Skip to content

VPN#

IPsec Example - Dedicated Public IP

The following IPsec example utilizes a dedicated public IP address for a VPN tunnel. The VPN router is bridged to an existing internal network to provide Layer 2-connectivity to that network.

IPsec is a complex framework that supports a vast array of configuration combinations with many ways to achieve the same goal, making it impossible to provide one-size-fits-all instructions. Sample configurations are given for reference and should be tailored to meet the particular environment and requirements.

Consult the IPsec Product Guide Page for step-by-step general instructions on creating an IPsec tunnel.

  • VPN Network Name: vpn-ipsec
  • VPN Router address: 192.168.0.254
  • Local VPN network: 192.168.0.0/24
  • Remote VPN network: 10.10.0.0/16
  • Bridged Internal Network Name: Internal-xyz
  • External Network Name: External

Static Lease

We navigate to Internal-xyz* > IP Addresses > New to reserve a static address for the VPN router on this internal network in order avoiding another entity from taking the same IP address. Full instructions for creating a static lease can be found here: Create a DHCP Static Lease.

VPN Static Lease

VPN Network Configuration

VPN Network Config

Phase 1

Phase 1 Configuration

Phase 2

Phase 2 Configuration

Assigned Public IP Address

The public address must be Assigned from the External network to the VPN network.

Assign Public IP

Default VPN Network Rules

Default Firewall Rules - The following necessary firewall rules are created automatically when a VPN network is created:

  • Allow IKE: Accept incoming UDP traffic on port 500 to My Router IP
  • Allow IPsec NAT-Traversal: Accept incoming UDP traffic on port 4500 to My Router IP
  • Allow ESP: Accept incoming ESP protocol traffic to My Router IP
  • Allow AH: Accept incoming AH protocol traffic to My Router IP

Review Rules

These rules can be modified to restrict to specific source addresses, where appropriate.

Additional VPN Network Rules

Additional rules need to be created on our new VPN network:

Translate Rule: VPN Translate to Router

The translate rule must be moved to the top of the rules list, before the Accept Rules. Instructions for changing the order of rules can be found in the Product Guide: Network Rules - Change the Order of Rules

Default Route Rule: VPN Default Route Rule

Internal Network Rule

A routing rule is needed on Internal-xyz to route its VPN traffic to the VPN network.

VPN Default Route Rule

New rules must be applied on each network to put them into effect.

IPsec Example - Tenant/NAT UI Address

The following example configures an IPsec peer within a VergeOS tenant. In this example, the dedicated IP address used for accessing the tenant UI is also used for the IPsec tunnel, with NAT rules in place to direct tunnel traffic appropriately.

This example pertains to a tenant using a dedicated IP address; tenants using a shared address (via proxy/PAT rules) will require different configuration.

IPsec is a complex framework that supports a vast array of configuration combinations with many ways to achieve the same goal, making it impossible to provide one-size-fits-all instructions. Sample configurations are given for reference and should be tailored to meet the particular environment and requirements.

Consult the IPsec Product Guide Page for step-by-step general instructions on creating an IPsec tunnel.

Host Configuration

Assigning the UI address to a tenant automatically creates rules on the host system (external and tenant networks) to channel traffic appropriately. No further configuration should be needed on the host.

All configuration outlined below is done within the tenant system.

VPN Network Configuration

VPN Network Configuration

Phase 1

Phase 1 Configuration

Phase 2

Phase 2 Configuration

Default VPN Network Rules

Default Firewall Rules - The following necessary firewall rules are created automatically when a VPN network is created:

  • Allow IKE: Accept incoming UDP traffic on port 500 to My Router IP
  • Allow IPsec NAT-Traversal: Accept incoming UDP traffic on port 4500 to My Router IP
  • Allow ESP: Accept incoming ESP protocol traffic to My Router IP
  • Allow AH: Accept incoming AH protocol traffic to My Router IP

Review Rules

These rules can be modified to restrict to specific source addresses, where appropriate.

Additional VPN Network Rules

Additional rules need to be created on our new VPN network:

VPN NAT Rule: VPN NAT Rule

The incoming NAT rule must be moved to the top, before the Accept Rules. Instructions for changing the order of rules can be found in the Product Guide: Network Rules - Change the Order of Rules

Default Route Rule: VPN Default Route Rule

VPN SNAT Rule: VPN Nat Rule

External Network Rules

Translate rules are necessary on the tenant's external network, to send IPsec traffic to the VPN network:

External UDP NAT Rule: VPN Nat Rule

External ESP NAT Rule: VPN Nat Rule

External AH NAT Rule: VPN Nat Rule

Connecting Internal Networks to the VPN

Routing can be configured between the VPN network and other internal networks to provide tunnel access to those networks; see How to Configure Routing Between Networks.

New rules must be applied on each network to put them into effect.

Wireguard - Setup Remote Access VPN

How to Setup a Wireguard Remote Access VPN

Here are instructions on how to set up a Remote Access VPN using the built-in Wireguard capabilities of VergeOS. More information can be found in the Help section of the VergeOS User Interface.

Create the Wireguard Setup on Your Internal Network

You can use an existing Internal Network or create a new Internal Network.

  1. In the Verge OS UI, navigate to Networks -> Internals and view or double-click on the Internal Network that you want to use.
  2. In the left menu, click on Wireguard (VPN).
  3. Click on Add New Interface. wireguardvpn-img1.png

  4. Enter the following information:

    • Enter a unique Name for this interface.
    • Enter a Description (optional).
    • Check Enabled.
    • Enter the IP Address to be used for this Wireguard Internal Network. This must be separate from your existing Internal network IP scheme. For example, if your Internal Network is using 192.168.0.1/24, you must choose a different unique IP scheme like 192.168.255.1/24.
    • Enter the Listen Port to be used when connecting to the VPN (Default: 51820). This is the port that you will use on your External network to send VPN traffic into your Internal Network.
    • Enter a Private Key or leave it blank to auto-generate a key.
    • Enter an Endpoint IP or leave it blank, and the system will attempt to auto-detect the IP. We highly recommend you enter the IP manually to ensure the correct config. This IP is the external IP of your environment, usually the same IP as your UI. You can find your External IP by going to Networks -> Externals and viewing your External network. In the Network Router section, it should be the IP address as shown below: wireguardvpn-img3-fixed.png
  5. Click Submit to add the new interface.

  6. After adding the interface, it will take you to the dashboard where you will see your new interface.
    wireguardvpn-img2.png

  7. Click Apply Rules on the left menu bar to apply the firewall rules. The rules automatically created will accept inbound UDP traffic on port 51820 to both the Router IP and the DMZ IP of the Internal Network. wireguardvpn-img-intrules.png

External Network PAT Rule

In order for the internal network to be connected, we need an external PAT (Port Address Translation) rule to translate the port (default 51820) to the internal network.

2023-09-06_11_56_18-training___rules.png

Add External PAT Rule
  1. From the External network Dashboard, click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, a Description can be entered to record additional administrative information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Incoming.

Source:

  1. In the Type dropdown, select Any/None. Optionally, you can source-lock the VPN traffic here if needed.

Destination:

  1. In the Type dropdown, select My Router IP. If you are inside a Tenant, change this to My IP Addresses and choose the IP of the Tenant UI. This should be the same as the Endpoint IP used above. If using a different IP than the UI IP, create an SNAT rule on the External network.

  2. In the Destination Ports/Ranges field, enter the Port (Default Port: 51820).

Target:

  1. In the Type dropdown, select Other Network DMZ IP.
  2. In the Target Network dropdown, select the Target Network.
  3. Leave the Target Ports/Ranges field blank.

  4. Click Submit and Apply Rules on the left menu to put the new rule into effect.

SNAT Rule (if not using UI IP)

If you are adding Wireguard and are not using the IP address of the UI, we recommend creating an SNAT rule on the External network.

  1. From the External network Dashboard, click Rules on the left menu.
  2. Click New on the left menu.
  3. Enter a Name that will be helpful to future administration.
  4. Optionally, enter a Description for additional information.
  5. In the Action dropdown, select Translate.
  6. In the Protocol dropdown, select UDP.
  7. In the Direction dropdown, select Outgoing.

Source:

  1. In the Type dropdown, select Other Network DMZ IP.
  2. In the Network dropdown, select the Internal Network that Wireguard is on.
  3. Leave the Source Ports/Ranges field blank.

Destination:

  1. In the Type dropdown, select Any / None.
  2. Leave the Destination Ports/Ranges field blank.

Target:

  1. In the Type dropdown, select My IP Addresses.
  2. In the IP Address dropdown, select the IP address you want to use.

  3. Click Submit and Apply Rules to enable the SNAT rule.

This SNAT rule forces any outgoing traffic from the DMZ IP of the internal network to use the correct IP. By default, it goes out the UI IP, causing flapping issues.

Adding a Remote User Peer

You will set up a Peer for each user connecting to the VPN.

  1. From the Wireguard Interface screen, click Add new peer. wireguardvpn-img4.png

  2. Assign a Name to the peer, such as the remote user's name.

  3. Optionally, enter a Description.
  4. Check the Auto-Generate Peer Configuration checkbox.
  5. Enter the Endpoint for the Peer (the external-facing IP address, hostname, or URL).
  6. For Allowed IPs, enter the /32 IP for this peer.
  7. In the Configure Firewall dropdown, select Remote User.
  8. Click Submit to save the peer entry. wireguardvpn-img6.png
Download the Configuration File:
  1. Click the Download Config button on the peer record and download the file.

download-link.png configuration-file.png

Install WireGuard Software on Client:

WireGuard client software can be downloaded from: https://wireguard.com/install.

  1. Install WireGuard on the client machine.
  2. Click Add Tunnel.
  3. Navigate to and select the generated configuration file.
  4. Click the Activate button to open the tunnel. tunnel-active.png

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.11

Wireguard - Adding Nameserver entries to Client Configs

Wireguard Config Entries

The following are instructions for adding a PostUp and PostDown script to the Wireguard config.
For Windows, this adds Powershell commands for adding and removing a DNS Client Rule when the client connects and disconnects.

Windows Clients

  1. In the Windows Wireguard client, edit the config.
  2. Add the following commands in the [Interface] section:
PostUp = powershell -command "Add-DnsClientNrptRule -Namespace 'domainname.com' -NameServers '10.1.10.2'"
PostDown = powershell -command "Get-DnsClientNrptRule | Where { $_.Namespace -match '.*domainname\.com' } | Remove-DnsClientNrptRule -force"
  1. Change the following entries to match your setup:
    • Namespace: A comma-separated list of domain names to add.
    • NameServers: A comma-separated list of nameserver IP addresses.

For the -match, make sure to include a backslash (\) before each period (.)


Linux Clients

This may vary based on your Linux distribution.

  1. Edit the config file on the Linux client.
  2. In the [Interface] section, add the following:
PostUp = resolvectl dns %i 10.1.10.2; resolvectl domain %i domainname.com
PreUp = iptables -A INPUT -i wg -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i wg -j REJECT
PostDown = iptables -D INPUT -i wg -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i wg -j REJECT
  1. Replace 10.1.10.2 with the correct IP of your nameserver.
  2. Replace domainname.com with your domain name.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6