jason schaefer . com


Wireguard VPN on VyOS

The commands vary depending on the version of VyOS. These instructions are for the rolling release 1.3.0.

SSH to your router and start from the operational-mode prompt (vyos@myGW:~$).

Begin by generating the router's keys:

generate wireguard default-keypair

This creates the keypair that WireGuard will use automatically, stored as /config/auth/wireguard/default/private.key and public.key.

You can create the peer's public/private keys on VyOS or somewhere else (generating them on the client itself means its private key never has to leave that device). If you do it on VyOS, follow these steps:

sudo su -

wg genkey | tee /config/auth/wireguard/jason.privatekey | wg pubkey > /config/auth/wireguard/jason.publickey

exit

Now enter configuration mode on VyOS to set up a WireGuard interface:

vyos@myGW:~$ configure
vyos@myGW#

set interfaces wireguard wg0 address 10.22.211.1/24
set interfaces wireguard wg0 port 51820
cat /config/auth/wireguard/jason.publickey

G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

set interfaces wireguard wg0 peer jason pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

set interfaces wireguard wg0 peer jason allowed-ips 10.22.211.10/32

set interfaces wireguard wg0 peer jason persistent-keepalive 15

commit; save

This is what the wireguard config should look like:

vyos@myGW# show interfaces wireguard

wireguard wg0 {
    address 10.22.211.1/24
    peer jason {
        allowed-ips 10.22.211.10/32
        persistent-keepalive 15
        pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
    }
    port 51820
}


Open the port on the firewall to allow WireGuard traffic to reach the router. Adjust the rule number so you don't overwrite an existing rule, and use the name of the ruleset that is applied to your WAN interface's local traffic (wan-local here):

set firewall name wan-local rule 60 description "allow wireguard"
set firewall name wan-local rule 60 action accept
set firewall name wan-local rule 60 destination port 51820
set firewall name wan-local rule 60 protocol udp

Now let's set up the client peer. Fetch the router's public key and the peer's private key:

run show wireguard keypairs pubkey default

UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=

cat /config/auth/wireguard/jason.privatekey
QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

Create a text file on your peer like so:

[Interface]
Address = 10.22.211.10/32
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

[Peer]
PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
Endpoint = [wireguard-server-ip-or-hostname]:51820
#AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.9.8.0/24, 10.254.245.0/24

PersistentKeepalive = 25

Save this file as something.conf.
Connect to your new WireGuard VPN with wg-quick (or whichever client you use); wg-quick needs the "up" subcommand:
sudo wg-quick up /path/to/something.conf
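The router side and the client side of this setup have to agree with each other: the client's Address becomes the router's allowed-ips for that peer (a host prefix, because allowed-ips is WireGuard's cryptokey routing and decides which source addresses the router accepts from that key), and the keys on both sides must be real 32-byte WireGuard keys. The script below is an added example for this post, not code from VyOS or the WireGuard project. It parses a wg-quick client file (the one from the post, embedded as a constructed sample), emits the VyOS set commands for the matching peer, and warns when the client's AllowedIPs is a full tunnel. The interface name wg0, peer name jason and keepalive of 15 are taken from the post; the peer's public key is passed in separately because a client file only carries the private key.

```python
"""Turn a wg-quick client config into the VyOS 1.3 `set` commands that register
that client as a peer, with the checks a reviewer would want. Added example for
this post, not code from VyOS or the WireGuard project. The peer's public key is
passed in separately: a client config only carries its PrivateKey."""
import base64
import binascii
import ipaddress

# Constructed sample: the client file from the post, embedded verbatim.
CLIENT_CONF = """\
[Interface]
Address = 10.22.211.10/32
PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

[Peer]
PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
Endpoint = [wireguard-server-ip-or-hostname]:51820
#AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.9.8.0/24, 10.254.245.0/24

PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Minimal parser for the wg-quick INI dialect: returns a list of
    (section, {key: value}) pairs; blank lines and '#' comments are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        sections[-1][1][key.strip()] = value.strip()
    return sections


def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def vyos_peer_commands(conf_text, peer_name, peer_pubkey, wg_if="wg0", keepalive=15):
    """Return (commands, warnings): the VyOS commands for the router side of
    the tunnel plus anything in the client file worth a second look."""
    if not is_wg_key(peer_pubkey):
        raise ValueError("peer public key is not a 32-byte base64 key")
    sections = parse_wg_conf(conf_text)
    iface = next((body for name, body in sections if name == "Interface"), None)
    if iface is None or "Address" not in iface:
        raise ValueError("client config needs an [Interface] section with Address")
    if not is_wg_key(iface.get("PrivateKey", "")):
        raise ValueError("client PrivateKey is not a 32-byte base64 key")

    cmds = [f"set interfaces wireguard {wg_if} peer {peer_name} pubkey {peer_pubkey}"]
    warnings = []
    # Router-side allowed-ips is cryptokey routing: it lists the source
    # addresses the router accepts from this peer's key. Pin each client
    # address to a host prefix whatever prefix length the client file uses.
    for addr in iface["Address"].split(","):
        ip = ipaddress.ip_interface(addr.strip()).ip
        cmds.append(f"set interfaces wireguard {wg_if} peer {peer_name} "
                    f"allowed-ips {ip}/{ip.max_prefixlen}")
    cmds.append(f"set interfaces wireguard {wg_if} peer {peer_name} "
                f"persistent-keepalive {keepalive}")

    for name, body in sections:
        if name != "Peer":
            continue
        if not is_wg_key(body.get("PublicKey", "")):
            warnings.append("[Peer] PublicKey is not a valid WireGuard key")
        for net in body.get("AllowedIPs", "").split(","):
            net = net.strip()
            if net and ipaddress.ip_network(net, strict=False).prefixlen == 0:
                warnings.append(f"AllowedIPs {net}: full tunnel, all client "
                                "traffic will be sent to the router")
    return cmds, warnings


if __name__ == "__main__":
    commands, notes = vyos_peer_commands(
        CLIENT_CONF, "jason", "G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=")
    print("\n".join(commands))
    for note in notes:
        print("warning:", note)
```

Run it as-is and it prints the three set commands that correspond to the peer block shown earlier in this post. Swapping the client's AllowedIPs for the commented-out 0.0.0.0/0, ::/0 line produces two full-tunnel warnings, which is the difference between the split-tunnel file above (only the two LAN prefixes go through the VPN) and routing every packet from the client through the router.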

done;

Comments

One response to “Wireguard VPN on VyOS”

  1. Janis

    Superb! Thank you!
