Wireguard

Testdate: 2023-08-31
Version: 1.4-rolling-202308240020

This simple structure show how to connect two offices. One remote branch and the central office.

Topology

The topology have a central and a branch VyOS router and one client, to test, in each site.

Ansible Example topology image

Configuration

Set the local subnet on eth2 and the public ip address eth1 on each site.

Central

set interface ethernet eth2 address 10.0.1.254/24
set interface ethernet eth1 address 198.51.100.1/24

Branch

set interface ethernet eth2 address 10.0.2.254/24
set interface ethernet eth1 address 198.51.100.2/24

Next thing to do, is to create a wireguard keypair on each side. After this, the public key can be displayed, to save for later.

vyos@central:~$ generate pki wireguard
Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY=
Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8=

After you have each public key. The wireguard interfaces can be setup.

Central

set interfaces wireguard wg01 private-key 'cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY='
set interfaces wireguard wg01 address 192.168.0.1/24
set interfaces wireguard wg01 description 'VPN-to-Branch'
set interfaces wireguard wg01 peer branch allowed-ips 10.0.2.0/24
set interfaces wireguard wg01 peer branch allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer branch address 198.51.100.2
set interfaces wireguard wg01 peer branch port 51820
set interfaces wireguard wg01 peer branch public-key '9ySVcjER2cY1tG/L7598zHg8g1xyggjxALqzeCxLgw4='
set interfaces wireguard wg01 port 51820

Branch

set interfaces wireguard wg01 private-key 'oDZ2S/4S6UEuhOyk0MvNSQTebugihX5RKCrI3exmHV8='
set interfaces wireguard wg01 address 192.168.0.2/24
set interfaces wireguard wg01 description 'VPN-to-central'
set interfaces wireguard wg01 peer central allowed-ips 10.0.1.0/24
set interfaces wireguard wg01 peer central allowed-ips 192.168.0.0/24
set interfaces wireguard wg01 peer central address 198.51.100.1
set interfaces wireguard wg01 peer central port 51820
set interfaces wireguard wg01 peer central public-key 'WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8='
set interfaces wireguard wg01 port 51820

To reach the network, a route must be set on each VyOS host. In this structure, a static interface route will fit the requirements.

Central

set protocols static route 10.0.2.0/24 interface wg01

Branch

set protocols static route 10.0.1.0/24 interface wg01

Testing and debugging

After all is done and commit, let’s take a look if the Wireguard interface is up and running.

vyos@central:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
wg01             192.168.0.1/24                    u/u  VPN-to-Branch

And ping the Branch PC from your central router to check the response.

vyos@central:~$ ping 10.0.2.100 count 4
PING 10.0.2.100 (10.0.2.100) 56(84) bytes of data.
64 bytes from 10.0.2.100: icmp_seq=1 ttl=63 time=0.641 ms
64 bytes from 10.0.2.100: icmp_seq=2 ttl=63 time=0.836 ms
64 bytes from 10.0.2.100: icmp_seq=3 ttl=63 time=0.792 ms
64 bytes from 10.0.2.100: icmp_seq=4 ttl=63 time=1.09 ms

--- 10.0.2.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3013ms
rtt min/avg/max/mdev = 0.641/0.838/1.086/0.160 ms