Starting from SOHO #008, everyone inside the home network can:
reach the Internet thanks to the NAT translation described in SOHO #004
now reach their favorite Internet services by name thanks to SOHO #005
and get an IPv4 (or IPv6) address from the DHCP server (we took as a switch connected to sdn6)
this applies to all wired hosts but also to all mobile hosts connected to the home wireless network
And you get a Great UPNP server forwarder
Requirement
Basic Linux/Unix knowledge
Service provider networking knowledge
Overview
Wireguard gained a lot of popularity and attention when it went into the Linux kernel in March 2020. And pure coincidence or not, 1 month later, Wireguard made its way into Ubuntu 20.04 LTS. Csaba MATE, the freeRtr maintainer, took "the Taurus by his horns" (sorry for the pure French translation of the proverb) and in turn added Wireguard support to freeRtr a few months later ...
In the current pandemic context, Wireguard is widely used to establish software VPN connectivity toward office resources. In my context, among other usages, I'm using it to reach DN42, an overlay network that is very good for learning protocols like BGP and exploring routing technology.
Article objective
There are plenty of web resources debating Wireguard-based VPN topics. This article simply focuses on how to configure a Wireguard tunnel between:
Ubuntu 20.04 host
RARE/freeRtr
Diagrams
In this example, I'll use my home router as the Wireguard tunnel endpoint and an Ubuntu 20.04 server in my home LAN.
The steps at RARE/freeRtr level are:
configure vrf v1234.
configure loopback1234 with IPv6 network 1234::666/64 at freeRtr level and bind it to vrf v1234
configure Wireguard crypto stanza
configure tunnel1234
with Wireguard crypto stanza defined above,
configure tunnel source, destination underlay in vrf inet
finally configure tunnel interface in vrf v1234
As RARE/freeRtr is oriented toward the future, we will just forget about legacy IPv4; therefore the underlay tunnel will be established with IPv6 only. (← Joke)
Tip
As we are running RARE/freeRtr with a DPDK dataplane, do not forget to update the server p4lang p4 stanza:
::1 dev lo proto kernel metric 256 pref medium
1234::/64 dev wg0 metric 1024 pref medium
2a01:e0a:159:2856::/64 dev enp0s3 proto ra metric 100 expires 2419185sec pref medium
6789::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev enp0s8 proto kernel metric 256 pref medium
default via fe80::24c:73ff:fe07:a77 dev enp0s3 proto ra metric 100 expires 1785sec mtu 1500 pref medium
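The route table above can be checked mechanically before pinging: overlay prefixes must leave through wg0, and the encrypted underlay traffic to the peer must not. The following Python check is an added example, not part of the original article or of freeRtr; it assumes the listing is `ip -6 route` output from the Ubuntu host and that the tunnel's underlay peer is the router's sdn6 address 2a01:e0a:159:2856::6, and its function names are illustrative.

```python
import ipaddress

# Route table as listed above (assumed to be `ip -6 route` on the Ubuntu host).
ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
1234::/64 dev wg0 metric 1024 pref medium
2a01:e0a:159:2856::/64 dev enp0s3 proto ra metric 100 expires 2419185sec pref medium
6789::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev enp0s8 proto kernel metric 256 pref medium
default via fe80::24c:73ff:fe07:a77 dev enp0s3 proto ra metric 100 expires 1785sec mtu 1500 pref medium
"""

def parse_routes(text):
    """Return a (network, device, metric) tuple for each route line."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        prefix = "::/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 1024
        routes.append((ipaddress.ip_network(prefix, strict=False), dev, metric))
    return routes

def egress_dev(routes, dest):
    """Simplified kernel lookup: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def check_tunnel(routes, overlay, endpoint, tun="wg0"):
    """Report overlay destinations that bypass the tunnel (cleartext leak)
    and an underlay endpoint that is routed back into the tunnel (loop)."""
    problems = [f"{d} leaves via {egress_dev(routes, d)}, not {tun}"
                for d in overlay if egress_dev(routes, d) != tun]
    if egress_dev(routes, endpoint) == tun:
        problems.append(f"endpoint {endpoint} is routed into {tun} (loop)")
    return problems

if __name__ == "__main__":
    # Overlay addresses are the two pinged in this article; the endpoint is
    # the assumed underlay peer (router sdn6 address in vrf inet).
    table = parse_routes(ROUTES)
    print(check_tunnel(table, ["6789::666", "1234::1"], "2a01:e0a:159:2856::6") or "routes OK")
```

An empty result means both overlay prefixes are carried inside the tunnel while the peer itself stays reachable over enp0s3.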
ping freeRtr tunnel endpoint
ping 6789::666
PING 6789::666(6789::666) 56 data bytes
64 bytes from 6789::666: icmp_seq=1 ttl=255 time=2.07 ms
64 bytes from 6789::666: icmp_seq=2 ttl=255 time=1.99 ms
64 bytes from 6789::666: icmp_seq=3 ttl=255 time=2.20 ms
64 bytes from 6789::666: icmp_seq=4 ttl=255 time=2.26 ms
ping cascaded loopback1234
ping 1234::1
PING 1234::1(1234::1) 56 data bytes
64 bytes from 1234::1: icmp_seq=1 ttl=255 time=2.04 ms
64 bytes from 1234::1: icmp_seq=2 ttl=255 time=1.92 ms
64 bytes from 1234::1: icmp_seq=3 ttl=255 time=2.10 ms
64 bytes from 1234::1: icmp_seq=4 ttl=255 time=1.96 ms
Congratulations !
Now let's proceed to verification at freeRtr level
Check Wireguard interface
show interface tunnel1234
tunnel1234 is up (since 05:18:05, 1 changes)
description:
type is wireguard, hwaddr=none, mtu=1400, bw=8000kbps, vrf=v1234
ip4 address=7.8.9.254/24, netmask=255.255.255.0, ifcid=1052271466
ip6 address=6789::666/64, netmask=ffff:ffff:ffff:ffff::, ifcid=823043043
received 28 packets (2488 bytes) dropped 0 packets (0 bytes)
transmitted 665 packets (51318 bytes) promisc=false macsec=false
Check ipv6 routing @ freeRtr
show ipv6 route v1234
typ prefix metric iface hop time
C 1234::/64 0/0 loopback1234 null 02:20:16
LOC 1234::1/128 0/1 loopback1234 null 02:20:16
C 6789::/64 0/0 tunnel1234 null 01:25:49
LOC 6789::666/128 0/1 tunnel1234 null 01:25:49
Check IPv6 underlay reachability in vrf inet
show ipv6 route inet
typ prefix metric iface hop time
S ::/0 1/0 sdn1 2a01:e0a:159:2850::1 05:21:27
...
C 2a01:e0a:159:2856::/64 0/0 sdn6 null 05:21:27
LOC 2a01:e0a:159:2856::6/128 0/1 sdn6 null 05:21:27
...
In this article we learned how to configure a Wireguard tunnel between Ubuntu 20.04 and RARE/freeRouter. Configuring Wireguard is a simple 2-step operation:
We used Ubuntu 20.04, but of course you can enable Wireguard on any host supporting the Wireguard protocol
IPv6 is used here, but of course IPv4 is also available
Last but not least, do not forget to export the VRF and Wireguard tunnel interface in "server p4lang p4" should you run RARE/freeRtr with a dedicated dataplane (p4emu, dpdk)
This is a pretty unique freeRouter feature! Are you aware of any other router able to set up a Wireguard VPN?