Wireguard

Testdate: 2021-11-23
Version: 1.4-rolling-202106170808

This simple example shows how to connect two offices with WireGuard: one remote branch and the central office.

Topology

The topology has a central and a branch VyOS router, with one test client at each site.

Topology image: central and branch VyOS routers, each with one test client.

Configuration

Set the local subnet on eth2 and the public IP address on eth1 at each site.

Central

set interfaces ethernet eth2 address 10.0.1.254/24
set interfaces ethernet eth1 address 198.51.100.1/24

Branch

set interfaces ethernet eth2 address 10.0.2.254/24
set interfaces ethernet eth1 address 198.51.100.2/24

Next, generate a WireGuard keypair on each router. Only the public key is exchanged: display it and keep it for the peer configuration on the other side, while the private key never leaves the router that generated it.

vyos@central:~$ generate wireguard default-keypair
vyos@central:~$ show wireguard keypairs pubkey default
+mLLOGxR37k3EsWba7+G7vIDq6yW4t0s549rNVShWy4=

Once you have both public keys, the WireGuard interfaces can be set up. Each router's peer entry carries the other router's public key, public address and port. The allowed-ips entries are WireGuard's cryptokey routing table: traffic decrypted from a peer is only accepted if its source lies inside one of the listed prefixes, and only traffic destined for those prefixes is sent to that peer, so each side lists the remote LAN and the tunnel subnet.

Central

set interfaces wireguard wg01 address 192.168.0.1/24
set interfaces wireguard wg01 description 'VPN-to-Branch'
set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24
set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer branch address 198.51.100.2
set interfaces wireguard wg01 peer branch port 51820
set interfaces wireguard wg01 peer branch pubkey "HF1LJSEgAtknAtkqK2d12DzfuPlx475Y+I4SpJiBWzs="
set interfaces wireguard wg01 port 51820

Branch

set interfaces wireguard wg01 address 192.168.0.2/24
set interfaces wireguard wg01 description 'VPN-to-central'
set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24
set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer central address 198.51.100.1
set interfaces wireguard wg01 peer central port 51820
set interfaces wireguard wg01 peer central pubkey "+mLLOGxR37k3EsWba7+G7vIDq6yW4t0s549rNVShWy4="
set interfaces wireguard wg01 port 51820
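Before committing, it is worth cross-checking the two peer entries against each other. The usual mistakes are pasting a router's own public key into its peer entry, a port or address that does not match what the other side actually listens on, or an allowed-ips list that does not cover the remote LAN (or covers everything). The following POSIX shell script is an added example, not part of this page or of VyOS: it hard-codes the values from the configuration above and checks them offline, and its function names and the "real" versus "configured" split are this example's own convention.

```shell
#!/bin/sh
# Added pre-commit sanity check for the two-router WireGuard setup above.
# Not VyOS code: a plain shell script that cross-checks the values about to
# be entered with "set interfaces wireguard ..." on each router.

# A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in one
# '=' pad. Returns 0 if $1 has that shape (and decodes to 32 bytes when a
# base64 tool is available).
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # outside the base64 alphabet
        *==) return 1 ;;                 # two pads would encode 31 bytes
        *=) ;;                           # exactly one pad: 32 bytes
        *) return 1 ;;
    esac
    if command -v base64 >/dev/null 2>&1; then
        n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        [ "$n" -eq 32 ] || return 1
    fi
    return 0
}

# Compare what one router was told about its peer with what the peer is.
# Arguments: the peer's real pubkey, eth1 address and listen port, then the
# pubkey, address and port configured for that peer on this router.
peer_entry_consistent() {
    real_pub=$1; real_addr=$2; real_port=$3
    cfg_pub=$4;  cfg_addr=$5;  cfg_port=$6
    ok=0
    wg_key_valid "$cfg_pub"        || { echo "peer pubkey is not a valid WireGuard key"; ok=1; }
    [ "$cfg_pub" = "$real_pub" ]   || { echo "peer pubkey is not the key the peer displayed"; ok=1; }
    [ "$cfg_addr" = "$real_addr" ] || { echo "peer address $cfg_addr is not the peer's eth1 address"; ok=1; }
    [ "$cfg_port" = "$real_port" ] || { echo "peer port $cfg_port is not the peer's listen port"; ok=1; }
    return $ok
}

# allowed-ips is the cryptokey routing table: a site-to-site entry must list
# the remote LAN and the tunnel subnet, and must not contain a default route,
# which would pull all traffic into the tunnel and accept any source from
# the peer. Arguments: space-separated allowed-ips, then required prefixes.
allowed_ips_ok() {
    allowed=$1; shift
    for p in $allowed; do
        case $p in
            0.0.0.0/0|::/0) echo "allowed-ips contains default route $p"; return 1 ;;
        esac
    done
    for need in "$@"; do
        found=1
        for p in $allowed; do [ "$p" = "$need" ] && found=0; done
        [ $found -eq 0 ] || { echo "allowed-ips is missing $need"; return 1; }
    done
    return 0
}

# Values copied from the configuration above.
CENTRAL_PUB='+mLLOGxR37k3EsWba7+G7vIDq6yW4t0s549rNVShWy4='
BRANCH_PUB='HF1LJSEgAtknAtkqK2d12DzfuPlx475Y+I4SpJiBWzs='
TUNNEL_NET='192.168.0.0/24'

# Central's "peer branch" entry, checked against the branch router's facts.
check_central() {
    peer_entry_consistent "$BRANCH_PUB" 198.51.100.2 51820 \
                          "$BRANCH_PUB" 198.51.100.2 51820 &&
    allowed_ips_ok "10.0.2.0/24 $TUNNEL_NET" 10.0.2.0/24 "$TUNNEL_NET"
}

# Branch's "peer central" entry, checked against the central router's facts.
check_branch() {
    peer_entry_consistent "$CENTRAL_PUB" 198.51.100.1 51820 \
                          "$CENTRAL_PUB" 198.51.100.1 51820 &&
    allowed_ips_ok "10.0.1.0/24 $TUNNEL_NET" 10.0.1.0/24 "$TUNNEL_NET"
}

check_central && check_branch && echo "both peer entries are consistent"
```

Run it on a workstation before typing the commands into the routers; the negative paths (a router's own key pasted as its peer's key, or 0.0.0.0/0 in allowed-ips) print the specific mismatch and exit non-zero.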

Testing and debugging

After everything is configured and committed, check that the WireGuard interface is up. Note that the u/u state only tells you the interface exists and is administratively up; it does not prove a handshake with the peer has completed. For that, inspect the peer state with show interfaces wireguard wg01 summary, or simply test end-to-end as below.

vyos@central:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
wg01             192.168.0.1/24                    u/u  VPN-to-Branch

Then ping the branch test client from the central router to confirm traffic actually traverses the tunnel (the ttl of 63 shows one hop, the branch router, between the two). If the interface is up but the client does not answer, confirm a handshake has taken place and that the route to 10.0.2.0/24 points at wg01 (show ip route 10.0.2.0/24); if no such route exists, add one with set protocols static route 10.0.2.0/24 interface wg01, and do the equivalent for 10.0.1.0/24 on the branch.

vyos@central:~$ ping 10.0.2.100 count 4
PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data.
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.609 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.871 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.937 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=0.746 ms

--- 10.0.2.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 0.609/0.790/0.937/0.130 ms