2
0
mirror of https://github.com/opnsense/docs synced 2024-11-09 01:10:33 +00:00
opensense-docs/source/manual/how-tos/wireguard-client.rst
2019-04-30 11:28:13 +02:00

97 lines
4.8 KiB
ReStructuredText

============================
WireGuard Road Warrior Setup
============================
.. Warning::
WireGuard Plugin is still in development, use at your own risk!
------------
Introduction
------------
WireGuard is a simple, fast and modern VPN. It aims to be faster and simpler than IPSec. It intends to be
considerably more performant than OpenVPN. Initially released for the Linux kernel, it is now cross-platform
and widely deployable. It is currently under heavy development. We will describe here how to set up
WireGuard as a central server or just as a client.
---------------------
Step 1 - Installation
---------------------
Since WireGuard Plugin is still in development you have to switch via :menuselection:`System --> Firmware --> Settings`
the **Release Type** to **Development**. After this go to :menuselection:`System --> Firmware --> Plugins` and search
for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client
via :menuselection:`VPN --> WireGuard`.
--------------------------------
Step 2a - Setup WireGuard Server
--------------------------------
The setup of a central VPN server is very simple. Just go to tab **Local** and create a new instance.
Give it a **Name** and set a desired **Listen Port**. If you have more than one service instance be
aware that you can use the **Listen Port** only once. For **Tunnel Address** choose an unused network
to tunnel all clients just like with OpenVPN or GRE (e.g. 192.168.0.1/24).
**Peers** can not be chosen yet since we have not created them yet.
After hitting **Save changes** you can reopen the newly created instance, write down your new public
key and give it to the other side in a secure way (e.g. PGP encrypted or via SMS).
Now go to tab **Endpoints** and add the fist road warrior, give it a **Name**, insert the **Public
Key** and the **Tunnel Address** (e.g. 192.168.0.2/24). **Endpoint Address** and **Endpoint Port**
can be left empty since they are mostly dynamic, now hit **Save changes**.
Go back to tab **Local**, open the instance and choose the newly created endpoint in **Peers**.
Now we can **Enable** the VPN in tab **General** and continue with the setup.
If you want to add more users just add them in **Endpoints** and link them via **Peers**.
------------------------
Step 2b - Setup Firewall
------------------------
On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can
set granular rules on connection inside your tunnel.
Your tunnel is now up and running.
---------------------------------
Step 2c - Assignments and Routing
---------------------------------
With this setup your clients can reach your internal networks when they add it vial **Tunnel Address**.
But what if you want to push all traffic via VPN in order to filter some streams out of it?
Then we have to assign the interface via :menuselection:`Interface --> Assignments`, choose our instance (e.g. instance
0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address.
After this we can go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set
to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel
Network you use and **Translation / target** set to WAN address.
Now when you add 0.0.0.0/0 on your road warrior, outgoing packets are translated and reach the
Internet via your VPN.
When assigning interfaces we can also add gateways to them. This would offer you the chance to
balance traffic via different VPN providers or do more complex routing scenarios.
To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose your WireGuard interface
and set the Gateway to **dynamic**.
-------------------------------
Step 3 - Setup WireGuard Client
-------------------------------
The development of WireGuard is very dynamic so this howto won't include any screenshots since
features are added rapidly or naming might change.
If we have OPNsense also at the client side the configuration is similar to step 3a but you have to
choose a **Tunnel Address** within the range of the server side and exchange public keys after
the creation of a new instance. Then networks which should be routed via WireGuard have to be
added to your **Tunnel Address** in the endpoint configuration of your client (e.g. 192.168.0.0/24
when this is the LAN of WireGuard server). For pushing all network traffic via VPN you can add
0.0.0.0/0. If you do this it's important to also specifiy a DNS server which will be added to your
interface. Therefore go to **Local**, edit your instance and fill in one or more IP addresses to
the **DNS** field.
That's it!