| author | kroy-the-rabbit <kroy@kroy.io> | 2019-11-26 13:15:19 -0600 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2019-11-26 20:15:19 +0100 | 
| commit | af2f1dd50f23faaf878af2c27b8358d334660e6d (patch) | |
| tree | a6e9383d3a03af4959df9361bacd3558b4bd56bc /docs/vpn | |
| parent | c023e9753b3212bd0ffbff4869c0e79364aebc53 (diff) | |
| download | vyos-documentation-af2f1dd50f23faaf878af2c27b8358d334660e6d.tar.gz vyos-documentation-af2f1dd50f23faaf878af2c27b8358d334660e6d.zip | |
wireguard: Add road-warrior example
Diffstat (limited to 'docs/vpn')
| -rw-r--r-- | docs/vpn/wireguard.rst | 60 | 
1 files changed, 60 insertions, 0 deletions
| diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst index ecd7598e..b1fb0bdc 100644 --- a/docs/vpn/wireguard.rst +++ b/docs/vpn/wireguard.rst 
@@ -142,6 +142,66 @@ your peer should have knowledge of its content.    wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='    wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' +Road Warrior Example +~~~~~~~~~~~~~~~~~~~~ + +With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN.  It just lacks the ``endpoint`` address. + +In the following example, the IPs for the remote clients are defined in the peers.  This would allow the peers to interact with one another. + +.. code-block:: sh + +    wireguard wg0 { +        address 10.172.24.1/24 +        address 2001:DB8:470:22::1/64 +        description RoadWarrior +        peer MacBook { +            allowed-ips 10.172.24.30/32 +            allowed-ips 2001:DB8:470:22::30/128 +            persistent-keepalive 15 +            pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc= +        } +        peer iPhone { +            allowed-ips 10.172.24.20/32 +            allowed-ips 2001:DB8:470:22::30/128 +            persistent-keepalive 15 +            pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= +        } +        port 2224 +    } + +The following is the config for the iPhone peer above.  It's important to note that the ``AllowedIPs`` setting  +directs all IPv4 and IPv6 traffic through the connection. + +.. code-block:: sh + +    [Interface] +    PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf= +    Address = 10.172.24.20/24, 2001:DB8:470:22::20/64 +    DNS = 10.0.0.53, 10.0.0.54 + +    [Peer] +    PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= +    AllowedIPs = 0.0.0.0/0, ::/0 +    Endpoint = 192.0.2.1:2224 +    PersistentKeepalive = 25 + + +This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection. + +.. 
code-block:: sh + +    [Interface] +    PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go= +    Address = 10.172.24.30/24, 2001:DB8:470:22::30/64 + +    [Peer] +    PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= +    AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64 +    Endpoint = 192.0.2.1:2224 +    PersistentKeepalive = 25 + +  Operational commands  ^^^^^^^^^^^^^^^^^^^^ | 
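Review bot: The iPhone peer's IPv6 entry in the new `wireguard wg0` block is wrong: it repeats the MacBook's address (`allowed-ips 2001:DB8:470:22::30/128`) while the iPhone's own `[Interface]` below is given `Address = 10.172.24.20/24, 2001:DB8:470:22::20/64`. WireGuard's cryptokey routing lets an allowed-ip belong to only one peer, so the second definition steals the ::30/128 from the MacBook, and the iPhone's ::20 traffic matches no peer and is dropped in both directions. Change it to `allowed-ips 2001:DB8:470:22::20/128`. Two smaller points in the same hunk: the MacBook split-tunnel config uses `AllowedIPs = 10.172.24.30/24` where the network address `10.172.24.0/24` is meant (the IPv6 entry `2001:DB8:470:22::/64` beside it is written correctly, and readers copying a host-bits prefix will be confused); and the two `PrivateKey` placeholders are not 32-byte base64 strings, so `wg` will reject them as malformed keys if pasted as-is. Either say they are placeholders to be replaced with `wg genkey` output or use keys of the correct shape, as the `pubkey` values already are. The sentence ending in "the ``AllowedIPs`` setting" also carries trailing whitespace.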
