WireGuard Configuration Guide
Introduction

WireGuard VPN is a VPN protocol implemented at the kernel level that aims to be efficient, secure, simple and modern. It protects traffic with a fixed set of modern cryptographic primitives (Curve25519 key agreement, ChaCha20-Poly1305 authenticated encryption and BLAKE2s hashing) while keeping transmission fast. Its advantages are efficient encryption and authentication, a lightweight protocol design, straightforward configuration and management, and high-speed data transfer. Compared with traditional VPN protocols, WireGuard offers stronger security, higher performance, greater reliability and a better user experience.

WireGuard Configuration

Create WireGuard

    Operation                                          Command
    Enter the system configuration view                configure terminal
    Create and enter the WireGuard configuration view  wireguard <name>

Generate Keys

    Operation                                          Command
    Enter the system configuration view                configure terminal
    Enter the WireGuard configuration view             wireguard <name>
    Generate a key pair                                genkey

Configure WireGuard

    Operation                                          Command
    Enter the system configuration view                configure terminal
    Enter the WireGuard configuration view             wireguard <name>
    Configure the listening port, private key and
    IPv4 address of the tunnel                         ip4 listen-port <port> private-key <string> intf-addr A.B.C.D/M
    Configure the listening port, private key and
    IPv6 address of the tunnel                         ip6 listen-port <port> private-key <string> intf-addr A::B/M
    Configure the MTU of the WireGuard tunnel          mtu <value>
    Configure NAT traversal for the tunnel             nat zone <id>

    listen-port: UDP port on which the tunnel listens for the peer.
    private-key: the local private key, a 44-character base64 string like those in the examples below.
    intf-addr: IP address of the WireGuard tunnel interface.
    nat zone: IDs 1 to 3; configuring an ID enables NAT translation for the tunnel.

Note: once NAT traversal is configured, the IP address of the original packet is translated. To translate both the inner and the outer IP layer together with port NAT, static NAT must be configured on the port, or NAT must be used together with ACLs; see Section 13.5 for details.

The private key is entered in clear text on the command line and saved in the device configuration. Treat configuration backups, terminal logs and any command output that includes it as sensitive: whoever holds the private key can impersonate this endpoint to its peers.
    Configure the peer's public key and address        peer {ip4|ip6} public-key <key> [endpoint-ip A.B.C.D endpoint-port <port>] [persistent-keepalive <int>]
    Configure the subnets reachable through the peer
    (form used in the examples below)                  peer public-key <key> allowed-ip A.B.C.D/M[,A.B.C.D/M ...]

    public-key: the public key of the remote end.
    endpoint-ip, endpoint-port: IP address and port of the remote end.
    persistent-keepalive: interval at which keepalive packets are sent to the peer so that the tunnel, and any NAT mapping in front of it, stays alive. In standard WireGuard the value is in seconds and 25 is the usual choice for a peer behind NAT; the examples below use 300.
    When no endpoint-ip is configured, the device waits passively for the peer to initiate and learns the peer's IP address and port from the incoming handshake.

Display and Maintenance

    Operation                                          Command
    Display WireGuard status                           show wireguard status <id>
    Display WireGuard configuration                    show wireguard config <id>

WireGuard Configuration Example

Network requirements

The enterprise wants to protect the data flows between the branch subnet and the headquarters subnet. Because the branch gateway and the headquarters gateway communicate over the Internet, a WireGuard tunnel is set up between them.

Procedure

Device1

    sonic(config)# interface ethernet 1
    sonic(config-if-1)# ip address 10.1.1.1/24
    sonic(config)# interface ethernet 2
    sonic(config-if-2)# ip address 1.1.1.1/24
    sonic(config)# wireguard 1
    sonic(config-wireguard-1)# ip4 listen-port 51820 private-key ugsbrshnypix0xkldpq6z8wat2k6yd3ybylmd4je6vg= intf-addr 10.0.0.1/24
    sonic(config-wireguard-1)# peer ip4 public-key h1ewr2onesu9ndjfvbo7pskwnkxt5j25vl1zit0r3ms= persistent-keepalive 300
    sonic(config-wireguard-1)# peer public-key h1ewr2onesu9ndjfvbo7pskwnkxt5j25vl1zit0r3ms= allowed-ip 0.0.0.0/0
    sonic(config)# ip route 10.1.2.0/24 10.0.0.1 wg 1

Device2

    sonic(config)# interface ethernet 1
    sonic(config-if-1)# ip address 10.1.2.1/24
    sonic(config)# interface ethernet 2
    sonic(config-if-2)# ip address 1.1.1.2/24
    sonic(config)# wireguard 1
    sonic(config-wireguard-1)# ip4 listen-port 51820 private-key uchpw7lmoymmzsvkhvz88cs/0pv8imf2pr7wangle24= intf-addr 10.0.0.2/24
    sonic(config-wireguard-1)# peer ip4 public-key oau/e535arzn2cpuojhz5i9jwv7bfkodg3a0gtma3v8= endpoint-ip 1.1.1.1 endpoint-port 51820 persistent-keepalive 300
    sonic(config-wireguard-1)# peer public-key oau/e535arzn2cpuojhz5i9jwv7bfkodg3a0gtma3v8= allowed-ip 10.0.0.0/24,10.1.1.0/24
    sonic(config)# ip route 10.1.1.0/24 10.0.0.2 wg 1

Device1 configures its peer without an endpoint-ip, so it waits for Device2, which names Device1's public address 1.1.1.1:51820, to initiate the handshake. Each side's peer public-key must be the public key that belongs to the other side's private-key; WireGuard does not answer a handshake from an unknown key, so a pasting mistake shows up as a tunnel that never comes up rather than as an error. Device2 limits its peer to 10.0.0.0/24 and 10.1.1.0/24, whereas Device1 uses allowed-ip 0.0.0.0/0; in standard WireGuard semantics that accepts any inner source address from Device2, so a tighter list (10.0.0.0/24,10.1.2.0/24) is preferable unless Device1 is meant to route arbitrary traffic through Device2.

Example of WireGuard Configuration in a PPPoE Scenario

Network requirements

The enterprise wants to secure the traffic exchanged between the branch subnets and the headquarters subnet. Since branches and headquarters communicate over the public Internet, a WireGuard tunnel between the branch gateway and the headquarters gateway provides this protection. Because the branch gateway obtains its IP address dynamically as a PPPoE client and performs NAT translation, the headquarters cannot know the branch's address in advance; the headquarters gateway can therefore only respond to WireGuard handshakes initiated by the branch gateway.

Procedure (branch gateway)

    sonic(config)# interface ethernet 2
    sonic(config-if-2)# acl test
    sonic(config-if-2)# ip address 80.0.0.1/24
    sonic(config)# interface ethernet 1
    sonic(config-if-1)# pppoe client 1
    sonic(config)# access-list l3 test ingress
    sonic(config)# rule 1 dst-ip 192.168.1.0/24 packet-action permit
    sonic(config)# wireguard 1
    sonic(config-wireguard-1)# ip4 listen-port 51829 private-key iejulvrfw8bsr6sokbhuo0mma4qbvntgnu+9lstds3m= intf-addr 172.16.20.22/24
    sonic(config-wireguard-1)# nat zone 1
    sonic(config-wireguard-1)# peer ip4 public-key td2jtqg8nkzzxdx1wqye5eohi/avrduwkpfjzrp5ove= endpoint-ip 52.83.127.133 endpoint-port 54321
    sonic(config-wireguard-1)# peer public-key td2jtqg8nkzzxdx1wqye5eohi/avrduwkpfjzrp5ove= allowed-ip 172.16.20.0/24,192.168.1.0/24
    sonic(config)# nat enable
    sonic(config)# nat pool pool1 172.16.20.22
    sonic(config)# nat binding test1 pool1 test
    sonic(config)# interface dialer 1
    sonic(config-dialerif-1)# ppp chap username test1 test123
    sonic(config-dialerif-1)# nat zone 1
    sonic(config)# ip route 52.83.127.0/24 dialer 1
    sonic(config)# ip route 192.168.1.0/24 172.16.20.22 wg 1

Because only the branch can initiate, the NAT mapping in front of it is what the headquarters replies through; in standard WireGuard a persistent-keepalive on the branch's peer entry is what keeps that mapping alive during idle periods, and this example does not configure one, so headquarters-originated traffic may stall until the branch next sends.
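The Generate Keys section above produces the device's key pair, and every peer command in the examples pastes in the public key that belongs to the other side's private key. The following is an added example, not code from the vendor guide or from the WireGuard project: it derives a WireGuard public key from a private key with a pure-Python X25519 taken from RFC 7748 (so it runs offline, with no third-party packages), checks that a key string has the 44-character base64 form the commands expect, and computes the static-static Diffie-Hellman value that only agrees on both ends when each configured public key really matches the other side's private key. The function names are this example's own; on a real system the device's genkey command or `wg genkey | wg pubkey` does the same job.

```python
"""Derive WireGuard public keys from private keys and check key format.

Added example, not code from the vendor guide or the WireGuard project.
X25519 is reimplemented from RFC 7748 in pure Python so the script runs
offline without third-party packages; on a real system use the device's
genkey command or `wg genkey | wg pubkey`.
"""
import base64
import secrets

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian, per RFC 7748


def clamp(k: bytes) -> bytes:
    """Clamp a 32-byte scalar the way X25519 and `wg genkey` do."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k * u on Curve25519 (RFC 7748, section 5).
    Montgomery ladder; not constant-time in Python, fine for an offline check."""
    k_int = int.from_bytes(clamp(k), "little")
    ub = bytearray(u)
    ub[31] &= 127                    # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def decode_key(key_b64: str) -> bytes:
    """Every key in the guide is 44 base64 characters decoding to 32 bytes;
    reject anything else before it reaches a peer command."""
    if len(key_b64) != 44:
        raise ValueError(f"WireGuard keys are 44 base64 characters: {key_b64!r}")
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:        # binascii.Error is a subclass of ValueError
        raise ValueError(f"not valid base64: {key_b64!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"decodes to {len(raw)} bytes, expected 32: {key_b64!r}")
    return raw


def is_valid_key(key_b64: str) -> bool:
    try:
        decode_key(key_b64)
        return True
    except ValueError:
        return False


def wg_genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    return base64.b64encode(clamp(secrets.token_bytes(32))).decode()


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: the value to paste into the other side's
    `peer ... public-key` command."""
    return base64.b64encode(x25519(decode_key(private_b64), BASEPOINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Static-static DH, one of the DH operations in WireGuard's Noise IK
    handshake; equal on both ends only if the configured public keys match."""
    return base64.b64encode(
        x25519(decode_key(private_b64), decode_key(peer_public_b64))).decode()


def hex_to_b64(hex_key: str) -> str:
    """Convert an RFC 7748 style hex key into WireGuard's base64 form."""
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


if __name__ == "__main__":
    priv = wg_genkey()
    print("private-key", priv)
    print("public-key ", wg_pubkey(priv))
```

Run it once per device, keep the private-key output for that device's `ip4 ... private-key` command only, and hand the public-key output to the peer. Before committing a peer command, `is_valid_key` on the pasted string catches truncated or mis-copied keys, and `wg_pubkey` of the local private key must equal what the other side configured as `public-key`.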
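The allowed-ip lists in the two examples above do more than routing. The following is an added example, not code from the vendor guide or from the WireGuard project, and it assumes the platform's allowed-ip has standard WireGuard cryptokey-routing semantics: inside the interface, the list selects the peer for an outbound inner packet by longest prefix match, and a decrypted packet whose inner source address does not map back to the peer whose key decrypted it is dropped. It models Device1 and Device2 with the keys and lists from the first example, shows how Device1's 0.0.0.0/0 differs from a restricted list, and adds a constructed multi-peer hub (placeholder keys, not from the guide) to show the longest-prefix rule that a two-device example cannot.

```python
"""Model WireGuard cryptokey routing for the gateway examples.

Added example, not code from the vendor guide or the WireGuard project.
Assumption: the platform's `allowed-ip` has standard WireGuard semantics,
so the same table (a) selects the peer for an outbound inner packet by
longest prefix match and (b) drops any decrypted packet whose inner
source address does not map back to the peer whose key decrypted it.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Public keys as printed in the guide's first example: Device1 peers with
# DEVICE2_PUB and Device2 peers with DEVICE1_PUB.
DEVICE1_PUB = "oau/e535arzn2cpuojhz5i9jwv7bfkodg3a0gtma3v8="
DEVICE2_PUB = "h1ewr2onesu9ndjfvbo7pskwnkxt5j25vl1zit0r3ms="


class CryptokeyTable:
    """One WireGuard interface's peer table, keyed by allowed-ip prefix."""

    def __init__(self) -> None:
        self._routes: List[Tuple[Network, str]] = []

    def add_peer(self, public_key: str, allowed_ips: str) -> None:
        """allowed_ips is the comma-separated CLI form, e.g. "10.0.0.0/24,10.1.1.0/24"."""
        for cidr in allowed_ips.split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            self._routes.append((net, public_key))

    def peer_for(self, addr: str) -> Optional[str]:
        """Longest prefix match. None means no peer covers the address and
        an outbound packet is dropped at the interface."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[Network, str]] = None
        for net, key in self._routes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)
        return None if best is None else best[1]

    def accept_inbound(self, decrypted_by: str, inner_src: str) -> bool:
        """After decryption the inner source must map to the same peer;
        otherwise a peer could inject packets for addresses it does not own."""
        return self.peer_for(inner_src) == decrypted_by


def device2_table() -> CryptokeyTable:
    """Device2 exactly as configured in the first example."""
    t = CryptokeyTable()
    t.add_peer(DEVICE1_PUB, "10.0.0.0/24,10.1.1.0/24")
    return t


def device1_table(restricted: bool = False) -> CryptokeyTable:
    """Device1 as configured (allowed-ip 0.0.0.0/0), or with the narrower
    list that covers only the tunnel subnet and Device2's LAN."""
    t = CryptokeyTable()
    t.add_peer(DEVICE2_PUB, "10.0.0.0/24,10.1.2.0/24" if restricted else "0.0.0.0/0")
    return t


def hub_table() -> CryptokeyTable:
    """Constructed hub with two branch peers (placeholder keys, not from the
    guide) to show that the most specific allowed-ip wins."""
    t = CryptokeyTable()
    t.add_peer("BRANCH_A_PUBKEY", "10.0.0.0/8")
    t.add_peer("BRANCH_B_PUBKEY", "10.1.1.0/24")
    return t


if __name__ == "__main__":
    print("Device2 accepts 10.1.1.7 from Device1:", device2_table().accept_inbound(DEVICE1_PUB, "10.1.1.7"))
    print("Device2 accepts 192.168.99.5 from Device1:", device2_table().accept_inbound(DEVICE1_PUB, "192.168.99.5"))
    print("Device1 (0.0.0.0/0) accepts 192.168.99.5:", device1_table().accept_inbound(DEVICE2_PUB, "192.168.99.5"))
    print("Device1 (restricted) accepts 192.168.99.5:", device1_table(True).accept_inbound(DEVICE2_PUB, "192.168.99.5"))
```

On the device itself the `ip route ... wg 1` commands decide which traffic enters the tunnel at all; the allowed-ip table acts only inside the interface, which is why Device1's 0.0.0.0/0 does not by itself send all traffic into the tunnel but does accept any inner source address from Device2.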
