documentation:examples:gre_ipsec_and_openvpn

documentation:examples:gre_ipsec_and_openvpn [2019/11/05 22:25] – [VTI Tunnel without IKE] olivierdocumentation:examples:gre_ipsec_and_openvpn [2020/01/13 14:19] – [Testing] olivier
Line 1: Line 1:
-====== VPN with GRE, GIF, IPSec and OpenVPN ======+====== VPN with GRE, GIF, IPSecOpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).+This lab shows some VPN examples with BSDRP 1.97.
  
 ===== Presentation ===== ===== Presentation =====
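Review bot: The new title `====== VPN with GRE, GIF, IPSecOpenVPN and Wireguard ======` has lost the separator between IPSec and OpenVPN; `====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======`. The title now also advertises Wireguard, but no Wireguard section is visible in the part of the diff shown here; if it is added further down the page that is fine, otherwise the title promises content the page does not have.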
Line 79: Line 79:
  
 <code> <code>
-sysrc hostname=R1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_em0="inet 10.0.12.1/24" + ifconfig_em0="inet 10.0.12.1/24" \ 
-sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::1 prefixlen 64" + ifconfig_em0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \ 
-sysrc defaultrouter=10.0.12.2 + defaultrouter=10.0.12.2 \ 
-sysrc ipv6_defaultrouter=2001:db8:12::2+ ipv6_defaultrouter=2001:db8:12::2
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R1+hostname VM1
 service netif restart service netif restart
 service routing restart service routing restart
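Review bot: The consolidated `sysrc hostname=VM1 \` form is only one command if nothing follows the backslash, and every continuation line in this hunk (`sysrc hostname=VM1 \ ` through ` defaultrouter=10.0.12.2 \ `) shows a trailing space after the `\`; if that space is in the page source rather than an artifact of the diff rendering, the shell reads it as an escaped space instead of a line continuation, each following line is run as its own command, and nothing after `hostname=VM1` reaches /etc/rc.conf. Since `sysrc` accepts several `name=value` arguments, either strip all whitespace after each `\` or keep one `sysrc` per line as the old side did. The same pattern appears in the Router 2, 3, 4 and 5 hunks (Line 94, 115, 127, 145), both GRE hunks (Line 174, 193) and both if_ipsec hunks (Line 838, 917).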
Line 94: Line 94:
 ==== Router 2 ==== ==== Router 2 ====
  
-Router 2 base configuration: A simple connected-network router with a default route pointing to R3.+Router 2 base configuration: A simple connected-network router with a default route pointing to VM3.
  
 <code> <code>
-sysrc hostname=R2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_em0="inet 10.0.12.2/24" +  ifconfig_em0="inet 10.0.12.2/24" \ 
-sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" +  ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" \ 
-sysrc ifconfig_em1="inet 10.0.23.2/24" +  ifconfig_em1="inet 10.0.23.2/24" \ 
-sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64" +  ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64" \ 
-sysrc defaultrouter="10.0.23.3" +  defaultrouter="10.0.23.3" \ 
-sysrc ipv6_defaultrouter="2001:db8:23::3"+  ipv6_defaultrouter="2001:db8:23::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R2+hostname VM2
 service netif restart service netif restart
 service routing restart service routing restart
Line 115: Line 115:
  
 <code> <code>
-sysrc hostname=R3 +sysrc hostname=VM3 \ 
-sysrc ifconfig_em1="inet 10.0.23.3/24" + ifconfig_em1="inet 10.0.23.3/24" \ 
-sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64" + ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64" \ 
-sysrc ifconfig_em2="inet 10.0.34.3/24" + ifconfig_em2="inet 10.0.34.3/24" \ 
-sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"+ ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R3+hostname VM3
 service netif restart service netif restart
 config save config save
Line 127: Line 127:
 ==== Router 4 ==== ==== Router 4 ====
  
-Router 4 base configuration, like R2: A simple connected-network router with a default route pointing to R3.+Router 4 base configuration, like VM2: A simple connected-network router with a default route pointing to VM3.
  
 <code> <code>
-sysrc hostname=R4 +sysrc hostname=VM4 \ 
-sysrc ifconfig_em2="inet 10.0.34.4/24" + ifconfig_em2="inet 10.0.34.4/24" \ 
-sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" + ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" \ 
-sysrc ifconfig_em3="inet 10.0.45.4/24" + ifconfig_em3="inet 10.0.45.4/24" \ 
-sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64" + ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64" \ 
-sysrc defaultrouter="10.0.34.3" + defaultrouter="10.0.34.3" \ 
-sysrc ipv6_defaultrouter="2001:db8:34::3"+ ipv6_defaultrouter="2001:db8:34::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R4+hostname VM4
 service netif restart service netif restart
 service routing restart service routing restart
Line 145: Line 145:
 ==== Router 5 ==== ==== Router 5 ====
  
-Router 5 has the same workstation mode configuration as R1.+Router 5 has the same workstation mode configuration as VM1.
  
 <code> <code>
-sysrc hostname=R5 +sysrc hostname=VM5 \ 
-sysrc gateway_enable=NO + gateway_enable=NO \ 
-sysrc ipv6_gateway_enable=NO + ipv6_gateway_enable=NO \ 
-sysrc ifconfig_em3="inet 10.0.45.5/24" + ifconfig_em3="inet 10.0.45.5/24" \ 
-sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" + ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \ 
-sysrc defaultrouter="10.0.45.4" + defaultrouter="10.0.45.4" \ 
-sysrc ipv6_defaultrouter="2001:db8:45::4"+ ipv6_defaultrouter="2001:db8:45::4"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R5+hostname VM5
 service netif restart service netif restart
 service routing restart service routing restart
Line 174: Line 174:
 Here is the parameters to add: Here is the parameters to add:
 <code> <code>
-sysrc cloned_interfaces=gre0 +sysrc cloned_interfaces=gre0 \ 
-sysrc ifconfig_gre0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" + ifconfig_gre0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" \ 
-sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::2 prefixlen 64" + ifconfig_gre0_ipv6="inet6 2001:db8:24::2 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.45.0/24 10.0.24.4" + route_tunnel4="10.0.45.0/24 10.0.24.4" \ 
-sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" + ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 service netif restart service netif restart
 service routing restart service routing restart
Line 187: Line 187:
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the GRE tunnel using R2 IPv4 as end-point.+Configure the GRE tunnel using VM2 IPv4 as end-point.
  
 === Modify configuration === === Modify configuration ===
Line 193: Line 193:
 Here is the parameters to add: Here is the parameters to add:
 <code> <code>
-sysrc cloned_interfaces=gre0 +sysrc cloned_interfaces=gre0 \ 
-sysrc ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \ 
-sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64" + ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2" + route_tunnel4="10.0.12.0/24 10.0.24.2" \ 
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" + ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 service netif restart service netif restart
 service routing restart service routing restart
Line 207: Line 207:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 216: Line 216:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
Line 255: Line 255:
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the 2 gif tunnel using R2 addresses as end-point.+Configure the 2 gif tunnel using VM2 addresses as end-point.
  
 Here are the changes to apply to rc file: Here are the changes to apply to rc file:
Line 273: Line 273:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 282: Line 282:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
Line 329: Line 329:
 And check it: And check it:
 <code> <code>
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 10.0.45.0/24[any] 10.0.12.0/24[any] any 10.0.45.0/24[any] 10.0.12.0/24[any] any
         in ipsec         in ipsec
Line 350: Line 350:
         spid=3 seq=0 pid=66654 scope=global         spid=3 seq=0 pid=66654 scope=global
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 2001:db8:34::4 2001:db8:23::2 2001:db8:34::4 2001:db8:23::2
         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
Line 402: Line 402:
 </code> </code>
  
-Create a file /etc/ipsec.conf with these lines (same as R2: only to have to invert the in/out keyword):+Create a file /etc/ipsec.conf with these lines (same as VM2: only to have to invert the in/out keyword):
  
 <code> <code>
Line 427: Line 427:
 === Testing === === Testing ===
  
-Start a tcpdump on R3-em1 and from R1 ping R5:+Start a tcpdump on VM3-em1 and from VM1 ping VM5:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 446: Line 446:
  
 <code> <code>
-[root@R1]/etc/rc.d# ping 10.0.45.5+[root@VM1]/etc/rc.d# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms
Line 583: Line 583:
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 629: Line 629:
 </code> </code>
  
-Racoon log file on R2:+Racoon log file on VM2:
 <code> <code>
-[root@R2]~# tail -f /var/log/racoon.log+[root@VM2]~# tail -f /var/log/racoon.log
 2013-10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16) 2013-10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16)
 2013-10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17) 2013-10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17)
Line 661: Line 661:
 </code> </code>
  
-Ping result on R1:+Ping result on VM1:
  
 <code> <code>
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
Line 670: Line 670:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
Line 684: Line 684:
 === Router 2 === === Router 2 ===
  
-Configure strongswan on R2 with:+Configure strongswan on VM2 with:
   * IKEv2   * IKEv2
   * Preshared-key   * Preshared-key
Line 702: Line 702:
      dpddelay=5      dpddelay=5
  
-conn R4+conn VM4
     left=10.0.23.2     left=10.0.23.2
     leftsubnet=10.0.12.0/24     leftsubnet=10.0.12.0/24
-    leftid=R2+    leftid=VM2
     right=10.0.34.4     right=10.0.34.4
     rightsubnet=10.0.45.0/24     rightsubnet=10.0.45.0/24
-    rightid=R4+    rightid=VM4
     auto=start     auto=start
 'EOF' 'EOF'
Line 717: Line 717:
 <code> <code>
 cat > /usr/local/etc/ipsec.secrets <<'EOF' cat > /usr/local/etc/ipsec.secrets <<'EOF'
-R4 R2 : PSK "This is a strong password"+VM4 VM2 : PSK "This is a strong password"
 'EOF' 'EOF'
 </code> </code>
Line 730: Line 730:
 === Router 4 === === Router 4 ===
  
-Configure strongswan on R4 with:+Configure strongswan on VM4 with:
   * IKEv2   * IKEv2
   * Preshared-key   * Preshared-key
Line 747: Line 747:
     dpdaction=restart     dpdaction=restart
     dpddelay=5     dpddelay=5
-conn R2+conn VM2
     left=10.0.34.4     left=10.0.34.4
     leftsubnet=10.0.45.0/24     leftsubnet=10.0.45.0/24
-    leftid=R4+    leftid=VM4
     right=10.0.23.2     right=10.0.23.2
     rightsubnet=10.0.12.0/24     rightsubnet=10.0.12.0/24
-    rightid=R2+    rightid=VM2
     auto=route     auto=route
 'EOF' 'EOF'
Line 762: Line 762:
 <code> <code>
 cat > /usr/local/etc/ipsec.secrets <<'EOF' cat > /usr/local/etc/ipsec.secrets <<'EOF'
-R4 R2 : PSK "This is a strong password"+VM4 VM2 : PSK "This is a strong password"
 'EOF' 'EOF'
 </code> </code>
Line 775: Line 775:
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 801: Line 801:
 </code> </code>
  
-Log file on R2:+Log file on VM2:
 <code> <code>
-[root@R2]~# tail -f /var/log/auth.log +[root@VM2]~# tail -f /var/log/auth.log 
-Jun  8 00:24:28 R2 ipsec_starter[981]: no netkey IPsec stack detected +Jun  8 00:24:28 VM2 ipsec_starter[981]: no netkey IPsec stack detected 
-Jun  8 00:24:28 R2 ipsec_starter[981]: no KLIPS IPsec stack detected +Jun  8 00:24:28 VM2 ipsec_starter[981]: no KLIPS IPsec stack detected 
-Jun  8 00:24:28 R2 ipsec_starter[981]: no known IPsec stack detected, ignoring! +Jun  8 00:24:28 VM2 ipsec_starter[981]: no known IPsec stack detected, ignoring! 
-Jun  8 00:24:28 R2 ipsec_starter[984]: charon (986) started after 20 ms +Jun  8 00:24:28 VM2 ipsec_starter[984]: charon (986) started after 20 ms 
-Jun  8 00:25:26 R2 login: login on ttyu0 as root +Jun  8 00:25:26 VM2 login: login on ttyu0 as root 
-Jun  8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0 +Jun  8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0 
-Jun  8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4 +Jun  8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4 
-Jun  8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4 +Jun  8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4 
-Jun  8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4+Jun  8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4
-Jun  8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24+Jun  8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24
 </code> </code>
  
-Ping result on R1:+Ping result on VM1:
  
 <code> <code>
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
Line 825: Line 825:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
Line 838: Line 838:
  
 <code> <code>
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 \ 
-sysrc create_args_ipsec0="reqid 100" + create_args_ipsec0="reqid 100" \ 
-sysrc ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" + ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" \ 
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64" + ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.45.0/24 10.0.24.4" + route_tunnel4="10.0.45.0/24 10.0.24.4" \ 
-sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" + ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
 flush; flush;
Line 853: Line 853:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
Line 861: Line 861:
  
 <code> <code>
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 0.0.0.0/0[any] 0.0.0.0/0[any] any 0.0.0.0/0[any] 0.0.0.0/0[any] any
         in ipsec         in ipsec
Line 882: Line 882:
         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 10.0.34.4 10.0.23.2 10.0.34.4 10.0.23.2
         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
Line 903: Line 903:
         allocated: 2    hard: 0 soft: 0         allocated: 2    hard: 0 soft: 0
         sadb_seq=0 pid=1649 refcnt=1         sadb_seq=0 pid=1649 refcnt=1
-[root@R2]~# ifconfig ipsec0+[root@VM2]~# ifconfig ipsec0
 ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400 ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
         tunnel inet 10.0.23.2 --> 10.0.34.4         tunnel inet 10.0.23.2 --> 10.0.34.4
Line 917: Line 917:
  
 <code> <code>
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 \ 
-sysrc create_args_ipsec0="reqid 200" + create_args_ipsec0="reqid 200" \ 
-sysrc ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \ 
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64" + ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2" + route_tunnel4="10.0.12.0/24 10.0.24.2" \ 
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" + ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
 flush; flush;
Line 932: Line 932:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
Line 940: Line 940:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
Line 949: Line 949:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms
Line 964: Line 964:
 ==== CA and certificates generation ==== ==== CA and certificates generation ====
  
-All these step will be done on R2 (OpenVPN server)+All these step will be done on VM2 (OpenVPN server)
  
 Start by copying easyrsa3 configuration folder and define new configuration file: Start by copying easyrsa3 configuration folder and define new configuration file:
Line 970: Line 970:
 cp -r /usr/local/share/easy-rsa /usr/local/etc/ cp -r /usr/local/share/easy-rsa /usr/local/etc/
 setenv EASYRSA /usr/local/etc/easy-rsa setenv EASYRSA /usr/local/etc/easy-rsa
 +setenv EASYRSA_PKI $EASYRSA/pki
 </code> </code>
  
Line 980: Line 981:
 Build a root certificate: Build a root certificate:
 <code> <code>
-[root@R2]~# easyrsa build-ca nopass+[root@VM2]~# easyrsa build-ca nopass
  
 Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars
Line 1003: Line 1004:
  
 </code> </code>
-Make a server certificate called R2, and client certificate called R4 using a locally generated root certificate:+Make a server certificate called VM2, and client certificate called VM4 using a locally generated root certificate:
 <code> <code>
-easyrsa build-server-full R2 nopass +easyrsa build-server-full VM2 nopass 
-easyrsa build-client-full R4 nopass+easyrsa build-client-full VM4 nopass
 </code> </code>
  
-==== R2: OpenVPN server ====+==== VM2: OpenVPN server ====
  
 Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf: Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
Line 1018: Line 1019:
 tun-ipv6 tun-ipv6
 ca /usr/local/etc/easy-rsa/pki/ca.crt ca /usr/local/etc/easy-rsa/pki/ca.crt
-cert /usr/local/etc/easy-rsa/pki/issued/R2.crt +cert /usr/local/etc/easy-rsa/pki/issued/VM2.crt 
-key /usr/local/etc/easy-rsa/pki/private/R2.key+key /usr/local/etc/easy-rsa/pki/private/VM2.key
 dh /usr/local/etc/easy-rsa/pki/dh.pem dh /usr/local/etc/easy-rsa/pki/dh.pem
 server 10.0.24.0 255.255.255.0 server 10.0.24.0 255.255.255.0
Line 1032: Line 1033:
 </code> </code>
  
-Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client R4:+Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client VM4:
 <code> <code>
 mkdir /usr/local/etc/openvpn/ccd mkdir /usr/local/etc/openvpn/ccd
-cat > /usr/local/etc/openvpn/ccd/R4 <<'EOF'+cat > /usr/local/etc/openvpn/ccd/VM4 <<'EOF'
 iroute 10.0.45.0 255.255.255.0 iroute 10.0.45.0 255.255.255.0
 iroute-ipv6 2001:db8:45::/64 iroute-ipv6 2001:db8:45::/64
Line 1043: Line 1044:
 Enable and start openvpn and sshd (we will get certificates files by SCP later): Enable and start openvpn and sshd (we will get certificates files by SCP later):
 <code> <code>
-sysrc sshd_enable=YES +service sshd enable 
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 service sshd start service sshd start
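Review bot: `service sshd enable` and `service sshd start` are added here so that VM4 can later fetch `VM4.key` from VM2 with scp (hunk Line 1064), which means the client's private key is generated on the server/CA host and then copied across the lab; the scp runs as root, so it presumably relies on root SSH login plus the password set by `passwd` in the next hunk — confirm that matches the sshd defaults on BSDRP. Easy-RSA can keep the private key on the client instead: run `easyrsa gen-req VM4 nopass` on VM4, copy only `VM4.req` to VM2, sign it there with `easyrsa import-req /path/to/VM4.req VM4` followed by `easyrsa sign-req client VM4`, and copy `ca.crt` and `VM4.crt` back, so only public material is transferred and sshd is not needed for key transport. If the scp workflow is kept for lab simplicity, the text should at least say that a copy of the key stays under `/usr/local/etc/easy-rsa/pki/private/` on VM2 and should be removed there once it has been copied.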
Line 1053: Line 1054:
 passwd passwd
 </code> </code>
-==== R4: OpenVPN client ====+==== VM4: OpenVPN client ====
  
-As OpenVPN client, R4 should get these files from R2 and put them in /usr/local/etc/openvpn:+As OpenVPN client, VM4 should get these files from VM2 and put them in /usr/local/etc/openvpn:
   * ca.crt   * ca.crt
-  * R4.crt +  * VM4.crt 
-  * R4.key+  * VM4.key
  
 On this lab, scp can be used for getting these files: On this lab, scp can be used for getting these files:
Line 1064: Line 1065:
 mkdir /usr/local/etc/openvpn mkdir /usr/local/etc/openvpn
 scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/R4.crt /usr/local/etc/openvpn +scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/VM4.crt /usr/local/etc/openvpn 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/R4.key /usr/local/etc/openvpn+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/VM4.key /usr/local/etc/openvpn
 </code> </code>
  
Line 1076: Line 1077:
 remote 10.0.23.2 remote 10.0.23.2
 ca ca.crt ca ca.crt
-cert R4.crt +cert VM4.crt 
-key R4.key+key VM4.key
 'EOF' 'EOF'
 </code> </code>
Line 1083: Line 1084:
 Enable and start openvpn: Enable and start openvpn:
 <code> <code>
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 </code> </code>
 ==== Testing ==== ==== Testing ====
  
-Pinging R5 from R1:+Pinging VM5 from VM1:
 <code> <code>
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms
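Review bot: `service openvpn enable` / `service openvpn start` bring up the client with the openvpn.conf written in the previous hunk, and the VM4 log later in this diff shows the consequence: `WARNING: No server certificate verification method has been enabled`, i.e. the client accepts any certificate issued by the CA as the server. Because the server certificate was created with `build-server-full`, adding `remote-cert-tls server` to the client configuration (next to `ca ca.crt`) makes the client require the server EKU and removes the warning. The Testing section's client log could then be refreshed without that line.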
Line 1100: Line 1101:
 round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms
  
-[root@R1]~# ping 10.0.45.5+[root@VM1]~# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
Line 1111: Line 1112:
 </code> </code>
  
-OpenVPN log file on R2:+OpenVPN log file on VM2:
 <code> <code>
-Oct 26 16:58:32 R2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 +Oct 26 16:58:32 VM2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 
-Oct 26 16:58:32 R2 openvpn[2769]: WARNING: --keepalive option is missing from server config +Oct 26 16:58:32 VM2 openvpn[2769]: WARNING: --keepalive option is missing from server config 
-Oct 26 16:58:32 R2 openvpn[2769]: TUN/TAP device /dev/tun0 opened +Oct 26 16:58:32 VM2 openvpn[2769]: TUN/TAP device /dev/tun0 opened 
-Oct 26 16:58:32 R2 kernel: tun0: link state changed to UP +Oct 26 16:58:32 VM2 kernel: tun0: link state changed to UP 
-Oct 26 16:58:32 R2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 +Oct 26 16:58:32 VM2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up +Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up 
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 +Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 
-Oct 26 16:58:32 R2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0 +Oct 26 16:58:32 VM2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0 
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link local (bound): [undef] +Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link local (bound): [undef] 
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link remote: [undef] +Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link remote: [undef] 
-Oct 26 16:58:32 R2 openvpn[2789]: ifconfig_pool_read(), in='R4,10.0.24.4,2001:db8:24::1000', TODO: IPv6 +Oct 26 16:58:32 VM2 openvpn[2789]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1000', TODO: IPv6 
-Oct 26 16:58:32 R2 openvpn[2789]: succeeded -> ifconfig_pool_set() +Oct 26 16:58:32 VM2 openvpn[2789]: succeeded -> ifconfig_pool_set() 
-Oct 26 16:58:32 R2 openvpn[2789]: Initialization Sequence Completed +Oct 26 16:58:32 VM2 openvpn[2789]: Initialization Sequence Completed 
-Oct 26 16:58:33 R2 openvpn[2789]: 10.0.34.4:1194 [R4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194 +Oct 26 16:58:33 VM2 openvpn[2789]: 10.0.34.4:1194 [VM4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194 
-Oct 26 16:58:33 R2 openvpn[2789]: R4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000 +Oct 26 16:58:33 VM2 openvpn[2789]: VM4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000 
-Oct 26 16:58:35 R2 openvpn[2789]: R4/10.0.34.4:1194 send_push_reply(): safe_cap=940+Oct 26 16:58:35 VM2 openvpn[2789]: VM4/10.0.34.4:1194 send_push_reply(): safe_cap=940
 </code> </code>
  
-OpenVPN log file on R4:+OpenVPN log file on VM4:
 <code> <code>
-Oct 26 16:58:32 R4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 +Oct 26 16:58:32 VM4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 
-Oct 26 16:58:32 R4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. +Oct 26 16:58:32 VM4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. 
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link local (bound): [undef] +Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link local (bound): [undef] 
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194 +Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194 
-Oct 26 16:58:32 R4 openvpn[2496]: [R2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194 +Oct 26 16:58:32 VM4 openvpn[2496]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194 
-Oct 26 16:58:34 R4 openvpn[2496]: TUN/TAP device /dev/tun0 opened +Oct 26 16:58:34 VM4 openvpn[2496]: TUN/TAP device /dev/tun0 opened 
-Oct 26 16:58:34 R4 kernel: tun0: link state changed to UP +Oct 26 16:58:34 VM4 kernel: tun0: link state changed to UP 
-Oct 26 16:58:34 R4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 +Oct 26 16:58:34 VM4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up +Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up 
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64 +Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64 
-Oct 26 16:58:34 R4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0 +Oct 26 16:58:34 VM4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0 
-Oct 26 16:58:34 R4 openvpn[2496]: Initialization Sequence Completed+Oct 26 16:58:34 VM4 openvpn[2496]: Initialization Sequence Completed
 </code> </code>
  
-Tcpdump on R3:+Tcpdump on VM3:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 1159: Line 1160:
 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
 +</code>
 +
 +===== Wireguard =====
 +
 +==== Key pairs generation ====
 +
 +The first step is to generate a couple of private and public keys on each wireguard endpoint.
 +
 +On VM2 and on VM4, generate the keys:
 +
 +<code>
 +cd /usr/local/etc/wireguard
 +wg genkey > private
 +chmod 600 private
 +wg pubkey < private > public
 +</code>
 +
 +==== Router 2 ====
 +
 +Display router 2 private key, and router 4 public key.
 +
 +<code>
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = 8Og1cCmvirK+zcGus/EyaA8aiFdzjjtS9GbuBa/bqFQ=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g=
 +AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
 +Endpoint = 10.0.34.4:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Router 4 ====
 +
 +Display router 4 private key, and router 2 public key.
 +
 +<code>
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = ADfm6+sXZnoyDAkG/MXXy062pjSgh2GgfAIKwX+ewGg=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc=
 +AllowedIPs = 10.0.12.0/24,2001:db8:12::2/64
 +Endpoint = 10.0.23.2:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Testing ====
 +
 +Pinging VM5 from VM1:
 +
 +<code>
 +[root@VM1]~# ping -c2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
 +
 +[root@VM1]~# ping6 -c2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
 </code> </code>
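Review bot: wg0.conf is written with `cat >` at the caller's default umask on both VM2 and VM4 (the heredocs under `==== Router 2 ====` and `==== Router 4 ====`), so a file holding `PrivateKey` is typically created world-readable, whereas the `private` file a few lines earlier gets `chmod 600`; add `chmod 600 /usr/local/etc/wireguard/wg0.conf` after each heredoc, or wrap the write in `(umask 077; cat > /usr/local/etc/wireguard/wg0.conf <<'EOF' ... EOF)`. Quoting the delimiter (`<<'EOF'`) additionally keeps the shell from expanding anything in pasted key material. The sentence "Display router 2 private key, and router 4 public key." describes reading the keys, but the block instead writes a config with fixed values, so a reader copying it verbatim ends up sharing this page's published key pair; reword to something like "Write wg0.conf using VM2's private key (`cat private`) and VM4's public key; replace the values below with your own." Note also that `AllowedIPs = ...,2001:db8:45::2/64` and `...,2001:db8:12::2/64` pair a host address with a /64 mask; if the intent is the whole subnet, as the IPv4 `/24` entries suggest, `2001:db8:45::/64` and `2001:db8:12::/64` are the clearer forms.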