WireGuard Configuration Guide
Introduction

WireGuard VPN is a new VPN protocol that operates at the kernel level, delivering an efficient, secure, simple, and modern VPN solution. WireGuard employs robust encryption techniques to ensure data security while delivering rapid transmission speeds. Its advantages include efficient encryption and authentication mechanisms, a lightweight protocol design, straightforward configuration and management, and high-speed data transfer. Compared to traditional VPN protocols, WireGuard offers enhanced security, faster performance, greater reliability, and a superior user experience.

WireGuard Configuration

(Figure: WireGuard configuration workflow) Create WireGuard -> Generate keys -> Configure WireGuard -> Display and maintenance

WireGuard Configuration Example

Network requirements
The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway and the headquarters gateway communicate over the Internet, a WireGuard tunnel can be set up between them.

Procedure

Device1
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.1.1/24
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.1/24
sonic(config)# wireguard 1
sonic(config-wireguard-1)# ip4 listen port 51820 private key ugsbrshnypix0xkldpq6z8wat2k6yd3ybylmd4je6vg= intf addr 10.0.0.1/24
sonic(config-wireguard-1)# peer ip4 public key h1ewr2onesu9ndjfvbo7pskwnkxt5j25vl1zit0r3ms= persistent keepalive 300
sonic(config-wireguard-1)# peer public key h1ewr2onesu9ndjfvbo7pskwnkxt5j25vl1zit0r3ms= allowed ip 0.0.0.0/0
sonic(config)# ip route 10.1.2.0/24 10.0.0.1 wg 1

Device2
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.2.1/24
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.2/24
sonic(config)# wireguard 1
sonic(config-wireguard-1)# ip4 listen port 51820 private key uchpw7lmoymmzsvkhvz88cs/0pv8imf2pr7wangle24= intf addr 10.0.0.2/24
sonic(config-wireguard-1)# peer ip4 public key oau/e535arzn2cpuojhz5i9jwv7bfkodg3a0gtma3v8= endpoint ip 1.1.1.1 endpoint port 51820 persistent keepalive 300
sonic(config-wireguard-1)# peer public key oau/e535arzn2cpuojhz5i9jwv7bfkodg3a0gtma3v8= allowed ip 10.0.0.0/24,10.1.1.0/24
sonic(config)# ip route 10.1.1.0/24 10.0.0.2 wg 1

Example of WireGuard Configuration in a PPPoE Scenario

Network requirements
The enterprise seeks to secure traffic exchanged between the branch subnet and the headquarters subnet. Since communication between the branch and headquarters occurs over the public Internet, a WireGuard tunnel between the branch gateway and the headquarters gateway can provide this protection. Because the branch gateway obtains its IP address as a PPPoE client and performs NAT translation, the headquarters side cannot learn the branch gateway's IP address in advance; consequently, the headquarters gateway can only respond to WireGuard handshakes initiated by the branch gateway.

Procedure
sonic(config)# interface ethernet 2
sonic(config-if-2)# acl test
sonic(config-if-2)# ip address 80.0.0.1/24
sonic(config)# interface ethernet 1
sonic(config-if-1)# pppoe client 1
sonic(config)# access list l3 test ingress
sonic(config)# rule 1 dst ip 192.168.1.0/24 packet action permit
sonic(config)# wireguard 1
sonic(config-wireguard-1)# ip4 listen port 51829 private key iejulvrfw8bsr6sokbhuo0mma4qbvntgnu+9lstds3m= intf addr 172.16.20.22/24
sonic(config-wireguard-1)# nat zone 1
sonic(config-wireguard-1)# peer ip4 public key td2jtqg8nkzzxdx1wqye5eohi/avrduwkpfjzrp5ove= endpoint ip 52.83.127.133 endpoint port 54321
sonic(config-wireguard-1)# peer public key td2jtqg8nkzzxdx1wqye5eohi/avrduwkpfjzrp5ove= allowed ip 172.16.20.0/24,192.168.1.0/24
sonic(config)# nat enable
sonic(config)# nat pool pool1 172.16.20.22
sonic(config)# nat binding test1 pool1 test
sonic(config)# interface dialer 1
sonic(config-dialerif-1)# ppp chap username test1 test123
sonic(config-dialerif-1)# nat zone 1
sonic(config)# ip route 52.83.127.0/24 dialer 1
sonic(config)# ip route 192.168.1.0/24 172.16.20.22 wg 1
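The cryptokey-routing behaviour that the allowed ip lists in both examples above enforce, as an added Python example that is not part of this guide or the device's own software; the dictionary names, the 192.0.2.5 outsider address and the tightened device1 list are this example's own assumptions:

```python
import ipaddress

# Constructed from the page's examples: each gateway's allowed ip list for its
# single peer. DEVICE1/DEVICE2 are the first example; BRANCH_PPPOE is the branch
# gateway of the PPPoE example. The names are this example's, not device CLI.
DEVICE1 = {"allowed_ips": ["0.0.0.0/0"]}                    # headquarters gateway
DEVICE2 = {"allowed_ips": ["10.0.0.0/24", "10.1.1.0/24"]}   # branch gateway
BRANCH_PPPOE = {"allowed_ips": ["172.16.20.0/24", "192.168.1.0/24"]}
# Assumed tightening of device1 (not on the page): only the tunnel subnet and
# the branch LAN that its 'ip route 10.1.2.0/24 ... wg 1' sends into wg 1.
DEVICE1_TIGHT = {"allowed_ips": ["10.0.0.0/24", "10.1.2.0/24"]}


def _nets(device):
    return [ipaddress.ip_network(n) for n in device["allowed_ips"]]


def selects_peer(device, dst):
    """Outbound cryptokey routing: a packet is encrypted to the peer only if
    its destination lies inside that peer's allowed ips (single-peer case)."""
    return any(ipaddress.ip_address(dst) in n for n in _nets(device))


def accepts_from_peer(device, src):
    """Inbound cryptokey routing: after decryption the packet is dropped unless
    its source address lies inside the sending peer's allowed ips."""
    return any(ipaddress.ip_address(src) in n for n in _nets(device))


def tunnel_ok(sender, receiver, src, dst):
    """True only if the sender tunnels the packet AND the receiver accepts it."""
    return selects_peer(sender, dst) and accepts_from_peer(receiver, src)


def first_example_report():
    """Checks the first topology in both directions plus two spoofed sources."""
    branch_host, hq_host, outsider = "10.1.2.10", "10.1.1.10", "192.0.2.5"
    return {
        "branch_to_hq": tunnel_ok(DEVICE2, DEVICE1, branch_host, hq_host),
        "hq_to_branch": tunnel_ok(DEVICE1, DEVICE2, hq_host, branch_host),
        # device2 drops a decrypted packet whose source is outside its list
        "spoof_toward_branch": tunnel_ok(DEVICE1, DEVICE2, outsider, branch_host),
        # device1's 0.0.0.0/0 accepts ANY source arriving from the branch peer
        "spoof_toward_hq": tunnel_ok(DEVICE2, DEVICE1, outsider, hq_host),
        # the tightened list closes that without breaking real branch traffic
        "spoof_toward_hq_tight": tunnel_ok(DEVICE2, DEVICE1_TIGHT, outsider, hq_host),
        "branch_to_hq_tight": tunnel_ok(DEVICE2, DEVICE1_TIGHT, branch_host, hq_host),
    }


if __name__ == "__main__":
    for name, ok in first_example_report().items():
        print(f"{name:24s} {'forwarded' if ok else 'dropped'}")
```

The same two functions apply to the PPPoE branch gateway: only destinations in 172.16.20.0/24 or 192.168.1.0/24 enter the tunnel, and only sources in those ranges are accepted from headquarters.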
