Starting from SOHO #008, everyone inside home network can:

  • reach the Internet thanks to NAT translation described in SOHO #004 
  • reach now their favorite Internet service by name thanks for SOHO #005
  • and get IPv4 (or IPv6) address from DHCP server (we took as a switch connected to sdn6)
  • this applies to all wired host but also all mobile host connected to the home wireless network
  • And you get a Great UPNP server forwarder

Requirement

  • Basic Linux/Unix knowledge
  • Service provider networking knowledge

Overview

Wireguard gained a lot popularity and attention when it went into Linux kernel in March 2020. And pure coincidence or not, 1 month later, Wireguard made its way through ubuntu 20.04 LTS. Csaba MATE, freeRtr maintainer took "the Taurus by his horns" (sorry for the pure French translation of the proverb (smile)) and in turn, he added Wireguard support into freeRtr few months later ...

In the current pandemic context, Wireguard is highly used to establish software VPN connectivity toward office resources. In my context, among other usages, I'm using it in order to reach DN42, an overlay network very good for learning protocol like BGP and explore routing technology.

Article objective

There are plenty of web resources debating Wireguard based VPN topics. The purpose of this article will simply put the focus on how to configure a Wireguard tunnel between:

  • ubuntu 20.04 host
  • RARE/freeRtr

Diagrams

In this example, I'll use my home router as Wireguard tunnel end point and a ubuntu 20.04 server in my home LAN.

The steps at RARE/freeRtr level are:

  • configure vrf v1234.
  • configure loopback1234 with IPv6 network 1234::666/64 at freeRtr level and bind it to vrf v1234
  • configure Wireguard crypto stanza
  • configure tunnel1234
    • with Wireguard crypto stanza defined above,
    • configure tunnel source, destination underlay in vrf inet
    • finally configure tunnel interface in vrf v1234
  • As RARE/freeRtr is oriented toward the future we will just forget about legacy IPv4, therefore the underlay tunnel will be established with IPv6 only. (←Joke (smile))

Tip

As we are running RARE/freeRtr with DPDK dataplane do not forget to update server p4lang p4 stanza:

  • add vrf v1234
  • add tunnel1234

[ SOHO #009 ] - "Network 1234::/64 ? Please follow tunnel1234 Wireguard tunnel !"

  • Install Wireguard
Update system and install Wireguard
sudo apt-get update
sudo apt-get upgrade
sudo apt install wireguard
  • generate for ubuntu private/public key pair
Generate key private/public key pair for ubuntu-20.04
umask 077
wg genkey > ubi20-private-key
wg pubkey < ubi20-private-key > ubi20-public-key
  • generate for freeRtr private/public key pair
Generate private/public key pair for freeRtr
umask 077
wg genkey > freertr-private-key
wg pubkey < freertr-private-key > freertr-public-key
  • edit ubuntu 20.04 Wireguard configuration
vi /etc/wireguard/wg0.conf
cat /etc/wireguard/wg0.conf 
[Interface]
Address = 6789::10/64 
PrivateKey = <ubuntu-private-key> 

ListenPort = 51820

[Peer]
PublicKey = <freertr-public-key> 
AllowedIPs = 1234::/64,6789::/64 
Endpoint = 2a01:e0a:159:2856::6:51820 
  • Activate wireguard tunnel
As root
wg-quick up wg0
  • First thing first configure vrf v1234
vrf v1234 configuration
!
vrf definition v1234
 exit
!
  • Configure loopback1234 and bind it to vrf v1234
Loopback1234 configuration
!
interface loopback1234
 description Wireguard allowed IPv6 network
 vrf forwarding v1234
 ipv6 address 1234::1 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
!
  • Configure Wireguard crypto stanza
vrf v1234 configuration
!
crypto ipsec wg-1234
 key <freertr-private-key><ubuntu-public-key>
 replay 0
 exit
!
  • Configure tunnel1234 Wireguard tunnel
Wireguard tunnel1234 configuration
!
interface tunnel1234
 description RARE/freeRtr Wireguard tunnel 
 tunnel key 51820
 tunnel vrf inet
 tunnel protection wg-1234
 tunnel source sdn6
 tunnel destination 2a01:e0a:159:2856:a00:27ff:fe5f:f085
 tunnel mode wireguard
 vrf forwarding v1234
 ipv6 address 6789::666 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
! 
  • if you are using a dataplane please add Wireguard tunnel and corresponding VRF in "server p4lang p4"
sh run p4lang
!
server p4lang p4
...
 export-vrf v1234 5
...
 export-port tunnel1234 45 0 0 0 0
...
 exit
!
! Where 45 is an ID not already used in server p4lang 

Verification

  • Check Wireguard  interface
ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet6 6789::10  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 980  bytes 44240 (44.2 KB)
        RX errors 204  dropped 0  overruns 0  frame 204
        TX packets 191  bytes 15768 (15.7 KB)
        TX errors 0  dropped 64 overruns 0  carrier 0  collisions 0
  • Check ipv6 routing @ ubuntu 
ip -6 route
::1 dev lo proto kernel metric 256 pref medium
1234::/64 dev wg0 metric 1024 pref medium
2a01:e0a:159:2856::/64 dev enp0s3 proto ra metric 100 expires 2419185sec pref medium
6789::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev enp0s8 proto kernel metric 256 pref medium
default via fe80::24c:73ff:fe07:a77 dev enp0s3 proto ra metric 100 expires 1785sec mtu 1500 pref medium
  • ping freeRtr tunnel endpoint
ping 6789::666
PING 6789::666(6789::666) 56 data bytes
64 bytes from 6789::666: icmp_seq=1 ttl=255 time=2.07 ms
64 bytes from 6789::666: icmp_seq=2 ttl=255 time=1.99 ms
64 bytes from 6789::666: icmp_seq=3 ttl=255 time=2.20 ms
64 bytes from 6789::666: icmp_seq=4 ttl=255 time=2.26 ms
  • ping cascaded loopback1234
ping 1234::1
PING 1234::1(1234::1) 56 data bytes
64 bytes from 1234::1: icmp_seq=1 ttl=255 time=2.04 ms
64 bytes from 1234::1: icmp_seq=2 ttl=255 time=1.92 ms
64 bytes from 1234::1: icmp_seq=3 ttl=255 time=2.10 ms
64 bytes from 1234::1: icmp_seq=4 ttl=255 time=1.96 ms

Congratulations ! 

Now let's proceed to verification at freeRtr level

  • Check Wireguard  interface
show interface tunnel1234
tunnel1234 is up (since 05:18:05, 1 changes)
 description: 
 type is wireguard, hwaddr=none, mtu=1400, bw=8000kbps, vrf=v1234
 ip4 address=7.8.9.254/24, netmask=255.255.255.0, ifcid=1052271466
 ip6 address=6789::666/64, netmask=ffff:ffff:ffff:ffff::, ifcid=823043043
 received 28 packets (2488 bytes) dropped 0 packets (0 bytes)
 transmitted 665 packets (51318 bytes) promisc=false macsec=false
  • Check ipv6 routing @ freeRtr
show ipv6 route v1234
typ  prefix         metric  iface         hop   time
C    1234::/64      0/0     loopback1234  null  02:20:16
LOC  1234::1/128    0/1     loopback1234  null  02:20:16
C    6789::/64      0/0     tunnel1234    null  01:25:49
LOC  6789::666/128  0/1     tunnel1234    null  01:25:49
  • Check IPv6 underlay reachability in vrf inet
show ipv6 route inet
typ  prefix                      metric  iface      hop                   time
S    ::/0                        1/0     sdn1       2a01:e0a:159:2850::1  05:21:27
...
C    2a01:e0a:159:2856::/64      0/0     sdn6       null                  05:21:27
LOC  2a01:e0a:159:2856::6/128    0/1     sdn6       null                  05:21:27
...
  • ping ubuntu 20.04 tunnel endpoint
ping 6789::10 /vrf v1234
pinging 6789::10, src=null, vrf=v1234, cnt=5, len=64, tim=1000, gap=0, ttl=255, tos=0, fill=0, sweep=false, multi=false, detail=false
!!!!!
result=100%, recv/sent/lost/err=5/5/0/0, rtt min/avg/max/total=2/2/2/10

Congratulations ! 

Conclusion

In this article we learned how to configure a Wireguard tunnel between ubuntu 20.04 and  RARE/freeRouter. Configuring Wireguard is a simple 2 steps operation:

  • Configure Wireguard crypto stanza
  • and bind it to a Wireguard tunnel


RARE validated design: [ SOHO #009 ] - key take-away

In this example the key take-away are:

  • Wireguard configuration is simple
  • We used ubuntu 20.04 but of course you can enabled Wireguard with any host supporting Wireguard protocol
  • IPv6 is used here. But of course IPv4 is also available (wink)
  • Last but not least do not forget to export VRF and Wireguard tunnel interface in "server p4lang p4" should you run RARE/freeRtr with a dedicated dataplane (p4emu, dpdk)

This is a pretty unique freeRouter feature ! Are you aware of any other router able to set up a Wireguard VPN ?