:orphan:

============================
WireGuard Site-to-Site Setup
============================

------------
Introduction
------------

WireGuard is a simple and fast modern VPN. It aims to be faster and simpler than IPsec, and it
intends to be considerably more performant than OpenVPN. Initially released for the Linux kernel,
it is now cross-platform and widely deployable. It is currently under heavy development.

---------------------
Step 1 - Installation
---------------------

Install the plugin as usual, refresh the page and you will find the client
via :menuselection:`VPN --> WireGuard`.

------------------------
Step 2 - Setup WireGuard
------------------------

The setup of a site-to-site VPN is very simple. Just go to tab **Local** and create a new instance.
Give it a **Name** and set a desired **Listen Port**. If you have more than one service instance, be
aware that each **Listen Port** can be used only once. For **Tunnel Address** choose a new virtual
network to run communication over, just like with OpenVPN or GRE (e.g. 192.168.0.1/24).
**Peers** cannot be chosen yet, since we have not created them yet.

After hitting **Save changes** you can reopen the newly created instance, write down your new public
key and give it to the other side.
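
The public key written down above is the X25519 public key belonging to the instance's private
key, and the reason only public keys are exchanged is that each side can compute the same shared
secret from its own private key and the other side's public key. The following is an added example,
not code from the OPNsense documentation or the plugin: it implements the X25519 function of
RFC 7748 in plain Python (a readable, not constant-time, version) and walks two constructed sites
through the exchange. The base64 encoding matches the 44-character form in which WireGuard shows
keys; the site names and the randomly generated keys are constructed for the demonstration.

```python
import base64
import os

# Field prime and the (A - 2) / 4 constant of Curve25519 (RFC 7748, section 4.1).
P = 2**255 - 19
A24 = 121665


def _clamp(private: bytes) -> int:
    """Decode a 32-byte private key into a scalar with the RFC 7748 clamping applied."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte u-coordinate; the top bit is masked as the RFC requires."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little") % P


def _cswap(swap: int, a: int, b: int):
    # Illustrative conditional swap; a production implementation makes this constant-time.
    return (b, a) if swap else (a, b)


def x25519(private: bytes, u: bytes) -> bytes:
    """Montgomery ladder computing k * u on Curve25519 (RFC 7748, section 5)."""
    k = _clamp(private)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# The curve's base point u = 9, from which public keys are derived.
BASE_POINT = (9).to_bytes(32, "little")


def generate_private_key() -> bytes:
    return os.urandom(32)


def public_key(private: bytes) -> bytes:
    return x25519(private, BASE_POINT)


def to_wg(key: bytes) -> str:
    """Encode a key the way the WireGuard UI and the wg tool display it (base64, 44 chars)."""
    return base64.b64encode(key).decode()


def from_wg(text: str) -> bytes:
    return base64.b64decode(text)


def shared_secret(own_private: bytes, peer_public_b64: str) -> bytes:
    """What a site can compute once it has received only the other site's public key."""
    return x25519(own_private, from_wg(peer_public_b64))


def demo_exchange():
    """Two constructed sites: each keeps its private key and hands over only the public key."""
    site_a_priv = generate_private_key()
    site_b_priv = generate_private_key()
    site_a_pub = to_wg(public_key(site_a_priv))  # written down on site A, pasted into site B
    site_b_pub = to_wg(public_key(site_b_priv))  # written down on site B, pasted into site A
    secret_a = shared_secret(site_a_priv, site_b_pub)
    secret_b = shared_secret(site_b_priv, site_a_pub)
    return site_a_pub, site_b_pub, secret_a == secret_b


if __name__ == "__main__":
    a_pub, b_pub, ok = demo_exchange()
    print("Site A public key:", a_pub)
    print("Site B public key:", b_pub)
    print("Both sides derived the same secret:", ok)
```

The point to take from the demo is that a private key never has to leave the machine it was
generated on; if a public key is mistyped on the other side the handshake simply fails, whereas a
leaked private key lets anyone impersonate that site.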

If this VPN runs between two OPNsense machines, do the same on the second machine and exchange the
public keys. Now go to tab **Endpoints** and add the remote site, give it a **Name**, insert the
**Public Key** and the **Allowed IPs**, e.g. *192.168.0.2/32, 10.10.10.0/24*. This will set the
remote tunnel IP address (/32 is important when using multiple endpoints) and route 10.10.10.0/24
via the tunnel. **Endpoint Address** is the public IP of the remote site, and you can optionally
also set the **Endpoint Port**. Now hit **Save changes**.

Go back to tab **Local**, open the instance and choose the newly created endpoint in **Peers**.

Now we can **Enable** the VPN in tab **General** and go on with the setup.

-----------------------
Step 3 - Setup Firewall
-----------------------

On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing UDP traffic to
the port you set in your instance. You also have a new interface **Wireguard** in rules, where you
can set granular rules on connections inside your tunnel.

Your tunnel is now up and running.

-------------------------
Step 4 - Routing networks
-------------------------

If you want to route your internal networks via this VPN, just add the network to the field
**Allowed IPs** in the **Endpoints** tab (e.g. 10.0.1.0/24).
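
The rules from Step 2 (a **Listen Port** is used by one instance only, the remote tunnel address is
a /32 when there are several endpoints) and Step 4 (extra networks go into **Allowed IPs**) are easy
to get wrong when a site grows beyond one peer, because WireGuard's cryptokey routing maps every
Allowed IPs prefix to exactly one peer: a prefix listed on two endpoints can only reach one of them.
The following added example, not code from the plugin or the OPNsense documentation, is a small
checker that models the **Local** and **Endpoints** tabs and reports such mistakes before they are
saved. The instance and endpoint names, the port 51820 and the second instance are constructed for
the demonstration; the addresses are the ones used on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Endpoint:
    """One entry of the Endpoints tab: remote site name and its Allowed IPs (constructed model)."""
    name: str
    allowed_ips: List[str]


@dataclass
class Instance:
    """One entry of the Local tab (constructed model)."""
    name: str
    listen_port: int
    tunnel_address: str  # e.g. "192.168.0.1/24"
    peers: List[Endpoint] = field(default_factory=list)


def check_instance(inst: Instance) -> List[str]:
    """Return the Allowed IPs problems of one instance; an empty list means it looks fine."""
    problems: List[str] = []
    local = ipaddress.ip_interface(inst.tunnel_address)
    tunnel_net = local.network
    # Cryptokey routing: every prefix belongs to exactly one peer, so remember who claimed what.
    owners = {}
    for ep in inst.peers:
        has_tunnel_ip = False
        for text in ep.allowed_ips:
            try:
                net = ipaddress.ip_network(text.strip(), strict=False)
            except ValueError:
                problems.append(f"{inst.name}/{ep.name}: '{text}' is not a valid prefix")
                continue
            same_family = net.version == local.version
            if same_family and local.ip in net:
                problems.append(f"{inst.name}/{ep.name}: {net} contains the local tunnel address {local.ip}")
            if same_family and net.subnet_of(tunnel_net):
                has_tunnel_ip = True
                if net.prefixlen != net.max_prefixlen:
                    problems.append(f"{inst.name}/{ep.name}: remote tunnel address {net} should be a single host (/32)")
            for other, owner in owners.items():
                if owner != ep.name and other.version == net.version and other.overlaps(net):
                    problems.append(f"{inst.name}/{ep.name}: {net} overlaps {other} already routed to {owner}")
            owners[net] = ep.name
        if not has_tunnel_ip:
            problems.append(f"{inst.name}/{ep.name}: no tunnel address inside {tunnel_net} in Allowed IPs")
    return problems


def check_instances(instances: List[Instance]) -> List[str]:
    """Check all instances, including that a Listen Port is used by one instance only."""
    problems: List[str] = []
    port_owner = {}
    for inst in instances:
        if inst.listen_port in port_owner:
            problems.append(f"{inst.name}: listen port {inst.listen_port} already used by {port_owner[inst.listen_port]}")
        else:
            port_owner[inst.listen_port] = inst.name
        problems.extend(check_instance(inst))
    return problems


def demo() -> List[str]:
    """Constructed configuration following the page's examples, plus deliberate mistakes on site-c."""
    site_a = Instance("site-a", 51820, "192.168.0.1/24", peers=[
        Endpoint("site-b", ["192.168.0.2/32", "10.10.10.0/24", "10.0.1.0/24"]),
        Endpoint("site-c", ["192.168.0.3/24", "10.10.10.0/24"]),  # /24 instead of /32, duplicate network
    ])
    backup = Instance("backup", 51820, "192.168.1.1/24",  # reuses the listen port of site-a
                      peers=[Endpoint("site-d", ["192.168.1.2/32"])])
    return check_instances([site_a, backup])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as a script, the demo lists four findings for ``site-c`` (the /24 swallows the local tunnel
address, is not a single host, overlaps the tunnel address of ``site-b``, and duplicates
``10.10.10.0/24``) and one for the second instance reusing the listen port; ``site-b`` with the
page's own values passes cleanly.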

That's it!