-.. code-block:: none
-
- set interfaces wireguard wg01 address '10.1.0.1/24'
- set interfaces wireguard wg01 description 'VPN-to-wg02'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142'
- set interfaces wireguard wg01 peer to-wg02 port '12345'
- set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
- set interfaces wireguard wg01 port '12345'
- set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
-
-The last step is to define an interface route for 10.2.0.0/24 to get
-through the WireGuard interface `wg01`. Multiple IPs or networks can be
-defined and routed, the last check is allowed-ips which either prevents
-or allows the traffic.
-
-.. note:: You can not assign the same allowed-ips statement to multiple
- WireGuard peers. This a a design decission. For more information please
- check the `WireGuard mailing list`_.
-
-
-To use a named key on an interface, the option private-key needs to be
-set.
-
-.. code-block:: none
-
- set interfaces wireguard wg01 private-key KP01
- set interfaces wireguard wg02 private-key KP02
-
-The command ``run show wireguard keypairs pubkey KP01`` will then show
-the public key, which needs to be shared with the peer.
-
-
-**remote side**
-
-.. code-block:: none
-
- set interfaces wireguard wg01 address '10.2.0.1/24'
- set interfaces wireguard wg01 description 'VPN-to-wg01'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124'
- set interfaces wireguard wg01 peer to-wg02 port '12345'
- set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
- set interfaces wireguard wg01 port '12345'
- set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
-
-Assure that your firewall rules allow the traffic, in which case you
-have a working VPN using WireGuard
-
-.. code-block:: none
-
- wg01# ping 10.2.0.1
- PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
- 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
- 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms
-
- wg02# ping 10.1.0.1
- PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
- 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
- 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
-
-An additional layer of symmetric-key crypto can be used on top of the
-asymmetric crypto, which is optional.
-
-.. code-block:: none
-
- wg01# run generate wireguard preshared-key
- rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
-
-Copy the key, as it is not stored on the local file system. Make sure
-you distribute that key in a safe manner, it's a symmetric key, so only
-you and your peer should have knowledge of its content.
-
-.. code-block:: none
-
- wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
- wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
-
-Road Warrior Example
---------------------
-
-With WireGuard, a Road Warrior VPN config is similar to a site-to-site
-VPN. It just lacks the ``address`` and ``port`` statements.
-
-In the following example, the IPs for the remote clients are defined in
-the peers. This would allow the peers to interact with one another.
-
-.. code-block:: none
-
- wireguard wg0 {
- address 10.172.24.1/24
- address 2001:DB8:470:22::1/64
- description RoadWarrior
- peer MacBook {
- allowed-ips 10.172.24.30/32
- allowed-ips 2001:DB8:470:22::30/128
- persistent-keepalive 15
- pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc=
- }
- peer iPhone {
- allowed-ips 10.172.24.20/32
- allowed-ips 2001:DB8:470:22::30/128
- persistent-keepalive 15
- pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00=
- }
- port 2224
- }
-
-The following is the config for the iPhone peer above. It's important to
-note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic
-through the connection.
-
-.. code-block:: none
-
- [Interface]
- PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
- Address = 10.172.24.20/24, 2001:DB8:470:22::20/64
- DNS = 10.0.0.53, 10.0.0.54
-
- [Peer]
- PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
- AllowedIPs = 0.0.0.0/0, ::/0
- Endpoint = 192.0.2.1:2224
- PersistentKeepalive = 25
-
-
-This MacBook peer is doing split-tunneling, where only the subnets local
-to the server go over the connection.
-
-.. code-block:: none
-
- [Interface]
- PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
- Address = 10.172.24.30/24, 2001:DB8:470:22::30/64
-
- [Peer]
- PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
- AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64
- Endpoint = 192.0.2.1:2224
- PersistentKeepalive = 25
-
-
-Operational commands
-====================
-
-**Show interface status**
-
-.. code-block:: none
-
- vyos@wg01# run show interfaces wireguard wg01
- interface: wg1
- description: VPN-to-wg01
- address: 10.2.0.1/24
- public key: RIbtUTCfgzNjnLNPQ/asldkfjhaERDFl2H/xUfbyjc=
- private key: (hidden)
- listening port: 53665
- peer: to-wg02
- public key: u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
- latest handshake: 0:01:20
- status: active
- endpoint: 192.168.0.124:12345
- allowed ips: 10.2.0.0/24
- transfer: 42 GB received, 487 MB sent
- persistent keepalive: every 15 seconds
- RX:
- bytes packets errors dropped overrun mcast
- 45252407916 31192260 0 244493 0 0
- TX:
- bytes packets errors dropped carrier collisions
- 511649780 5129601 24465 0 0 0
-
-**Show public key of the default key**
-
-.. code-block:: none
-
- vyos@wg01# run show wireguard keypair pubkey default
- FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=
-
-**Show public key of a named key**
-
-.. code-block:: none
-
- vyos@wg01# run show wireguard keypair pubkey KP01
- HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM=
-
-
-**Delete wireguard keypairs**
-
-.. code-block:: none
-
- vyos@wg01# wireguard keypair default
-
-
-.. _`WireGuard mailing list`: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003704.html
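Review bot: The `.. _wireguard:` label on the first line is removed with nothing added under docs/vpn, so references to it from other pages need to be checked before this lands. If the content is carried over to a new file, the Road Warrior example should be corrected there: peer `iPhone` lists `allowed-ips 2001:DB8:470:22::30/128`, the same address as peer `MacBook`, which contradicts the note that one allowed-ips statement cannot be assigned to multiple peers, and the iPhone client config itself uses `::20`. The remote-side block also names its peer `to-wg02` while the preshared-key command for wg02 uses `to-wg01`, and the "Delete wireguard keypairs" example shows `wireguard keypair default` without a verb.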