This is something I had in mind but didn't find the time to accomplish before. It just took a very cold day to convince me that I have to play with Wireguard on VyOS.
I used GNS3, of course, on my personal Linux laptop to create this setup. The performance was not that great, since it is just a simulation.
In real life, I am using WireGuard on a 10-year-old Raspberry Pi Model B, and amazingly, with just a 700 MHz single-core ARM CPU and less than 512 MB of RAM, I had a decent and stable permanent WireGuard tunnel. (My bandwidth would reach 24 Mbps without issue.)
Back to my simulation, this is what it looks like:
Quick explanation: the VyOS routers labeled IPERF1 and IPERF2 are only used for an iperf3 test, which was able to reach about 50 to 60 Mbps each time. It ain't much, but it was honest (and free) secure bandwidth!
I won't get into the details of this setup, but I will just post the two most important configurations, R-East and R-West:
#### VYOS WireGuard Site2Site ####
##KEY GENERATION ON BOTH ROUTERS##
generate wireguard default-keypair
##GETTING THE PUBLIC KEY ON EACH ROUTER##
show wireguard keypairs pubkey default
#R-EAST CONFIG
set interfaces wireguard wg01 address '10.255.255.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.0.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.16.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-WEST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01
#R-WEST CONFIG
set interfaces wireguard wg01 address '10.255.255.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '172.17.0.2'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'R-EAST PUBLIC KEY'
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 192.168.0.0/24 next-hop-interface wg01
## VYOS Firewall, on both routers
set firewall name OUTSIDE_LOCAL rule 10 action accept
set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related'
set firewall name OUTSIDE_LOCAL rule 10 state established enable
set firewall name OUTSIDE_LOCAL rule 10 state related enable
set firewall name OUTSIDE_LOCAL rule 20 action accept
set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN
set firewall name OUTSIDE_LOCAL rule 20 destination port 51820
set firewall name OUTSIDE_LOCAL rule 20 log enable
set firewall name OUTSIDE_LOCAL rule 20 protocol udp
set firewall name OUTSIDE_LOCAL rule 20 source address 'PEER PUBLIC IP'
set interfaces ethernet eth0 firewall local name 'OUTSIDE_LOCAL'
This configuration allows only the networks 192.168.0.0/24 from the East side and 10.0.0.0/24 from the West side to send traffic through the WireGuard VPN tunnel between R-East and R-West, because the allowed-ips on each peer restrict both which destinations are encrypted towards that peer and which source addresses are accepted from it. For testing purposes, ping for example from PC1 to PC2 and from PC2 to PC1. Pinging from R-East to R-West would fail if the source is not set to the authorized network.
Also, there has been no configuration whatsoever on the Open vSwitch switches; they are used only for L2 packet switching.
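To see why the source address matters, here is an added example (not from the original post) that models WireGuard's cryptokey routing with the allowed-ips from the two configurations above and checks whether a request and its echo reply would be accepted by both tunnel endpoints. The host addresses for PC1, PC2 and the routers' LAN interfaces are assumed, since the post only gives the /24 prefixes.

```python
"""Model of WireGuard cryptokey routing for the R-East / R-West lab.

Added example, not code from the original post. It encodes the
allowed-ips of the two VyOS peers and checks whether a packet and its
reply pass both endpoints. Host addresses below are assumed.
"""
from ipaddress import ip_address, ip_network

# allowed-ips per router, as in the VyOS configs (one peer each).
ALLOWED_IPS = {
    "R-East": [ip_network("10.0.0.0/24")],      # peer to-wg02 = R-West
    "R-West": [ip_network("192.168.0.0/24")],   # peer to-wg02 = R-East
}
PEER_OF = {"R-East": "R-West", "R-West": "R-East"}


def _in_allowed(router, addr):
    return any(ip_address(addr) in net for net in ALLOWED_IPS[router])


def one_way(sender, src, dst):
    """Return (ok, reason) for one packet from `sender` to its peer.

    WireGuard consults allowed-ips twice: the sender only encrypts a
    packet to the peer whose allowed-ips cover the destination, and the
    receiver drops a decrypted packet whose source address lies outside
    the allowed-ips of the peer it arrived from.
    """
    receiver = PEER_OF[sender]
    if not _in_allowed(sender, dst):
        return False, f"{sender}: no peer with allowed-ips covering {dst}"
    if not _in_allowed(receiver, src):
        return False, f"{receiver}: source {src} not in allowed-ips, dropped"
    return True, "ok"


def round_trip(sender, src, dst):
    """Check the request and the echo reply; a ping needs both."""
    ok, why = one_way(sender, src, dst)
    if not ok:
        return False, why
    return one_way(PEER_OF[sender], dst, src)


# Constructed addresses for the lab (the post gives only the prefixes).
PC1, PC2 = "192.168.0.10", "10.0.0.10"
R_EAST_TUNNEL, R_EAST_LAN, R_WEST_LAN = "10.255.255.1", "192.168.0.1", "10.0.0.1"

if __name__ == "__main__":
    for sender, src, dst in [("R-East", PC1, PC2),
                             ("R-East", R_EAST_TUNNEL, R_WEST_LAN),
                             ("R-East", R_EAST_LAN, R_WEST_LAN)]:
        print(sender, src, "->", dst, round_trip(sender, src, dst))
```

The second case shows the failure from the paragraph above: a ping sourced from R-East's tunnel address 10.255.255.1 leaves R-East but is dropped by R-West, while the same ping sourced from 192.168.0.1 completes in both directions.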