mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
Update wireguard-s2s.rst - Terminology changes 23.7.6
- Changed Local to Instance
- Changed Endpoint to Peer
- Added information about CARP vhid tracking to mitigate HA problems.
- Added note about Keepalive for NATed sites.
parent 9eae9391d4
commit 1c293736dc
@ -10,7 +10,7 @@ WireGuard is a simple and fast modern VPN protocol. It aims to be less complicat
It has fewer lines of code and is more easily audited than other VPN protocols. Initially released for the Linux kernel, it is now cross-platform and widely deployable.
.. Attention::
Wireguard is useful for simple routed site to site tunnels and roadwarrior setups. To this date, it doesn't play too nicely with high availability setups. That's because the peer may keep polling a stale interface and misinterpret the other instance as being the one that is down and keep sending traffic there. Also, because Wireguard is bound to all interfaces (and not explicitely the CARP VIP), both High Availability firewalls will send handshakes and fight against each other for the remote Wireguard peer. This behavior will probably be mitigated in 24.1 with Wireguard CARP vhid tracking. Using the protocol for critical workloads and high availability should be avoided in favor of IPsec.
Wireguard is useful for simple routed site to site tunnels and roadwarrior setups. To this date, it doesn't play too nicely with high availability setups. That's because the peer may keep polling a stale interface and misinterpret the other instance as being the one that is down and keep sending traffic there. Also, because Wireguard is bound to all interfaces (and not explicitely the CARP VIP), both High Availability firewalls will send handshakes and fight against each other for the remote Wireguard peer. This behavior was mitigated in 23.7.6 with Wireguard CARP vhid tracking that disables the Wireguard Instance with CARP VIPs in Backup state. In case of critical workloads and high availability, IPsec could still be the better choice.
.. Note::
The following example covers an IPv4 Site to Site Wireguard Tunnel between two OPNsense Firewalls with public IPv4 addresses on their WAN interfaces. You will connect *Site A LAN Net* ``172.16.0.0/24`` to *Site B LAN Net* ``192.168.0.0/24`` using the *Wireguard Transfer Net* ``10.2.2.0/24``. *Site A Public IP* is ``203.0.113.1`` and *Site B Public IP* is ``203.0.113.2``.
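Review bot: the reworded Attention block now contradicts itself: it still opens with "To this date, it doesn't play too nicely with high availability setups" and two sentences later states that the behaviour was mitigated in 23.7.6. Rephrase the opening in the past tense (e.g. "Before 23.7.6, Wireguard did not play nicely with high availability setups") or drop it. The typo "explicitely" (should be "explicitly") survives in the new line, and "Wireguard" is spelled differently from "WireGuard" in the surrounding text. The block also says the instance is bound to all interfaces and then that it is disabled "with CARP VIPs in Backup state"; spell out how an instance is associated with a CARP VIP so the reader knows what has to be configured for the vhid tracking to apply.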
@ -24,11 +24,11 @@ Step 1 - Installation
Install the os-wireguard plugin in :menuselection:`System --> Firmware --> Plugins`, refresh the GUI and you will soon find :menuselection:`VPN --> WireGuard`.
--------------------------------------------------
Step 2a - Setup WireGuard Local on OPNsense Site A
--------------------------------------------------
-----------------------------------------------------
Step 2a - Setup WireGuard Instance on OPNsense Site A
-----------------------------------------------------
Go to tab **Local** and press **+** to create a new instance.
Go to tab **Instances** and press **+** to create a new instance.
Enable the *advanced mode* toggle.
@ -45,11 +45,11 @@ Enable the *advanced mode* toggle.
Press **Save** and **Apply**.
--------------------------------------------------
Step 2b - Setup WireGuard Local on OPNsense Site B
--------------------------------------------------
-----------------------------------------------------
Step 2b - Setup WireGuard Instance on OPNsense Site B
-----------------------------------------------------
Go to tab **Local** and press **+** to create a new instance.
Go to tab **Instance** and press **+** to create a new instance.
Enable the *advanced mode* toggle.
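Review bot: tab name inconsistency in this hunk: "Go to tab **Instance**" here, while Step 2a and both Step 3 hunks use "**Instances**". Use the same plural form in all four places.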
@ -67,17 +67,17 @@ Enable the *advanced mode* toggle.
Press **Save** and **Apply**.
------------------------------------------------------
Step 3a - Setup WireGuard Endpoints on OPNsense Site A
Step 3a - Setup WireGuard Peer on OPNsense Site A
------------------------------------------------------
Go to tab **Endpoints** and press **+** to create a new endpoint.
Go to tab **Peers** and press **+** to create a new peer.
Enable the *advanced mode* toggle.
====================== ====================================================================================================
**Enabled** *Checked*
**Name** *wgopn-site-b*
**Public Key** *Insert the public key of the local instance from wgopn-site-b*
**Public Key** *Insert the public key of the instance from wgopn-site-b*
**Shared Secret** *Leave empty*
**Allowed IPs** *10.2.2.2/32 192.168.0.0/24*
**Endpoint Address** *203.0.113.2*
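Review bot: the heading was shortened to "Step 3a - Setup WireGuard Peer on OPNsense Site A" but its dashed underline was left at the old length, unlike the Step 2 headings in this commit, which were adjusted to match. docutils accepts an over-long underline, so this is a consistency point only; trim it to the length of the new title.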
@ -86,7 +86,7 @@ Enable the *advanced mode* toggle.
Press **Save** and **Apply**.
Go to tab **Local** and edit *wgopn-site-a*.
Go to tab **Instances** and edit *wgopn-site-a*.
====================== ====================================================================================================
**Peers** *wgopn-site-b*
@ -95,17 +95,17 @@ Go to tab **Local** and edit *wgopn-site-a*.
Press **Save** and **Apply**.
------------------------------------------------------
Step 3b - Setup WireGuard Endpoints on OPNsense Site B
Step 3b - Setup WireGuard Peer on OPNsense Site B
------------------------------------------------------
Go to tab **Endpoints** and press **+** to create a new endpoint.
Go to tab **Peers** and press **+** to create a new peer.
Enable the *advanced mode* toggle.
====================== ====================================================================================================
**Enabled** *Checked*
**Name** *wgopn-site-a*
**Public Key** *Insert the public key of the local instance from wgopn-site-a*
**Public Key** *Insert the public key of the instance instance from wgopn-site-a*
**Shared Secret** *Leave empty*
**Allowed IPs** *10.2.2.1/32 172.16.0.0/24*
**Endpoint Address** *203.0.113.1*
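Review bot: duplicated word in the new Public Key row: "*Insert the public key of the instance instance from wgopn-site-a*" should read "*Insert the public key of the instance from wgopn-site-a*", matching the Site A table. As in Step 3a, the heading underline was left at the old length after the title was shortened.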
@ -114,7 +114,7 @@ Enable the *advanced mode* toggle.
Press **Save** and **Apply**.
Go to tab **Local** and edit *wgopn-site-b*.
Go to tab **Instances** and edit *wgopn-site-b*.
====================== ====================================================================================================
**Peers** *wgopn-site-a*
@ -126,7 +126,10 @@ Press **Save** and **Apply**.
If one of your sites has a dynamic WAN IP address, you can leave the *Endpoint Address* on the site with the static IP address empty. The site with the dynamic IP will then be the initiator, and the site with the static IP will be the responder. Adjust the Firewall rule accordingly to allow any Source IP to connect to the static site.
.. Note::
If you use hostnames in the *Endpoint Address*, Wireguard will only resolve them once when you start the tunnel. If both sites have dynamic *Endpoint Addresses* set, the tunnel will stop working when they both use DynDNS hostnames, and one (or both) sites receives a new Lease from the ISP. You could probably mitigate this with a cron job that restarts wireguard periodically.
If you use hostnames in the *Endpoint Address*, Wireguard will only resolve them once when you start the tunnel. If both sites have dynamic *Endpoint Addresses* set, the tunnel will stop working when they both use DynDNS hostnames, and one (or both) sites receive a new WAN IP lease from the ISP. You could probably mitigate this with a cron job that restarts wireguard periodically.
.. Note::
If a site is behind NAT, a keepalive has to be set on the site behind the NAT. The keepalive should be 25 seconds as stated in the official wireguard docs. It keeps the UDP session open when no traffic flows, preventing the wireguard tunnel from becoming stale because the outbound port changes.
-------------------------------
Step 4a - Setup Firewall Site A
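Review bot: the new keepalive Note does not say where the value is entered. In WireGuard the keepalive is a per-peer setting, so name the tab and field the way the tables in Step 3 name them, and present "25 seconds" in the same bold/italic key-value style. The last sentence also misattributes the cause: the tunnel goes stale because the NAT mapping expires while the link is idle and the next packet is translated to a different source port, so rephrase along the lines of "keeps the NAT mapping alive; otherwise it expires, the translated source port changes and the remote peer keeps sending to a stale endpoint". Minor: "wireguard" is lowercase twice here while the rest of the page uses "Wireguard"/"WireGuard".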
@ -201,9 +204,9 @@ Go to :menuselection:`Firewall --> Settings --> Normalization` and add a new rul
Step 4c - Enable Wireguard on Site A and Site B
-----------------------------------------------
Go to :menuselection:`VPN --> WireGuard --> Settings` on both Sites and **Enable WireGuard**
Go to :menuselection:`VPN --> WireGuard --> Settings` on both sites and **Enable WireGuard**
Press **Apply** and check :menuselection:`VPN --> WireGuard --> Diagnostics`. You should see *Send* and *Received* traffic and *Handshake* should be populated by a number.
Press **Apply** and check :menuselection:`VPN --> WireGuard --> Diagnostics`. You should see *Send* and *Received* traffic and *Handshake* should be populated by a number. This happens as soon as the first traffic flows between the sites.
Your tunnel is now up and running.
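Review bot: the added sentence "This happens as soon as the first traffic flows between the sites" should be qualified: when a keepalive is configured on a NATed site, as the new Note in Step 3 recommends, the keepalive packets themselves trigger the handshake, so *Handshake* is populated without any LAN traffic. Saying so saves the reader from waiting for user traffic on that side. Also check whether the column is labelled *Send* or *Sent* in the Diagnostics page and match it.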
@ -280,4 +283,4 @@ Go to OPNsense Site B :menuselection:`Firewall --> Rules --> Wireguard (Group)`
Press **Save** and **Apply**.
.. Note::
Now both Sites have full access to the LAN of the other Site through the Wireguard Tunnel. For additional networks just add more **Allowed IPs** to the Wireguard Endpoints and adjust the firewall rules to allow the traffic.
Now both sites have full access to the LAN of the other Site through the Wireguard Tunnel. For additional networks just add more **Allowed IPs** to the Wireguard Endpoints and adjust the firewall rules to allow the traffic.
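Review bot: this hunk lowercases "both Sites" but leaves "the other Site" capitalized in the same sentence, and it still refers to "Wireguard Endpoints" although the commit renames Endpoint to Peer everywhere else; change it to "Wireguard Peers" to match the Step 3 tab names.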