Moved wireguard from the interfaces to vpn directory, as it is a VPN.

 Modified the index files to reflect this.
 Added Diagram of the VPN Topology
 Modified the weird IP subnets for local& remote sites. This Included:
	Changing the Interface Address for the wg01 tunnel
	Chaning the WAN addresses to addrs not in the RFC1918 range (1.1.1.1 & 2.2.2.2)
	Modifing the allowed IPs and static route to reflect this.
	Modified the ping test to reflect this.
 Added an annotated verison of the wireguard local&remote config.
 Added an example of a firewall exception for wirguard (OUTSIDE_IN)
 Modified the explanation for the behavior of AllowedIPs for remote clients.
 Added an example of "sudo wg" to the operational commands.
 Fixed typo

3 files changed, 124 insertions, 39 deletions

diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst
index 3c75f482..2c0a7193 100644
--- a/docs/configuration/interfaces/index.rst
+++ b/docs/configuration/interfaces/index.rst
@@ -21,7 +21,6 @@ Interfaces
    tunnel
    vti
    vxlan
-   wireguard
    wireless
    wwan
 
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
index abaca198..c57fc4eb 100644
--- a/docs/configuration/vpn/index.rst
+++ b/docs/configuration/vpn/index.rst
@@ -13,6 +13,7 @@ VPN
    pptp
    rsa-keys
    sstp
+   wireguard
 
 
 
@@ -23,4 +24,4 @@ pages to sort
    :includehidden:
 
    dmvpn
-   site2site_ipsec
\ No newline at end of file
+   site2site_ipsec
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/vpn/wireguard.rst
index ddfbe620..91b5fe71 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/vpn/wireguard.rst
@@ -1,7 +1,5 @@
 .. _wireguard:
 
-.. include:: /_include/need_improvement.txt
-
 #########
 WireGuard
 #########
@@ -11,9 +9,23 @@ state-of-the-art cryptography. See https://www.wireguard.com for more
 information.
 
 *************
+Diagram
+*************
+
+This diagram corresponds with the configuration below.
+
+.. figure:: /_static/images/wireguard_vpn_diagram.jpg
+
+*************
 Configuration
 *************
 
+
+
+*************
+Keypairs
+*************
+
 WireGuard requires the generation of a keypair, which includes a private
 key to decrypt incoming traffic, and a public key for peer(s) to encrypt
 traffic.
@@ -55,8 +67,9 @@ own keypairs.
     vyos@vyos:~$ generate wireguard named-keypairs KP02
 
 
+**************************
 Interface configuration
-=======================
+**************************
 
 The next step is to configure your local side as well as the policy
 based trusted destination addresses. If you only initiate a connection,
@@ -71,18 +84,31 @@ you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The
 public key below is always the public key from your peer, not your local
 one.
 
-**local side**
+**local side - commands**
 
 .. code-block:: none
 
-  set interfaces wireguard wg01 address '10.1.0.1/24'
+  set interfaces wireguard wg01 address '10.1.0.1/30'
   set interfaces wireguard wg01 description 'VPN-to-wg02'
-  set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
-  set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142'
-  set interfaces wireguard wg01 peer to-wg02 port '12345'
+  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
+  set interfaces wireguard wg01 peer to-wg02 address '2.2.2.2'
+  set interfaces wireguard wg01 peer to-wg02 port '51820'
   set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
-  set interfaces wireguard wg01 port '12345'
-  set protocols static route 10.2.0.0/24 interface wg01
+  set interfaces wireguard wg01 port '51820'
+  set protocols static route 192.168.2.0/24 interface wg01
+
+**local side - annotated commands**
+
+.. code-block:: none
+
+  set interfaces wireguard wg01 address '10.1.0.1/30'                    # Address of the wg01 tunnel interface.          
+  set interfaces wireguard wg01 description 'VPN-to-wg02'
+  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'# Subnets that are allowed to travel over the tunnel
+  set interfaces wireguard wg01 peer to-wg02 address '2.2.2.2'           # Public IP of the peer
+  set interfaces wireguard wg01 peer to-wg02 port '58120'                # Port of the Peer
+  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'           # Public Key of the Peer
+  set interfaces wireguard wg01 port '51820'                             # Port of own server
+  set protocols static route 192.168.2.0/24 interface wg01               # Static route to remote subnet
 
 The last step is to define an interface route for 10.2.0.0/24 to get
 through the WireGuard interface `wg01`. Multiple IPs or networks can be
@@ -90,7 +116,7 @@ defined and routed. The last check is allowed-ips which either prevents
 or allows the traffic.
 
 .. note:: You can not assign the same allowed-ips statement to multiple
-   WireGuard peers. This a a design decission. For more information please
+   WireGuard peers. This a a design decision. For more information please
    check the `WireGuard mailing list`_.
 
 .. cfgcmd:: set interfaces wireguard <interface> private-key <name>
@@ -106,33 +132,70 @@ or allows the traffic.
   public key, which needs to be shared with the peer.
 
 
-**remote side**
+**remote side - commands**
 
 .. code-block:: none
 
-  set interfaces wireguard wg01 address '10.2.0.1/24'
+  set interfaces wireguard wg01 address '10.1.0.2/30'
   set interfaces wireguard wg01 description 'VPN-to-wg01'
-  set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
-  set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124'
-  set interfaces wireguard wg01 peer to-wg02 port '12345'
+  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'
+  set interfaces wireguard wg01 peer to-wg02 address '1.1.1.1'
+  set interfaces wireguard wg01 peer to-wg02 port '51820'
   set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
-  set interfaces wireguard wg01 port '12345'
-  set protocols static route 10.1.0.0/24 interface wg01
+  set interfaces wireguard wg01 port '51820'
+  set protocols static route 192.168.1.0/24 interface wg01
+
+**remote side - annotated commands**
+
+.. code-block:: none
+
+  set interfaces wireguard wg01 address '10.1.0.2/30'                    # Address of the wg01 tunnel interface.
+  set interfaces wireguard wg01 description 'VPN-to-wg01'
+  set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.1.0/24'# Subnets that are allowed to travel over the tunnel
+  set interfaces wireguard wg01 peer to-wg02 address '1.1.1.1'           # Public IP address of the Peer
+  set interfaces wireguard wg01 peer to-wg02 port '12345'                # Port of the Peer
+  set interfaces wireguard wg01 peer to-wg02 pubkey '<pubkey>'           # Public key of the Peer  
+  set interfaces wireguard wg01 port '51820'                             # Port of own server
+  set protocols static route 192.168.1.0/24 interface wg01               # Static route remote subnet
+
+**************************
+Firewall Exceptions
+**************************
+
+For the WireGuard traffic to pass through the WAN interface, you must create a firewall exception.
+
+.. code-block:: none
+
+    set firewall name OUTSIDE_LOCAL rule 10 action accept
+    set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
+    set firewall name OUTSIDE_LOCAL rule 10 state established enable
+    set firewall name OUTSIDE_LOCAL rule 10 state related enable
+    set firewall name OUTSIDE_LOCAL rule 20 action accept
+    set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
+    set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
+    set firewall name OUTSIDE_LOCAL rule 20 log enable
+    set firewall name OUTSIDE_LOCAL rule 20 protocol udp
+    set firewall name OUTSIDE_LOCAL rule 20 source
+
+You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local).
+
+.. code-block:: none
+
+    set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
 
-Assure that your firewall rules allow the traffic, in which case you
-have a working VPN using WireGuard.
+Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard.
 
 .. code-block:: none
 
-  wg01# ping 10.2.0.1
-  PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
-  64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
-  64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms
+  wg01# ping 192.168.1.1
+  PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
+  64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.16 ms
+  64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.77 ms
 
-  wg02# ping 10.1.0.1
-  PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
-  64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
-  64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
+  wg02# ping 192.168.2.1
+  PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
+  64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.40 ms
+  64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.02 ms
 
 An additional layer of symmetric-key crypto can be used on top of the
 asymmetric crypto. This is optional.
@@ -151,8 +214,10 @@ its content. Make sure you distribute the key in a safe manner,
   wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
   wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
 
-Road Warrior Example
---------------------
+
+*******************************
+Mobile "RoadWarrior" Example
+*******************************
 
 With WireGuard, a Road Warrior VPN config is similar to a site-to-site
 VPN. It just lacks the ``address`` and ``port`` statements.
@@ -182,7 +247,7 @@ the peers. This allows the peers to interact with one another.
     }
 
 The following is the config for the iPhone peer above. It's important to
-note that the ``AllowedIPs`` setting directs all IPv4 and IPv6 traffic
+note that the ``AllowedIPs`` wildcard setting directs all IPv4 and IPv6 traffic
 through the connection.
 
 .. code-block:: none
@@ -198,9 +263,9 @@ through the connection.
     Endpoint = 192.0.2.1:2224
     PersistentKeepalive = 25
 
-
-This MacBook peer is doing split-tunneling, where only the subnets local
-to the server go over the connection.
+However, split-tunneling can be achieved by specifing the remote subnets.
+This ensures that only traffic destined for the remote site is sent over the tunnel.
+All other traffic is unaffected.
 
 .. code-block:: none
 
@@ -222,6 +287,24 @@ Operational Commands
 Status
 ======
 
+.. opcmd:: sudo wg
+
+  Show info about the Wireguard service. 
+  Also shows the latest handshake.
+
+  .. code-block:: none
+
+    interface: wg0
+      public key: 
+      private key: (hidden)
+      listening port: 51869
+
+    peer: <peer pubkey>
+      endpoint: <peer public IP>
+      allowed ips: 10.69.69.2/32
+      latest handshake: 23 hours, 45 minutes, 26 seconds ago
+      transfer: 1.26 MiB received, 6.47 MiB sent
+
 .. opcmd:: show interfaces wireguard
 
   Get a list of all wireguard interfaces
@@ -252,8 +335,9 @@ Status
         TX:  bytes  packets  errors  dropped  carrier  collisions
                  0        0       0        0        0           0
 
+**************************
 Encryption Keys
-===============
+**************************
 
 .. opcmd:: show wireguard keypair pubkey <name>
 
@@ -284,15 +368,16 @@ Encryption Keys
     vyos@vyos:~$ delete wireguard keypair default
 
 
+*******************************
 Mobile "RoadWarrior" clients
-============================
+*******************************
 
 Some users tend to connect their mobile devices using WireGuard to their VyOS
 router. To ease deployment one can generate a "per mobile" configuration from
 the VyOS CLI.
 
 .. warning:: From a security perspective it is not recommended to let a third
-  party create the private key for a secured connection. You should create the
+  party create and share the private key for a secured connection. You should create the
   private portion on your own and only hand out the public key. Please keep this
   in mind when using this convenience feature.