Difference between revisions of "Wireguard"

From SME Server
Jump to navigationJump to search
 
(9 intermediate revisions by 3 users not shown)
Line 6: Line 6:
 
<!-- we define the language -->
 
<!-- we define the language -->
 
{{#vardefine:lang| {{lc:  {{#titleparts:    {{PAGENAME}} | | -1}}  }} |en }}
 
{{#vardefine:lang| {{lc:  {{#titleparts:    {{PAGENAME}} | | -1}}  }} |en }}
{{Warning box|this is still at alpha stage and only bits of contribs are currently being attached together.
+
{{Infobox contribs
Do not use in production}}{{WIP box|This is a work in progress for the moment event the content of this page is not up to date. Please refer to dev RocketChat discussion and Bugs}}{{Infobox contribs
 
 
|name={{#var:contribname}}
 
|name={{#var:contribname}}
 
|image=Wireguard_logo.svg
 
|image=Wireguard_logo.svg
Line 14: Line 13:
 
|licence= GPLv2 for kernel modules, MIT, BSD, Apache 2.0, or GPL for other parts
 
|licence= GPLv2 for kernel modules, MIT, BSD, Apache 2.0, or GPL for other parts
 
|url= https://www.wireguard.com/
 
|url= https://www.wireguard.com/
|category= VPN
+
|category= VPN,security
 
|tags=VPN,security,network,remote
 
|tags=VPN,security,network,remote
 
|video=}}
 
|video=}}
Line 25: Line 24:
 
<!-- keep this first element as is, you can add some if needed -->
 
<!-- keep this first element as is, you can add some if needed -->
 
{{#smeversion: {{#var:smecontribname}} }}
 
{{#smeversion: {{#var:smecontribname}} }}
{{#smeversion: {{#var:contribname}} }}
 
  
 
===Description===
 
===Description===
 +
As always we worked to make it Simple and Stupid. Wireguard is the easiest VPN server to set, but we managed to make it even easier for you !
 +
 
according to WireGuard website:
 
according to WireGuard website:
  
 
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
 
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
 
  
 
===Installation===
 
===Installation===
<tabs container><tab name="For SME 10">
+
<tabs container=""><tab name="For SME 10">
 
  yum --enablerepo=smecontribs install {{#var:smecontribname}}
 
  yum --enablerepo=smecontribs install {{#var:smecontribname}}
 +
then log to your server-manager to start adding clients.
 
</tab></tabs>
 
</tab></tabs>
  
 
===Configuration===
 
===Configuration===
 +
 +
==== using server-manager ====
 +
[[File:Wireguard-panel.png|none|thumb|main panel]]
 +
On the main panel you can see at a glance, server configuration, connected clients, and configured clients.
 +
[[File:Wireguard-config.png|none|thumb|configure the server]]
 +
You can adjust the server configuration: disable the service, change the server main Ip and mask. Default will generate a class B network for more than 1000 device connected, looking that all your users might want a dedicated client for every devices (phone, pad, laptop...). 172.* class B tends to be less commonly used than 192.168.* class C network or 10.+ class A network, so this also should limit collision for your clients behind a LAN when launching their VPN session.
 +
 +
The private and public key are generated upon installation, but if you have specific needs, go ahead and play with them.
 +
<br />
 +
[[File:Wireguard-add-client.png|none|thumb|add a new client]]
 +
To add a new client simply press the button, and select a user that will be associated to this client, and give some information about this client. IF you want to create a client for the phone of the admin, simply type "phone", then press create button and private"/public key will be generated and first available ip will be associated to the client.
 +
<br />
 +
[[File:Wireguard-qrcode.png|none|thumb|get client configuration and qrcode]]
 +
You can easily configure your client using a qrcode or a generated configuration.
 +
<br />
 +
[[File:Wireguard-edit-client.png|none|thumb|client modification]]
 +
 +
 +
If you want to alter the client configuration you can do so on this screen, you can even remove the private key if you do not want it on the server, or set your own public key without revealing the private key, it is only needed to generate the qrcode, not to allow you to connect.
 +
 +
==== advanced manual configuration ====
 
you can list the available configuration with the following command :
 
you can list the available configuration with the following command :
 
  config show wg-quick@wg0
 
  config show wg-quick@wg0
Line 49: Line 70:
 
!
 
!
 
|-
 
|-
|DbName
+
|UDPPort
|nextcloud
+
|51820
 
|string
 
|string
|for mysql db
+
|should keep this one as default, but free to do as you want
 
|-
 
|-
|DbPassword
+
|mask
|GENERATED
+
|22
 +
|network mask bit
 +
|the default allow 1024 hosts
 +
|-
 +
|ip
 +
|172.X.0.1
 +
|IP v4
 +
|one class B IP is generated on installation, feel free to set as you want
 +
|-
 +
|private
 +
|
 
|string
 
|string
|for mysql db
+
|private key, generated
 
|-
 
|-
|DbUser
+
|public
|nextcloud
+
|
 
|string
 
|string
|for mysql db
+
|public key, generated
 
|-
 
|-
 
|access
 
|access
Line 73: Line 104:
 
|enabled,disabled
 
|enabled,disabled
 
|}
 
|}
 +
 +
 +
You can also check the configured clients:
 +
db wireguard show 172.X.0.2
 +
 +
<br />
 +
{| class="wikitable"
 +
!property
 +
!default
 +
!values
 +
!
 +
|-
 +
|allowedips
 +
|
 +
|list of ip/mask
 +
|default is empty for all  0.0.0.0/0
 +
|-
 +
|info
 +
|
 +
|string
 +
|name or information about the client
 +
|-
 +
|ip
 +
|172.X.0.Y
 +
|IP v4
 +
|should be part of wg0 network
 +
|-
 +
|private
 +
|
 +
|string
 +
|private key, generated
 +
|-
 +
|public
 +
|
 +
|string
 +
|public key, generated
 +
|-
 +
|status
 +
|enabled
 +
|enabled,disabled
 +
|
 +
|}
 +
  
 
===Sources of information===
 
===Sources of information===
  
* https://www.subnet-calculator.com/subnet.php?net_class=B
+
*https://www.subnet-calculator.com/subnet.php?net_class=B
* https://github.com/pirate/wireguard-docs
+
*https://github.com/pirate/wireguard-docs
* https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
+
*https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
* https://www.linuxbabe.com/centos/wireguard-vpn-server-centos
+
*https://www.linuxbabe.com/centos/wireguard-vpn-server-centos
*  
+
*
  
 
<br />
 
<br />
 
===Uninstall===
 
===Uninstall===
  yum remove {{#var:smecontribname}}  {{#var:contribname}}
+
  yum remove {{#var:smecontribname}}  {{#var:contribname}} wireguard-tools kmod-wireguard
  
 
===Bugs===
 
===Bugs===
Line 100: Line 174:
 
<!-- list of category you want to see this page in -->
 
<!-- list of category you want to see this page in -->
 
[[Category: Contrib]]
 
[[Category: Contrib]]
 
 
<!-- Please keep there the template revision  number as is -->
 
<!-- Please keep there the template revision  number as is -->

Latest revision as of 12:19, 9 May 2023




wireguard
Wireguard logo.svg
wireguard logo
MaintainerUnnilennium
Urlhttps://www.wireguard.com/
LicenceGPLv2 for kernel modules, MIT, BSD, Apache 2.0, or GPL for other parts
Category

VPN security

Tags VPNsecuritynetworkremote


Maintainer

Jean-Philippe Pialasse

Version

Contrib 10:
smeserver-wireguard
The latest version of smeserver-wireguard is available in the SME repository, click on the version number(s) for more information.


Description

As always we worked to make it Simple and Stupid. Wireguard is the easiest VPN server to set, but we managed to make it even easier for you !

according to WireGuard website:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installation

yum --enablerepo=smecontribs install smeserver-wireguard

then log to your server-manager to start adding clients.

Configuration

using server-manager

main panel

On the main panel you can see at a glance, server configuration, connected clients, and configured clients.

configure the server

You can adjust the server configuration: disable the service, change the server main Ip and mask. Default will generate a class B network for more than 1000 device connected, looking that all your users might want a dedicated client for every devices (phone, pad, laptop...). 172.* class B tends to be less commonly used than 192.168.* class C network or 10.+ class A network, so this also should limit collision for your clients behind a LAN when launching their VPN session.

The private and public key are generated upon installation, but if you have specific needs, go ahead and play with them.

add a new client

To add a new client simply press the button, and select a user that will be associated to this client, and give some information about this client. IF you want to create a client for the phone of the admin, simply type "phone", then press create button and private"/public key will be generated and first available ip will be associated to the client.

get client configuration and qrcode

You can easily configure your client using a qrcode or a generated configuration.

client modification


If you want to alter the client configuration you can do so on this screen, you can even remove the private key if you do not want it on the server, or set your own public key without revealing the private key, it is only needed to generate the qrcode, not to allow you to connect.

advanced manual configuration

you can list the available configuration with the following command :

config show wg-quick@wg0

Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :

property default values
UDPPort 51820 string should keep this one as default, but free to do as you want
mask 22 network mask bit the default allow 1024 hosts
ip 172.X.0.1 IP v4 one class B IP is generated on installation, feel free to set as you want
private string private key, generated
public string public key, generated
access private private, public
status enabled enabled,disabled


You can also check the configured clients:

db wireguard show 172.X.0.2


property default values
allowedips list of ip/mask default is empty for all 0.0.0.0/0
info string name or information about the client
ip 172.X.0.Y IP v4 should be part of wg0 network
private string private key, generated
public string public key, generated
status enabled enabled,disabled


Sources of information


Uninstall

yum remove smeserver-wireguard  wireguard wireguard-tools kmod-wireguard

Bugs

Please raise bugs under the SME-Contribs section in bugzilla

and select the smeserver-wireguard component or use this link


Below is an overview of the current issues for this contrib:

IDProductVersionStatusSummary (7 tasks)
12492SME Contribs10.0RESOLVEDError in SM2 wireguard panel
11767SME ContribsFuturCONFIRMEDChange Smeserver (Wireguard) external IP address in Wireguard configuration for clients
11732SME Contribs10.0CONFIRMEDNFR: allow SME to connect to remote server
11729SME Contribs10.0CONFIRMEDdelete unused network
11728SME Contribs10.0CONFIRMEDNFR: add custom DNS field
11727SME Contribs10.0CONFIRMEDNFR: easy AllowedIPs configuration
11726SME Contribs10.0CONFIRMEDNFR: userpanel

Changelog

Only released version in smecontrib are listed here.

smeserver-wireguard Changelog: SME 10 (smecontribs)
2024/09/06 Terry Fage 1.0-20.sme
- apply locale 2024-09-06.patch
2024/03/01 Brian Read 1.0-19.sme
- Edit SM2 Menu entry to conform to new arrangements [SME: 12493]
2022/12/26 Jean-Philippe Pialasse 1.0-18.sme
- remove masquerade and forward directive on startup [SME: 12288]
2022/11/11 Jean-Philippe Pialasse 1.0-17.sme
- apply locale 2022-11-11 patch

2022/05/29 Jean-Philippe Pialasse 1.0-16.sme
- improve check and tidying for non local network type [SME: 11771]

updated both legacy and new panel