Starting from SOHO #008, everyone inside home network can:

reach the Internet thanks to NAT translation described in SOHO #004
reach now their favorite Internet service by name thanks for SOHO #005
and get IPv4 (or IPv6) address from DHCP server (we took as a switch connected to sdn6)
this applies to all wired host but also all mobile host connected to the home wireless network
And you get a Great UPNP server forwarder

Requirement

Basic Linux/Unix knowledge
Service provider networking knowledge

RARE > 2021/05/10 > RARE validated design: [ SOHO #009 ] - "Network 1234::/64 ? Please follow Wireguard tunnel1234 !" > image2021-5-14_9-57-26.png

Overview

Wireguard gained a lot popularity and attention when it went into Linux kernel in March 2020. And pure coincidence or not, 1 month later, Wireguard made its way through ubuntu 20.04 LTS. Csaba MATE, freeRtr maintainer took "the Taurus by his horns" (sorry for the pure French translation of the proverb ) and in turn, he added Wireguard support into freeRtr few months later ...

In the current pandemic context, Wireguard is highly used to establish software VPN connectivity toward office resources. In my context, among other usages, I'm using it in order to reach DN42, an overlay network very good for learning protocol like BGP and explore routing technology.

Article objective

There are plenty of web resources debating Wireguard based VPN topics. The purpose of this article will simply put the focus on how to configure a Wireguard tunnel between:

ubuntu 20.04 host
RARE/freeRtr

Diagrams

In this example, I'll use my home router as Wireguard tunnel end point and a ubuntu 20.04 server in my home LAN.

RARE > 2021/05/10 > RARE validated design: [ SOHO #009 ] - "Network 1234::/64 ? Please follow Wireguard tunnel1234 !" > image2021-5-11_18-16-11.png

The steps at RARE/freeRtr level are:

configure vrf v1234.
configure loopback1234 with IPv6 network 1234::666/64 at freeRtr level and bind it to vrf v1234
configure Wireguard crypto stanza
configure tunnel1234
- with Wireguard crypto stanza defined above,
- configure tunnel source, destination underlay in vrf inet
- finally configure tunnel interface in vrf v1234
As RARE/freeRtr is oriented toward the future we will just forget about legacy IPv4, therefore the underlay tunnel will be established with IPv6 only. (←Joke )

As we are running RARE/freeRtr with DPDK dataplane do not forget to update server p4lang p4 stanza:

add vrf v1234
add tunnel1234

[ SOHO #009 ] - "Network 1234::/64 ? Please follow tunnel1234 Wireguard tunnel !"

Install Wireguard

sudo apt-get update
sudo apt-get upgrade
sudo apt install wireguard

generate for ubuntu private/public key pair

umask 077
wg genkey > ubi20-private-key
wg pubkey < ubi20-private-key > ubi20-public-key

generate for freeRtr private/public key pair

umask 077
wg genkey > freertr-private-key
wg pubkey < freertr-private-key > freertr-public-key

edit ubuntu 20.04 Wireguard configuration

cat /etc/wireguard/wg0.conf 
[Interface]
Address = 6789::10/64 
PrivateKey = <ubuntu-private-key> 

ListenPort = 51820

[Peer]
PublicKey = <freertr-public-key> 
AllowedIPs = 1234::/64,6789::/64 
Endpoint = 2a01:e0a:159:2856::6:51820

Activate wireguard tunnel

wg-quick up wg0

First thing first configure vrf v1234

!
vrf definition v1234
 exit
!

Configure loopback1234 and bind it to vrf v1234

!
interface loopback1234
 description Wireguard allowed IPv6 network
 vrf forwarding v1234
 ipv6 address 1234::1 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
!

Configure Wireguard crypto stanza

!
crypto ipsec wg-1234
 key <freertr-private-key><ubuntu-public-key>
 replay 0
 exit
!

Configure tunnel1234 Wireguard tunnel

!
interface tunnel1234
 description RARE/freeRtr Wireguard tunnel 
 tunnel key 51820
 tunnel vrf inet
 tunnel protection wg-1234
 tunnel source sdn6
 tunnel destination 2a01:e0a:159:2856:a00:27ff:fe5f:f085
 tunnel mode wireguard
 vrf forwarding v1234
 ipv6 address 6789::666 ffff:ffff:ffff:ffff::
 no shutdown
 no log-link-change
 exit
!

if you are using a dataplane please add Wireguard tunnel and corresponding VRF in "server p4lang p4"

!
server p4lang p4
...
 export-vrf v1234 5
...
 export-port tunnel1234 45 0 0 0 0
...
 exit
!
! Where 45 is an ID not already used in server p4lang

Verification

Check Wireguard interface

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet6 6789::10  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 980  bytes 44240 (44.2 KB)
        RX errors 204  dropped 0  overruns 0  frame 204
        TX packets 191  bytes 15768 (15.7 KB)
        TX errors 0  dropped 64 overruns 0  carrier 0  collisions 0

Check ipv6 routing @ ubuntu

::1 dev lo proto kernel metric 256 pref medium
1234::/64 dev wg0 metric 1024 pref medium
2a01:e0a:159:2856::/64 dev enp0s3 proto ra metric 100 expires 2419185sec pref medium
6789::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev enp0s8 proto kernel metric 256 pref medium
default via fe80::24c:73ff:fe07:a77 dev enp0s3 proto ra metric 100 expires 1785sec mtu 1500 pref medium

ping freeRtr tunnel endpoint

PING 6789::666(6789::666) 56 data bytes
64 bytes from 6789::666: icmp_seq=1 ttl=255 time=2.07 ms
64 bytes from 6789::666: icmp_seq=2 ttl=255 time=1.99 ms
64 bytes from 6789::666: icmp_seq=3 ttl=255 time=2.20 ms
64 bytes from 6789::666: icmp_seq=4 ttl=255 time=2.26 ms

ping cascaded loopback1234

PING 1234::1(1234::1) 56 data bytes
64 bytes from 1234::1: icmp_seq=1 ttl=255 time=2.04 ms
64 bytes from 1234::1: icmp_seq=2 ttl=255 time=1.92 ms
64 bytes from 1234::1: icmp_seq=3 ttl=255 time=2.10 ms
64 bytes from 1234::1: icmp_seq=4 ttl=255 time=1.96 ms

Congratulations !

Now let's proceed to verification at freeRtr level

Check Wireguard interface

tunnel1234 is up (since 05:18:05, 1 changes)
 description: 
 type is wireguard, hwaddr=none, mtu=1400, bw=8000kbps, vrf=v1234
 ip4 address=7.8.9.254/24, netmask=255.255.255.0, ifcid=1052271466
 ip6 address=6789::666/64, netmask=ffff:ffff:ffff:ffff::, ifcid=823043043
 received 28 packets (2488 bytes) dropped 0 packets (0 bytes)
 transmitted 665 packets (51318 bytes) promisc=false macsec=false

Check ipv6 routing @ freeRtr

typ  prefix         metric  iface         hop   time
C    1234::/64      0/0     loopback1234  null  02:20:16
LOC  1234::1/128    0/1     loopback1234  null  02:20:16
C    6789::/64      0/0     tunnel1234    null  01:25:49
LOC  6789::666/128  0/1     tunnel1234    null  01:25:49

Check IPv6 underlay reachability in vrf inet

typ  prefix                      metric  iface      hop                   time
S    ::/0                        1/0     sdn1       2a01:e0a:159:2850::1  05:21:27
...
C    2a01:e0a:159:2856::/64      0/0     sdn6       null                  05:21:27
LOC  2a01:e0a:159:2856::6/128    0/1     sdn6       null                  05:21:27
...

ping ubuntu 20.04 tunnel endpoint

pinging 6789::10, src=null, vrf=v1234, cnt=5, len=64, tim=1000, gap=0, ttl=255, tos=0, fill=0, sweep=false, multi=false, detail=false
!!!!!
result=100%, recv/sent/lost/err=5/5/0/0, rtt min/avg/max/total=2/2/2/10

Congratulations !

Conclusion

In this article we learned how to configure a Wireguard tunnel between ubuntu 20.04 and RARE/freeRouter. Configuring Wireguard is a simple 2 steps operation:

Configure Wireguard crypto stanza
and bind it to a Wireguard tunnel

In this example the key take-away are:

Wireguard configuration is simple
We used ubuntu 20.04 but of course you can enabled Wireguard with any host supporting Wireguard protocol
IPv6 is used here. But of course IPv4 is also available
Last but not least do not forget to export VRF and Wireguard tunnel interface in "server p4lang p4" should you run RARE/freeRtr with a dedicated dataplane (p4emu, dpdk)

This is a pretty unique freeRouter feature ! Are you aware of any other router able to set up a Wireguard VPN ?