From: Lonnie A. <li...@lo...> - 2017-11-14 22:15:05
On Nov 14, 2017, at 3:44 PM, David Kerr <Da...@Ke...> wrote:

> Okay, so during a coffee break here in the office, I got an Ubuntu VM talking to my AstLinux at home, I can ping hosts on my internal LAN at home. Basically I followed https://git.zx2c4.com/WireGuard/plain/contrib/examples/ncat-client-server/client.sh to figure it out.

Excellent.

BTW, you could have also used the general Linux wg-quick script (wireguard-tools) to bring the VPN up and down. AstLinux does not include the wg-quick script but our /etc/init.d/wireguard does the same basic thing.

> Now that's done, it prompts more questions...
>
> 1) I had to manually assign an IP address at my client side. Is that right? No way to push down an available IP address from the server within a subnet setup at the server side? So, e.g. I have 172.23.19.1 set as my server side wg0 IP address, and at the client I set 172.23.19.2. And in AllowedIPs I let all 172.23.19.1/24 go through the VPN.

I think it is possible to not define an IP address for the remote peer ("client" as you say) as long as useful AllowedIPs are defined, but for AstLinux we require a unique IPv4 address to be assigned to the wg0 interface. WireGuard is simple, no negotiating, no pushing or pulling options or addresses.

> 2) I had to manually add a route to my internal 192.168.x.0/24 on the client side before I could ping devices on my home LAN. Again, any way for this to be pushed down from the server?

This is automatic in AstLinux, and the general Linux wg-quick script also automatically creates the routes to wg0 based on the AllowedIPs peer networks in wg0.conf.

> Crying out for a GUI at the client side I think.

I can hardly wait for an iOS WireGuard App and ChromeOS support.

Lonnie

>
> David
>
>
> On Tue, Nov 14, 2017 at 4:32 PM, Lonnie Abelbeck <li...@lo...> wrote:
>
> > Hi David,
> >
> > There is no client vs. server per se, it is peer to peer, but with a WireGuard endpoint with many peer entries connected to WireGuard endpoints with only a single peer, the multi-peer endpoint might be thought of as a server.
> >
> > Also a roaming (road-warrior) "client" peer would have an "Endpoint = " entry to the "server", while the server's peer entry would not have an "Endpoint = " entry; the connection would be initiated by the "client".
> >
> > I would try AstLinux to AstLinux to learn, but AstLinux to General Linux should work as well.
> >
> > One thing to keep in mind is if you have multiple peers, the AllowedIPs networks must be unique across all peers, as it describes a sort of routing table for the wg0 traffic.
> >
> > > So, make sure I understand this correct. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into AllowedIPs?
> >
> > Yes, the public key of the remote peer, and the AllowedIPs are networks that are directed *to* that peer.
> >
> > Often you might define a 10.4.0.0/24 wg0 interface shared across all peers, and then add AllowedIPs to route traffic to various peers.
> >
> > For example, Boxes A and B:
> >
> > Box A: (External IPv4 Address: 1.2.3.4)
> >
> > WireGuard VPN:
> > IPv4 Address: 10.4.0.10
> > IPv4 NetMask: 255.255.255.0
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32
> > --
> >
> > Box B: (External IPv4 Address: 5.6.7.8)
> >
> > WireGuard VPN:
> > IPv4 Address: 10.4.0.11
> > IPv4 NetMask: 255.255.255.0
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.10/32
> > --
> >
> > Now take this a step further with local LANs and you want to route between them:
> >
> > Box A LAN: 192.168.10.0/24
> > Box B LAN: 192.168.11.0/24
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
> > --
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.10/32, 192.168.10.0/24
> > --
> >
> > Even further, add Box C, a roaming road-warrior, VPN 10.4.0.12, without a LAN, and you want all boxes to talk to each other, making Box A the "server":
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
> >
> > [Peer]
> > PublicKey = <Box C public key>
> > AllowedIPs = 10.4.0.12/32
> > --
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> > --
> >
> > -- Box C - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> > --
> >
> > > If I want to let multiple clients attach, how do I go about that? Where would I list the multiple permitted public keys?
> >
> > Define multiple [Peer] entries with the corresponding PublicKeys, simple as that :-)
> >
> > Lonnie
> >
> >
> > On Nov 14, 2017, at 2:23 PM, David Kerr <Da...@Ke...> wrote:
> >
> > > Lonnie,
> > > Thanks, sounds good. Maybe I missed it, but in reading the doc you wrote I could see how to set up a server, but not how to set up AstLinux as a client? I'm keen to try this out, but will start with a Linux client in a VM. Time to google for instructions on that.
> > >
> > > Thanks
> > > David
> > >
> > > On Tue, Nov 14, 2017 at 2:06 PM, Lonnie Abelbeck <li...@lo...> wrote:
> > >
> > > > On Nov 14, 2017, at 11:37 AM, Michael Keuter <li...@mk...> wrote:
> > > >
> > > > > Am 14.11.2017 um 17:56 schrieb David Kerr <da...@ke...>:
> > > > >
> > > > > > Lonnie,
> > > > > > I have some questions on the new WireGuard features...
> > > > > >
> > > > > > Does AstLinux implement server only, or both client and server, i.e., can I use WireGuard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?
> > > > >
> > > > > Yes. (Both client and server)
> > > >
> > > > Hi David,
> > > >
> > > > I currently have a remote SIP peer over WireGuard instead of public SIP for an AstLinux to AstLinux configuration. I also AllowedIPs one of my LAN IPs to perform remote management. Works great!
> > > >
> > > > And the tunnel can transfer both IPv4/IPv6, and any peer to peer connection can be over either IPv4 or IPv6.
> > > >
> > > > > > Is the public/private key used by the VPN the same as that used by other AstLinux services, and can it be a LetsEncrypt/acme issued/managed certificate?
> > > > >
> > > > > No.
> > > >
> > > > The public keys are short, base64 encoded strings like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=" thanks to Elliptic-curve cryptography. Simple copy/paste to share public keys between peers.
> > > >
> > > > Yesterday I fired up a VM and created a WireGuard tunnel between the VM and one of my test boxes, it took less than 2 minutes.
> > > >
> > > > > > Are you aware of any easy to use macOS or Windows clients?
> > > > >
> > > > > There are none yet.
> > > > > https://www.wireguard.com/install/
> > > > >
> > > > > Michael
> > > >
> > > > It will take a little time for non-Linux user-space implementations, but that is on the roadmap. Android will probably appear first.
> > > >
> > > > In the lab I have achieved iperf3 speeds of nearly 700 Mbps using two parallel streams between a Qotom J1900 and Jetway N2930 over a WireGuard VPN. OpenVPN maxes out at 110 Mbps. For AstLinux users 1 Gbps VPN routing is probably not needed yet, but the efficiency leaves more CPU head-room for Asterisk and other services, not to mention the very easy configuration for site-to-site VPNs.
> > > >
> > > > More interesting tidbits ...
> > > >
> > > > It looks pretty clear that WireGuard will make it into the mainline Linux kernel:
> > > > https://plus.google.com/+gregkroahhartman/posts/jD6N4BzToa3
> > > >
> > > > A VPN provider comments - WireGuard is the future
> > > > https://mullvad.net/blog/2017/9/27/wireguard-future/
> > > >
> > > > A lot of projects offer WireGuard...
> > > > https://www.wireguard.com/install/
> > > >
> > > > Lonnie
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > > _______________________________________________
> > > > Astlinux-devel mailing list
> > > > Ast...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/astlinux-devel
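The peer-table rules spelled out in this thread (every peer gets its own PublicKey, AllowedIPs must be unique across peers because they form the cryptokey routing table, a road-warrior peer has no Endpoint, and wg-quick or AstLinux's init script derives the wg0 routes from AllowedIPs) are easy to get wrong by hand on a multi-peer hub. The following is an added example and is not AstLinux or wireguard-tools code: a small checker that parses a wg0.conf, validates the keys and AllowedIPs, lists the peers that must initiate, and prints the routes wg-quick would add. The sample config is constructed here from the Box A / B / C layout above; Box B's key is the example key quoted in the thread and Box C's key is a dummy 32-byte value, neither of them a real key in use anywhere.

```python
"""Sanity-check a multi-peer WireGuard wg0.conf before bringing the tunnel up.

Added example, not AstLinux or wireguard-tools code. It parses wg0.conf,
checks that every PublicKey is a 32-byte base64 Curve25519 key, that no
AllowedIPs network is claimed by two peers (WireGuard keeps one owner per
network, so a duplicate silently moves from the earlier peer to the later
one), lists the peers with no Endpoint (road warriors that must initiate),
and prints the routes that wg-quick / AstLinux's init script install from
AllowedIPs. Sample configs are constructed here from the thread's Box A/B/C.
"""
import base64
import binascii
import ipaddress

# Box B's key is the example key quoted in the thread; Box C's is a constructed
# 32-byte dummy. Neither is a real key pair in use anywhere.
BOX_B_PUBKEY = "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw="
BOX_C_PUBKEY = base64.b64encode(bytes(range(32))).decode()

BOX_A_CONF = f"""\
[Interface]
ListenPort = 51820
# PrivateKey = (omitted from this constructed sample)

[Peer]
# Box B: site-to-site peer with its own LAN
PublicKey = {BOX_B_PUBKEY}
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24

[Peer]
# Box C: roaming road warrior, no fixed Endpoint
PublicKey = {BOX_C_PUBKEY}
AllowedIPs = 10.4.0.12/32
"""

# Same hub, but Box C's AllowedIPs wrongly repeats Box B's VPN address.
BOX_A_BROKEN_CONF = BOX_A_CONF.replace(
    "AllowedIPs = 10.4.0.12/32", "AllowedIPs = 10.4.0.12/32, 10.4.0.11/32")


def parse_wg_conf(text):
    """Parse an INI-style wg0.conf into (interface dict, list of peer dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line in wg0.conf: {raw!r}")
        else:
            key, _, value = line.partition("=")   # base64 keys end in '=', split once
            current[key.strip()] = value.strip()
    return interface, peers


def is_wg_key(b64):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def allowed_networks(peer):
    """The AllowedIPs of one peer as ip_network objects."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def check_peers(peers):
    """Return a list of problems; an empty list means the peer table is consistent."""
    problems, owner = [], {}    # owner: network -> index of the peer that claims it
    for i, peer in enumerate(peers):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"peer {i}: missing or malformed PublicKey")
        nets = allowed_networks(peer)
        if not nets:
            problems.append(f"peer {i}: no AllowedIPs, nothing will be routed to it")
        for net in nets:
            if net in owner:
                problems.append(f"peer {i}: {net} already assigned to peer {owner[net]}")
            owner[net] = i
    return problems


def roaming_peers(peers):
    """Indexes of peers without an Endpoint: they must initiate the handshake."""
    return [i for i, p in enumerate(peers) if "Endpoint" not in p]


def routes_for(peers, ifname="wg0"):
    """Routes wg-quick adds for each AllowedIPs entry. Default routes (/0) get
    policy-routing treatment in wg-quick and are skipped here."""
    cmds = []
    for peer in peers:
        for net in allowed_networks(peer):
            if net.prefixlen == 0:
                continue
            cmds.append(f"ip -{net.version} route add {net} dev {ifname}")
    return cmds


if __name__ == "__main__":
    _, peers = parse_wg_conf(BOX_A_CONF)
    print("problems:", check_peers(peers) or "none")
    print("roaming peers:", roaming_peers(peers))
    print("\n".join(routes_for(peers)))
    _, broken = parse_wg_conf(BOX_A_BROKEN_CONF)
    print("broken config:", check_peers(broken))
```

Run it against a real wg0.conf by swapping the constructed string for the file contents; the duplicate-AllowedIPs check is the one worth keeping, since `wg` will not complain about a repeated network, it just reassigns it to whichever peer was configured last.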