Wireguard Configuration

Last Tested in Nodegrid Version 4.1.9

Overview


Wireguard is a modern tunnel solution that is part of current Linux distributions. It is making its way into business applications and is, for example, currently supported by 128 Technology and Perimeter81.

Advantages:

- Uses a modern elliptic-curve algorithm for encryption
- Uses RSA keys and optional PSKs for authentication
- Roaming of endpoints is an integrated part of the solution
- Easy to set up
- Good client support, with native support for Windows, MacOS, Linux, iOS and Android
- Native support for tunnel interfaces, which allows for multicast traffic
- Support for IPv6 and IPv4 over the same interface
- Being part of the Linux kernel ensures long-term support

Disadvantages:

- IP addresses of endpoint systems are logged; in some environments this is undesirable due to local laws or regulations
- No native user authentication mechanisms are built in
- Relatively new protocol/solution

Wireguard is supported on Nodegrid devices since version 4.1 and allows for the establishment of an easy site-to-site tunnel.

Configuration

- Log in to the Nodegrid shell as the root user
- Navigate to `/etc/wireguard`
- Create a private and public key with the following commands (the `umask` ensures the key files are created readable by root only):

      umask 077
      wg genkey | tee privatekey | wg pubkey > publickey

- This will create 2 files:
      - privatekey: this file contains the private key. It must never be shared.
      - publickey: this file contains the public key, which will be shared with the other endpoints
- Now create the configuration file. The file name has to match the interface which will be used; for example, if the interface is called `wg0`, the file name should be `wg0.conf`:

      [Interface]
      ListenPort = <Local UDP Port>
      PrivateKey = <LOCAL PRIVATE KEY>
      Address = <LOCAL IP ADDRESS RANGE WHICH WILL BE ALLOWED>
      [Peer]
      PublicKey = <ENDPOINT PUBLIC KEY>
      AllowedIPs = <ENDPOINT ADDRESS RANGE WHICH WILL BE ALLOWED>
      PersistentKeepalive = 25 # keepalive checks for the tunnel, in seconds
      Endpoint = <ENDPOINT PUBLIC IP AND UDP PORT NUMBER>

Example

      root@nodegrid:/etc/wireguard# cat wg1.conf
      [Interface]
      ListenPort = 8000
      PrivateKey = yXi....j4=
      Address = 10.255.255.3/24
      [Peer]
      PublicKey = BVbf....aNXU=
      AllowedIPs = 10.255.0.0/16
      PersistentKeepalive = 10
      Endpoint = 134.122.64.42:8000

Tunnel Management

Start Tunnel

The tunnel can be started with the `wg-quick` command and the interface name:

      wg-quick up wg1

Stop Tunnel

The tunnel can be stopped with the `wg-quick` command and the interface name:

      wg-quick down wg1

Tunnel Status

The current tunnel status can be seen with the `wg` command:

      root@nodegrid:/etc/wireguard# wg
      interface: wg1
        public key: ZLqr/.../MK3nGgC3k=
        private key: (hidden)
        listening port: 8000
      peer: BVb....XU=
        endpoint: xxx.xxx.xxx.xxx:8000
        allowed ips: 10.255.0.0/16
        latest handshake: 1 minute, 52 seconds ago
        transfer: 26.42 KiB received, 24.79 KiB sent
        persistent keepalive: every 10 seconds
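The "latest handshake" line above is the practical health signal for a site-to-site tunnel: a peer that never completed a handshake prints no such line at all, and one whose last handshake is several minutes old is no longer exchanging traffic. The following added example (not Nodegrid or WireGuard code) parses the text layout `wg` prints, as shown above, and flags peers that are down; the sample output, peer keys and addresses are constructed, and the 180-second staleness threshold is an assumption.

```python
import re
# Constructed sample in the layout `wg` prints; keys, addresses and
# counters are placeholders, not values taken from a real device.
SAMPLE_WG_OUTPUT = """\
interface: wg1
  listening port: 8000

peer: BVb....XU=
  endpoint: 192.0.2.10:8000
  allowed ips: 10.255.0.0/16
  latest handshake: 1 minute, 52 seconds ago
  persistent keepalive: every 10 seconds

peer: QkNE....Zz0=
  endpoint: 192.0.2.11:8000
  allowed ips: 10.254.0.0/16, 10.253.1.0/24
  persistent keepalive: every 10 seconds
"""

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def handshake_age_seconds(text):
    """Turn '1 minute, 52 seconds ago' into seconds (112)."""
    return sum(int(n) * _UNITS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))

def parse_wg_status(output):
    """Map each peer public key to endpoint, allowed IPs and handshake age.
    A peer that never completed a handshake prints no 'latest handshake'
    line, so its age stays None."""
    peers, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = {"endpoint": None, "allowed_ips": [], "handshake_age": None}
        elif current and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "endpoint":
                peers[current]["endpoint"] = value
            elif key == "allowed ips":
                peers[current]["allowed_ips"] = [ip.strip() for ip in value.split(",")]
            elif key == "latest handshake":
                peers[current]["handshake_age"] = handshake_age_seconds(value)
    return peers

def stale_peers(peers, max_age=180):
    """Peers with no handshake or one older than max_age seconds; 180 s is an
    assumed threshold, since WireGuard rekeys about every two minutes."""
    return sorted(k for k, p in peers.items()
                  if p["handshake_age"] is None or p["handshake_age"] > max_age)
```

Run it against real output with `parse_wg_status(subprocess.check_output(["wg"], text=True))`; an empty result from `stale_peers` means every configured peer has handshaked recently.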
