For a while now I have been intrigued by Wireguard. It's kind of like a cross between ssh and ipsec. You can create a point-to-point link very easily, and the authentication is public-key based (like SSH). The host gets a new Ethernet interface, and that is your tunnel. Beauty!
I think this could be a broadly-applicable technology. The internals are what they call ‘Cryptokey Routing’. You need to get a link from A to B. You want it to support L2. You don’t want all the complexity of IKE(v2) and X.509, and you are happy w/ pre-shared private keys like SSH.
Let's try it. Azirevpn is currently testing free Wireguard endpoints. So…
wg genkey | tee privatekey | wg pubkey > publickey
curl -d … {strictly an Azire thing, not related to wireguard}
Now we have a file:
$ sudo cat /etc/wireguard/azirevpn-ca1.conf
[Interface]
PrivateKey = OXXXXXXXXXXXXXXXXXXXXY=
Address = 10.50.16.133/19, 2607:f938:3001:4000::1086/64
DNS = 192.211.0.2, 2606:ed00:2:babe::2

[Peer]
PublicKey = GXXXXXXXXXXXXXXXXXXXXXXXQ=
Endpoint = 149.248.160.60:51820
AllowedIPs = 0.0.0.0/0, ::/0
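The ‘Cryptokey Routing’ mentioned earlier is that AllowedIPs line: a table mapping CIDR ranges to peer public keys, consulted in both directions. Outbound, the destination is longest-prefix matched to pick which peer's key to encrypt to; inbound, a decrypted packet is dropped unless its inner source address maps back to the peer it arrived from, which is what stops one peer from spoofing addresses it was not given. The following is an added example (not code from the post or from WireGuard) that parses a config in the same format as the one above and models that table. The keys are placeholders and the second, narrower peer is constructed so the longest-match behaviour is visible.

```python
"""Toy model of WireGuard's Cryptokey Routing built from a wg-quick style config.

Added example, not WireGuard code. Keys below are placeholders; the second peer
is constructed to show longest-prefix matching against the 0.0.0.0/0 default peer.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same INI-like format as the post's azirevpn-ca1.conf.
SAMPLE_CONF = """
[Interface]
PrivateKey = OXXXXXXXXXXXXXXXXXXXXY=
Address = 10.50.16.133/19, 2607:f938:3001:4000::1086/64
DNS = 192.211.0.2, 2606:ed00:2:babe::2

[Peer]
PublicKey = GXXXXXXXXXXXXXXXXXXXXXXXQ=
Endpoint = 149.248.160.60:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = PLACEHOLDER_SECOND_PEER_KEY=
AllowedIPs = 10.99.0.0/24
"""


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a wg config into the [Interface] section and a list of [Peer] sections.

    Values are split on the FIRST '=' only, because base64 keys end in '='.
    """
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg allows '#' comments
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


class CryptokeyRouter:
    """The AllowedIPs table: (network, peer public key) entries."""

    def __init__(self, peers: List[Dict[str, str]]) -> None:
        self.table = []
        for peer in peers:
            for cidr in peer.get("AllowedIPs", "").split(","):
                cidr = cidr.strip()
                if cidr:
                    net = ipaddress.ip_network(cidr, strict=False)
                    self.table.append((net, peer["PublicKey"]))

    def egress_peer(self, dst: str) -> Optional[str]:
        """Outbound: the peer whose AllowedIPs is the longest match for dst.

        None means no peer claims the address and the packet is dropped.
        """
        ip = ipaddress.ip_address(dst)
        hits = [(n, k) for n, k in self.table if n.version == ip.version and ip in n]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def accept_ingress(self, sender_pubkey: str, inner_src: str) -> bool:
        """Inbound: after decryption the inner source must route back to the sender.

        A peer that sends packets from an address outside its own AllowedIPs
        (an address belonging to another peer, or to nobody) is rejected here.
        """
        return self.egress_peer(inner_src) == sender_pubkey


def build_router(text: str = SAMPLE_CONF) -> CryptokeyRouter:
    """Parse a config and return its cryptokey routing table."""
    _, peers = parse_conf(text)
    return CryptokeyRouter(peers)


if __name__ == "__main__":
    router = build_router()
    print(router.egress_peer("8.8.8.8"))         # default (0.0.0.0/0) peer
    print(router.egress_peer("10.99.0.7"))       # narrower second peer wins
    print(router.accept_ingress("PLACEHOLDER_SECOND_PEER_KEY=", "8.8.8.8"))  # False
```

With the real config above there is only one peer with 0.0.0.0/0 and ::/0, so every destination goes to the Azire endpoint and any inner source it sends is accepted; the narrower second peer in the sample is what makes the source check meaningful.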
Bringing it up, we see what we expected: we get an IP and some routes are set. Standard Linux network setup, none of the complex bits we see in ipsec.
[#] ip link add azirevpn-ca1 type wireguard
[#] wg setconf azirevpn-ca1 /dev/fd/63
[#] ip address add 10.50.16.133/19 dev azirevpn-ca1
[#] ip address add 2607:f938:3001:4000::1086/64 dev azirevpn-ca1
[#] ip link set mtu 1420 dev azirevpn-ca1
[#] ip link set azirevpn-ca1 up
[#] resolvconf -a tun.azirevpn-ca1 -m 0 -x
[#] wg set azirevpn-ca1 fwmark 51820
[#] ip -6 route add ::/0 dev azirevpn-ca1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] wg set azirevpn-ca1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev azirevpn-ca1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
```
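The fwmark and rule lines are the part worth understanding, because they are how wg-quick routes everything into the tunnel without routing its own encrypted UDP into the tunnel too. WireGuard marks the packets it sends with fwmark 51820; table 51820 holds only a default route through the interface; rule `not fwmark 51820 table 51820` sends unmarked traffic there. Rules added without a priority land just below the previously added one, so the last rule, `table main suppress_prefixlength 0`, is consulted first: it uses the main table only when the match is more specific than /0, which keeps LAN and host routes working while the old default route is ignored. Marked (already encrypted) packets fall through to main and leave via the real uplink. The following added example (not wg-quick's code) walks those three rules for IPv4 in that order; the 192.0.2.0/24 LAN and the `eth0` uplink in the stand-in main table are constructed placeholders.

```python
"""Model of the IPv4 policy-routing rules wg-quick installed above.

Added example, not wg-quick code. Reproduces the kernel's rule walk for three kinds
of packet: ordinary traffic (tunnel), WireGuard's own marked UDP (real uplink) and
traffic to a directly connected LAN (stays local). The LAN prefix and the "eth0"
uplink are constructed placeholders; table 51820 matches the output above.
"""
import ipaddress
from typing import Optional, Tuple

WG_MARK = 51820   # fwmark wg-quick puts on the WireGuard socket...
WG_TABLE = 51820  # ...and reuses as the routing table id

# Constructed routing tables. "main" stands in for the host's pre-existing table.
TABLES = {
    "main": [
        (ipaddress.ip_network("192.0.2.0/24"), "eth0"),   # placeholder LAN
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),      # pre-existing default route
    ],
    WG_TABLE: [
        (ipaddress.ip_network("0.0.0.0/0"), "azirevpn-ca1"),  # from the output above
    ],
}


def lookup(table, dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match within one table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(net, dev) for net, dev in TABLES[table] if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def route(dst: str, fwmark: int = 0) -> Optional[str]:
    """Return the egress device the rules above select for (dst, fwmark).

    Priority order as the kernel assigns it to wg-quick's `ip rule add` calls
    (each new rule gets one less than the lowest existing user priority):
      32764  from all lookup main suppress_prefixlength 0
      32765  not from all fwmark 51820 lookup 51820
      32766  from all lookup main
    """
    # 32764: main table, but a /0 (default route) result is suppressed and the
    # walk continues. Specific routes (LAN, host routes) are honoured here.
    hit = lookup("main", dst)
    if hit is not None and hit[0].prefixlen > 0:
        return hit[1]

    # 32765: anything NOT carrying WireGuard's mark is sent to table 51820,
    # whose only route is the default via the tunnel interface.
    if fwmark != WG_MARK:
        hit = lookup(WG_TABLE, dst)
        if hit is not None:
            return hit[1]

    # 32766: marked packets (the encrypted UDP itself) reach the ordinary main
    # table and its default route, so they leave on the real uplink.
    hit = lookup("main", dst)
    return hit[1] if hit is not None else None


if __name__ == "__main__":
    print(route("8.8.8.8"))                            # azirevpn-ca1 (into the tunnel)
    print(route("149.248.160.60", fwmark=WG_MARK))     # eth0 (encrypted UDP to the endpoint)
    print(route("192.0.2.10"))                         # eth0 (LAN stays local)
```

Without the suppress_prefixlength rule, the main table's own default route would be consulted first and the tunnel would never be used; without the fwmark exception, the encrypted packets to 149.248.160.60 would themselves be routed into the tunnel.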
Checking…
$ curl -4 icanhazip.com
149.248.160.60
Yup. IP is on the far side. Story checks out.