WireGuard Configuration

WireGuard is an open source encrypted VPN solution; WireGuard configuration support was added to the REST API and Config Shell at release 23.8. WireGuard facilitates communication between two peer devices; in order to communicate with a peer, both devices must have a virtual WireGuard interface configured over the physical or virtual interface they are connected over.

Note: Users who have pre-existing configuration files for WireGuard will not have their configurations overwritten; the configurator only modifies those files if they are initially missing or are prefixed with a disclaimer stating that manual edits will be overwritten.

Viewing a WireGuard Configuration

WireGuard installs the wg tool, which can be used to control, configure and monitor WireGuard. Refer to the WireGuard online tools index page: index : wireguard-tools

Note: OpenGear does not own or operate the WireGuard tools web page and is not responsible for its content or maintenance. The link is provided only for the reader's convenience.

Configure WireGuard through Config Shell or REST API

WireGuard is configured through Config Shell or the REST API. The minimum configuration of WireGuard consists of the following steps:

  1. Provide a name for the interface (wg0 in the example below).

  2. Set enabled.

  3. Set the private_key of your WireGuard interface.

  4. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case).

  5. Add a peer with the following parameters: endpoint_address, endpoint_port, public_key.

  6. Add at least one allowed_ip for your peer. This is the WireGuard address of the remote interface you are connecting to; an address range is also accepted.

For example:

config: wireguard
config(wireguard): add wg0
config(wireguard wg0): private_key AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=
config(wireguard wg0): enabled true
config(wireguard wg0): addresses
config(wireguard wg0 addresses): add 10.0.0.1/24
config(wireguard wg0 addresses): up
config(wireguard wg0): peers
config(wireguard wg0 peers): add
config(wireguard wg0 peers 0): public_key o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=
config(wireguard wg0 peers 0): allowed_ips
config(wireguard wg0 peers 0 allowed_ips): add 10.0.0.2/32
config(wireguard wg0 peers 0 allowed_ips): up
config(wireguard wg0 peers 0): endpoint_address 192.168.1.2
config(wireguard wg0 peers 0): endpoint_port 51820
config(wireguard wg0 peers 0): up
config(wireguard wg0 peers): top

Config Shell WireGuard Configuration

The following shows a typical WireGuard configuration in Config Shell:

config: show wireguard wg0
Entity wireguard item wg0
  description ""
  enabled true
  mtu 1420
  name wg0
  port 51820
  private_key AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=
  public_key ""
  table ""
  addresses (array)
    0 10.0.0.1/24
  peers (array)
    0 (object)
      endpoint_address     192.168.1.2
      endpoint_port            51820
      keep_alive                  ""
      public_key                  o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=
      allowed_ips (array)
          0 10.0.0.2/32
  post_down_hooks (array)
  post_up_hooks (array)
  pre_down_hooks (array)
  pre_up_hooks (array)

REST API WireGuard Configuration

The following shows a typical WireGuard configuration as represented in the REST API:

{
    "wireguards": [
        {
            "enabled": true,
            "post_down_hooks": [],
            "id": "wireguard_tunnels-1",
            "pre_up_hooks": [],
            "post_up_hooks": [],
            "private_key": "AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=",
            "name": "wg0",
            "pre_down_hooks": [],
            "addresses": [
                "10.0.0.1/24"
            ],
            "peers": [
                {
                    "allowed_ips": [
                        "10.0.0.2/32"
                    ],
                    "public_key": "o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=",
                    "endpoint_address": "192.168.1.2",
                    "endpoint_port": 51820
                }
            ]
        }
    ]
}

Configurable WireGuard Fields

The WireGuard <interface-name> context holds the configuration for a WireGuard connection. The following fields can be configured:

WireGuard Field Description
description Any user text describing the WireGuard interface.
enabled Values may be true or false. When enabled, WireGuard will be started for this configuration.
mtu Allows customization of the maximum transmission unit (MTU) for the local WireGuard interface. The range is 1280 - 1472; if not set, WireGuard uses its internal default of 1420.
name The name of the WireGuard interface used in the Linux kernel. Names must be unique, at most 15 characters, and contain only letters, numbers, hyphens or underscores.
port The port the local instance of WireGuard will listen on. The range is 1 to 65535 and defaults to 51820.
private_key The private key used to authenticate the local WireGuard interface. This is obtained by running the wg genkey command.
public_key The public key that corresponds to your private key, which WireGuard peers will authenticate with. This is obtained by running the wg pubkey command.
table The routing table for the WireGuard routes. Can be a table number, 'off' or 'auto'.

WireGuard Context Sub-objects

There are a number of sub-objects under the WireGuard context: addresses, peers and hooks.

Addresses

The wireguard <interface-name> addresses context is a list that holds the IPv4 CIDR addresses of the local WireGuard interface. These are statically assigned when the WireGuard interface is brought up.

config: wireguard
config(wireguard): add wg0
config(wireguard wg0): addresses
config(wireguard wg0 addresses): add 10.0.0.1/24

Peers

The following list defines the WireGuard settings for WireGuard-capable remote peers. Each peer has the following fields:

config(wireguard wg0 peers 0): show
Entity wireguard item wg0 field peers 0
    endpoint_address ""
    endpoint_port ""
    keep_alive ""
    public_key "" (required)
    allowed_ips (array) (required)

Peer Field Description
endpoint_address A reachable IP address or fully-qualified domain name of the remote peer's WireGuard interface.
endpoint_port The port number on which the WireGuard instance on the remote peer is listening.
keep_alive Equivalent to PersistentKeepalive in the WireGuard config; this specifies how often the WireGuard interface must send a keepalive packet. This helps keep the routing entry alive in scenarios where the peer is behind a NAT.
public_key The public key that will be accepted by the local WireGuard service if offered by a peer for the purpose of mutual authentication during a five step key exchange process.
allowed_ips A list which specifies the IP ranges for which a peer routes traffic. For multiple WireGuard interfaces on the same device, the addresses must not overlap. The IP addresses specified here are the addresses of the peer's WireGuard interface(s); this is where the peer "routes traffic". These are specified as IPv4 addresses in a.b.c.d/<cidr_mask> format.
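The field constraints in the two tables above (interface name, mtu, port, address format, required peer fields, and the no-overlap rule for allowed_ips across interfaces) are easy to get wrong when a REST payload is assembled by a script. The following validator is an added example, not part of this page or the Opengear product, and checks a "wireguards" document against exactly those documented rules before it is submitted; the 44-character base64 key format check is an assumption based on WireGuard's 32-byte keys, not something the page states.

```python
import ipaddress
import re

# Constraints follow this page's field tables; the payload shape mirrors the page's
# REST document. KEY_RE is an assumption (32-byte WireGuard key as base64).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")

def validate_wireguards(doc):
    """Return problems found in a {"wireguards": [...]} payload; empty list means valid."""
    problems, names, allowed = [], set(), []  # allowed: (iface, network) pairs seen so far
    for wg in doc.get("wireguards", []):
        name = wg.get("name", "")
        where = f"wireguard {name or '?'}"
        if not NAME_RE.match(name):
            problems.append(f"{where}: name must be 1-15 letters, digits, '-' or '_'")
        if name in names:
            problems.append(f"{where}: duplicate interface name")
        names.add(name)
        if not KEY_RE.match(wg.get("private_key", "")):
            problems.append(f"{where}: private_key is not a 44-char base64 key")
        mtu = wg.get("mtu")
        if mtu is not None and not 1280 <= mtu <= 1472:
            problems.append(f"{where}: mtu {mtu} outside 1280-1472")
        if not 1 <= wg.get("port", 51820) <= 65535:
            problems.append(f"{where}: port outside 1-65535")
        if not wg.get("addresses"):
            problems.append(f"{where}: at least one address is required")
        for addr in wg.get("addresses", []):
            try:
                ipaddress.IPv4Interface(addr)
            except ValueError:
                problems.append(f"{where}: address {addr!r} is not IPv4 a.b.c.d/mask")
        for i, peer in enumerate(wg.get("peers", [])):
            pwhere = f"{where} peer {i}"
            if not KEY_RE.match(peer.get("public_key", "")):
                problems.append(f"{pwhere}: public_key is required (44-char base64)")
            if not peer.get("allowed_ips"):
                problems.append(f"{pwhere}: allowed_ips needs at least one entry")
            for cidr in peer.get("allowed_ips", []):
                try:
                    net = ipaddress.IPv4Network(cidr, strict=False)
                except ValueError:
                    problems.append(f"{pwhere}: allowed_ip {cidr!r} is not IPv4 CIDR")
                    continue
                for other_name, other in allowed:  # no overlap across interfaces
                    if other_name != name and net.overlaps(other):
                        problems.append(f"{pwhere}: {cidr} overlaps {other} on {other_name}")
                allowed.append((name, net))
    return problems
```

Feeding the REST document shown earlier on this page returns an empty list; a second interface whose peer's allowed_ips overlap 10.0.0.2/32 is reported by interface name.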

Hooks

WireGuard allows commands to be executed before or after the interface is brought up or down. These can be specified in the following array fields:

Note: Each field is an array of strings, each corresponding to a command to be executed.

Hook Description
pre_up_hooks Run a command before the interface is brought up (optional).
post_up_hooks Run a command after the interface is brought up (optional).
pre_down_hooks Run a command before the interface is brought down (optional).
post_down_hooks Run a command after the interface is brought down (optional).

Adding a WireGuard Interface to a Firewall Zone

A WireGuard interface can be added to a firewall zone through the zone's wireguards array, as shown in the following firewall/zone entity:

Entity firewall/zone item zone
  description "" (required)
  label "" (required)
  masquerade "" (required)
  name zone
  permit_all_traffic "" (required)
  address_filters (array)
  custom_rules (array)
  physifs (array)
  port_forwarding_rules (array)
  wireguards (array)