summaryrefslogtreecommitdiff
path: root/docs/vpn
diff options
context:
space:
mode:
authorkroy-the-rabbit <kroy@kroy.io>2019-11-26 13:15:19 -0600
committerChristian Poessinger <christian@poessinger.com>2019-11-26 20:15:19 +0100
commitaf2f1dd50f23faaf878af2c27b8358d334660e6d (patch)
treea6e9383d3a03af4959df9361bacd3558b4bd56bc /docs/vpn
parentc023e9753b3212bd0ffbff4869c0e79364aebc53 (diff)
downloadvyos-documentation-af2f1dd50f23faaf878af2c27b8358d334660e6d.tar.gz
vyos-documentation-af2f1dd50f23faaf878af2c27b8358d334660e6d.zip
wireguard: Add road-warrior example
Diffstat (limited to 'docs/vpn')
-rw-r--r--docs/vpn/wireguard.rst60
1 files changed, 60 insertions, 0 deletions
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index ecd7598e..b1fb0bdc 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -142,6 +142,66 @@ your peer should have knowledge of its content.
wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
+Road Warrior Example
+~~~~~~~~~~~~~~~~~~~~
+
+With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the ``endpoint`` address.
+
+In the following example, the IPs for the remote clients are defined in the peers. This would allow the peers to interact with one another.
+
+.. code-block:: sh
+
+ wireguard wg0 {
+ address 10.172.24.1/24
+ address 2001:DB8:470:22::1/64
+ description RoadWarrior
+ peer MacBook {
+ allowed-ips 10.172.24.30/32
+ allowed-ips 2001:DB8:470:22::30/128
+ persistent-keepalive 15
+ pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc=
+ }
+ peer iPhone {
+ allowed-ips 10.172.24.20/32
+ allowed-ips 2001:DB8:470:22::30/128
+ persistent-keepalive 15
+ pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00=
+ }
+ port 2224
+ }
+
+The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` setting
+directs all IPv4 and IPv6 traffic through the connection.
+
+.. code-block:: sh
+
+ [Interface]
+ PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
+ Address = 10.172.24.20/24, 2001:DB8:470:22::20/64
+ DNS = 10.0.0.53, 10.0.0.54
+
+ [Peer]
+ PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
+ AllowedIPs = 0.0.0.0/0, ::/0
+ Endpoint = 192.0.2.1:2224
+ PersistentKeepalive = 25
+
+
+This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection.
+
+.. code-block:: sh
+
+ [Interface]
+ PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
+ Address = 10.172.24.30/24, 2001:DB8:470:22::30/64
+
+ [Peer]
+ PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
+ AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64
+ Endpoint = 192.0.2.1:2224
+ PersistentKeepalive = 25
+
+
Operational commands
^^^^^^^^^^^^^^^^^^^^