Wireguard Configuration

Last Tested in Nodegrid Version 4.1.9

Overview


Wireguard is a modern tunnel solution which is part of current Linux distributions. It is making its way into business applications and is, for example, currently supported by 128 Technology and Perimeter81.

Advantages:

- Uses a current elliptic-curve algorithm for encryption
- Uses RSA keys and optional PSKs for authentication
- Roaming of endpoints is an integrated part of the solution
- Easy to set up
- Good client support, with native clients for Windows, macOS, Linux, iOS and Android
- Native support for tunnel interfaces, which allows multicast traffic
- Support for IPv6 and IPv4 over the same interface
- Being part of the Linux kernel ensures long-term support

Disadvantages:

- IP addresses of endpoint systems are logged; in some environments this is undesirable due to local laws or regulations
- No native user authentication mechanism is built in
- Relatively new protocol/solution

Wireguard is supported on Nodegrid devices since version 4.1 and allows an easy site-to-site tunnel to be established.

Configuration

- Log in to the Nodegrid shell as the root user
- Navigate to `/etc/wireguard`
- Create a private and public key with the following commands:
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
- This creates two files:
      - privatekey: this file contains the private key. It must never be shared.
      - publickey: this file contains the public key, which is shared with the other endpoints
- Now create the configuration file. The file name has to match the interface which will be used; for example, if the interface is called `wg0`, the file name must be `wg0.conf`
    [Interface]
    ListenPort = <Local UDP Port>
    PrivateKey = <LOCAL PRIVATE KEY>
    Address = <LOCAL IP ADDRESS RANGE WHICH WILL BE ALLOWED>
    [Peer]
    PublicKey = <ENDPOINT PUBLIC KEY>
    AllowedIPs = <ENDPOINT ADDRESS RANGE WHICH WILL BE ALLOWED>
    PersistentKeepalive = 25 # Keepalive checks for the tunnel in seconds
    Endpoint = <ENDPOINT PUBLIC IP AND UDP PORT NUMBER>

Example

    root@nodegrid:/etc/wireguard# cat wg1.conf
    [Interface]
    ListenPort = 8000
    PrivateKey = yXi....j4=
    Address = 10.255.255.3/24
    [Peer]
    PublicKey = BVbf....aNXU=
    AllowedIPs = 10.255.0.0/16
    PersistentKeepalive = 10
    Endpoint = 134.122.64.42:8000
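The configuration format above, checked by a small Python validator added here as an example (it is not Nodegrid's or WireGuard's own code): it parses the [Interface]/[Peer] file, verifies that each key decodes to 32 bytes, that Address and AllowedIPs are valid CIDR lists, and flags a peer whose AllowedIPs is 0.0.0.0/0 or ::/0, since that sends all traffic through the tunnel. SAMPLE_CONF and its keys are constructed for the example.

```python
"""Sanity checks for a WireGuard wg*.conf before `wg-quick up` (added example, not Nodegrid's own code)."""
import base64
import binascii
import ipaddress

# Constructed sample modelled on the wg1.conf above; the keys are dummy 32-byte values, not real key material.
SAMPLE_CONF = """[Interface]
PrivateKey = %s
Address = 10.255.255.3/24
[Peer]
PublicKey = %s
AllowedIPs = 10.255.0.0/16
PersistentKeepalive = 10  # keepalive interval in seconds
Endpoint = 134.122.64.42:8000
""" % (base64.b64encode(b"\x11" * 32).decode(), base64.b64encode(b"\x22" * 32).decode())

def parse_conf(text):
    """Return [(section, {key: value})] in file order; '#' starts a comment, as in wg(8)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value  # a repeated key overwrites the earlier one here
    return sections

def is_key(value):
    """WireGuard keys are 32-byte Curve25519 keys, base64 encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def validate(text):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for name, kv in parse_conf(text):
        key_field, cidr_field = ("PrivateKey", "Address") if name == "Interface" else ("PublicKey", "AllowedIPs")
        if not is_key(kv.get(key_field, "")):
            problems.append("%s: %s is not a valid 32-byte key" % (name, key_field))
        try:
            nets = [ipaddress.ip_network(n.strip(), strict=False) for n in kv.get(cidr_field, "").split(",")]
        except ValueError:
            problems.append("%s: %s missing or not a valid CIDR list" % (name, cidr_field))
            nets = []
        if name == "Peer":  # a /0 AllowedIPs makes wg-quick route everything through this peer
            problems += ["Peer: AllowedIPs %s sends ALL traffic through this peer" % n for n in nets if n.prefixlen == 0]
    return problems
```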

Tunnel Management

Start Tunnel

The tunnel can be started with the `wg-quick` command and the interface name:
    wg-quick up wg1

Stop Tunnel

The tunnel can be stopped with the `wg-quick` command and the interface name:
    wg-quick down wg1

Tunnel Status

The current tunnel status can be seen with the `wg` command:
    root@nodegrid:/etc/wireguard# wg
    interface: wg1
      public key: ZLqr/.../MK3nGgC3k=
      private key: (hidden)
      listening port: 8000
    peer: BVb....XU=
      endpoint: xxx.xxx.xxx.xxx:8000
      allowed ips: 10.255.0.0/16
      latest handshake: 1 minute, 52 seconds ago
      transfer: 26.42 KiB received, 24.79 KiB sent
      persistent keepalive: every 10 seconds

