Hi,

There has been a lot of interest in WireGuard on the OpenBSD subreddit. So here
is a patch that provides a few basic examples for usage.

Thanks,
Jim


Index: www/faq/faq17.html
===================================================================
RCS file: /cvs/www/faq/faq17.html,v
retrieving revision 1.16
diff -u -p -u -r1.16 faq17.html
--- www/faq/faq17.html  12 Dec 2020 19:07:25 -0000      1.16
+++ www/faq/faq17.html  2 May 2021 15:08:42 -0000
@@ -54,6 +54,7 @@ FAQ - Virtual Private Networks (VPN)
     <li><a href="#clientwindows">With a Windows Client</a>
   </ul>
   <li><a href="#clientikev1"    >Connecting to an IKEv1/L2TP OpenBSD VPN</a>
+  <li><a href="#wireguard"      >WireGuard</a>
 </ul>
 
 <hr>
@@ -78,12 +79,6 @@ also available and, coupled with
 <a href="https://man.openbsd.org/npppd";>npppd(8)</a>, it allows you to build
 an IKEv1/L2TP VPN where IKEv2 can't be deployed.
 
-<p>
-Native WireGuard support is also available via the
-<a href="https://man.openbsd.org/wg";>wg(4)</a> device.
-As the manual explains, it can be configured the same way as all other
-<a href="faq6.html">network interfaces</a> in OpenBSD.
-
 <h2 id="authentication">Authentication</h2>
 
 <a href="https://man.openbsd.org/iked";>iked(8)</a> supports the following
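Review bot: the paragraph removed here is reinserted verbatim at the top of the new WireGuard section in the third hunk, so "Native WireGuard support is also available" now opens a section of its own and the "also" no longer has anything to continue from; either keep a one-line mention here that points at #wireguard, or drop "also" from the relocated copy.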
@@ -644,3 +639,169 @@ OpenBSD doesn't provide an L2TP client b
 
 Refer to <code>/usr/local/share/doc/pkg-readmes/xl2tpd</code> for instructions
 on how to properly setup the L2TP client.
+
+<h2 id="wireguard">WireGuard</h2>
+
+<p>
+Native WireGuard support is also available via the
+<a href="https://man.openbsd.org/wg";>wg(4)</a> device.
+As the manual explains, it can be configured the same way as all other
+<a href="faq6.html">network interfaces</a> in OpenBSD.
+
+<p>
+WireGuard is an interface based VPN tunnel, which requires more knowledge
+about networking to get functioning.
+It can act as a responder or initiator or both where possible.
+WireGuard is a connectionless based tunnel, meaning there is no need to worry
+about daemons or state of the tunnel.
+The encryption / decryption key that is negotiated has a very short life span 
of
+2 minutes and does not rely on the last packet recieved; so it is very 
resilient
+against packet loss.
+
+<p>
+Required to forward traffic over WireGuard interfaces.
+
+<pre class="cmdbox">
+# <b>sysctl net.inet.ip.forwarding=1</b>
+</pre>
+
+<h3>Client to Server example</h3>
+
+<h4>Server configuration (responder)</h4>
+
+<p>
+Create a persistnent private key and interface, set listening port, get the
+pubkey that the client will need.
+
+<pre class="cmdbox">
+server# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
+server# <b># sh /etc/netstart wg0</b>
+server# <b>ifconfig wg0 wgport 51820</b>
+server# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
+zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE=
+server# <b>ifconfig wg0 inet 192.0.2.1/24</b>
+server# <b>ifconfig wg0 wgpeer f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg= \
+                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
+                wgaip 192.0.2.2/32</b>
+</pre>
+
+<p>
+PF rules needed for clients to establish a connection and enter and leave on 
the
+wg0 interface on the server.
+The nat-to rule is only needed if you want the client to be able to use the
+internet of the server.
+
+<pre class="cmdbox">
+pass in on egress inet proto udp to port 51820
+match out on egress from wg0:network nat-to egress # needed for client to surf 
the internet
+pass on wg keep state (if-bound)
+</pre>
+
+<h4>Client configuration (initiator)</h4>
+
+<p>
+Create a persistnent private key and interface and get the pubkey that the
+server will need.
+
+<pre class="cmdbox">
+client# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
+client# <b># sh /etc/netstart wg0</b>
+clinet# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
+f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg=
+client# <b>ifconfig wg0 inet 192.0.2.2/24</b>
+client# <b>ifconfig wg0 wgpeer zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE= \
+                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
+                wgendpoint a.b.c.d 51820 wgaip 0.0.0.0/0</b>
+</pre>
+
+<p>
+PF rules needed for traffic to enter and leave on the wg0 interface on the
+client.
+
+<pre class="cmdbox">
+pass on wg keep state (if-bound)
+</pre>
+
+<p>
+Routes needed on client to tunnel all traffic to / through the server.
+
+<pre class="cmdbox">
+client# <b>route add -priority 2 a.b.c.d `netstat -rn | grep default | \
+        awk ‘{print $2}’`</b>
+client# <b>route add -priority 7 default 192.0.2.1/24</b>
+</pre>
+
+<h3>Server to Server example</h3>
+
+<p>
+This example shows 2 servers each with another subnet connected to them. Pay
+close attention to the wgaip info. There can be multiple allowed IP's or
+subnets each with their own wgaip for the wgpeer line.
+
+
+<h4>Server 1 configuration (initiator and responder)</h4>
+
+<p>
+Create a persistnent private key and interface, set listening port, get the
+pubkey that server 2 will need.
+
+<pre class="cmdbox">
+server1# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
+server1# <b># sh /etc/netstart wg0</b>
+server1# <b>ifconfig wg0 wgport 51820</b>
+server1# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
+zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE=
+server1# <b>ifconfig wg0 inet 192.0.2.1/24</b>
+server1# <b>ifconfig wg0 wgpeer f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg= \
+                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
+                wgendpoint e.f.g.h 51820 wgaip 192.0.2.2/32 wgaip 
10.0.1.0/24</b>
+</pre>
+
+<p>
+PF rules needed for server 2 to establish a connection and enter and leave on
+the wg0 interface.
+
+<pre class="cmdbox">
+pass in on egress inet proto udp to port 51820
+pass on wg keep state (if-bound)
+</pre>
+
+<p>
+Routes needed on server 1 to allow 10.0.0.0/24 to reach 10.0.1.0/24.
+
+<pre class="cmdbox">
+server1# <b>route add 10.0.1.0/24 192.0.2.2</b>
+</pre>
+
+<h4>Server 2 configuration (initiator and responder)</h4>
+
+<p>
+Create a persistnent private key and interface and get the pubkey that the
+server 1 will need.
+
+<pre class="cmdbox">
+server2# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
+server2# <b># sh /etc/netstart wg0</b>
+server2# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
+f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg=
+server2# <b>ifconfig wg0 inet 192.0.2.2/24</b>
+server2# <b>ifconfig wg0 wgpeer zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE= \
+                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
+                wgendpoint a.b.c.d 51820 wgaip 192.0.2.1/32 wgaip 
10.0.0.0/24</b>
+</pre>
+
+<p>
+PF rules needed for server 1 to establish a connection and enter and leave on 
the
+wg0 interface.
+
+<pre class="cmdbox">
+pass in on egress inet proto udp to port 51820
+pass on wg keep state (if-bound)
+</pre>
+
+<p>
+Routes needed on server 2 to allow 10.0.1.0/24 to reach 10.0.0.0/24.
+
+<pre class="cmdbox">
+server2# <b>route add 10.0.0.0/24 192.0.2.1</b>
+</pre>
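Review bot: in all four "Create a persistnent private key" blocks the second command is written as `server# <b># sh /etc/netstart wg0</b>`, so the `#` inside the <b> makes the line a shell comment and a reader who copies it never brings wg0 up; drop the inner `#`. The `cut -d ‘ ‘ -f 2` and `awk ‘{print $2}’` commands use typographic quotes (U+2018/U+2019), which sh passes through as literal characters, so cut fails on the delimiter and awk gets a syntax error; they need straight single quotes. More substantively, only the `wgkey` line is written to /etc/hostname.wg0 while the address, `wgport` and `wgpeer` settings are applied with one-off ifconfig calls, so the whole peer configuration disappears on reboot; hostname.if(5) accepts the same keywords as ifconfig(8), so the `inet`, `wgport` and `wgpeer ... wgaip ...` lines belong in hostname.wg0 too, which would also make each example shorter. The `echo "wgkey ..." > /etc/hostname.wg0` creates the file under the default umask, leaving the private key world-readable until someone tightens it; the example should `umask 077` first or `chmod 0640` afterwards, and the same care applies to the `wgpsk` value, which as written ends up in the shell history. Smaller points: "persistnent" (four times), "recieved", "clinet#" in the client block, "IP's"; `route add -priority 7 default 192.0.2.1/24` puts a prefix length on a gateway, which should be the bare host address `192.0.2.1`; `sysctl net.inet.ip.forwarding=1` is only needed on hosts that forward for others (the server in the first example, both servers in the second) and is not persistent unless also added to /etc/sysctl.conf, which the text should say; and "requires more knowledge about networking to get functioning" reads as a warning rather than documentation and would be more useful as a list of what the reader has to supply on each end (addresses, routes and PF rules).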
