Wireguard site-to-site setup?


#1

Hi, at the moment I have a site-to-site configuration with multiple clients using OpenVPN.

For each client I have a vtunX interface with a private IP and some settings for ipv6 using openvpn-option (since it’s not in the scripts).

I’m basically announcing my own /24 and then routing a /29 and a /56 (IPv6) per tunnel.

How would I do this using Wireguard? wg0, wg1, wg2, etc.? Any suggestions?


#2

Hi @sebastianm,

What do you mean by ‘announcing my own /24…’? Via BGP or another dynamic routing protocol?
You can terminate all tunnels on a single interface, or you can spread it through multiple ones. A wg interface can handle multiple endpoints.


#3

Yes, I have a VM at Vultr and a /24 prefix which I’m announcing via BGP.

How can I configure a network such as /30 or /31 between my router and the peer though?

With OpenVPN I can just use “ifconfig” (mapped to VyOS shell) & “ifconfig-ipv6”.


#4

Several options: either you define a policy via wg allowed-ips, or you set allowed-ips to 0.0.0.0/0, ::/0 and set an interface route if you want to use multiple interfaces.

e.g.
wg01 has 3 peers.
peer1 allowed-ips: 10.1.1.0/29
peer2 allowed-ips: 10.1.1.8/29
peer3 allowed-ips: 10.1.1.64/26

the interface route would be then 10.1.1.0/24 interface wg01. Allowed IPs is basically your policy of the destination IPs.

If you want to use 1 interface per peer, then allowed-ips is either a list of destination IPs, or 0.0.0.0/0; then your route would be 10.1.1.0/24 interface wg01, 10.2.1.0/24 interface wg02 and so on.
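As an added example (not part of this thread and not VyOS or WireGuard code), the following Python models the two routing layers that post #4 describes: the host routing table decides which interface a packet leaves on (the "interface route"), and WireGuard's cryptokey routing then picks the peer whose allowed-ips cover the destination, dropping the packet if none does. It also shows the receive-side half of allowed-ips that the post does not spell out: a decrypted packet is only accepted if its inner source address lies in the sending peer's allowed-ips. The peer names and prefixes for wg01 are taken from the post; the catch-all peer "data-vpn" on wg02 and the class names are my own assumptions.

```python
import ipaddress


class WgInterface:
    """One WireGuard interface with its cryptokey routing table.

    WireGuard keeps a single allowed-ips trie per interface: each prefix maps
    to exactly one peer, and a prefix added to a second peer is moved away
    from the first. This class mirrors that behaviour.
    """

    def __init__(self, name):
        self.name = name
        self.peers = {}       # peer name -> list of networks
        self.by_prefix = {}   # network -> peer name (the trie)

    def add_peer(self, name, allowed_ips):
        self.peers.setdefault(name, [])
        for a in allowed_ips:
            net = ipaddress.ip_network(a, strict=False)
            previous = self.by_prefix.get(net)
            if previous is not None and previous != name:
                self.peers[previous].remove(net)      # prefix moves to new peer
            self.by_prefix[net] = name
            if net not in self.peers[name]:
                self.peers[name].append(net)

    def select_peer(self, dst):
        """Transmit side: longest-prefix match of the *destination* address."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.by_prefix.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return None if best is None else best[1]

    def accept_inbound(self, peer, src):
        """Receive side: the decrypted packet's *source* address must fall in
        the sending peer's allowed-ips, otherwise WireGuard drops it. This is
        what stops one peer from injecting traffic for another peer's /29."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(peer, ())
                   if net.version == addr.version)


class Router:
    """Minimal host routing table: prefix -> egress interface, longest match."""

    def __init__(self):
        self.routes = []   # (network, interface name)
        self.wg = {}       # interface name -> WgInterface

    def add_wg(self, iface):
        self.wg[iface.name] = iface

    def add_route(self, prefix, iface_name):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), iface_name))

    def forward(self, dst):
        """Return (egress interface, peer). (iface, None) means the packet
        reached a wg interface but no peer's allowed-ips cover it, so it is
        dropped: the interface route is wider than the sum of the allowed-ips."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        if best is None:
            return (None, None)
        iface = best[1]
        if iface not in self.wg:
            return (iface, None)
        return (iface, self.wg[iface].select_peer(dst))


def build_example():
    """The layout from post #4 (wg01 with three peers and one interface route)
    plus an assumed catch-all peer on its own interface wg02."""
    r = Router()
    wg01 = WgInterface("wg01")
    wg01.add_peer("peer1", ["10.1.1.0/29"])
    wg01.add_peer("peer2", ["10.1.1.8/29"])
    wg01.add_peer("peer3", ["10.1.1.64/26"])
    r.add_wg(wg01)
    r.add_route("10.1.1.0/24", "wg01")

    wg02 = WgInterface("wg02")
    wg02.add_peer("data-vpn", ["0.0.0.0/0", "::/0"])   # assumed catch-all peer
    r.add_wg(wg02)
    r.add_route("10.2.1.0/24", "wg02")
    return r


if __name__ == "__main__":
    r = build_example()
    for dst in ("10.1.1.3", "10.1.1.10", "10.1.1.100", "10.1.1.20", "10.2.1.7"):
        print(dst, "->", r.forward(dst))
```

The point to take from the simulation: with a /24 interface route but only three /29 and /26 allowed-ips, a destination such as 10.1.1.20 is routed to wg01 and then silently dropped, which is why allowed-ips has to cover every prefix you expect to reach through that interface. The receive-side check is the reason you should not hand a peer a wider allowed-ips range than it legitimately sources.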


#5

Thanks, I’ll try that. The issue I’m having right now is that apparently the wireguard module isn’t included in the latest rolling ISO. I’m getting the “modprobe: FATAL: Module wireguard not found” error.


#6

Yes, we are already aware of that issue. The wireguard module is actually installed, but the kernel version installed in the ISO is a different one.


#7

I can confirm that DHCPv6 & WireGuard works fine in “vyos-1.2.0-rolling+201810290337-amd64.iso”.


#12

@hagbard one of the wireguard interfaces “disappears” from the config after boot. “wg” shows it’s active (wg0+wg1) & they are both in /config/config.boot but the “show” command shows only wg1.

wireguard wg0 {
    address 10.0.71.3/24
    peer mgmt-vpn {
        allowed-ips 0.0.0.0/0
        endpoint server1:51820
        persistent-keepalive 15
        pubkey nopenopenope
    }
}
wireguard wg1 {
    address 172.16.179.2/30
    peer data-vpn {
        allowed-ips 0.0.0.0/0
        endpoint server2:51820
        persistent-keepalive 15
        pubkey nopenopenope
    }
}

#13

okay so apparently if there are multiple wg interfaces only the last one is shown by the “show” command.


#15

Hi @sebastianm, the show command is working fine; however, I found a bug with setting the IP for a second interface: it sets everything, but it looks like the config parser calls the commands in a loop and therefore it is not marked as applied. I’m gonna open a bug for it and have a look. Meanwhile, you can terminate multiple peers on a single wg interface.

Interface    IP Address          S/L  Description
---------    ----------          ---  -----------
eth0         192.168.0.149/24    u/u
eth1         -                   u/u
lo           127.0.0.1/8         u/u
             ::1/128
wg0          10.1.1.1/32         u/u  wg0
wg1          10.2.1.1/32         u/u  wg1

https://phabricator.vyos.net/T949


#16

Ok I’ve reverted back to using OpenVPN instead of WireGuard for my tunnels because I had various issues with MTU (I think).

Running speedtest-cli on VMs that were on the subnet going through WireGuard was flaky, sometimes it would be stuck on “Retrieving speedtest.net configuration…” and sometimes it would work (fine or w/ 0mbps download speed & proper upload).

After reverting back to OpenVPN it now works fine though I’ve left the wg0 interface for my management network (ESXi web interface, SNMP & such) which itself is configured in a star topology.

I’m not sure if I’ll have issues with the management WireGuard VPN. If I do, I’ll report back.


#17

You can set a different MTU, but I doubt that it will be an issue if you don’t filter ICMP. In my tests, it was outperforming OpenVPN.