April 7, 2022

The commands vary depending on the version of VyOS. These instructions are for the rolling release 1.3.0.

SSH to your router; you start in operational mode, at the vyos@myGW:~$ prompt,

and begin by generating keys:

generate wireguard default-keypair

This creates the key pair that WireGuard on the router will use by default: /config/auth/wireguard/default/private.key and public.key.

You can create the peer's public/private key pair on VyOS or somewhere else. If you generate it on VyOS, follow these steps:

sudo su -

wg genkey | tee /config/auth/wireguard/jason.privatekey | wg pubkey > /config/auth/wireguard/jason.publickey

exit

Now enter VyOS configuration mode to set up a WireGuard interface. Give wg0 an address and a listening port, read back the peer's public key you generated above, and add it as a peer:

vyos@myGW:~$ configure
vyos@myGW#

set interfaces wireguard wg0 address 10.22.211.1/24
set interfaces wireguard wg0 port 51820
cat /config/auth/wireguard/jason.publickey

G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

set interfaces wireguard wg0 peer jason pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

set interfaces wireguard wg0 peer jason allowed-ips 10.22.211.10/32

set interfaces wireguard wg0 peer jason persistent-keepalive 15

commit; save

This is what the wireguard config should look like:

vyos@myGW# show interfaces wireguard

wireguard wg0 {
    address 10.22.211.1/24
    peer jason {
        allowed-ips 10.22.211.10/32
        persistent-keepalive 15
        pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
    }
    port 51820
}


Open the port on the firewall so WireGuard traffic can reach the router itself. This assumes a rule set named wan-local is already attached to your WAN interface in the local direction; substitute your own rule-set name, and change the rule number so you don't overwrite an existing rule.

set firewall name wan-local rule 60 description "allow wireguard"
set firewall name wan-local rule 60 action accept
set firewall name wan-local rule 60 destination port 51820
set firewall name wan-local rule 60 protocol udp

Now let's set up the client peer. Still in configuration mode, print the router's default public key and the peer's private key, since both go into the client file:

run show wireguard keypairs pubkey default

UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=

cat /config/auth/wireguard/jason.privatekey
QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

Create a text file on your peer like so:

[Interface]
# tunnel address of this peer; must match its allowed-ips entry on the router
Address = 10.22.211.10/32
# contents of /config/auth/wireguard/jason.privatekey
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

[Peer]
# the router's default public key (show wireguard keypairs pubkey default)
PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
# replace the placeholder with the router's public address; 51820 is the wg0 port
Endpoint = [wireguard-server-ip-or-hostname]:51820
# uncomment this line instead of the next one to send all traffic through the tunnel
#AllowedIPs = 0.0.0.0/0, ::/0
# networks that are routed through the tunnel
AllowedIPs = 10.9.8.0/24, 10.254.245.0/24
PersistentKeepalive = 25
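As an added check (example code, not from the original post), this Python script derives the public key from the PrivateKey line of a wg-quick file with a pure-Python X25519 from RFC 7748 and compares it with the pubkey configured on the router, so a copy-paste mismatch between jason.privatekey and the peer jason pubkey line is caught before the tunnel silently fails to handshake. SAMPLE_CONF is a constructed sample built on the RFC 7748 test scalar; substitute your own file and the router's peer pubkey.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime
# Constructed sample: a wg-quick [Interface] whose key is the RFC 7748 section 6.1 test scalar
SAMPLE_PRIVATE = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
SAMPLE_CONF = "[Interface]\nAddress = 10.22.211.10/32\nPrivateKey = " + SAMPLE_PRIVATE + "\n"

def _clamp(priv: bytes) -> int:
    # RFC 7748 scalar clamping, the same step wg pubkey applies to a private key
    k = bytearray(priv)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def _x25519_basepoint(k: int) -> int:
    # RFC 7748 Montgomery ladder with u = 9; not constant-time, fine for checking keys
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def public_key_from_private(private_b64: str) -> str:
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are 32 bytes")
    pub = _x25519_basepoint(_clamp(priv))
    return base64.b64encode(pub.to_bytes(32, "little")).decode()

def private_key_from_conf(conf_text: str) -> str:
    # Pull the PrivateKey value out of the [Interface] section (comments stripped)
    for line in conf_text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "PrivateKey":
            return val.strip()
    raise ValueError("no PrivateKey line found")

def keys_match(conf_text: str, router_pubkey: str) -> bool:
    return public_key_from_private(private_key_from_conf(conf_text)) == router_pubkey
```

Run keys_match on the client file's text and the value you pasted into `set interfaces wireguard wg0 peer jason pubkey`; a False result means the two keys were not generated as a pair.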

Save this file as something.conf.
Connect to your new WireGuard VPN with wg-quick (or whichever client you need); wg-quick needs the up verb before the config path:
sudo wg-quick up /path/to/something.conf

Done.
