WireGuard Configuration (2024)

WireGuard is an open-source encrypted VPN solution. WireGuard configuration support was added to the REST API and Config Shell at release 23.8. WireGuard facilitates communication between two peer devices. To communicate with a peer, both devices must have a virtual WireGuard interface configured on top of the physical or virtual interface over which they are connected.

Note: Pre-existing WireGuard configuration files will not be overwritten. The configurator only modifies those files if they are initially missing or are prefixed with a disclaimer that manual edits will be overwritten.

Viewing a WireGuard Configuration

WireGuard installs the wg tool, which can be used to control, configure and monitor WireGuard. Refer to the WireGuard online tools index page (index : wireguard-tools).

Note: OpenGear does not own or operate the WireGuard tools web page and is not responsible for its content or maintenance. The link is provided only for the reader's convenience.

Configure WireGuard through Config Shell or REST API

WireGuard is configured through Config Shell or REST API. The minimum configuration of WireGuard is shown in the following:

  1. Provide a name for the interface (wg0 in the example below).

  2. Set enabled.

  3. Set the private_key of your WireGuard interface.

  4. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case).

  5. Add a peer with the following parameters: endpoint_address, endpoint_port, public_key.

  6. Add at least one allowed_ip for your peer. This is the WireGuard address (or address range) of the other interface to which you are connected.

For example:

config: wireguard
config(wireguard): add wg0
config(wireguard wg0): private_key AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=
config(wireguard wg0): enabled true
config(wireguard wg0): addresses
config(wireguard wg0 addresses): add 10.0.0.1/24
config(wireguard wg0 addresses): up
config(wireguard wg0): peers
config(wireguard wg0 peers): add
config(wireguard wg0 peers 0): public_key o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=
config(wireguard wg0 peers 0): allowed_ips
config(wireguard wg0 peers 0 allowed_ips): add 10.0.0.2/32
config(wireguard wg0 peers 0 allowed_ips): up
config(wireguard wg0 peers 0): endpoint_address 192.168.1.2
config(wireguard wg0 peers 0): endpoint_port 51820
config(wireguard wg0 peers 0): up
config(wireguard wg0 peers): top

Config Shell WireGuard Configuration

The following shows a typical WireGuard configuration in Config Shell:

config: show wireguard wg0
Entity wireguard item wg0
description ""
enabled true
mtu 1420
name wg0
port 51820
private_key AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=
public_key ""
table ""
addresses (array)
0 10.0.0.1/24
peers (array)
0 (object)
endpoint_address 192.168.1.2
endpoint_port 51820
keep_alive ""
public_key o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=
allowed_ips (array)
0 10.0.0.2/32
post_down_hooks (array)
post_up_hooks (array)
pre_down_hooks (array)
pre_up_hooks (array)

REST API WireGuard Configuration

The following shows a typical WireGuard configuration in the REST API:

{
  "wireguards": [
    {
      "enabled": true,
      "post_down_hooks": [],
      "id": "wireguard_tunnels-1",
      "pre_up_hooks": [],
      "post_up_hooks": [],
      "private_key": "AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=",
      "name": "wg0",
      "pre_down_hooks": [],
      "addresses": [
        "10.0.0.1/24"
      ],
      "peers": [
        {
          "allowed_ips": [
            "10.0.0.2/32"
          ],
          "public_key": "o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=",
          "endpoint_address": "192.168.1.2",
          "endpoint_port": 51820
        }
      ]
    }
  ]
}

Configurable WireGuard Fields

The WireGuard <interface-name> context holds the configuration for a WireGuard connection. The following fields can be configured:

WireGuard Field Description
description This can be any user text to describe the WireGuard interface.
enabled Values may be true or false. When enabled, WireGuard will be started for this configuration.
mtu Allows customization of the maximum transmission unit (MTU) for the local WireGuard interface. The range is 1280 - 1472 and if not set, WireGuard will use the internal default of 1420.
name The name of the WireGuard interface used in the Linux kernel. Names must be unique, at most 15 characters long, and contain only letters, numbers, hyphens or underscores.
port The port the local instance of WireGuard will listen on. The range is 1 to 65535 and defaults to 51820.
private_key The private key to use to authenticate the local WireGuard interface. This is obtained by running the wg genkey command.
public_key The public key that corresponds to your private key, which WireGuard peers will authenticate with. This is obtained by running the wg pubkey command.
table The routing table for the WireGuard routes. Can be a table number, 'off' or 'auto'.

WireGuard Context Sub-objects

There are a number of sub-objects under the WireGuard context: addresses, peers and hooks.

Addresses

The wireguard <interface-name> addresses context is a list that holds the IPv4 CIDR addresses of the local WireGuard interface. These are statically assigned when the WireGuard interface is brought up.

config: wireguard
config(wireguard): add wg0
config(wireguard wg0): addresses
config(wireguard wg0 addresses): add 10.0.0.1/24

Peers

The following list defines the WireGuard settings for WireGuard-capable remote peers. Each peer has the following fields:

config(wireguard wg0 peers 0): show
Entity wireguard item wg0 field peers 0
endpoint_address ""
endpoint_port ""
keep_alive ""
public_key "" (required)
allowed_ips (array) (required)

Peer Field Description
endpoint_address A reachable IP address or fully-qualified domain name for the remote peer with a WireGuard interface.
endpoint_port The port number on which the WireGuard instance is listening on the remote peer.
keep_alive Equivalent to PersistentKeepalive in the WireGuard config, this specifies how often the WireGuard interface must send a keep alive packet. This helps keep the routing entry alive for scenarios where the peer is behind a NAT.
public_key The public key that will be accepted by the local WireGuard service if offered by a peer for the purpose of mutual authentication during a five step key exchange process.
allowed_ips A list which specifies the IP ranges for which a peer routes traffic. For multiple WireGuard interfaces on the same device, the addresses must not overlap. The IP addresses specified here are the addresses of the peer’s WireGuard interface(s) - this is where the peer “routes traffic”. These are specified as IPv4 addresses in a.b.c.d/<cidr_mask> format.
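
The documented limits for the interface and peer fields can be checked before a payload is sent to the REST API. The following is an added example, not Opengear code: validate and key_ok are hypothetical helper names, numeric fields are assumed to be JSON integers when present, and the payload shape follows the REST example above.

```python
import base64, binascii, ipaddress, re

NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")  # documented interface-name rule
def key_ok(value):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value or "", validate=True)) == 32
    except (binascii.Error, ValueError, TypeError):
        return False

def validate(payload):
    """Return a list of problems found in a {"wireguards": [...]} payload."""
    errors, names, claimed = [], set(), []
    for wg in payload.get("wireguards", []):
        name = wg.get("name", "")
        if not NAME_RE.fullmatch(name) or name in names:
            errors.append(f"{name!r}: name invalid or not unique")
        names.add(name)
        if not key_ok(wg.get("private_key")):
            errors.append(f"{name}: private_key is not a 32-byte base64 key")
        mtu = wg.get("mtu")  # assumption: an integer when present
        if mtu is not None and not 1280 <= mtu <= 1472:
            errors.append(f"{name}: mtu {mtu} outside 1280-1472")
        if not 1 <= wg.get("port", 51820) <= 65535:
            errors.append(f"{name}: port outside 1-65535")
        if not wg.get("addresses"):
            errors.append(f"{name}: at least one address is required")
        for i, peer in enumerate(wg.get("peers", [])):
            if not key_ok(peer.get("public_key")):
                errors.append(f"{name} peer {i}: public_key missing or malformed")
            if not peer.get("allowed_ips"):
                errors.append(f"{name} peer {i}: allowed_ips is required")
            for cidr in peer.get("allowed_ips", []):
                try:
                    net = ipaddress.IPv4Network(cidr, strict=False)
                except ValueError:
                    errors.append(f"{name} peer {i}: {cidr!r} is not IPv4 CIDR")
                    continue
                # allowed_ips must not overlap across interfaces on one device
                errors += [f"{name} peer {i}: {net} overlaps {o} on {n}"
                           for n, o in claimed if n != name and net.overlaps(o)]
                claimed.append((name, net))
    return errors

# The page's REST example, reduced to the fields checked here.
PAGE_EXAMPLE = {"wireguards": [{
    "name": "wg0", "addresses": ["10.0.0.1/24"],
    "private_key": "AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=",
    "peers": [{"public_key": "o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=",
               "allowed_ips": ["10.0.0.2/32"]}]}]}
print(validate(PAGE_EXAMPLE) or "no problems found")
```
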

Hooks

WireGuard allows for commands to be executed before/after the interface is brought up/down. These can be specified in the following array fields:

Note: Each field is an array of strings that correspond to commands to be executed.

Hook Description
pre_up_hooks Run a command before the interface is brought up (optional).
post_up_hooks Run a command after the interface is brought up (optional).
pre_down_hooks Run a command before the interface is brought down (optional).
post_down_hooks Run a command after the interface is brought down (optional).

Adding a WireGuard Interface to a Firewall Zone

The WireGuard interface can be added to a firewall zone as in the following example:

Entity firewall/zone item zone
description "" (required)
label "" (required)
masquerade "" (required)
name zone
permit_all_traffic "" (required)
address_filters (array)
custom_rules (array)
physifs (array)
port_forwarding_rules (array)
wireguards (array)

Article information

Author: Carlyn Walter
