documentation:examples:gre_ipsec_and_openvpn

Differences

This shows you the differences between two versions of the page.

documentation:examples:gre_ipsec_and_openvpn [2020/01/12 18:35] – [VTI Tunnel without IKE] olivierdocumentation:examples:gre_ipsec_and_openvpn [2023/07/10 12:40] (current) – [Router 4] olivier
Line 1: Line 1:
-====== VPN with GRE, GIF, IPSec and OpenVPN ======+====== VPN with GRE, GIF, IPSecOpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).+This lab shows some VPN examples with BSDRP 1.991.
  
 ===== Presentation ===== ===== Presentation =====
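Review bot: the new title on the first changed line runs "IPSec" and "OpenVPN" together ("IPSecOpenVPN"); it should read "VPN with GRE, GIF, IPSec, OpenVPN and WireGuard" (WireGuard with a capital G is the project's own spelling). The rewritten version line names BSDRP 1.991 but drops the FreeBSD base the old line gave; the swanctl and OpenVPN logs further down identify FreeBSD 14.0-CURRENT, so stating the base here would let readers match package versions before they start.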
Line 238: Line 238:
  
 If you have previous gre configuration from the gre example: remove them. If you have previous gre configuration from the gre example: remove them.
- 
-Here is the line to ADD to /etc/rc.conf file: 
  
 <code> <code>
Line 252: Line 250:
 service routing restart service routing restart
 config save config save
 +</code>
 +
 +Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
 +<code>
 +set skip on lo0
 +scrub on gif1 inet all max-mss 1200
 +scrub on gif1 inet6 all max-mss 1180
 +pass
 </code> </code>
 ==== Router 4 ==== ==== Router 4 ====
Line 257: Line 263:
 Configure the 2 gif tunnel using VM2 addresses as end-point. Configure the 2 gif tunnel using VM2 addresses as end-point.
  
-Here are the changes to apply to rc file: 
 <code> <code>
 sysrc cloned_interfaces="gif0 gif1" sysrc cloned_interfaces="gif0 gif1"
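Review bot: removing the sentence "Here is the line to ADD to /etc/rc.conf file:" leaves the Router 2 `<code>` block with no lead-in saying what it configures; keep a one-line intro before the block. The added pf.conf clamp is consistent (max-mss 1200 for inet and 1180 for inet6 differ by the 20 bytes the IPv6 inner header adds), but the surrounding ruleset is `set skip on lo0` plus a bare `pass`, which admits all traffic; say explicitly that this is a lab-only filter so readers do not carry it into a real deployment, and mention that the scrub rule must name the gif interface that actually carries the inet6 outer header (gif1 here).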
Line 679: Line 684:
  
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
- 
-Strongswan use Left (for Local) and Right (for Remote). 
  
 === Router 2 === === Router 2 ===
  
 Configure strongswan on VM2 with: Configure strongswan on VM2 with:
-  * IKEv2 +  * IKEv2 (version = 2) 
-  * Preshared-key +  * Preshared-key (psk) 
-  * Disabling Mobile IP +  * Disabling Mobile IP (mobike = no) 
-  * forcing the tunnel going UP (auto=start)+  * forcing the tunnel going UP (start_action trap)
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    local_addrs = 10.0.23.2 
 +    remote_addrs = 10.0.34.4 
 +    local { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    remote { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        local_ts  = 10.0.12.0/24 
 +        remote_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-     authby=secret +  ike-1 { 
-     keyexchange=ikev2 +    id-1 vm4 
-     mobike=no +    secret "This is a strong password" 
-     dpdaction=restart +  } 
-     dpddelay=5 +} 
- +EOF
-conn VM4 +
-    left=10.0.23.2 +
-    leftsubnet=10.0.12.0/24 +
-    leftid=VM2 +
-    right=10.0.34.4 +
-    rightsubnet=10.0.45.0/24 +
-    rightid=VM4 +
-    auto=start +
-'EOF'+
 </code> </code>
  
-Then define the password to use for the remote site:+Enable strongswan:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF' +service strongswan enable 
-VM4 VM2 : PSK "This is a strong password" +service strongswan restart
-'EOF'+
 </code> </code>
  
-Enable strongswan: +And check if it correctly loaded its configuration:
 <code> <code>
-sysrc strongswan_enable=YES +root@VM2:~ # swanctl --list-conns 
-service strongswan restart+net-net: IKEv2, no reauthentication, rekeying every 14400s 
 +  local:  10.0.23.2 
 +  remote: 10.0.34.4 
 +  local pre-shared key authentication: 
 +    id: vm2 
 +  remote pre-shared key authentication: 
 +    id: vm4 
 +  net-net: TUNNEL, rekeying every 3600s 
 +    local:  10.0.12.0/24 
 +    remote: 10.0.45.0/24
 </code> </code>
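Review bot: the bullet "forcing the tunnel going UP (start_action trap)" no longer matches the configuration: `start_action = trap` installs a trap policy so the CHILD_SA is negotiated only when matching traffic appears, which is the swanctl counterpart of the old `auto=route`; the counterpart of the old `auto=start` is `start_action = start`. Either reword the bullet as on Router 4 ("automatic traffic detection") or set `start_action = start` here. The old `dpdaction=restart` also has no counterpart in the new file: `dpd_delay = 5s` only sends the liveness checks, and the restart-on-failure behaviour needs `dpd_action = restart` in the `net-net` child section. In the `secrets` block the documented swanctl.conf syntax is `id-1 = vm4` and `secret = "..."`; as shown here the `=` is missing, so if that is how the file was typed it should be written in the documented form. The PSK is a plain sentence; that is acceptable as a lab placeholder, but a short remark that a real deployment needs a randomly generated secret would help, since nothing in `swanctl --list-conns` reveals how weak it is.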
  
Line 734: Line 758:
   * Preshared-key   * Preshared-key
   * Disabling Mobile IP   * Disabling Mobile IP
-  * automatic traffic detection (auto=route)+  * automatic traffic detection
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    remote_addrs = 10.0.23.2 
 +    local_addrs = 10.0.34.4 
 +    remote { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    local { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        remote_ts  = 10.0.12.0/24 
 +        local_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-    authby=secret +  ike-1 { 
-    keyexchange=ikev2 +    id-1 vm2 
-    mobike=no +    secret "This is a strong password" 
-    dpdaction=restart +  } 
-    dpddelay=5 +} 
-conn VM2 +EOF
-    left=10.0.34.4 +
-    leftsubnet=10.0.45.0/24 +
-    leftid=VM4 +
-    right=10.0.23.2 +
-    rightsubnet=10.0.12.0/24 +
-    rightid=VM2 +
-    auto=route +
-'EOF+
-</code> +
- +
-Then define the password to use for the remote site:+
  
-<code> 
-cat > /usr/local/etc/ipsec.secrets <<'EOF' 
-VM4 VM2 : PSK "This is a strong password" 
-'EOF' 
 </code> </code>
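Review bot: as on Router 2, the old `dpdaction=restart` is dropped and only `dpd_delay = 5s` remains; add `dpd_action = restart` to the `net-net` child if the restart-on-dead-peer behaviour is still wanted, and apply the same `id-1 = vm2` / `secret = "..."` syntax check to the `secrets` block. The removed old block ended with an unterminated `'EOF` that would have left the shell waiting for input, so this rewrite also fixes that; the new heredoc uses an unquoted `<<EOF`, which is fine only while the content contains no `$` or backquotes (here it contains none).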
  
Line 769: Line 801:
  
 <code> <code>
-sysrc strongswan_enable=YES+service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check the status:
 +<code>
 +root@VM4: # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.34.4
 +  remote: 10.0.23.2
 +  local pre-shared key authentication:
 +    id: vm4
 +  remote pre-shared key authentication:
 +    id: vm2
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.45.0/24
 +    remote: 10.0.12.0/24
 +
 +root@VM4: # grep charon /var/log/daemon.log
 +Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
 +Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
 +Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
 +Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
 +nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
 +key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
 +elist addrblock counters
 +Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
 +Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code> </code>
  
Line 799: Line 866:
 00:46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I] 00:46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I]
 00:46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R] 00:46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R]
-</code> 
- 
-Log file on VM2: 
-<code> 
-[root@VM2]~# tail -f /var/log/auth.log 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no netkey IPsec stack detected 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no KLIPS IPsec stack detected 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no known IPsec stack detected, ignoring! 
-Jun  8 00:24:28 VM2 ipsec_starter[984]: charon (986) started after 20 ms 
-Jun  8 00:25:26 VM2 login: login on ttyu0 as root 
-Jun  8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0 
-Jun  8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4 
-Jun  8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4 
-Jun  8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4] 
-Jun  8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24 
 </code> </code>
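Review bot: the charon log on VM4 shows `loading secrets from '/usr/local/etc/ipsec.secrets'` followed by `loaded IKE secret for VM4 VM2`, i.e. the ipsec.secrets file from the previous revision of this lab is still present and still loaded next to the new swanctl secret; the migration steps should tell readers to remove /usr/local/etc/ipsec.conf and /usr/local/etc/ipsec.secrets so a stale PSK is not silently kept. The three `loaded plugins` lines were wrapped mid-word when pasted (`co`/`nstraints`, `kernel-pf`/`key`, `whit`/`elist`) and should be rejoined. The `unable to set UDP_ENCAP` and `UDP decapsulation for IPv6 ... failed` lines concern NAT-T over IPv6 only; the lab's IKE endpoints are IPv4 (10.0.23.2 and 10.0.34.4), so one sentence saying they can be ignored here would save readers a detour. The prompt `root@VM4: #` also differs from the `root@VM2:~ #` form used above.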
  
Line 1010: Line 1062:
 </code> </code>
  
-==== VM2: OpenVPN server ====+==== Standard userland mode (slow) ==== 
 + 
 +=== VM2: OpenVPN server ===
  
 Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf: Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
Line 1054: Line 1108:
 passwd passwd
 </code> </code>
-==== VM4: OpenVPN client ==== 
  
-As OpenVPN client, VM4 should get these files from VM2 and put them in /usr/local/etc/openvpn: +Now Generate client configuration file with embedded certificates:
-  * ca.crt +
-  * VM4.crt +
-  * VM4.key+
  
-On this lab, scp can be used for getting these files: 
 <code> <code>
-mkdir /usr/local/etc/openvpn +cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<EOF 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn +client 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/VM4.crt /usr/local/etc/openvpn +dev tun 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/VM4.key /usr/local/etc/openvpn+remote 10.0.23.2 
 +<ca> 
 +EOF 
 +cat /usr/local/etc/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</ca>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '<cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +cat /usr/local/etc/easy-rsa/pki/issued/VM4.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '<key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +cat /usr/local/etc/easy-rsa/pki/private/VM4.key >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 </code> </code>
  
-Configure openvpn as a client:+=== VM4OpenVPN client ===
  
 +As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in /usr/local/etc/openvpn.
 +
 +On this lab, scp can be used for getting these files:
 <code> <code>
-cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF' +mkdir /usr/local/etc/openvpn 
-client +scp 10.0.23.2:/usr/local/etc/openvpn/VM4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
-dev tun +
-remote 10.0.23.2 +
-ca ca.crt +
-cert VM4.crt +
-key VM4.key +
-'EOF'+
 </code> </code>
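Review bot: VM4-openvpn.conf now carries VM4's private key in clear on VM2 and the commands create it with the default umask; prefix the block with `umask 077` (or `chmod 600` the file after the last append) and tell readers to delete it from VM2 once it has been copied, since the server never needs the client's private key. The client part of the heredoc (`client`, `dev tun`, `remote 10.0.23.2`) has no `remote-cert-tls server` directive, which is what the later VM4 log means by "No server certificate verification method has been enabled": without it any certificate signed by the lab CA, including another client's, is accepted as the server. The heading "=== VM4OpenVPN client ===" also lost its ": " separator.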
  
Line 1087: Line 1143:
 service openvpn start service openvpn start
 </code> </code>
-==== Testing ====+ 
 +=== Testing ===
  
 Pinging VM5 from VM1: Pinging VM5 from VM1:
Line 1160: Line 1217:
 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
 +</code>
 +
 +==== Data Channel Offload (DCO), kernel mode (fast) ====
 +
 +Start with a working userland configuration, then modify existing configuration files like that:
 +  * Need to load if_ovpn module on both side
 +  * Need to enable subnet topology on the server side
 +
 +=== VM2: OpenVPN server ===
 +
 +<code>
 +service openvpn stop
 +sysrc kld_list="if_ovpn"
 +kldload if_ovpn
 +echo "topology subnet" >> /usr/local/etc/openvpn/openvpn.conf
 +service openvpn start
 +</code>
 +
 +=== VM4: OpenVPN client ===
 +
 +<code>
 +service openvpn stop
 +sysrc kld_list="if_ovpn"
 +kldload if_ovpn
 +service openvpn start
 +</code>
 +
 +=== Testing ===
 +
 +Pinging VM5 from VM1:
 +<code>
 +root@VM1:~ # ping -c 2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 1.629/1.665/1.700/0.035 ms
 +root@VM1:~ # ping -c 2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=2.699 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=1.618 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 1.618/2.158/2.699/0.541 ms
 +
 +</code>
 +
 +OpenVPN log file on VM2 (error installing route are due to DCO restriction):
 +<code>
 +Oct  4 18:29:40 VM2 openvpn[89399]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
 +Oct  4 18:29:40 VM2 openvpn[89399]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
 +Oct  4 18:29:40 VM2 openvpn[89399]: WARNING: --keepalive option is missing from server config
 +Oct  4 18:29:40 VM2 openvpn[89399]: DCO device tun0 opened
 +Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.0 up
 +Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 mtu 1500 up
 +Oct  4 18:29:41 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 -ifdisabled
 +Oct  4 18:29:41 VM2 openvpn[89399]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric 200) dev tun0
 +Oct  4 18:29:41 VM2 openvpn[89399]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
 +Oct  4 18:29:41 VM2 openvpn[89399]: setsockopt(IPV6_V6ONLY=0)
 +Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link local (bound): [AF_INET6][undef]:1194
 +Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link remote: [AF_UNSPEC]
 +Oct  4 18:29:41 VM2 openvpn[89399]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
 +Oct  4 18:29:41 VM2 openvpn[89399]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1002'
 +Oct  4 18:29:41 VM2 openvpn[89399]: succeeded -> ifconfig_pool_set(hand=2)
 +Oct  4 18:29:41 VM2 openvpn[89399]: Initialization Sequence Completed
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_VER=2.6_git
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PLAT=freebsd
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_TCPNL=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_NCP=2
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PROTO=94
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_LZO_STUB=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUB=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUBv2=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 [VM4] Peer Connection Initiated with [AF_INET6]::ffff:10.0.34.4:10468
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 MULTI_sva: pool returned IPv4=10.0.24.4, IPv6=2001:db8:24::1002
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route add -net 10.0.45.0/24 10.0.24.4 -fib 0
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route -6 add -net 2001:db8:45::/64 2001:db8:24::1002 -fib 0
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
 +</code>
 +
 +OpenVPN log file on VM4:
 +<code>
 +Oct  4 18:30:11 VM4 openvpn[86737]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
 +Oct  4 18:30:11 VM4 openvpn[86737]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
 +Oct  4 18:30:11 VM4 openvpn[86737]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
 +Oct  4 18:30:11 VM4 openvpn[86737]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link local: (not bound)
 +Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: DCO device tun0 opened
 +Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 10.0.24.4 10.0.24.1 mtu 1500 netmask 255.255.255.0 up
 +Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 2001:db8:24::1002/64 mtu 1500 up
 +Oct  4 18:30:12 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 -ifdisabled
 +Oct  4 18:30:12 VM4 openvpn[86737]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric 200) dev tun0
 +Oct  4 18:30:12 VM4 openvpn[86737]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 +Oct  4 18:30:12 VM4 openvpn[86737]: Initialization Sequence Completed
 +</code>
 +
 +===== Wireguard =====
 +
 +On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod.
 +==== Key pairs generation on VM2 and VM4 ====
 +
 +The first step is to generate a couple of private and public keys on each wireguard endpoint.
 +
 +The standard way of generating keys is using this command:
 +
 +<code>
 +cd /usr/local/etc/wireguard
 +wg genkey > private
 +chmod 600 private
 +wg pubkey < private > public
 +</code>
 +
 +But on this example, we will use static keys as example.
 +==== Router 2 ====
 +
 +Write example-only static and public key, on real-life, used the one generated by wg.
 +
 +<code>
 +echo "oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=" > /usr/local/etc/wireguard/private
 +echo "z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=" > /usr/local/etc/wireguard/public
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
 +AllowedIPs = 10.0.45.0/24,2001:db8:45::/64
 +Endpoint = 10.0.34.4:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Router 4 ====
 +
 +Generate example-only router 4 wg keys, and declare 2 public key.
 +
 +<code>
 +echo "4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=" > /usr/local/etc/wireguard/private
 +echo "o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=" > /usr/local/etc/wireguard/public
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
 +AllowedIPs = 10.0.12.0/24,2001:db8:12::/64
 +Endpoint = 10.0.23.2:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Testing ====
 +
 +Pinging VM5 from VM1:
 +
 +<code>
 +[root@VM1]~# ping -c2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
 +
 +[root@VM1]~# ping6 -c2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
 +</code>
 +
 +Are we using the kernel module?
 +<code>
 +root@VM2:~ # kldstat -v -n if_wg.ko
 +Id Refs Address                Size Name
 +    1 0xffffffff82b17000    2e550 if_wg.ko (/boot/kernel/if_wg.ko)
 +        Contains modules:
 +                 Id Name
 +                473 wg
 +</code>
 +
 +Displaying wg status on VM2:
 +<code>
 +root@VM2:~ # ifconfig wg0
 +wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
 +        options=80000<LINKSTATE>
 +        groups: wg
 +        nd6 options=101<PERFORMNUD,NO_DAD>
 +root@VM2:~ # netstat -rn | grep "Dest\|wg0"
 +Destination        Gateway            Flags     Netif Expire
 +10.0.45.0/24       link#            US          wg0
 +Destination                       Gateway                       Flags     Netif Expire
 +2001:db8:45::/64                  link#                       US          wg0
 +root@VM2:~ # wg show
 +interface: wg0
 +  public key: z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
 +  private key: (hidden)
 +  listening port: 51820
 +
 +peer: o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
 +  endpoint: 10.0.34.4:51820
 +  allowed ips: 2001:db8:45::/64, 10.0.45.0/24
 +  latest handshake: 32 seconds ago
 +  transfer: 356 B received, 436 B sent
 </code> </code>
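Review bot: `sysrc kld_list="if_ovpn"` in both DCO blocks overwrites any modules already listed in kld_list; use `sysrc kld_list+="if_ovpn"` so existing entries survive. The VM2 log warns `--keepalive option is missing from server config`, and the two `route add ... failed` lines are explained only as "DCO restriction"; since the ping test still succeeds, a sentence on why they fail and how to verify the resulting routes (for example with `netstat -rn` on VM2) would stop readers treating the ERROR lines as a broken setup. In the WireGuard section the private keys are written with a plain `echo >` and embedded in wg0.conf without the `chmod 600` that the `wg genkey` snippet applies; both files should be mode 600. The text should also say plainly that these published keys are for the lab only (anyone with this page can impersonate either peer) and that `AllowedIPs` is both the route and the ingress filter: VM2 accepts packets from VM4 only if their source lies in 10.0.45.0/24 or 2001:db8:45::/64, which is the cryptokey-routing property worth stating. Minor: "declare 2 public key" should read "declare its own public key and VM2's public key".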
documentation/examples/gre_ipsec_and_openvpn.1578850556.txt.gz · Last modified: 2020/01/12 18:35 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause