Differences

docs:guide-user:services:vpn:wireguard:basics [2021/03/21 07:11] – split from docs:guide-user:services:vpn:wireguard:start vgaetera
docs:guide-user:services:vpn:wireguard:basics [2023/08/29 13:17] – add howto for debugging info darksky2
Line 2: Line 2:
 {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
-WireGuard is an open-source software application and protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. +===== Protocol ===== 
-It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. +WireGuard is an [[wp>Open-source_software|OSS]] and protocol that implements [[wp>Virtual_private_network|VPN]] by creating secure point-to-point connections over UDP in routed configurations. 
-It is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. +It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. 
-It uses UDP. +The protocol is designed to provide a general purpose VPN solution and can support [[docs:guide-user:services:vpn:wireguard:serverclient|different configuration types]] including point-to-point, client-server, and site-to-site connections.
- +
-===== VPN peers ===== +
-WireGuard is a peer-to-peer VPN service which may be configured [[docs:guide-user:services:vpn:wireguard:serverclient|depending on your use case]]+
-The protocol itself treats all peers equally, so there is nothing that distinguishes a server from a client. +
-That said, this VPN protocol is highly flexible and can be used as a direct peer-to-peer communications channelserver-client type relationship or in a site-to-site configuration.+
  
 ===== Key management ===== ===== Key management =====
 WireGuard generally relies on [[wp>Public-key_cryptography|public-key cryptography]]. WireGuard generally relies on [[wp>Public-key_cryptography|public-key cryptography]].
-This means you should generate private keys on the respective peers and exchange only their public keys. +It requires to generate private and public key for each peer and exchange only the public keys. 
-In addition for better security, you can also generate and exchange a pre-shared key. +While the private key is best never disclosed outside the peer where it was generated. 
-Each peers should use a common pre-shared key.+For better security, you can also generate and exchange a pre-shared key. 
 +Each pair of peers should use one pre-shared key.
  
 ===== Time synchronization ===== ===== Time synchronization =====
-WireGuard is time sensitive+WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync
-If the peer's clock is out of sync, the VPN tunnel may refuse to pass traffic+It's recommended to rely on NTP for all peers
-The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, or related to specific hardware+The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, specifically when RTC is missing
-Setting time forward on the client side can [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|work around the problem]].+Setting [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|time forward]] on the client side can work around the problem.
  
-===== Instructions =====+===== Web interface instructions =====
 ==== 1. Installing packages ==== ==== 1. Installing packages ====
 Navigate to **LuCI -> System -> Software** and install the packages [[packages:pkgdata:luci-proto-wireguard]] and [[packages:pkgdata:luci-app-wireguard]] to manage WireGuard using LuCI. Navigate to **LuCI -> System -> Software** and install the packages [[packages:pkgdata:luci-proto-wireguard]] and [[packages:pkgdata:luci-app-wireguard]] to manage WireGuard using LuCI.
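Review bot: the rewritten Key management paragraph reads awkwardly and loses a point the old VPN peers section made. "It requires to generate private and public key for each peer" is ungrammatical, and the next sentence ("While the private key is best never disclosed outside the peer where it was generated.") is a fragment; suggest merging them into "Each peer generates its own key pair; the private key never leaves the peer where it was generated, and only public keys are exchanged." The removed sentence "The protocol itself treats all peers equally, so there is nothing that distinguishes a server from a client" is the reason the new Protocol section can list point-to-point, client-server and site-to-site as mere configuration types, so it is worth carrying over into the Protocol paragraph rather than dropping it.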
Line 44: Line 40:
 To create a new WireGuard interface go to **LuCI -> Network -> Interfaces -> Add new interface...** and select **WireGuard VPN** from the **Protocol** dropdown menu. To create a new WireGuard interface go to **LuCI -> Network -> Interfaces -> Add new interface...** and select **WireGuard VPN** from the **Protocol** dropdown menu.
  
-==== 5. Monitoring connection status ==== +==== 5. Monitoring status ==== 
-The menu **LuCI -> Status -> WireGuard Status** shows information about the WireGuard VPN.+The menu **LuCI -> Status -> WireGuard** shows information about the WireGuard VPN. 
 + 
 +===== Enabling debug support ===== 
 +To have wireguard send debug messages to the kernel message buffer, one must compile the kernel with the following option enabled: 
 +  - Global build settings >> Kernel build options >> Compile the kernel with debug information 
 + 
 +The resulting option will be the creation of **/sys/kernel/debug/dynamic_debug/control** which can be used to enable debug logging of wireguard with the following command: 
 +<code> 
 +echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control 
 +</code>
  
 +Now wireguard transactions should be echoed to the kernel message buffer.
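Review bot: the new Enabling debug support section is missing the steps a reader needs to actually use it. It says messages are "echoed to the kernel message buffer" but never says how to read them (`logread` or `dmesg` on OpenWrt), and it gives no way to switch the logging off again; the matching command is `echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control`. The `echo ... > /sys/kernel/debug/...` line also presumes debugfs is mounted at /sys/kernel/debug and that the shell is root, which should be stated. Please double-check the menuconfig path as well: the `dynamic_debug/control` file is the kernel's dynamic printk interface (CONFIG_DYNAMIC_DEBUG), whereas "Compile the kernel with debug information" normally refers to debug symbols; if the Kernel build options menu has a separate dynamic printk entry, that is the one to name here. Minor style point: the rest of the page writes "WireGuard", this section writes "wireguard".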
  • Last modified: 2024/01/02 05:45
  • by vgaetera