Difference between revisions of "Wireguard"

From SME Server
(Description)
 
(One intermediate revision by the same user not shown)
Line 16: Line 16:
 
|tags=VPN,security,network,remote
 
|tags=VPN,security,network,remote
 
|video=}}
 
|video=}}
 +
 +
{{Warning box|Do Not install this contrib until this notice is removed, serious bug found and update is being worked on Bug 11771}}
  
 
===Maintainer===
 
===Maintainer===
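Review bot: the warning box added at line 16 cites Bug 11771 but gives neither a link to the bug nor the affected smeserver-wireguard versions, so nothing in the notice tells a reader when it stops applying. Suggest naming the affected release and the release that carries the fix, and repeating the caveat next to the yum install command in the Installation section.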

Latest revision as of 23:35, 23 November 2021




wireguard
Maintainer: Unnilennium
Url: https://www.wireguard.com/
Licence: GPLv2 for kernel modules, MIT, BSD, Apache 2.0, or GPL for other parts
Category: VPN security
Tags: VPN, security, network, remote

Warning: Do Not install this contrib until this notice is removed, serious bug found and update is being worked on Bug 11771


Maintainer

Jean-Philippe Pialasse

Version

Devel 10:
Contrib 10:
smeserver-wireguard
The latest version of smeserver-wireguard is available in the SME repository, click on the version number(s) for more information.


Description

As always, we worked to keep it simple and stupid. WireGuard is the easiest VPN server to set up, but we managed to make it even easier for you!

According to the WireGuard website:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installation

yum --enablerepo=smecontribs install smeserver-wireguard

Then log in to your server-manager to start adding clients.

Configuration

using server-manager

main panel

On the main panel you can see at a glance the server configuration, the connected clients, and the configured clients.

configure the server

You can adjust the server configuration: disable the service, or change the server's main IP and mask. The default generates a class B network for more than 1000 connected devices, on the assumption that your users might each want a dedicated client for every device (phone, pad, laptop...). A 172.* class B network tends to be less commonly used than a 192.168.* class C network or a 10.* class A network, so this should also limit collisions for clients behind a LAN when they launch their VPN session.

The private and public keys are generated upon installation, but if you have specific needs, go ahead and play with them.

add a new client

To add a new client, simply press the button, select the user that will be associated with this client, and give some information about the client. If you want to create a client for the admin's phone, simply type "phone", then press the create button; a private/public key pair will be generated and the first available IP will be assigned to the client.

get client configuration and qrcode

You can easily configure your client using a qrcode or a generated configuration.

client modification


If you want to alter the client configuration, you can do so on this screen. You can even remove the private key if you do not want it on the server, or set your own public key without revealing the private key: the private key is only needed to generate the QR code, not to allow you to connect.

advanced manual configuration

You can list the available configuration with the following command:

config show wg-quick@wg0

Some of the properties are not shown, but are defaulted in a template or a script. Here is a more comprehensive list with default and expected values:

| property | default | values | |
|---|---|---|---|
| UDPPort | 51820 | string | should keep this one as default, but free to do as you want |
| mask | 22 | network mask bit | the default allow 1024 hosts |
| ip | 172.X.0.1 | IP v4 | one class B IP is generated on installation, feel free to set as you want |
| private | | string | private key, generated |
| public | | string | public key, generated |
| access | private | private, public | |
| status | enabled | enabled,disabled | |


You can also check the configured clients:

db wireguard show 172.X.0.2


| property | default | values | |
|---|---|---|---|
| allowedips | | list of ip/mask | default is empty for all 0.0.0.0/0 |
| info | | string | name or information about the client |
| ip | 172.X.0.Y | IP v4 | should be part of wg0 network |
| private | | string | private key, generated |
| public | | string | public key, generated |
| status | enabled | enabled,disabled | |
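The two property lists above, worked through as an added example (not code from the contrib or from SME Server): it checks client records against the wg0 network derived from ip and mask, and renders a wg-quick style client file, leaving a placeholder where the private key has been removed from the server. The 172.20.x addresses, key placeholders, the vpn.example.org endpoint, the /32 client address and the use of the server address as DNS are assumptions.

```python
import ipaddress

# Constructed sample records mirroring the property lists above; addresses and
# key strings are placeholders, not values taken from a real server.
SERVER = {"ip": "172.20.0.1", "mask": "22", "UDPPort": "51820",
          "public": "<server-public-key>", "status": "enabled"}
CLIENTS = {
    "172.20.0.2": {"info": "phone", "allowedips": "", "private": "<client-private-key>",
                   "public": "<client-public-key>", "status": "enabled"},
    "172.20.3.254": {"info": "laptop", "allowedips": "192.168.10.0/24", "private": "",
                     "public": "<client-public-key>", "status": "enabled"},
    "172.20.4.7": {"info": "pad", "allowedips": "", "private": "", "public": "",
                   "status": "enabled"},
}

def wg_network(server):
    """Network covered by wg0, derived from the server ip and mask properties."""
    return ipaddress.ip_interface(f"{server['ip']}/{server['mask']}").network

def check_client(ip, props, server):
    """Return a list of problems found in one client record (empty if clean)."""
    problems = []
    net = wg_network(server)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        problems.append(f"{ip} is outside {net}")
    elif addr in (net.network_address, net.broadcast_address, ipaddress.ip_address(server["ip"])):
        problems.append(f"{ip} is reserved or is the server address")
    if not props["public"]:
        problems.append("no public key: the peer cannot be authenticated")
    for cidr in filter(None, (c.strip() for c in props["allowedips"].split(","))):
        try:
            ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"allowedips entry {cidr!r} is not a valid network")
    return problems

def client_conf(ip, props, server, endpoint="vpn.example.org"):
    """Render wg-quick text; endpoint, /32 and the DNS choice are assumptions."""
    allowed = props["allowedips"] or "0.0.0.0/0"   # empty means route everything
    private = props["private"] or "<paste the key kept on the device>"
    lines = ["[Interface]", f"PrivateKey = {private}", f"Address = {ip}/32"]
    if allowed == "0.0.0.0/0":                     # full tunnel: resolve via the VPN
        lines.append(f"DNS = {server['ip']}")
    lines += ["[Peer]", f"PublicKey = {server['public']}",
              f"Endpoint = {endpoint}:{server['UDPPort']}", f"AllowedIPs = {allowed}"]
    return "\n".join(lines)
```
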


Sources of information


Uninstall

yum remove smeserver-wireguard  wireguard

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-wireguard component, or use this link.


Below is an overview of the current issues for this contrib:

| ID | Product | Version | Status | Summary (8 tasks) |
|---|---|---|---|---|
| 11771 | SME Contribs | Futur | RESOLVED | /var/service/qpsmtpd/config/relayclients has extra ip addresses |
| 11767 | SME Contribs | Futur | CONFIRMED | Change Smeserver (Wireguard) external IP address in Wireguard configuration for clients |
| 11742 | SME Contribs | 10.0 | CONFIRMED | new client Information field not fully saved |
| 11732 | SME Contribs | 10.0 | CONFIRMED | NFR: allow SME to connect to remote server |
| 11729 | SME Contribs | 10.0 | CONFIRMED | delete unused network |
| 11728 | SME Contribs | 10.0 | CONFIRMED | NFR: add custom DNS field |
| 11727 | SME Contribs | 10.0 | CONFIRMED | NFR: easy AllowedIPs configuration |
| 11726 | SME Contribs | 10.0 | CONFIRMED | NFR: userpanel |

Changelog

Only versions released in smecontribs are listed here.

smeserver-wireguard Changelog: SME 10 (smecontribs)

2021/11/16 Brian Read 1.0-12.sme
- Fix-allowedips-in-quick-conf-contents [SME: 11756]

2021/11/03 Jean-Philippe Pialasse 1.0-11.sme
- fix tainted string from dns query [SME: 11721]

2021/11/03 Jean-Philippe Pialasse 1.0-10.sme
- fix wrong delete event [SME: 11721]
  fix ip not shown if server only
  improved config display

2021/11/01 Jean-Philippe Pialasse 1.0-9.sme
- fix migrate fragment [SME: 11721]

2021/10/31 Jean-Philippe Pialasse 1.0-8.sme
- set DNS if allowedips 0.0.0.0/0 [SME: 11721]
  allowedips displayed as it has been set.