| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
userdoc:tt_wireguard_vpn [2019/09/19 14:34]
abelbeck [WireGuard Configuration Options] |
userdoc:tt_wireguard_vpn [2020/03/30 09:33] (current)
abelbeck [WireGuard VPN Configuration] |
| AstLinux now supports the [[https://www.wireguard.com/|WireGuard VPN]]. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard was created by Jason A. Donenfeld. | AstLinux now supports the [[https://www.wireguard.com/|WireGuard VPN]]. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard was created by Jason A. Donenfeld. |
| |
| !!Info ->!! Currently (November 2018) WireGuard has not quite yet been accepted into the mainline Linux kernel. Be certain to perform your own due diligence and testing of what could become the premier VPN in the not too distant future. | !!Info ->!! Currently (March 2020) WireGuard is included in Linux 5.6 and onward. Backports for older kernels are also maintained. Be certain to perform your own due diligence and testing of what could become the premier VPN type across most all platforms. |
| |
| !!Note: AstLinux 1.3.2 or later is required, new features with 1.3.5 or later!! | !!Note: AstLinux 1.3.2 or later is required, new features with 1.3.5 or later!! |
| {{:userdoc:wireguard-vpn-firewall-wg-local.png?nolink&621|WireGuard VPN Firewall WG->Local}} | {{:userdoc:wireguard-vpn-firewall-wg-local.png?nolink&621|WireGuard VPN Firewall WG->Local}} |
| |
| * Firewall Rules: Choose either "Deny WG->Local" or "Pass WG->Local", with witch the TCP/UDP fields apply to. | * Firewall Rules: Choose either "Deny WG->Local" or "Pass WG->Local", with which the TCP/UDP fields apply to. |
| |
| !!Important ->!! The default policy is to allow all **WG->Local** traffic unless "Pass WG->Local" is defined, then the default policy is to deny all **WG->Local** traffic. | !!Important ->!! The default policy is to allow all **WG->Local** traffic unless "Pass WG->Local" is defined, then the default policy is to deny all **WG->Local** traffic. |
| | |
| | ICMP Echo Request (ping) packets are allowed and rate-limited for **WG->Local** traffic, regardless of the "Firewall Rules:" choice. |
| |
| * TCP: Define ''TCP'' rules of the form; host1,host2~port1,port2 host3,host4~port3,port4 ... | * TCP: Define ''TCP'' rules of the form; host1,host2~port1,port2 host3,host4~port3,port4 ... |
| * UDP: Define ''UDP'' rules of the form; host1,host2~port1,port2 host3,host4~port3,port4 ... | * UDP: Define ''UDP'' rules of the form; host1,host2~port1,port2 host3,host4~port3,port4 ... |
| |
| !!Tip ->!! Allow SSH traffic, deny all other traffic ... choose "Pass WG->Local" and set ''TCP'' to ''0/0~22'' | !!Tip ->!! Allow SSH and DNS traffic, deny all other traffic ... choose "Pass WG->Local" and set ''TCP'' to ''0/0~22,53'' and ''UDP'' to ''0/0~53'' |
| |
| !!Tip ->!! Deny HTTP/HTTPS traffic, allow all other traffic ... choose "Deny WG->Local" and set ''TCP'' to ''0/0~80,443'' | !!Tip ->!! Deny HTTP/HTTPS traffic, allow all other traffic ... choose "Deny WG->Local" and set ''TCP'' to ''0/0~80,443'' |
| |
| !!Tip ->!! Click on the ''(i)'' icon for detailed help. | !!Tip ->!! Click on the blue ''(i)'' icon for detailed help. |
| |
| \\ | \\ |
| {{:userdoc:wireguard-vpn-public-key.png?nolink|WireGuard VPN Public Key}} | {{:userdoc:wireguard-vpn-public-key.png?nolink|WireGuard VPN Public Key}} |
| |
| When WireGuard VPN is active, a "This Peer's Public Key:" entry is shown, for easy copy/paste to remote peer configurations | When WireGuard VPN is active, a "This Peer's Public Key:" entry is shown, for easy copy/paste to remote peer configurations. |
| . | |
| ===== | ===== Enable Firewall ===== |
| Enable Firewall ===== | |
| |
| The firewall must be enabled for the WireGuard VPN to operate properly. The WireGuard VPN device ''wg0'' is treated as a LAN internal interface, which by default is isolated from all other LAN internal interfaces, but does by default have full access to the AstLinux box itself if the peer's ''AllowedIPs'' allows it. The firewall can be configured to allow the WireGuard VPN tunnel to pass packets to any one of the configured physical LAN interfaces. For example... | The firewall must be enabled for the WireGuard VPN to operate properly. The WireGuard VPN device ''wg0'' is treated as a LAN internal interface, which by default is isolated from all other LAN internal interfaces, but does by default have full access to the AstLinux box itself if the peer's ''AllowedIPs'' allows it. The firewall can be configured to allow the WireGuard VPN tunnel to pass packets to any one of the configured physical LAN interfaces. For example... |
| ===== WireGuard Client Support ===== | ===== WireGuard Client Support ===== |
| |
| WireGuard is now available for [[https://www.wireguard.com/install/|Android]] and as Beta-Version for [[https://www.wireguard.com/install/|Apple iOS]] (via TestFlight app only ≥12.x). | WireGuard is now available for [[https://www.wireguard.com/install/|iOS / Android / macOS / Windows]] installation. |
| | |
| | Each client is open source and free to use. |
| |
| \\ | \\ |