Wireguard: simple VPN/tunnels

Wireguard: simple VPN/tunnels

For a while now I have been intrigued by Wireguard. Its kind of like a cross between ssh and ipsec. You can create a point-to-point link very easily, and the authentication is public-key based (like SSH). The host gets a new Ethernet interface, and that is your tunnel. Beauty!

I think this could be a broadly-applicable technology. The internals they call 'Cryptokey Routing'. You need to get a link from A-B. You want it to support L2. You don't want all the complexity of IKE(v2) and X.509, you are happy w/ pre-shared private keys like SSH.

Lets try it. Azirevpn is currently testing free Wireguard endpoints. So...

wg genkey | tee privatekey | wg pubkey > publickey

curl -d ... {strictly an Azire thing, not related to wireguard}

Now we have a file:

$ sudo cat /etc/wireguard/azirevpn-ca1.conf 
[Interface]
PrivateKey = OXXXXXXXXXXXXXXXXXXXXY=
Address = 10.50.16.133/19, 2607:f938:3001:4000::1086/64
DNS = 192.211.0.2, 2606:ed00:2:babe::2

[Peer]
PublicKey = GXXXXXXXXXXXXXXXXXXXXXXXQ=
Endpoint = 149.248.160.60:51820
AllowedIPs = 0.0.0.0/0, ::/0

And bringing it up, we see what we expected, we get an IP, set some routes. Standard Linux network setup, not the complex bits we see in ipsec.

[#] ip link add azirevpn-ca1 type wireguard
[#] wg setconf azirevpn-ca1 /dev/fd/63
[#] ip address add 10.50.16.133/19 dev azirevpn-ca1
[#] ip address add 2607:f938:3001:4000::1086/64 dev azirevpn-ca1
[#] ip link set mtu 1420 dev azirevpn-ca1
[#] ip link set azirevpn-ca1 up
[#] resolvconf -a tun.azirevpn-ca1 -m 0 -x
[#] wg set azirevpn-ca1 fwmark 51820
[#] ip -6 route add ::/0 dev azirevpn-ca1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] wg set azirevpn-ca1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev azirevpn-ca1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

Checking...

$ curl -4 icanhazip.com
149.248.160.60

Yup. IP is on the far side. Story checks out.

Leave a Reply

Your email address will not be published. Required fields are marked *

*