WireGuard VPN: Difference between revisions

From Edge Threat Management Wiki - Arista
(14 intermediate revisions by 3 users not shown)
Latest revision as of 18:20, 3 May 2022

About WireGuard VPN

The WireGuard VPN service provides virtual private networking via WireGuard, which is an open source lightweight VPN application and protocol designed to be fast, secure, and easy to configure.

Settings

This section reviews the different settings and configuration options available for WireGuard VPN.

Status

The Status tab shows the status of the WireGuard VPN service.

  • Local Service Information
This section displays information about the local WireGuard service such as the public key, endpoint address and port, peer address, and the list of local networks.
  • Enabled Tunnels
This section shows a list of active WireGuard tunnels.

Settings

  • Listen port
Sets the port where the WireGuard server will listen for inbound tunnel connections from peers.
  • Keepalive interval
Sets the passive keepalive interval, which keeps sessions active and lets both peers passively detect that a connection has failed or been disconnected.
  • MTU
Sets the MTU size for WireGuard tunnels.

Remote Client Configuration

These fields are used when generating the Remote Client configuration.

  • DNS Server
IP address of the local DNS server that will be added to the client configuration. It is initially populated with the first defined DHCP DNS Server Override address, if one is found. If not, the IP address of your first non-WAN interface is used.
  • Networks
These are networks added to the client's allowed IP list. It is initially populated with all known local networks discovered from non-WAN interfaces (and their aliases) and static routes.

Peer IP Address Pool

  • Assignment
Used to select the method for address pool assignment. Can be set to Automatic to allow the system to automatically select an unused network space, or Self-assigned to configure a user-entered network space.
  • Network Space
Shows the automatically assigned network space or allows editing the self-assigned network space.
  • New Network Space
Click when using Automatic assignment to select a new random network space.
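The defaults described under Remote Client Configuration and Peer IP Address Pool can be reproduced in a few lines. The following is an added example and not NG Firewall's own code: it picks the DNS Server default, validates one-CIDR-per-line network input, chooses an Automatic network space that does not overlap the known local networks, and renders the resulting client configuration text. The 10.0.0.0/8 pool, the /24 size, the interface and key strings, and the hostname are all constructed assumptions; the page does not document the product's actual pool or selection rule.

```python
"""Added example, not NG Firewall's own code: reproduce the defaults the
Remote Client Configuration and Peer IP Address Pool settings describe and
render the resulting WireGuard client configuration.  Keys, addresses and
the endpoint hostname are constructed placeholders."""
import ipaddress
import random
from typing import List, Optional

# Constructed pool from which an "Automatic" assignment draws a /24; the
# real product's pool and selection rule are not documented on the page.
ASSIGNMENT_POOL = ipaddress.IPv4Network("10.0.0.0/8")


def choose_dns_server(dhcp_dns_overrides: List[str],
                      non_wan_interface_ips: List[str]) -> str:
    """DNS Server default: first DHCP DNS Server Override if one exists,
    otherwise the IP address of the first non-WAN interface."""
    if dhcp_dns_overrides:
        return dhcp_dns_overrides[0]
    return non_wan_interface_ips[0]


def validate_cidrs(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one-CIDR-per-line input (Networks / Remote Networks fields).
    strict=True rejects entries with host bits set, e.g. 192.168.1.5/24,
    which would otherwise be silently widened to the whole /24."""
    nets = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            nets.append(ipaddress.IPv4Network(raw, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid network entry {raw!r}: {exc}") from None
    return nets


def pick_network_space(local_networks: List[str], seed: Optional[int] = None,
                       tries: int = 512) -> ipaddress.IPv4Network:
    """Automatic assignment: a random /24 inside ASSIGNMENT_POOL that overlaps
    none of the known local networks (an overlapping pool would shadow that
    local subnet once the tunnel route is installed)."""
    rng = random.Random(seed)
    taken = [ipaddress.IPv4Network(n) for n in local_networks]
    for _ in range(tries):
        candidate = ipaddress.IPv4Network(
            f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
        if not any(candidate.overlaps(n) for n in taken):
            return candidate
    raise RuntimeError("no unused network space found in the pool")


def render_client_config(client_private_key: str,
                         client_address: ipaddress.IPv4Interface,
                         dns_server: str, server_public_key: str,
                         endpoint: str, listen_port: int,
                         allowed: List[ipaddress.IPv4Network],
                         keepalive: int = 25) -> str:
    """Render the text form of the remote client configuration."""
    lines = [
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {client_address}",
        f"DNS = {dns_server}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint}:{listen_port}",
        # AllowedIPs doubles as the client's routing table for the tunnel
        "AllowedIPs = " + ", ".join(str(n) for n in allowed),
        f"PersistentKeepalive = {keepalive}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    local = ["192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/16"]  # constructed
    pool = pick_network_space(local, seed=1)
    client_ip = ipaddress.IPv4Interface(
        f"{pool.network_address + 2}/{pool.prefixlen}")
    print(render_client_config(
        "CLIENT_PRIVATE_KEY_PLACEHOLDER", client_ip,
        choose_dns_server([], ["192.168.1.1"]),
        "SERVER_PUBLIC_KEY_PLACEHOLDER", "vpn.example.com", 51820,
        validate_cidrs("192.168.1.0/24\n192.168.2.0/24\n")))
```

The overlap check is the part worth keeping in mind when using Self-assigned: a tunnel pool that overlaps a local subnet or a remote network is the usual cause of a tunnel that "connects" but cannot reach anything.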


Tunnels

The Tunnels tab is where you create and manage WireGuard VPN tunnels. Each tunnel in the table has options to view the client configuration or edit the tunnel.

For a step by step guide to setting up WireGuard VPN tunnels, see Setting up WireGuard VPN site-to-site connections in NG Firewall.

  • Remote Client

Clicking this icon displays a window showing the recommended client configuration both as a QR code, which many WireGuard mobile apps can scan with the device's camera and import, and as a text file suitable for copying and pasting into the remote client.

  • Tunnel Editor
When you add a tunnel, or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:

Note: You can copy the configuration from a remote NG Firewall peer and paste it into any of the configurable fields. The screen automatically populates all of the relevant fields from the remote side. This simplifies the configuration of tunnels and is recommended to avoid misconfiguration.

  • Enabled
This checkbox allows you to set a tunnel to either enabled or disabled.
  • Description
This field should contain a short name or description.
  • Remote Public Key
This field is for the public key of the tunnel peer.
  • Remote Endpoint Type
This field controls the endpoint type for the peer.
    • Select Roaming if the remote endpoint is a mobile device using the WireGuard app, or if the remote network is used for client access only and does not host any resources.
    • Select Static for a traditional site-to-site tunnel configuration where each network hosts resources that must be accessible over the virtual private network.
  • Remote Endpoint IP Address
Sets the IP address for a static endpoint.
  • Remote Endpoint Port
Sets the port for a static endpoint.
  • Remote Peer IP Address
This field sets the IP address that will be used by the remote peer.
  • Remote Networks
This field is used to configure the list of remote networks that should be routed across this WireGuard tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.
  • Monitor Ping IP Address
The IP address of a host on the remote network to ping for verifying that the tunnel is connected. Leave blank to disable.
  • Monitor Ping Interval
The time in seconds between attempts to ping the configured ping monitor address.
  • Monitor Alert on Tunnel Up/Down
When enabled, CONNECT and DISCONNECT alerts will be generated when the configured ping monitor transitions from reachable to unreachable, and from unreachable to reachable.
  • Monitor Alert on Ping Unreachable
When enabled, UNREACHABLE alerts will be generated for each monitor ping that fails while the target is unreachable.
  • Local Service Information
This section includes information from the Status tab that is useful when doing copy/paste configuration between two peers.
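The two monitor alert switches behave differently: one fires on state transitions, the other on every failed ping. The following is an added example, not NG Firewall's own code, that replays the behaviour described for Monitor Ping Interval, Monitor Alert on Tunnel Up/Down and Monitor Alert on Ping Unreachable over a constructed series of ping results; the class and function names, and the choice to raise no alert on the very first result, are assumptions made for the example.

```python
"""Added example, not NG Firewall's own code: the alert behaviour the
Monitor Ping settings describe, replayed over a constructed series of
ping results so the two alert switches can be compared."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TunnelMonitor:
    ping_interval: int = 60               # Monitor Ping Interval, seconds
    alert_on_up_down: bool = True         # Monitor Alert on Tunnel Up/Down
    alert_on_unreachable: bool = False    # Monitor Alert on Ping Unreachable
    reachable: Optional[bool] = None      # None until the first ping result
    alerts: List[Tuple[str, int]] = field(default_factory=list)

    def record(self, t: int, ping_ok: bool) -> List[Tuple[str, int]]:
        """Feed one ping result taken at time t; return the alerts it raises."""
        raised = []
        # Per-ping alert: fires for every failed ping while enabled
        if not ping_ok and self.alert_on_unreachable:
            raised.append(("UNREACHABLE", t))
        # Transition alert: only when reachability actually changes
        # (assumption: the first result establishes state without an alert)
        if (self.alert_on_up_down and self.reachable is not None
                and ping_ok != self.reachable):
            raised.append(("CONNECT" if ping_ok else "DISCONNECT", t))
        self.reachable = ping_ok
        self.alerts.extend(raised)
        return raised


def replay(results: List[bool], **settings) -> List[Tuple[str, int]]:
    """Run a monitor over results spaced ping_interval seconds apart."""
    mon = TunnelMonitor(**settings)
    for i, ok in enumerate(results):
        mon.record(i * mon.ping_interval, ok)
    return mon.alerts


if __name__ == "__main__":
    # Constructed sample: tunnel up, drops for two intervals, then recovers
    sample = [True, True, False, False, True]
    print(replay(sample, alert_on_unreachable=True))
```

For a link that flaps, the per-ping alert produces one event per interval for as long as the outage lasts, so the Up/Down alert is the one to route to an on-call channel and the Unreachable alert is better kept for logging.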

WireGuard VPN client

The WireGuard VPN client app is available for download on a variety of mobile device and desktop operating systems including iOS, macOS, Android, Windows, and Linux.

The download links for each supported OS are available from the WireGuard Website.

For a step-by-step setup guide, refer to the KB article Setting up WireGuard VPN on mobile devices and desktops.

Reports

The Reports tab provides a view of all reports and events for all connections handled by WireGuard VPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.


Related Topics

IPsec VPN

OpenVPN

WireGuard VPN FAQs

How resilient is a WireGuard connection?

WireGuard is built for roaming. If your device changes networks, e.g. from WiFi to a mobile/cellular network, the connection will persist, because as long as the client sends correctly authenticated data to the WireGuard VPN server, the server keeps the connection alive.

What cryptography is used in WireGuard?

WireGuard uses several ciphers including ChaCha20, Curve25519, BLAKE2s, SipHash24, and HKDF. For more details refer to the WireGuard Protocol & Cryptography documentation.

What transport protocol and port does WireGuard use?

WireGuard encapsulates and encrypts all data using UDP with default port 51820. There is a built-in access rule to allow WireGuard traffic on this port.