# WireGuard

WireGuard is a modern, open-source VPN software and tunnel protocol that provides fast communication, utilizing state-of-the-art cryptography. WireGuard has been integrated into VergeOS for the implementation of secure tunnels with minimal setup effort. These secure tunnels can be used for both remote user access and site-to-site connectivity. The following outlines the fundamental components of setup; for detailed reference examples, see WireGuard Examples.

## Basic Steps to Configure WireGuard

### Select the Network:

- WireGuard is attached to one VergeOS network; this should be a network that has access to all networks to which the VPN should reach.

### Create the WireGuard Interface:
- Navigate to the selected Network.
- Click WireGuard(VPN) on the left menu.
- Click New Interface.
- Name - a friendly name for the interface.
- Description (optional) - can be entered to record additional, free-form text, and administrative information for the interface.
- IP Address - defines the IP/network address for the interface. This should be a unique address space that has been specifically set aside for the VPN and will not conflict with addressing on participating networks on the system or VPN peers. For example: if attaching WireGuard to an internal network that uses the default addressing of 192.168.0.1/24 and a peer that uses address scheming of 10.10.100.0/24, an address scheme of 192.168.1.0/24 could be used for the WireGuard interface, as it will not intersect with used local or peer addressing.
- Listen Port - can typically be left at the standard default WireGuard port, 51820.

> The listening port can be changed to a different UDP port. When using a non-standard port, be sure to avoid any potential conflicts; check to make sure the given port is not already in use. Also verify that VPN peers are configured to connect to the chosen port. {.is-success}
- Private Key - typically left blank to allow auto-generation of the key pair; however, a specific private key can be entered if desired.

> WireGuard requires base64-encoded public and private keys; an entered private key must be a complete base64 key. {.is-info}

> The public key is always system-generated from the private key, whether that private key was auto-generated by the system or entered by the user. {.is-info}

- Endpoint IP (optional) - the external address to which a peer will connect (IP or URL), to be used in auto-generated peer configurations. If left blank, the system will attempt to detect the proper IP.
- Click Submit to save the new Interface.
### Create Peer Definition(s):

A peer definition needs to be created for each entity that will connect to this WireGuard instance. For a site-to-site VPN, each side has its own WireGuard interface and configures the other side as a peer, using the other side's public key in the peer record. For a remote access system, a peer record is created for each user that will connect, each with a different public key.
- From the Network Dashboard, click WireGuard (VPN) on the left menu.
- Click New Peer.
- Select the appropriate Interface from the dropdown list.
- Name - the name for the peer; use a descriptive name, such as the name of the other location (for site-to-site) or the name of the remote user.
- Description(optional) - can be entered to record additional administrative information.
- Auto-Generate Peer Configuration (creates a configuration file to be used by remote access users) - can be selected to automatically set most fields and create a configuration file for use on the peer system. See Auto-generate Peer Configuration at the end of the Create Peer Definition instructions for details.
- Endpoint - the external-facing IP or hostname of the peer; the address from which this system would access the peer.
- Listen Port - can be left at the standard WireGuard default of 51820, or changed to a different UDP port.

> The listening port can be changed to a different UDP port. When using a non-standard port, be sure to avoid any potential conflicts; check to make sure the given port is not already in use. The interface configuration (instructions above) must use a matching port. {.is-success}
- Peer IP - the IP address that routes the traffic here; typically this is the internal address assigned to the local interface on this peer.
- Public Key - the base64 public key from the peer.

> If the peer is another VergeOS system, this key can be copied from the dashboard on that system, using the copy icon. {.is-success}
- Preshared Key (optional) - can be entered to provide an extra layer of security. This allows for symmetrical encryption to be used in addition to the required public-private key pair encryption. If a preshared key is entered here, the same key must be entered in the configuration at the associated peer.
- Allowed IPs - one or more IP address segments, in CIDR format (e.g. 192.168.0.1/24; 10.135.12.65/27; 10.10.125.9/29). These are the source addresses that will be accepted on incoming traffic from this peer, and the destination ranges for which outbound traffic will be routed to this peer.
- Configure Firewall - selection determines auto-configuration of firewall rules:
- Site-to-Site - creates firewall rules for a site peer
- Remote user - creates firewall rules for a remote user peer
- Don't Create Rules - does not auto-generate any firewall rules; needed firewall configuration must be handled manually.
- Keepalive - by default this is set to 0 which means that keepalives are disabled. The roaming property of WireGuard typically ensures reliable NAT traversal without the need for NAT to keep sessions open for long; however, for scenarios where it is imperative to keep open a NAT session or stateful firewall indefinitely, a value can be entered to automatically send persistent, authenticated keepalives every x seconds.
### Auto-generate Peer Configuration

Using this option, a configuration file is generated and the following fields are automatically detected and populated by the system:

- Port
- Peer IP
- Public Key
- Preshared Key
- Allowed IPs

Additionally, the Keepalive value is automatically set to 25.
- Click Submit to save the new Peer record.
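The checks the peer form relies on (complete base64 keys, CIDR-formatted Allowed IPs, an interface address space that does not collide with local or peer networks, and the keepalive of 25 in an auto-generated file) can be expressed in a few lines. The following is an added example written for this page, not VergeOS code: it validates the values a peer record collects and renders the client-side file that the Auto-Generate Peer Configuration option hands to a remote user, in the standard WireGuard `[Interface]`/`[Peer]` format. Every key, address and the `vpn.example.invalid` endpoint is a constructed placeholder, and the function names are the example's own.

```python
"""Checks for the values a VergeOS WireGuard peer record collects, plus a
renderer for the client-side configuration file the Auto-Generate Peer
Configuration option hands to a remote user.  Added example, not VergeOS
code; the [Interface]/[Peer] layout is the standard WireGuard config format,
field names follow the page, and every key and address below is constructed."""
import base64
import ipaddress

KEY_BYTES = 32          # WireGuard keys are 32 raw bytes -> 44 base64 characters
DEFAULT_PORT = 51820    # standard WireGuard UDP port
AUTO_KEEPALIVE = 25     # value the auto-generated peer configuration uses


def is_valid_key(key: str) -> bool:
    """A private, public or preshared key must be complete base64 decoding to 32 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == KEY_BYTES


def parse_allowed_ips(text: str) -> list:
    """Split an Allowed IPs field ('a/24; b/27;c/29') into networks.
    strict=False masks host bits, so '192.168.0.1/24' becomes 192.168.0.0/24."""
    parts = [p.strip() for p in text.replace(",", ";").split(";")]
    return [ipaddress.ip_network(p, strict=False) for p in parts if p]


def find_overlap(candidate: str, existing: list) -> list:
    """Networks in `existing` that intersect the proposed tunnel range `candidate`.
    An empty result means the interface address space is safe to use."""
    cand = ipaddress.ip_network(candidate, strict=False)
    hits = []
    for item in existing:
        net = ipaddress.ip_network(item, strict=False)
        if net.version == cand.version and cand.overlaps(net):
            hits.append(str(net))
    return hits


def render_peer_config(peer_private_key, peer_address, server_public_key,
                       endpoint, allowed_ips, port=DEFAULT_PORT,
                       preshared_key=None, keepalive=AUTO_KEEPALIVE) -> str:
    """Build the wg-quick style file for the remote side, validating first."""
    problems = []
    if not is_valid_key(peer_private_key):
        problems.append("peer private key is not a complete base64 key")
    if not is_valid_key(server_public_key):
        problems.append("interface public key is not a complete base64 key")
    if preshared_key is not None and not is_valid_key(preshared_key):
        problems.append("preshared key is not a complete base64 key")
    if not 1 <= port <= 65535:
        problems.append(f"listen port {port} is outside the UDP port range")
    networks = parse_allowed_ips(allowed_ips)
    if not networks:
        problems.append("Allowed IPs is empty; nothing would be routed through the tunnel")
    if problems:
        raise ValueError("; ".join(problems))

    lines = [
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer_address}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
    ]
    if preshared_key:
        lines.append(f"PresharedKey = {preshared_key}")
    lines.append(f"Endpoint = {endpoint}:{port}")
    lines.append("AllowedIPs = " + ", ".join(str(n) for n in networks))
    if keepalive > 0:                     # 0 means keepalives are disabled
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


# Constructed demo values: deterministic 32-byte strings, not real keys.
DEMO_PEER_PRIVATE = base64.b64encode(bytes([1] * KEY_BYTES)).decode()
DEMO_SERVER_PUBLIC = base64.b64encode(bytes([2] * KEY_BYTES)).decode()
DEMO_ENDPOINT = "vpn.example.invalid"   # hypothetical Endpoint IP value

if __name__ == "__main__":
    # The page's example tunnel range must not collide with local or peer networks.
    print("overlaps:", find_overlap("192.168.1.0/24", ["192.168.0.1/24", "10.10.100.0/24"]))
    print(render_peer_config(DEMO_PEER_PRIVATE, "192.168.1.2/32", DEMO_SERVER_PUBLIC,
                             DEMO_ENDPOINT, "192.168.0.1/24; 10.10.100.0/24"))
```

Running the file prints an empty overlap list for the 192.168.1.0/24 range used in the interface example above and a complete peer file; a key of the wrong length, a port outside 1-65535 or an empty Allowed IPs field raises a ValueError listing every problem found rather than producing a file that will silently fail to handshake.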
### Apply Rules:
System-generated network rules (e.g. NAT, firewall, routes) are not automatically applied. Click Apply Rules on the left menu to put these rules into effect.