
VPN

Wireguard - Setup Remote Access VPN

How to Set Up a WireGuard Remote Access VPN

Here are instructions on how to set up a Remote Access VPN using the built-in Wireguard capabilities of VergeOS. More information can be found in the Help section of the VergeOS User Interface.

Create the Wireguard Setup on Your Internal Network

You can use an existing Internal Network or create a new Internal Network.

  1. In the VergeOS UI, navigate to Networks -> Internals and view or double-click on the Internal Network that you want to use.
  2. In the left menu, click on Wireguard (VPN).
  3. Click on Add New Interface.

  4. Enter the following information:

    • Enter a unique Name for this interface.
    • Enter a Description (optional).
    • Check Enabled.
    • Enter the IP Address to be used for this Wireguard Internal Network. This must be separate from your existing Internal network IP scheme. For example, if your Internal Network is using 192.168.0.1/24, you must choose a different unique IP scheme like 192.168.255.1/24.
    • Enter the Listen Port to be used when connecting to the VPN (Default: 51820). This is the port that you will use on your External network to send VPN traffic into your Internal Network.
    • Enter a Private Key or leave it blank to auto-generate a key.
    • Enter an Endpoint IP or leave it blank to let the system attempt to auto-detect it. We highly recommend entering the IP manually to ensure the config is correct. This IP is the external IP of your environment, usually the same IP as your UI. You can find your External IP by going to Networks -> Externals and viewing your External network; it is the IP address listed in the Network Router section.
  5. Click Submit to add the new interface.

  6. After adding the interface, you are taken to the dashboard, where the new interface is listed.

  7. Click Apply Rules on the left menu bar to apply the firewall rules. The rules automatically created will accept inbound UDP traffic on port 51820 to both the Router IP and the DMZ IP of the Internal Network.

External Network PAT Rule

For the internal network to be reachable from outside, an external PAT (Port Address Translation) rule is needed to translate the port (default 51820) to the internal network.


Add External PAT Rule

  1. From the External network Dashboard, click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, a Description can be entered to record additional administrative information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Incoming.

Source:

  1. In the Type dropdown, select Any/None. Optionally, you can source-lock the VPN traffic here if needed.

Destination:

  1. In the Type dropdown, select My Router IP. If you are inside a Tenant, change this to My IP Addresses and choose the IP of the Tenant UI. This should be the same as the Endpoint IP used above. If using a different IP than the UI IP, create an SNAT rule on the External network.

  2. In the Destination Ports/Ranges field, enter the Port (Default Port: 51820).

Target:

  1. In the Type dropdown, select Other Network DMZ IP.
  2. In the Target Network dropdown, select the Target Network.
  3. Leave the Target Ports/Ranges field blank.

  4. Click Submit and Apply Rules on the left menu to put the new rule into effect.

SNAT Rule (if not using UI IP)

If you are adding Wireguard and are not using the IP address of the UI, we recommend creating an SNAT rule on the External network.

  1. From the External network Dashboard, click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, enter a Description for additional information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Outgoing.

Source:

  1. In the Type dropdown, select Other Network DMZ IP.
  2. In the Network dropdown, select the Internal Network that Wireguard is on.
  3. Leave the Source Ports/Ranges field blank.

Destination:

  1. In the Type dropdown, select Any/None.
  2. Leave the Destination Ports/Ranges field blank.

Target:

  1. In the Type dropdown, select My IP Addresses.
  2. In the IP Address dropdown, select the IP address you want to use.

  3. Click Submit and Apply Rules to enable the SNAT rule.

This SNAT rule forces any outgoing traffic from the DMZ IP of the internal network to use the correct IP. By default it goes out via the UI IP, which causes the connection to flap.

Adding a Remote User Peer

You will set up a Peer for each user connecting to the VPN.

  1. From the Wireguard Interface screen, click Add new peer.

  2. Assign a Name to the peer, such as the remote user's name.

  3. Optionally, enter a Description.
  4. Check the Auto-Generate Peer Configuration checkbox.
  5. Enter the Endpoint for the Peer (the external-facing IP address, hostname, or URL).
  6. For Allowed IPs, enter the /32 IP for this peer.
  7. In the Configure Firewall dropdown, select Remote User.
  8. Click Submit to save the peer entry.

Download the Configuration File:

  1. Click the Download Config button on the peer record and download the file.

Install WireGuard Software on Client:

WireGuard client software can be downloaded from: https://wireguard.com/install.

  1. Install WireGuard on the client machine.
  2. Click Add Tunnel.
  3. Navigate to and select the generated configuration file.
  4. Click the Activate button to open the tunnel.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.11

How to Create an IPsec VPN Tunnel in VergeOS

In VergeOS, the DMZ Network handles basic routing between networks:

  • Every router has a NIC and an IP address in the DMZ to route traffic between networks inside VergeOS.
  • Each vNet represents its own VXLAN or VLAN.

These instructions focus on setting up the IPsec Tunnel to connect to a VergeOS Internal Network. If you are connecting to an External Network or have special use cases, network rules must be adjusted accordingly.

Steps to Create an IPsec VPN Tunnel

Step 1: Reserve a Static IP Address

Reserve a static IP on the Internal (LAN) network that the VPN connection will use.

  • In this example, the IP address 192.168.0.254 is set to static on the internal network named Internal.

    Reserve Static IP

    • Type: Set to Static.
    • IP Address: Select an available IP address from the system. If there are no available IPs, add a new IP.

Step 2: Create the VPN Connection

  1. Navigate to Main Dashboard > Networks.
  2. Click New VPN on the left menu.

Configure the settings as required by the connection:

  • Layer 2: Set the network layer configuration.
  • Interface Network: Select the network that will be bridged to the VPN connection.
  • IP Address Type: Set to Static.
  • Network Router IP: Enter the IP address reserved in Step 1.

    Create VPN Connection

Step 3: Edit IPsec Configuration

  1. From the VPN Dashboard, click on Edit IPsec to modify or add connection-specific details.

    Edit IPsec

Step 4: Create the IPsec Tunnel

  1. Click on IPsec Tunnels to start creating the tunnel between VergeOS and the remote site.
    • Remote Gateway: Configure according to the connection requirements.
    • Phase 1 Proposal (Authentication): Set the authentication method and Pre-Shared Key.

    Phase 1 Setup

Step 5: Configure Phase 2

After completing Phase 1, you will be prompted to configure Phase 2.

  • Mode: Set to Tunnel.
  • Local Network and Remote Network: Configure as required.
  • Phase 2 Proposal: Enter the details as needed for the connection.

    Phase 2 Setup

This will automatically create rules for the VPN network.

Reviewing and Configuring VPN Network Rules

Step 6: Review VPN Network Rules

Verify the rules that were automatically created during VPN setup.

  • Allow IKE: Accept incoming UDP traffic on port 500 to My Router IP.
  • Allow IPsec NAT-Traversal: Accept incoming UDP traffic on port 4500 to My Router IP.
  • Allow ESP: Accept incoming ESP protocol traffic to My Router IP.
  • Allow AH: Accept incoming AH protocol traffic to My Router IP.

    Review Rules

Step 7: Assign a Virtual IP to the VPN Network

Assign a new virtual IP to the VPN network from the External network (Public side of the VPN tunnel).

Assign Virtual IP

This automatically creates an outgoing route rule on the VPN network with that virtual IP address. Ensure the rule is applied.

Step 8: Create VPN Network Rules

  1. Create a Default Route rule for the new VPN network to define the default outbound path for traffic inside this network.

    Create Default Route

  2. Create an sNAT Rule on the new VPN network to mask external traffic.

    Create sNAT Rule

  3. Create a General sNAT Rule as a catchall for traffic from this network.

    General sNAT Rule

  4. Create a Translate Rule to allow traffic from the VPN tunnel to access this network.

    Translate Rule

  5. Create Accept Rules:

    • One rule to allow incoming traffic from the remote network.
    • Another rule to accept traffic within the VPN network.

    Create Accept Rules

Step 9: Create Internal Network Rules

  1. Create a Route Rule on the Internal network to send traffic properly through the VPN tunnel.

    Internal Route Rule

  2. Create an Accept Rule on the Internal network to allow traffic from the remote network.

    Internal Accept Rule

Connecting to IPsec

  1. Open the VPN network's Dashboard (Networks > VPNs > select VPN).
  2. Scroll down to the IPsec Connections section.
  3. Click the plug icon to connect.

    Connect IPsec

  4. Watch for the IPsec status to show connected.

If the connection fails, proceed to the troubleshooting steps below.

Troubleshooting Guide

Checking Logs and Status

  1. Go to Diagnostics on the left menu.
  2. Change the Query to Logs and click Send.
  3. Review the latest logs for errors, such as retransmission attempts.

    Check Logs

Common Connection Issues

If you see many retransmit messages, this could indicate connection issues, often caused by incorrect network rules or firewall setups.

  • Test connectivity with Ping.
  • Change the Host to the Remote Gateway IP and check for packet failures.

If pinging the Remote Gateway fails, verify that your connection is not blocked and that the correct route is in place.

Other Diagnostics

  1. Ping 8.8.8.8 to test for internet connectivity. If this fails, check the Default Route rule.
  2. Run "What's My IP" to verify the VPN's WAN connection.
  3. Use TCP Connection Test to check the IKE port (port 500) on the Remote Gateway.
  4. Run a Trace Route to the Remote Gateway to confirm correct traffic routing.
  5. Use IPsec diagnostics with Status All to view the current state of the IPsec Tunnel or Show Config to review the configuration.
  6. Review Logs in Diagnostics, increasing the line count if necessary.

By following these steps and rules, you can successfully set up an IPsec VPN tunnel in VergeOS, troubleshoot common issues, and ensure that traffic flows properly between networks.


Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6

Wireguard - Adding Nameserver entries to Client Configs

Wireguard Config Entries

The following are instructions for adding a PostUp and PostDown script to the Wireguard config.
For Windows, this adds PowerShell commands that add a DNS Client NRPT rule when the client connects and remove it when the client disconnects.

Windows Clients

  1. In the Windows WireGuard client, edit the config.
  2. Add the following commands in the [Interface] section:

    # On connect, register an NRPT rule so names under domainname.com resolve via the VPN nameserver
    PostUp = powershell -command "Add-DnsClientNrptRule -Namespace 'domainname.com' -NameServers '10.1.10.2'"
    # On disconnect, remove that rule again
    PostDown = powershell -command "Get-DnsClientNrptRule | Where { $_.Namespace -match '.*domainname\.com' } | Remove-DnsClientNrptRule -Force"

  3. Change the following entries to match your setup:
    • Namespace: A comma-separated list of domain names to add.
    • NameServers: A comma-separated list of nameserver IP addresses.

In the -match pattern, put a backslash (\) before each period (.) so that it matches a literal dot.


Linux Clients

This may vary based on your Linux distribution.

  1. Edit the config file on the Linux client.
  2. In the [Interface] section, add the following:

    # Point the tunnel's resolver at the internal nameserver for the internal domain (%i is the tunnel interface name)
    PostUp = resolvectl dns %i 10.1.10.2; resolvectl domain %i domainname.com
    # Only let replies to connections the client opened come in over the tunnel; reject everything else
    PreUp = iptables -A INPUT -i %i -m state --state ESTABLISHED,RELATED -j ACCEPT
    PreUp = iptables -A INPUT -i %i -j REJECT
    # Remove the same two rules when the tunnel goes down
    PostDown = iptables -D INPUT -i %i -m state --state ESTABLISHED,RELATED -j ACCEPT
    PostDown = iptables -D INPUT -i %i -j REJECT

  3. Replace 10.1.10.2 with the correct IP of your nameserver.
  4. Replace domainname.com with your domain name.
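As an added example (not part of the VergeOS documentation or product), the following Python script parses a wg-quick client config of the kind the Download Config button produces and checks the points made in the remote-access setup above and in this section: the WireGuard IP scheme is separate from the internal network, the peer's Address is a /32 inside it, the Endpoint uses the port the external PAT rule translates, and every iptables rule added in PreUp/PostUp has a matching PostDown delete. The config text, the 203.0.113.5 endpoint and the 192.168.x subnets are constructed placeholders, and it is assumed that the downloaded config carries the peer's /32 as its Address.

```python
import ipaddress

# Constructed sample in the shape of a VergeOS "Download Config" client file (key lines omitted),
# with the page's Linux hook entries in [Interface]; one PostDown line is deliberately missing.
SAMPLE_CONF = """
[Interface]
Address = 192.168.255.10/32
PostUp = resolvectl dns %i 10.1.10.2; resolvectl domain %i domainname.com
PreUp = iptables -A INPUT -i %i -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i %i -j REJECT
PostDown = iptables -D INPUT -i %i -m state --state ESTABLISHED,RELATED -j ACCEPT

[Peer]
Endpoint = 203.0.113.5:51820
AllowedIPs = 192.168.0.0/24, 192.168.255.0/24
"""

def parse_wg(text):
    """Parse wg-quick INI text into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def check_config(text, lan_cidr, wg_cidr, pat_port):
    """Return findings; an empty list means the config agrees with the page's guidance."""
    iface, peer = (parse_wg(text).get(s, {}) for s in ("Interface", "Peer"))
    lan, wg = ipaddress.ip_network(lan_cidr), ipaddress.ip_network(wg_cidr)
    findings = []
    if lan.overlaps(wg):  # the WireGuard scheme must be separate from the internal network
        findings.append(f"WireGuard network {wg} overlaps internal network {lan}")
    for addr in iface.get("Address", []):  # each remote user peer gets a /32 inside wg
        ip = ipaddress.ip_interface(addr)
        if ip.network.prefixlen != 32 or ip.ip not in wg:
            findings.append(f"peer Address {addr} is not a /32 inside {wg}")
    for ep in peer.get("Endpoint", []):  # must target the port the external PAT rule translates
        if int(ep.rsplit(":", 1)[1]) != pat_port:
            findings.append(f"Endpoint {ep} does not use PAT port {pat_port}")
    # Every iptables rule appended on the way up needs a matching delete on the way down.
    up = [c.strip() for v in iface.get("PreUp", []) + iface.get("PostUp", []) for c in v.split(";")]
    down = [c.strip() for v in iface.get("PostDown", []) + iface.get("PreDown", []) for c in v.split(";")]
    added = {c.replace("iptables -A", "iptables -D", 1) for c in up if c.startswith("iptables -A")}
    for rule in sorted(added - set(down)):
        findings.append(f"no PostDown counterpart for: {rule}")
    return findings
```

Run it against the real downloaded file with your own internal subnet, WireGuard subnet and PAT port; the only finding on the sample is the REJECT rule that has no PostDown counterpart.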

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6