Overview
WireGuard is a current tunnel solution that is included in current Linux distributions. It is making its way into some business applications and is, for example, currently supported by 128 Technology and Perimeter81.
Advantages:
- Uses a current elliptic curve algorithm for the encryption
- Uses RSA keys and optional PSKs for authentication
- Roaming of endpoints is an integrated part of the solution
- Easy to set up
- Good client support, with native support for Windows, macOS, Linux, iOS and Android
- Native support for tunnel interfaces to allow for Multicast traffic
- Support for IPv6 and IPv4 over the same interface
- Being part of the Linux kernel ensures long-term support
Disadvantages:
- The IP addresses of endpoint systems are logged; in some environments this is undesirable due to local laws or regulations
- No native user authentication mechanisms are built in
- Relatively new protocol/solution
WireGuard is supported in the admin CLI and GUI on Nodegrid devices since version 5.2 and allows for the easy establishment of a site-to-site tunnel. Here are the required options:
Interface Options | Description |
Interface Name | Label assigned to describe the Interface |
Interface Type | Specifies if the Nodegrid will act as the Server or Client |
Status | Specifies if the Interface is Enabled or Disabled |
Internal Address | The local IP address range which will be allowed |
Listening Port (Server only) | The local UDP port |
Peer Options | Description |
Peer Name | Label assigned to describe the Peer |
Allowed IPs | The endpoint address range which will be allowed |
Public Key | The public key generated on the Peer |
External Address (Client only) | The remote endpoint IP address |
Listening Port (Client only) | The remote UDP port |
Keepalive | Interval of the keepalive checks for the tunnel, in seconds |
Configuration via WebUI
- Log in as admin to the Nodegrid Serial Console Web interface
- Navigate to Network :: Wireguard
- Click Add to create interface
- Set the Interface Name as desired
- Select Interface Type: Server or Client
- Click Generate Keypair
- Set the Listen Port (if Server selected)
- Set Internal Address
- Set Optional settings if appropriate
- Click Save
- Click the interface name just created
- Click Add to configure a Peer
- Set Peer Name as desired
- Set Allowed IPs and Keepalive
- Set the External Address and Listening Port (if Client selected on Interface)
- Copy the Public Key from the Peer
- Click Save
- Repeat steps 8-13 to add additional Peers as needed
- Copy the Nodegrid's Public Key to each Peer as needed
Configuration via CLI:
- Log in as admin via SSH or the console port
- Type the following commands:
[admin@nodegrid /]# cd /settings/wireguard/
[admin@nodegrid {wireguard}]# set
dns_server= interface_name= listening_port= public_key=
external_address= interface_type= mtu= routing_rules=
fwmark= internal_address= private_key= status=
Once all parameters are configured, type:
[admin@nodegrid {wireguard}]# commit
[admin@nodegrid wireguard]# cd Interface_Name/
[admin@nodegrid Server_Interface]# cd peers/
[admin@nodegrid peers]# add
[admin@nodegrid {peers}]# set
allowed_ips= keepalive= peer_name=
external_address= listening_port= public_key=
Once all parameters are configured, type:
[admin@nodegrid {peers}]# commit
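Before committing peers, it helps to review the values planned for the peer options listed above. The following Python sketch is an added example, not Nodegrid or WireGuard project code. It takes peer settings keyed by the CLI parameter names shown above and flags malformed public keys, Allowed IPs ranges that admit every address, and ranges that overlap between peers. The peer names, addresses and keys are constructed sample data, and the comma-separated format of allowed_ips is an assumption.

```python
import base64
import binascii
import ipaddress

def check_peers(peers):
    """Return (peer_name, problem) findings for a list of peer settings."""
    findings, seen = [], []          # seen: (network, owning peer_name)
    for peer in peers:
        name = peer["peer_name"]
        # WireGuard public keys are 32 raw bytes in base64 (44 characters).
        try:
            raw = base64.b64decode(peer["public_key"], validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) != 32:
            findings.append((name, "public_key is not a 32-byte base64 key"))
        if not 0 <= int(peer.get("keepalive", 0)) <= 65535:
            findings.append((name, "keepalive out of range"))
        # Assumption: allowed_ips holds comma-separated CIDR ranges.
        for item in peer["allowed_ips"].split(","):
            try:
                net = ipaddress.ip_network(item.strip(), strict=False)
            except ValueError:
                findings.append((name, f"allowed_ips entry {item.strip()!r} is not a CIDR range"))
                continue
            if net.prefixlen == 0:
                findings.append((name, f"{net} allows every source address"))
                continue
            for other, owner in seen:
                if other.version == net.version and other.overlaps(net):
                    findings.append((name, f"{net} overlaps {other} of peer {owner}"))
            seen.append((net, name))
    return findings

# Constructed sample peers; the keys are placeholder bytes, not real key material.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()
SAMPLE_PEERS = [
    {"peer_name": "site-a", "allowed_ips": "10.10.1.0/24", "public_key": KEY_A, "keepalive": 25},
    {"peer_name": "site-b", "allowed_ips": "10.10.1.128/25, fd00:1::/64", "public_key": KEY_B, "keepalive": 25},
    {"peer_name": "laptop", "allowed_ips": "0.0.0.0/0", "public_key": "not-a-key", "keepalive": 25},
]

if __name__ == "__main__":
    for name, problem in check_peers(SAMPLE_PEERS):
        print(f"{name}: {problem}")
```

An overlap is not necessarily an error, but it means two peers are accepted for the same address range and should be reviewed before the peer is committed.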