How to conifugre wireguard in vyos

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

Today I will try to deploy wireguard with two vyos .

Site-to-Sit mode


Toplogy
|--------------------------------|               |---------------------------------|
|      Server                    |               |        Client                   | 
|                                |-----cloud ----|  wan:${wan-address}             |                            
| wireguard tunnel interface:wg01|               | Wireguard tunnel interface:wg01 |
|--------------------------------|               |---------------------------------|

Server configuration

# Generates a new keypair, if one exists already is asks you if you want to overwrite the existing one.
generate wireguard keypair

#Show the private key
show wireguard privkey 

#Show the public key
show wireguard pubkey

#Enter configuration mode
configure

#set virtual network interfaces for wireguard
set interfaces wireguard wg01 address '172.16.100.1/24'

#Set Wireguard listen port
set interfaces wireguard wg01 port '50100'

#Add CLIENT1
#Set wireguard allow client ip ranges to access.
set interfaces wireguard wg01 peer CLIENT1 allowed-ips '172.16.100.2/32' 

#Set how offten to send keep alives in seconds
set interfaces wireguard wg01 peer CLIENT1 persistent-keepalive '15'

#Set presharekey
set interfaces wireguard wg01 peer CLIENT1 preshared-key gLdIlCM/AsobjfDgFK/cdgsAcjILTzLY4df5BskRcqY=
#Set client public key
set interfaces wireguard wg01 peer CLIENT1 pubkey '${client-pubkey}'


#set static routing.
set protocols static interface-route '172.16.100.0/24' next-hop-interface wg01


#make configuration applied
commit

#Save configuration
save



 

Client configuration

1. vyos wireguard client

# Generates a new keypair, if one exists already is asks you if you want to overwrite the existing one.
generate wireguard keypair

#Show the private key
show wireguard privkey 

#Show the public key
show wireguard pubkey


#Set wireguard virtual network interfaces
set interfaces wireguard wg01 address '172.16.100.2/32'


#set wireguard accept packets of network.
set interfaces wireguard wg01 peer SERVER allow-ips '0.0.0.0/0'

#Set connection to server
set interfaces wireguard wg01 peer SERVER endpoint '${server-wan-address}:50100'

#Set how offten to send keep alives in seconds
set interfaces wireguard wg01 peer SERVEr persistent-keepalive 15

#Set public key for server
set interfaces wireguard wg01 peer SERVER pubkey '${server-pubkey}'

#Set presharekey
set interfaces wireguard wg01 peer SERVER preshared-key gLdIlCM/AsobjfDgFK/cdgsAcjILTzLY4df5BskRcqY=




#set static routing to client.
set protocols static interface-route '172.16.100.0/24' next-hop-interface wg01


#Make the settings applied!
commit 

#save configuration
save


#Test wireguard connection

2. macos wireguard client
  1. Download wireguard client for macos: Download from AppStore
  2. set configure like this
[Interface]
PrivateKey = AJ2oJcAbxCmeovofOMrJooMMlLMNNKGWuTqffF7oXVU=
Address = 172.16.100.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = m6oJcAbxCmeovofOMrPCCCDkGWuTqfkGWufeovofEII=
AllowedIPs = 0.0.0.0/0
Endpoint = $WIREGUARD_SERVER_ADDRESS:$PORT
PersistentKeepalive = 15

3. andorid/ios

  1. Edit a configuration and save it as a config file.
  2. install qeencode
brew install qrencode
qrencode
qrencode -t ansiutf8 < client_wireguard_ios.conf
  1. with wireguard client scan qr to confirm it.

Reference