...
Requirements:
- Basic Linux/Unix knowledge
- Service provider networking knowledge
Overview
Wireguard gained a lot of popularity and attention when it went into the Linux kernel in March 2020. And, pure coincidence or not, one month later Wireguard made its way into Ubuntu 20.04 LTS. Csaba MATE, the freeRtr maintainer, took "the Taurus by his horns" (sorry for the pure French translation of the proverb) and in turn added Wireguard support to freeRtr a few months later ...
...
Step -2- Configure RARE/freeRtr Wireguard endpoint
- First things first, configure vrf v1234
Code Block: vrf v1234 configuration
!
vrf definition v1234
 exit
!
- Configure loopback1234 and bind it to vrf v1234
Code Block: Loopback1234 configuration
!
interface loopback1234
 description Wireguard allowed IPv6 network
 vrf forwarding v1234
 ipv6 address 1234::1 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
!
- Configure the Wireguard crypto stanza (freeRtr's own private key followed by the Ubuntu peer's public key)
Code Block: Wireguard crypto stanza wg-1234 configuration
!
crypto ipsec wg-1234
 key <freertr-private-key> <ubuntu-public-key>
 replay 0
 exit
!
- Configure the tunnel1234 Wireguard tunnel
Code Block: Wireguard tunnel1234 configuration
!
interface tunnel1234
 description RARE/freeRtr Wireguard tunnel
 tunnel key 51820
 tunnel vrf inet
 tunnel protection wg-1234
 tunnel source sdn6
 tunnel destination 2a01:e0a:159:2856:a00:27ff:fe5f:f085
 tunnel mode wireguard
 vrf forwarding v1234
 ipv6 address 6789::666 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
!
- If you are using a dataplane, add the Wireguard tunnel and its VRF to "server p4lang p4"
Code Block: sh run p4lang
!
server p4lang p4
 ...
 export-vrf v1234 5
 ...
 export-port tunnel1234 45 0 0 0 0
 ...
 exit
!
! Where 45 is an ID not already used in server p4lang
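The Ubuntu peer has to hold the mirror image of the wg-1234 key line (its own private key plus freeRtr's public key) and accept the same prefixes under AllowedIPs, otherwise cryptokey routing silently drops the traffic. The shell script below is an added example, not code from the RARE/freeRtr project or this page; it assumes the Ubuntu host listens on UDP 51820 (the tunnel key value above) and that freeRtr initiates the handshake, so the peer section carries no Endpoint.

```shell
#!/bin/sh
# Added example (not RARE/freeRtr project code): build the Ubuntu-side wg0.conf
# that mirrors tunnel1234 / wg-1234 above. Assumptions not stated on the page:
# the Ubuntu host listens on UDP 51820 (the 'tunnel key' value) and freeRtr
# initiates the handshake, so the peer section carries no Endpoint.

# A WireGuard key is 32 bytes in base64: 42 symbols, one symbol whose low two
# bits are padding, then exactly one '='. Anything else is rejected before it
# reaches a config file (a truncated or pasted-with-newline key fails here).
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print wg0.conf for the Ubuntu peer.
#   $1 = Ubuntu private key (never leaves the Ubuntu host)
#   $2 = freeRtr public key (the pair of <freertr-private-key> in wg-1234;
#        the Ubuntu public key goes into freeRtr's key line in return)
gen_wg0_conf() {
    is_wg_key "$1" || { echo "invalid Ubuntu private key" >&2; return 1; }
    is_wg_key "$2" || { echo "invalid freeRtr public key" >&2; return 1; }
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$1"
    printf 'Address = 6789::10/64\n'      # the 'inet6 6789::10' seen on wg0
    printf 'ListenPort = 51820\n\n'       # the 'tunnel key 51820' on freeRtr
    printf '[Peer]\n'
    printf 'PublicKey = %s\n' "$2"
    # Cryptokey routing: only these prefixes are accepted from, or sent to,
    # the freeRtr peer. 6789::/64 is the tunnel link itself, 1234::/64 is
    # loopback1234 behind it; this entry is what produces the
    # '1234::/64 dev wg0' line in 'ip -6 route'.
    printf 'AllowedIPs = 6789::/64, 1234::/64\n'
}

# Stand-alone use: sh wg0-conf.sh <freertr-public-key> > /etc/wireguard/wg0.conf
# The Ubuntu keypair is created with wg(8) when it is available.
if [ -n "$1" ] && command -v wg >/dev/null 2>&1; then
    umask 077                             # keep the private key owner-only
    priv=$(wg genkey)
    printf '%s' "$priv" | wg pubkey > ubuntu.pub   # hand this to the freeRtr side
    gen_wg0_conf "$priv" "$1"
fi
```

The file ubuntu.pub is the value that goes into the <ubuntu-public-key> slot of the wg-1234 stanza; the private key itself never has to leave the Ubuntu host.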
Verification
Verification @ ubuntu 20.04
- Check the Wireguard interface
Code Block: ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet6 6789::10  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 980  bytes 44240 (44.2 KB)
        RX errors 204  dropped 0  overruns 0  frame 204
        TX packets 191  bytes 15768 (15.7 KB)
        TX errors 0  dropped 64  overruns 0  carrier 0  collisions 0
- Check IPv6 routing @ ubuntu
Code Block: ip -6 route
::1 dev lo proto kernel metric 256 pref medium
1234::/64 dev wg0 metric 1024 pref medium
2a01:e0a:159:2856::/64 dev enp0s3 proto ra metric 100 expires 2419185sec pref medium
6789::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev enp0s8 proto kernel metric 256 pref medium
default via fe80::24c:73ff:fe07:a77 dev enp0s3 proto ra metric 100 expires 1785sec mtu 1500 pref medium
- Ping the freeRtr tunnel endpoint
Code Block: ping 6789::666
PING 6789::666(6789::666) 56 data bytes
64 bytes from 6789::666: icmp_seq=1 ttl=255 time=2.07 ms
64 bytes from 6789::666: icmp_seq=2 ttl=255 time=1.99 ms
64 bytes from 6789::666: icmp_seq=3 ttl=255 time=2.20 ms
64 bytes from 6789::666: icmp_seq=4 ttl=255 time=2.26 ms
- Ping the cascaded loopback1234
Code Block: ping 1234::1
PING 1234::1(1234::1) 56 data bytes
64 bytes from 1234::1: icmp_seq=1 ttl=255 time=2.04 ms
64 bytes from 1234::1: icmp_seq=2 ttl=255 time=1.92 ms
64 bytes from 1234::1: icmp_seq=3 ttl=255 time=2.10 ms
64 bytes from 1234::1: icmp_seq=4 ttl=255 time=1.96 ms
Congratulations! Now let's proceed to verification at freeRtr level.
...
Tip: RARE validated design: [ SOHO #006 #009 ] - key take-away
In this example the key take-aways are:
- Wireguard configuration is simple
- We used Ubuntu 20.04, but of course you can enable Wireguard with any host supporting the Wireguard protocol
- IPv6 is used here, but of course IPv4 is also available
- Last but not least, do not forget to export the VRF and the Wireguard tunnel interface in "server p4lang p4" should you run RARE/freeRtr with a dedicated dataplane (p4emu, dpdk)
This is a pretty unique freeRouter feature! Are you aware of any other router able to set up a Wireguard VPN?
...