Differences
| docs:guide-user:services:vpn:wireguard:basics [2021/08/15 20:01] – unify headers vgaetera | docs:guide-user:services:vpn:wireguard:basics [2023/08/29 13:17] – add howto for debugging info darksky2 | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{section> | {{section> | ||
| - | WireGuard is an open-source software application | + | ===== Protocol ===== |
| - | It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. | + | WireGuard is an [[wp> |
| - | It is designed | + | It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. |
| - | It uses UDP. | + | The protocol |
| - | + | ||
| - | ===== VPN peers ===== | + | |
| - | WireGuard is a peer-to-peer VPN service which may be configured | + | |
| - | The protocol itself treats all peers equally, so there is nothing that distinguishes a server from a client. | + | |
| - | That said, this VPN protocol is highly flexible and can be used as a direct peer-to-peer communications channel, server-client | + | |
| ===== Key management ===== | ===== Key management ===== | ||
| WireGuard generally relies on [[wp> | WireGuard generally relies on [[wp> | ||
| - | This means you should | + | It requires to generate |
| - | In addition for better security, you can also generate and exchange a pre-shared key. | + | While the private key is best never disclosed outside the peer where it was generated. |
| - | Each 2 peers should use a common | + | For better security, you can also generate and exchange a pre-shared key. |
| + | Each pair of peers should use one pre-shared key. | ||
| ===== Time synchronization ===== | ===== Time synchronization ===== | ||
| WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync. | WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync. | ||
| It's recommended to rely on NTP for all peers. | It's recommended to rely on NTP for all peers. | ||
| - | The issue could be caused by incorrect NTP configuration, | + | The issue could be caused by incorrect NTP configuration, |
| Setting [[docs: | Setting [[docs: | ||
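Review bot: the rewritten Key management text has a grammar problem and a sentence fragment: "It requires to generate" should read "It requires generating a key pair on each peer" (or similar), and "While the private key is best never disclosed outside the peer where it was generated." has no main clause; suggest "The private key should never leave the peer on which it was generated." Separately, this hunk deletes the whole "VPN peers" section, including the statement that the protocol treats all peers equally and nothing distinguishes a server from a client; if that text was not moved elsewhere, keep a sentence on it under the new "Protocol" heading rather than dropping it.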
| Line 45: | Line 41: | ||
| ==== 5. Monitoring status ==== | ==== 5. Monitoring status ==== | ||
| - | The menu **LuCI -> Status -> WireGuard | + | The menu **LuCI -> Status -> WireGuard** shows information about the WireGuard VPN. |
| + | |||
| + | ===== Enabling debug support ===== | ||
| + | To have wireguard send debug messages to the kernel message buffer, one must compile the kernel with the following option enabled: | ||
| + | - Global build settings >> Kernel build options >> Compile the kernel with debug information | ||
| + | |||
| + | The resulting option will be the creation of **/ | ||
| + | < | ||
| + | echo module wireguard +p > / | ||
| + | </ | ||
| + | Now wireguard transactions should be echoed to the kernel message buffer. | ||
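Review bot: the path in the echo command and the file named in "The resulting option will be the creation of" both stop at "/", so the instruction cannot be followed as written; give the full path of the control file in both places. The section also ends at "should be echoed to the kernel message buffer" without saying how to read that buffer; add that the messages can be viewed with dmesg. Minor: "wireguard" is written "WireGuard" everywhere else on the page.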