From: David K. <da...@ke...> - 2017-11-14 21:45:28

Okay, so during a coffee break here in the office, I got an Ubuntu VM talking to my AstLinux at home; I can ping hosts on my internal LAN at home. Basically I followed https://git.zx2c4.com/WireGuard/plain/contrib/examples/ncat-client-server/client.sh to figure it out. Now that's done, it prompts more questions...

1) I had to manually assign an IP address at my client side. Is that right? No way to push down an available IP address from the server within a subnet set up at the server side? So, e.g. I have 172.23.19.1 set as my server side wg0 IP address, and at the client I set 172.23.19.2. And in AllowedIPs I let all of 172.23.19.1/24 go through the VPN.

2) I had to manually add a route to my internal 192.168.x.0/24 on the client side before I could ping devices on my home LAN. Again, any way for this to be pushed down from the server?

Crying out for a GUI at the client side I think.

David

On Tue, Nov 14, 2017 at 4:32 PM, Lonnie Abelbeck <li...@lo...> wrote:
> Hi David,
>
> There is no client vs. server per se, it is peer to peer, but with a WireGuard endpoint with many peer entries connected to WireGuard endpoints with only a single peer, the multi-peer endpoint might be thought of as a server.
>
> Also a roaming (road-warrior) "client" peer would have an "Endpoint = " entry to the "server", while the server's peer entry would not have an "Endpoint = " entry; the connection would be initiated by the "client".
>
> I would try AstLinux to AstLinux to learn, but AstLinux to General Linux should work as well.
>
> One thing to keep in mind is if you have multiple peers, the AllowedIPs networks must be unique across all peers, as it describes a sort of routing table for the wg0 traffic.
>
>
> > So, make sure I understand this correctly. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into Allowed IP's?
>
> Yes, the public key of the remote peer, and the AllowedIPs are networks that are directed *to* that peer.
>
> Often you might define a 10.4.0.0/24 wg0 interface shared across all peers, and then add AllowedIPs to route traffic to various peers.
>
> For Example Boxes A and B:
>
> Box A: (External IPv4 Address: 1.2.3.4)
>
> WireGuard VPN:
> IPv4 Address: 10.4.0.10
> IPv4 NetMask: 255.255.255.0
>
> -- Box A - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box B public key>
> Endpoint = 5.6.7.8:51820
> AllowedIPs = 10.4.0.11/32
> --
>
> Box B: (External IPv4 Address: 5.6.7.8)
>
> WireGuard VPN:
> IPv4 Address: 10.4.0.11
> IPv4 NetMask: 255.255.255.0
>
> -- Box B - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box A public key>
> Endpoint = 1.2.3.4:51820
> AllowedIPs = 10.4.0.10/32
> --
>
> Now take this a step further with local LANs and you want to route between them
>
> Box A LAN: 192.168.10.0/24
> Box B LAN: 192.168.11.0/24
>
> -- Box A - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box B public key>
> Endpoint = 5.6.7.8:51820
> AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
> --
>
> -- Box B - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box A public key>
> Endpoint = 1.2.3.4:51820
> AllowedIPs = 10.4.0.10/32, 192.168.10.0/24
> --
>
> Even further, add Box C roaming road-warrior, VPN 10.4.0.12, without a LAN, and you want all boxes to talk to each other, making Box A the "server"
>
> -- Box A - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box B public key>
> Endpoint = 5.6.7.8:51820
> AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
>
> [Peer]
> PublicKey = <Box C public key>
> AllowedIPs = 10.4.0.12/32
> --
>
> -- Box B - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box A public key>
> Endpoint = 1.2.3.4:51820
> AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> --
>
> -- Box C - wg0.conf --
> [Interface]
> ...
> [Peer]
> PublicKey = <Box A public key>
> Endpoint = 1.2.3.4:51820
> AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> --
>
>
> > If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?
>
> Define multiple [Peer] entries with the corresponding PublicKey's, simple as that :-)
>
> Lonnie
>
>
> > On Nov 14, 2017, at 2:23 PM, David Kerr <Da...@Ke...> wrote:
> >
> > Lonnie,
> > Thanks, sounds good. Maybe I missed it, but in reading the doc you wrote I could see how to set up a server, but not how to set up AstLinux as a client? I'm keen to try this out, but will start with a Linux client in a VM. Time to google for instructions on that.
> >
> > Thanks
> > David
> >
> > On Tue, Nov 14, 2017 at 2:06 PM, Lonnie Abelbeck <li...@lo...> wrote:
> >
> > > On Nov 14, 2017, at 11:37 AM, Michael Keuter <li...@mk...> wrote:
> > >
> > >
> > >> On 14.11.2017 at 17:56, David Kerr <da...@ke...> wrote:
> > >>
> > >> Lonnie,
> > >> I have some questions on the new WireGuard features...
> > >>
> > >> Does AstLinux implement server only, or both client and server, i.e. can I use WireGuard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?
> > >
> > > Yes. (Both client and server)
> >
> > Hi David,
> >
> > I currently have a remote SIP peer over WireGuard instead of public SIP for an AstLinux to AstLinux configuration. I also AllowedIPs one of my LAN IP's to perform remote management. Works great!
> >
> > And the tunnel can transfer both IPv4/IPv6, and any peer to peer connection can be over either IPv4 or IPv6.
> >
> > >
> > >> Is the public/private key used by the VPN the same as that used by other AstLinux services and can it be a LetsEncrypt/acme issued/managed certificate?
> > >
> > > No.
> >
> > The public keys are short, base64 encoded strings like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=" thanks to Elliptic-curve cryptography. Simple Copy/Paste to share public keys between peers.
> >
> > Yesterday I fired up a VM and created a WireGuard tunnel between the VM and one of my test boxes, it took less than 2 minutes.
> >
> > >
> > >> Are you aware of any easy to use MacOS or Windows clients?
> > >
> > > There are none yet.
> > > https://www.wireguard.com/install/
> > >
> > > Michael
> >
> > It will take a little time for non-Linux user-space implementations, but that is on the roadmap. Android will probably appear first.
> >
> > In the lab I have achieved iperf3 speeds of nearly 700 Mbps using two parallel streams between a Qotom J1900 and Jetway N2930 over a WireGuard VPN. OpenVPN maxes out at 110 Mbps. For AstLinux users 1 Gb VPN routing is probably not needed yet, but the efficiency leaves more CPU head-room for Asterisk and other services, not to mention the very easy configuration for site to site VPNs.
> >
> > More interesting tidbits ...
> >
> > It looks pretty clear that WireGuard will make it into the mainline Linux kernel:
> > https://plus.google.com/+gregkroahhartman/posts/jD6N4BzToa3
> >
> > A VPN provider comments - WireGuard is the future
> > https://mullvad.net/blog/2017/9/27/wireguard-future/
> >
> > A lot of projects offer WireGuard...
> > https://www.wireguard.com/install/
> >
> > Lonnie
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Astlinux-devel mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-devel
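Lonnie's point that a peer's AllowedIPs form a routing table for wg0 and must be unique across peers, as an added example that is not part of this thread and not AstLinux or WireGuard code: a small Python checker that parses a wg0.conf, reports any network listed under more than one [Peer], and answers which peer a destination address is routed to by longest-prefix match. The sample config is a constructed copy of the Box A example quoted above, with placeholder keys.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the Box A wg0.conf in the thread; keys are placeholders.
BOX_A_CONF = """\
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
[Peer]
PublicKey = <Box C public key>
AllowedIPs = 10.4.0.12/32
"""

def parse_peers(conf_text):
    """One (public_key, [ip_network, ...]) tuple per [Peer] section of a wg0.conf."""
    peers, in_peer = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.startswith("["):                 # section header: only [Peer] sections matter here
            in_peer = line == "[Peer]"
            if in_peer:
                peers.append([None, []])
        elif in_peer and "=" in line:            # split on the first '=' only; base64 keys may end in '='
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                peers[-1][0] = value
            elif key == "AllowedIPs":
                peers[-1][1] += [ipaddress.ip_network(n.strip(), strict=False)
                                 for n in value.split(",") if n.strip()]
    return [tuple(p) for p in peers]

def duplicate_allowed_ips(peers):
    """Networks listed under more than one peer; only one peer may own an AllowedIPs route."""
    owners = defaultdict(list)
    for pubkey, nets in peers:
        for net in nets:
            owners[net].append(pubkey)
    return {str(net): keys for net, keys in owners.items() if len(keys) > 1}

def peer_for(peers, address):
    """Longest-prefix match, as wg0 picks the peer for an outgoing packet (None = dropped)."""
    addr, best = ipaddress.ip_address(address), None
    for pubkey, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (pubkey, net)
    return best[0] if best else None
```

A destination that no peer claims is dropped by wg0, which is the symptom behind having to add the 192.168.x.0/24 route by hand: the LAN has to appear in that peer's AllowedIPs on the client side.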