From: Lonnie A. <li...@lo...> - 2017-11-14 21:32:30
Hi David,

There is no client vs. server per se, it is peer to peer, but with a WireGuard endpoint with many peer entries connected to WireGuard endpoints with only a single peer, the multi-peer endpoint might be thought of as a server.

Also a roaming (road-warrior) "client" peer would have an "Endpoint = " entry for the "server", whereas the server's peer entry would not have an "Endpoint = " entry; the connection would be initiated by the "client".

I would try AstLinux to AstLinux to learn, but AstLinux to General Linux should work as well.

One thing to keep in mind is if you have multiple peers, the AllowedIPs networks must be unique across all peers, as it describes a sort of routing table for the wg0 traffic.

> So, make sure I understand this correctly. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into AllowedIPs?

Yes, the public key of the remote peer, and the AllowedIPs are networks that are directed *to* that peer.

Often you might define a 10.4.0.0/24 wg0 interface shared across all peers, and then add AllowedIPs to route traffic to various peers.

For example, Boxes A and B:

Box A: (External IPv4 Address: 1.2.3.4)
WireGuard VPN:
  IPv4 Address: 10.4.0.10
  IPv4 NetMask: 255.255.255.0

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32
--

Box B: (External IPv4 Address: 5.6.7.8)
WireGuard VPN:
  IPv4 Address: 10.4.0.11
  IPv4 NetMask: 255.255.255.0

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.10/32
--

Now take this a step further with local LANs, and you want to route between them:

Box A LAN: 192.168.10.0/24
Box B LAN: 192.168.11.0/24

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
--

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.10/32, 192.168.10.0/24
--

Even further, add Box C, a roaming road-warrior, VPN 10.4.0.12, without a LAN, and you want all boxes to talk to each other, making Box A the "server":

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
[Peer]
PublicKey = <Box C public key>
AllowedIPs = 10.4.0.12/32
--

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
--

-- Box C - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
--

> If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?

Define multiple [Peer] entries with the corresponding PublicKeys, simple as that :-)

Lonnie

On Nov 14, 2017, at 2:23 PM, David Kerr <Da...@Ke...> wrote:

> Lonnie,
> Thanks, sounds good. Maybe I missed it, but in reading the doc you wrote I could see how to set up a server, but not how to set up AstLinux as a client? I'm keen to try this out, but will start with a Linux client in a VM. Time to google for instructions on that.
>
> Thanks
> David
>
> On Tue, Nov 14, 2017 at 2:06 PM, Lonnie Abelbeck <li...@lo...> wrote:
>
> > On Nov 14, 2017, at 11:37 AM, Michael Keuter <li...@mk...> wrote:
> >
> > >> On 14.11.2017 at 17:56, David Kerr <da...@ke...> wrote:
> > >>
> > >> Lonnie,
> > >> I have some questions on the new WireGuard features...
> > >>
> > >> Does AstLinux implement server only, or both client and server? i.e., can I use WireGuard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?
> > >
> > > Yes. (Both client and server)
> >
> > Hi David,
> >
> > I currently have a remote SIP peer over WireGuard instead of public SIP for an AstLinux to AstLinux configuration. I also AllowedIPs one of my LAN IPs to perform remote management. Works great!
> >
> > And the tunnel can transfer both IPv4/IPv6, and any peer to peer connection can be over either IPv4 or IPv6.
> >
> > >> Is the public/private key used by the VPN the same as that used by other AstLinux services, and can it be a LetsEncrypt/acme issued/managed certificate?
> > >
> > > No.
> >
> > The public keys are short, base64 encoded strings like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=" thanks to Elliptic-curve cryptography. Simple Copy/Paste to share public keys between peers.
> >
> > Yesterday I fired up a VM and created a WireGuard tunnel between the VM and one of my test boxes, it took less than 2 minutes.
> >
> > >> Are you aware of any easy to use MacOS or Windows clients?
> > >
> > > There are none yet.
> > >
> > > https://www.wireguard.com/install/
> > >
> > > Michael
> >
> > It will take a little time for non-Linux user-space implementations, but that is on the roadmap. Android will probably appear first.
> >
> > In the lab I have achieved iperf3 speeds of nearly 700 Mbps using two parallel streams between a Qotom J1900 and Jetway N2930 over a WireGuard VPN. OpenVPN maxes out at 110 Mbps. For AstLinux users 1 Gb VPN routing is probably not needed yet, but the efficiency leaves more CPU head-room for Asterisk and other services, not to mention the very easy configuration for site to site VPNs.
> >
> > More interesting tidbits ...
> >
> > It looks pretty clear that WireGuard will make it into the mainline Linux kernel:
> > https://plus.google.com/+gregkroahhartman/posts/jD6N4BzToa3
> >
> > A VPN provider comments - WireGuard is the future
> > https://mullvad.net/blog/2017/9/27/wireguard-future/
> >
> > A lot of projects offer WireGuard...
> > https://www.wireguard.com/install/
> >
> > Lonnie
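As an added example, not from the thread or from AstLinux itself, here is a small Python checker for the "AllowedIPs is a routing table" behaviour Lonnie describes: it parses a wg0.conf modelled on Box A above, flags any network claimed by more than one [Peer], and answers which peer a given destination address would be routed to. The sample config, the placeholder key strings and the helper names are constructed for this example.

```python
import ipaddress
from collections import defaultdict
# Constructed sample modelled on "Box A" in the thread; key values are placeholders.
BOX_A_CONF = """[Interface]
PrivateKey = <Box A private key>
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
[Peer]
PublicKey = <Box C public key>
AllowedIPs = 10.4.0.12/32
"""

def parse_peers(conf):
    """One dict per [Peer]; Endpoint stays None for a roaming peer that initiates."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.lower() == '[peer]':
            current = {'PublicKey': None, 'Endpoint': None, 'AllowedIPs': []}
            peers.append(current)
        elif line.startswith('['):
            current = None                            # [Interface] carries no routing data
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if key == 'AllowedIPs':
                current[key] += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(',')]
            elif key in current:
                current[key] = value
    return peers

def duplicate_allowed_ips(peers):
    """Networks claimed by more than one peer: wg moves the route to the last claimant, so the earlier peer silently loses that traffic."""
    owners = defaultdict(list)
    for p in peers:
        for net in p['AllowedIPs']:
            owners[net].append(p['PublicKey'])
    return {str(net): keys for net, keys in owners.items() if len(keys) > 1}

def peer_for(peers, dest):
    """Peer that receives packets for dest: longest-prefix match over AllowedIPs (WireGuard's cryptokey routing rule); None means wg0 drops it."""
    addr, best = ipaddress.ip_address(dest), None
    for p in peers:
        for net in p['AllowedIPs']:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, p['PublicKey'])
    return best[1] if best else None
```

Run `duplicate_allowed_ips(parse_peers(...))` against each box's wg0.conf before bringing wg0 up; a non-empty result means two peers compete for the same network.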