Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:wireguard:start [2020/10/29 21:34] – [Time synchronization] wording optimized vgaetera | docs:guide-user:services:vpn:wireguard:start [2021/03/21 07:17] – flush cache vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== WireGuard ====== | ====== WireGuard ====== | ||
| - | {{section> | + | {{pagequery> |
| - | + | ||
| - | WireGuard is an open-source software application and protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. | + | |
| - | It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. | + | |
| - | It is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. | + | |
| - | It uses UDP. | + | |
| - | + | ||
| - | ===== VPN peers ===== | + | |
| - | WireGuard is a peer-to-peer VPN service which may be configured [[docs: | + | |
| - | The protocol itself treats all peers equally, so there is nothing that distinguishes a server from a client. | + | |
| - | That said, this VPN protocol is highly flexible and can be used as a direct peer-to-peer communications channel, server-client type relationship or in a site-to-site configuration. | + | |
| - | + | ||
| - | ===== Key management ===== | + | |
| - | WireGuard generally relies on relies on [[wp> | + | |
| - | This means you should generate private keys on the respective peers and exchange only their public keys. | + | |
| - | In addition for better security, you can also generate and exchange a pre-shared key. | + | |
| - | Each 2 peers should use a common pre-shared key. | + | |
| - | + | ||
| - | ===== Time synchronization ===== | + | |
| - | WireGuard is time sensitive. | + | |
| - | If the peer's clock is out of sync, the VPN tunnel may refuse to pass traffic. | + | |
| - | The issue could be caused by race conditions between netifd and sysntpd services, or related to specific hardware. | + | |
| - | Setting time forward on the client side can [[docs: | + | |
| - | + | ||
| - | ===== Instructions ===== | + | |
| - | ==== 1. Installing packages ==== | + | |
| - | Navigate to **LuCI -> System -> Software** and install the packages [[packages: | + | |
| - | + | ||
| - | ==== 2. Generating keys ===== | + | |
| - | Generate a key pair of private and public keys. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | wg genkey | tee wg.key | wg pubkey > wg.pub | + | |
| - | </ | + | |
| - | + | ||
| - | * Use the **wg.key** file to configure the WireGuard interface on this router. | + | |
| - | * Use the **wg.pub** file to configure peers that will connect to //this// router through the WireGuard VPN. | + | |
| - | + | ||
| - | ==== 3. Restarting services ==== | + | |
| - | Navigate to **LuCI -> System -> Startup -> Initscripts** and click to **network -> Restart**. | + | |
| - | + | ||
| - | ==== 4. Setting up network ==== | + | |
| - | To create a new WireGuard interface go to **LuCI -> Network -> Interfaces -> Add new interface...** and select **WireGuard VPN** from the **Protocol** dropdown menu. | + | |
| - | + | ||
| - | ==== 5. Monitoring connection status ==== | + | |
| - | The menu **LuCI -> Status -> WireGuard Status** shows information about the WireGuard VPN. | + | |
| - | + | ||
| - | ===== Internal links ===== | + | |
| - | {{pagequery> | + | |
| - | + | ||
| - | See also: | + | |
| - | * [[docs: | + | |
| - | * [[docs: | + | |
| - | + | ||
| - | ===== External links ===== | + | |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
| - | * [[https:// | + | |
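Review bot: this revision deletes the whole page body (the introduction, "VPN peers", "Key management", "Time synchronization", the five-step "Instructions" and both link sections) and leaves only the title plus a `{{pagequery>` include, yet the edit summary reads only "flush cache", which does not describe a content removal. The dropped text carries the guidance a reader of this page actually needs: private keys are generated on each peer and only public keys are exchanged, an optional pre-shared key is shared per peer pair, the key-generation step `wg genkey | tee wg.key | wg pubkey > wg.pub`, and the caveat that a peer with an out-of-sync clock may refuse to pass traffic. Unless the include target now serves that material, please restore those sections (or add a link to their new location) and give the edit a summary that says the body was moved or removed, so the page history does not read as a harmless cache flush.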