Convert wireguard config from rolling to 1.2.5 LTS

Thanks for the recent changes I am now a Patreon contributor and have access to the LTS release images.

Currently running a rolling release that is working fine and wanted to see how the LTS version differed in terms of day to day performance.

Hit a small snag with my working wireguard config. The syntax has changed, which is mostly fine; however, in my current config I use the private-key attribute to point to a generated key set stored in /config/auth/wireguard/wg[x]

This does not seem to have an equivalent in 1.2.5.

What am I doing wrong?

wireguard wg0 {
    address xxxxxxxx
    description mullvad
    mtu 1420
    peer mullvad-gb1 {
        address xxxxxxxx
        allowed-ips 0.0.0.0/0
        port 51820
        pubkey xxxxxxxx
    }
    private-key wg0
}

Hi @phillipmcmahon,

you are right, the CLI from 1.2 and 1.3 differ in a lot of ways. As we provide an upgrade path from 1.2 to 1.3 through a bunch of migration scripts which rewrite the config on first boot under the hood, we do not supply “downgrade” conversion scripts.

In your special case the CLI syntax has changed in VyOS 1.2 from

set interfaces wireguard wg0 peer foo endpoint 1.1.1.1:2222

to a more “friendly” version in 1.3

set interfaces wireguard wg0 peer foo address 1.1.1.1
set interfaces wireguard wg0 peer foo port 2222

I have introduced the migration because it is much easier to validate the input data on the CLI for an IP address and port rather than for a string which contains both (https://phabricator.vyos.net/T2206).

You simply need to merge the address and port node in the CLI to the old endpoint node in VyOS 1.2.x.

More info in the documentation: https://docs.vyos.io/en/crux/vpn/wireguard.html#wireguard-interface-configuration

Cheers!

Hi @c-po thanks for the quick response.

I should have made it clearer in my question. I already changed the syntax to the older format as you mentioned.

However, I cannot find a way to specify the private-key attribute. When trying to save the config, the commit fails as a private-key cannot be found even though it is there under /config/auth/wireguard/wg0/private.key

Ah, those are called named keypairs; that is not available in VyOS 1.2 if I recall everything.

In VyOS 1.2 there is only one key which is named default when you upgrade to 1.3.

OK, that is good to know. I was kind of hoping there might be some way to use 1.2.5. I will just stick with the rolling release.

Many thanks for the help and quick responses.

You can use 1.2.5 for sure, I do that, too.

The only difference is that VyOS 1.3 supports multiple crypto keys (a different key per tunnel) whereas VyOS 1.2 only has one for all tunnels.

I have 3 tunnels, so need multi-key support.

Tunnel 1 : Route via a mullvad endpoint
Tunnel 2 : wg “server” that routes via the native ISP for remote LAN and WAN access
Tunnel 3 : wg “server” that routes via the mullvad endpoint for remote LAN access and VPN WAN access

Am I right in presuming the multi-key support isn’t targeted for crux?

Yes, it is not targeted for crux. The only chance is to use the same key on all tunnels - that would work.

True, and will consider that if you think there is a compelling reason to go from rolling to 1.2.5?

I use the rolling iso as much as possible to weed out bugs and for testing, so if possible, go with 1.3 to help us make it more stable; the more testers, the sooner there will be a 1.3 stable release.


This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.
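
The merge of the 1.3 `address` and `port` peer nodes back into the 1.2 `endpoint` node, plus a check for the named `private-key` node that 1.2 lacks, as an added example that is not part of the original posts or VyOS's own migration scripts. It assumes the config is available as `set` commands; `to_crux`, the sample addresses and the placeholder public key are made up for illustration.

```python
import re

# 1.3-style nodes discussed in the thread: peer address/port and a named private key.
PEER_NODE = re.compile(r"^set interfaces wireguard (\S+) peer (\S+) (address|port) (\S+)$")
NAMED_KEY = re.compile(r"^set interfaces wireguard (\S+) private-key (\S+)$")

def to_crux(commands):
    """Return (commands in 1.2 syntax, warnings) for 1.3-style WireGuard `set` lines."""
    out, warnings, peers, keys = [], [], {}, {}
    for cmd in (c.strip() for c in commands if c.strip()):
        if m := PEER_NODE.match(cmd):
            intf, peer, node, value = m.groups()
            peers.setdefault((intf, peer), {})[node] = value
        elif m := NAMED_KEY.match(cmd):
            keys[m.group(1)] = m.group(2)  # dropped: no named keypairs on 1.2
        else:
            out.append(cmd)  # everything else passes through unchanged
    for (intf, peer), nodes in peers.items():
        addr, port = nodes.get("address"), nodes.get("port")
        if addr is None or port is None:
            warnings.append(f"{intf} peer {peer}: address and port are both needed for an endpoint")
        elif ":" in addr:
            # Assumption: IPv6 endpoint formatting is not covered in the thread, so do not guess.
            warnings.append(f"{intf} peer {peer}: IPv6 address {addr} left for manual conversion")
        else:
            out.append(f"set interfaces wireguard {intf} peer {peer} endpoint {addr}:{port}")
    if keys:
        warnings.append("private-key removed from " + ", ".join(sorted(keys))
                        + ": 1.2 uses one key for all tunnels")
    if len(set(keys.values())) > 1:
        warnings.append("tunnels used different keys: remote peers must be given the "
                        "public key of the single shared key")
    return out, warnings

# Constructed sample (documentation addresses, placeholder public key).
SAMPLE = """
set interfaces wireguard wg0 address 10.64.0.2/32
set interfaces wireguard wg0 peer mullvad-gb1 address 192.0.2.10
set interfaces wireguard wg0 peer mullvad-gb1 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer mullvad-gb1 port 51820
set interfaces wireguard wg0 peer mullvad-gb1 pubkey PLACEHOLDER_PUBKEY
set interfaces wireguard wg0 private-key wg0
set interfaces wireguard wg1 private-key wg1
""".splitlines()

if __name__ == "__main__":
    converted, notes = to_crux(SAMPLE)
    print("\n".join(converted))
    print("\n".join("# WARNING: " + n for n in notes))
```

The second warning matters when tunnels that had separate keypairs are collapsed onto one key: every remote peer still holding an old public key will stop handshaking until it is updated.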