Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:wireguard:basics [2021/08/16 01:45] – [WireGuard basics] vgaetera
docs:guide-user:services:vpn:wireguard:basics [2023/08/29 13:17] – add howto for debugging info darksky2
Line 2: Line 2:
 {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
-WireGuard is an OSS application and protocol that implements VPN techniques to create secure point-to-point connections over UDP in routed configurations.+===== Protocol ===== 
 +WireGuard is an [[wp>Open-source_software|OSS]] and protocol that implements [[wp>Virtual_private_network|VPN]] by creating secure point-to-point connections over UDP in routed configurations.
 It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols.
 The protocol is designed to provide a general purpose VPN solution and can support [[docs:guide-user:services:vpn:wireguard:serverclient|different configuration types]] including point-to-point, client-server, and site-to-site connections. The protocol is designed to provide a general purpose VPN solution and can support [[docs:guide-user:services:vpn:wireguard:serverclient|different configuration types]] including point-to-point, client-server, and site-to-site connections.
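Review bot: the rewritten first line now reads "an OSS and protocol", which lost its noun when "application" was dropped, and "implements VPN" wants an article; suggest "WireGuard is an [[wp>Open-source_software|open-source]] application and protocol that implements a [[wp>Virtual_private_network|VPN]] by creating secure point-to-point connections over UDP in routed configurations." The new ===== Protocol ===== heading fits the page, which already sections Key management and Time synchronization the same way.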
Line 8: Line 9:
 ===== Key management ===== ===== Key management =====
 WireGuard generally relies on [[wp>Public-key_cryptography|public-key cryptography]]. WireGuard generally relies on [[wp>Public-key_cryptography|public-key cryptography]].
-This means you should generate private keys on the respective peers and exchange only their public keys. +It requires to generate private and public key for each peer and exchange only the public keys. 
-In addition for better security, you can also generate and exchange a pre-shared key. +While the private key is best never disclosed outside the peer where it was generated. 
-Each peers should use a common pre-shared key.+For better security, you can also generate and exchange a pre-shared key. 
 +Each pair of peers should use one pre-shared key.
  
 ===== Time synchronization ===== ===== Time synchronization =====
 WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync. WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync.
 It's recommended to rely on NTP for all peers. It's recommended to rely on NTP for all peers.
-The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, or related to specific hardware.+The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, specifically when RTC is missing.
 Setting [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|time forward]] on the client side can work around the problem. Setting [[docs:guide-user:services:vpn:wireguard:extras#race_conditions|time forward]] on the client side can work around the problem.
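Review bot: the time-synchronization line still says traffic is refused when "the peer's clock is out of sync", but the cause this hunk now names (no RTC, so the clock restarts from the epoch at boot) is a clock that went backwards on one peer, not two peers disagreeing with each other: a responder drops a handshake initiation whose timestamp is not newer than the last one it accepted from that peer, so a rebooted peer without an RTC is ignored until its clock passes the value it sent before the reboot. Suggest "can refuse a handshake if a peer's clock has gone backwards since the last successful handshake". In the key-management lines, "It requires to generate private and public key for each peer" is ungrammatical and "While the private key is best never disclosed outside the peer where it was generated." is a sentence fragment; suggest "Each peer generates its own private and public key and shares only the public key; the private key should never leave the peer on which it was generated." Changing "Each peers should use a common pre-shared key" to "Each pair of peers should use one pre-shared key" is the right correction, since the pre-shared key belongs to a link, not to the whole mesh.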
  
Line 39: Line 41:
  
 ==== 5. Monitoring status ==== ==== 5. Monitoring status ====
-The menu **LuCI -> Status -> WireGuard Status** shows information about the WireGuard VPN.+The menu **LuCI -> Status -> WireGuard** shows information about the WireGuard VPN.
  
 +===== Enabling debug support =====
 +To have wireguard send debug messages to the kernel message buffer, one must compile the kernel with the following option enabled:
 +  - Global build settings >> Kernel build options >> Compile the kernel with debug information
 +
 +The resulting option will be the creation of **/sys/kernel/debug/dynamic_debug/control** which can be used to enable debug logging of wireguard with the following command:
 +<code>
 +echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
 +</code>
 +
 +Now wireguard transactions should be echoed to the kernel message buffer.
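Review bot: the build option named in this step, "Compile the kernel with debug information", adds debug symbols; the file /sys/kernel/debug/dynamic_debug/control is created by CONFIG_DYNAMIC_DEBUG, which in OpenWrt's "Kernel build options" menu is "Compile the kernel with dynamic printk", so the step should name that option (or state that dynamic printk must be enabled). The echo also assumes debugfs is mounted at /sys/kernel/debug; a line such as "mount -t debugfs none /sys/kernel/debug" before it, for systems where the directory is empty, would save a confused reader. Two closing items would round the section off: the messages land in the kernel ring buffer and are read with "dmesg" (or "logread" on OpenWrt), and they are turned off again with "echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control", which matters because the output records every handshake and keepalive per peer and is noisy on a busy router. "Now wireguard transactions should be echoed" is vague; "handshake and keepalive events for each peer" is what actually appears.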
  • Last modified: 2024/01/02 05:45
  • by vgaetera