WireGuard VPN Configuration

AstLinux now supports the WireGuard VPN. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard was created by Jason A. Donenfeld.

Warning → Currently (November 2017) WireGuard is labeled as experimental, and has not quite yet been accepted into the mainline Linux kernel. Be certain to perform your own due diligence and testing of what could become the premier VPN in the not too distant future.

Note: AstLinux 1.3.2 or later is required

WireGuard Configuration

Select the Network Tab in the web interface.

Locate the WireGuard VPN entry within Network Services: → VPN Type:

Check “WireGuard VPN” and click on WireGuard Configuration

Fill in the “IPv4 Address”, click “Save Settings” and then “Restart VPN”.

WireGuard VPN is now running, but by default no remote peers are defined. Click on Edit Peer Config and view the commented example peer.

## WireGuard VPN Peers
##
## Example:
## Uncomment and replace the entries with your Peer's configuration
#[Peer]
#PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
#Endpoint = 10.10.1.60:51820
#AllowedIPs = 10.4.0.2/32, 192.168.200.1/24
#PersistentKeepalive = 0

Uncomment [Peer], then uncomment and define the PublicKey and AllowedIPs entries.

Tip → PublicKey is the public key of the remote peer.

Tip → AllowedIPs is a comma-separated list of IPv4 and/or IPv6 addresses/networks that are allowed into the VPN tunnel, destined to the remote peer.

The Endpoint entry is optional, define it if the peer has a known IP Address or DNS name. If the peer is a roaming road-warrior, leave Endpoint commented-out.

The PersistentKeepalive entry is optional, a non-zero value in seconds will send keep-alive packets to the remote peer (rarely needed).

Note that when multiple peers are defined, their combined AllowedIPs act as a routing table: each routed packet is directed to exactly one peer, or to no peer (and dropped) if no entry matches.
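To make the peer-file format and the AllowedIPs routing behaviour concrete, here is an added example (not AstLinux code): a small parser for the Edit Peer Config format that skips commented entries, a longest-prefix lookup that shows which peer a destination is directed to or whether it is dropped, and the set of routes “Automatic Routes” would create. The two-peer config, the placeholder public keys and the function names are constructed for this example.

```python
import ipaddress
# Constructed sample of the "Edit Peer Config" file (not from the page): two active peers plus the commented-out example peer.
SAMPLE_PEER_CONFIG = """\
[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 10.10.1.60:51820
AllowedIPs = 10.4.0.2/32, 192.168.200.1/24
[Peer]
PublicKey = SECOND_PEER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.4.0.3/32, 0.0.0.0/0
#[Peer]
#PublicKey = COMMENTED_OUT_PEER_PLACEHOLDER=
#AllowedIPs = 10.4.0.4/32
"""

def parse_peers(text):
    """Parse [Peer] sections; lines starting with '#' are comments and are skipped."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[Peer]":
            peers.append({"AllowedIPs": []})
            continue
        if not peers:
            raise ValueError("entry before any [Peer] section: %r" % line)
        key, _, value = (s.strip() for s in line.partition("="))  # split once: base64 keys end in '='
        if key == "AllowedIPs":
            peers[-1][key] = [ipaddress.ip_network(n.strip(), strict=False)
                              for n in value.split(",") if n.strip()]
        else:
            peers[-1][key] = value
    return peers

def route_to_peer(peers, dst):
    """Longest-prefix match over all peers' AllowedIPs (WireGuard's cryptokey routing):
    returns (peer index, matching network), or (None, None) when dst is dropped."""
    addr = ipaddress.ip_address(dst)
    best = (None, None)
    for i, peer in enumerate(peers):
        for net in peer["AllowedIPs"]:
            if addr.version == net.version and addr in net:
                if best[1] is None or net.prefixlen > best[1].prefixlen:
                    best = (i, net)
    return best

def automatic_routes(peers):
    """Routes "Automatic Routes" would create: every AllowedIPs entry except a /0 default."""
    return [net for p in peers for net in p["AllowedIPs"] if net.prefixlen > 0]
```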

When you have finished editing the remote peer(s) in the Edit tab, “Save Changes” and then restart the WireGuard VPN:

Restart WireGuard VPN

WireGuard Configuration Options

WireGuard VPN Tunnel Options

  • IPv4 Address: Define an IPv4 address which configures the WireGuard tunnel device wg0 network. Required.
  • IPv4 NetMask: Define an IPv4 netmask which configures the WireGuard tunnel device wg0 network, defaults to 255.255.255.0
  • IPv6/nn Address: Define if you have an IPv4/IPv6 system and want to create an IPv6 WireGuard tunnel device wg0 network.
  • IPv4/IPv6 Routes: Usually leave this empty and check “Automatic Routes:”. Manually defining routes may be useful in special situations.
  • Automatic Routes: When checked, automatically create routes using the AllowedIPs entries for all the peers. This setting is ignored if “IPv4/IPv6 Routes” is defined.
  • DNS Update: When checked, peer endpoints with DNS names will be continually updated after the peer becomes inactive. (Rarely needed)

Note → If an AllowedIPs entry specifies a /0 default route, no automatic route will be created for that entry.

WireGuard VPN Interface Options

  • Interface Device: Set the tunnel interface device, currently only wg0 is shown.
  • Interface MTU: Usually leave this as “default” and let WireGuard determine the best MTU. Setting this to less than 1420 may be useful in special situations.
  • UDP Listen Port: Set the UDP port number the service listens on, defaults to 51820.

WireGuard VPN Firewall Options

  • External Hosts: Define a space-separated list of allowed IPv4/IPv6 addresses via the external interface. The external firewall rules are automatically created by the wireguard-vpn plugin. The firewall must be enabled, see the “Enable Firewall” section below for more info.

Tip → Allow any external IPv4-only address by defining “External Hosts:” to 0.0.0.0/0

Tip → Allow any external IPv6-only address by defining “External Hosts:” to ::/0

Tip → Allow any external IPv4/IPv6 address by defining “External Hosts:” to 0/0

WireGuard VPN Public Key

When WireGuard VPN is active, a “This Peer's Public Key:” entry is shown, for easy copy/paste to remote peer configurations.

Enable Firewall

The firewall must be enabled for the WireGuard VPN to operate properly. The WireGuard VPN device wg0 is treated as a LAN internal interface, which by default is isolated from all other LAN internal interfaces, but does by default have full access to the AstLinux box itself if the peer's AllowedIPs allows it. The firewall can be configured to allow the WireGuard VPN tunnel to pass packets to any one of the configured physical LAN interfaces. For example…

Network tab → Firewall Configuration:

Click on Firewall Configuration

Additionally, the WireGuard VPN tunnel is NAT'ed via the external interface, such that if an exiting IPv4 tunnel packet is routed out through the external interface it will have a NAT'ed path back into the tunnel.

Optional Action Script

If an executable script file /mnt/kd/wireguard.script exists, it is called after the VPN is up and before the VPN is down.

After the VPN is up, the arguments passed to the script are:

POST_UP interface

Before the VPN is down, the arguments passed to the script are:

PRE_DOWN interface

Note: AstLinux 1.3.4 or later also supports actions PRE_UP and POST_DOWN


Example /mnt/kd/wireguard.script script: (make it executable)

#!/bin/sh

## Action: PRE_UP POST_UP PRE_DOWN POST_DOWN
ACTION="$1"
## WireGuard Interface: (ex. wg0)
INTERFACE="$2"

if [ "$ACTION" = "POST_UP" ]; then
  logger -t wireguard -p kern.info "WireGuard VPN is started on '$INTERFACE' interface."
elif [ "$ACTION" = "PRE_DOWN" ]; then
  logger -t wireguard -p kern.info "WireGuard VPN is stopping '$INTERFACE' interface."
fi

Tip → For special routing situations, /mnt/kd/wireguard.script can mark WireGuard traffic on POST_UP with:

wg set "$INTERFACE" fwmark 51820

and add the corresponding ip rule add … fwmark 51820 rules on POST_UP, removing the same rules again on PRE_DOWN.


Additional Documentation

man wg.8

Benchmarks

Troubleshooting (Ignore Proxy ARP comments)