Dear vyos-Experts,
Disclaimer: I’m currently evaluating vyos 1.5 nightly and I not only have very little experience regarding vyos, I’m also relatively new to wireguard (I’m only used to setting up IPsec and OpenVPN on many different platforms), so please forgive me this perhaps strange-seeming question:
Why do I have to initially create a roadwarrior/peer (e.g. “mobile1”) config section to be able to set up a wireguard interface?
- Scenario:
set interfaces wireguard wg1 description 'test'
set interfaces wireguard wg1 address '10.10.21.3/24'
set interfaces wireguard wg1 address '2001:____:____:1021::11/64'
set interfaces wireguard wg1 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces wireguard wg1 ipv6 adjust-mss 'clamp-mss-to-pmtu'
#set interfaces wireguard wg1 peer mobile1 allowed-ips '10.10.21.101/32'
#set interfaces wireguard wg1 peer mobile1 allowed-ips '2001:____:____:1021::101/128'
#set interfaces wireguard wg1 peer mobile1 persistent-keepalive '15'
#set interfaces wireguard wg1 peer mobile1 public-key '...='
set interfaces wireguard wg1 port '2020'
set interfaces wireguard wg1 private-key '...='
commit
[ interfaces wireguard wg1 ]
At least one Wireguard peer is required!
[[interfaces wireguard wg1]] failed
Commit failed
[edit]
Trying to commit this block fails (due to the required but missing/commented-out peer configuration), while trying to generate a peer config fails due to the missing interface config:
generate wireguard client-config mobile1 interface wg1 server 2001:____:____:10::21 address 10.10.21.101 address 2001:____:____:1021::101
WireGuard interface "wg1" does not exist!
I clearly understand that the interface has to be present to be able to generate a peer’s configuration, but I don’t understand why a peer’s configuration has to be present during interface configuration.
- Scenario:
set interfaces wireguard wg1 description 'test'
set interfaces wireguard wg1 address '10.10.21.3/24'
set interfaces wireguard wg1 address '2001:____:____:1021::11/64'
set interfaces wireguard wg1 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces wireguard wg1 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces wireguard wg1 peer mobile1 allowed-ips '10.10.21.101/32'
set interfaces wireguard wg1 peer mobile1 allowed-ips '2001:____:____:1021::101/128'
set interfaces wireguard wg1 peer mobile1 persistent-keepalive '15'
set interfaces wireguard wg1 peer mobile1 public-key '...='
set interfaces wireguard wg1 port '2020'
set interfaces wireguard wg1 private-key '...='
Committing this block obviously succeeds.
But letting vyos generate a peer configuration (qr-code) for peer “mobile1” generates new keys and requires overwriting the initial configuration for peer “mobile1”.
The existing peer configuration seems to be ignored; in fact, it cannot be reused due to the peer’s unknown/kept-secret private key. So the initial peer’s configuration is useless for client-config generation and shouldn’t be required during wireguard interface setup.
Thus I would like to suggest making the peer configuration optional during interface setup.
Bonus-Enhancement-request:
vyos’ wireguard-peer/client-config generator command lacks some out-of-the-box-useful options (e.g. DNS server addresses, persistent-keepalive interval, …). Because the DNS server’s address currently seems to be hardcoded to 1.1.1.1, each generated client-config needs custom tweaking.
Best regards,
vozzy
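The point made in the post, that the router only ever needs the peer's public key and can never recover a private key that was generated elsewhere, as an added example that is not part of the post and not VyOS code: a pure-Python X25519 (RFC 7748) derives the WireGuard public key from a client-generated private key and emits the matching `set interfaces wireguard ... peer` lines, so the private key never has to be typed into the router. The helper names (`public_key`, `vyos_peer_commands`) are my own and assumed.

```python
import base64
P, A24 = 2**255 - 19, 121665  # Curve25519 field prime and (A - 2) / 4

def _cswap(swap, a, b):
    # branch-free conditional swap, as in RFC 7748 (swap is 0 or 1)
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5; k is an already clamped scalar
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def _clamp(priv: bytes) -> int:
    # RFC 7748 scalar decoding ("clamping") of a 32-byte private key
    k = bytearray(priv)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def public_key_bytes(priv: bytes) -> bytes:
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    return x25519(_clamp(priv), 9).to_bytes(32, "little")  # base point u = 9

def public_key(private_b64: str) -> str:
    # WireGuard keys are base64 in config files and in "wg" output
    return base64.b64encode(public_key_bytes(base64.b64decode(private_b64))).decode()

def vyos_peer_commands(iface, peer, pub_b64, allowed_ips, keepalive=15):
    # The router side needs only the peer's PUBLIC key; the private key stays on the client
    prefix = f"set interfaces wireguard {iface} peer {peer}"
    lines = [f"{prefix} allowed-ips '{ip}'" for ip in allowed_ips]
    lines.append(f"{prefix} persistent-keepalive '{keepalive}'")
    lines.append(f"{prefix} public-key '{pub_b64}'")
    return lines
```

Feed the client's private key (e.g. from `wg genkey` on the client) to `public_key`, and paste only the returned `set` lines into the router; the key material checked here is the RFC 7748 test vector, not a real key.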