WireGuard basics

WireGuard is open-source software and a protocol that implements a VPN by creating secure point-to-point connections over UDP in routed configurations. It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. The protocol is designed to provide a general-purpose VPN solution and supports different configuration types, including point-to-point, client-server, and site-to-site connections.

WireGuard relies on public-key cryptography. A private and public key must be generated for each peer, and only the public keys are exchanged; the private key should never leave the peer on which it was generated. For additional security, you can also generate and exchange a pre-shared key. Each pair of peers should use its own pre-shared key.

WireGuard is time sensitive and can refuse to pass traffic if a peer's clock is out of sync. It is recommended to rely on NTP on all peers. The problem can be caused by an incorrect NTP configuration, or by a race condition between the netifd and sysntpd services, especially on devices without an RTC. Setting the time forward on the client side can work around the problem.

Navigate to LuCI → System → Software and install the package luci-proto-wireguard.

Generate a private and public key pair.

wg genkey | tee wg.key | wg pubkey > wg.pub
  • Use the wg.key file to configure the WireGuard interface on this router.
  • Use the wg.pub file to configure peers that will connect to this router through the WireGuard VPN.

Navigate to LuCI → System → Startup → Initscripts and click Restart next to network.

To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface... and select WireGuard VPN from the Protocol dropdown menu.

The menu LuCI → Status → WireGuard shows information about the WireGuard VPN.

To have WireGuard send debug messages to the kernel message buffer, the kernel must be compiled with the following option enabled:

  • Global build settings >> Kernel build options >> Compile the kernel with debug information

This option creates /sys/kernel/debug/dynamic_debug/control, which can be used to enable debug logging for WireGuard with the following command:

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

WireGuard transactions are now echoed to the kernel message buffer, viewable with dmesg.

  • Last modified: 2024/01/02 05:45
  • by vgaetera