Difference between revisions of "OpenBSD Wireguard - Large network"

Latest revision as of 09:50, 9 March 2021

I've been doing a lot of testing with WireGuard lately and I'm impressed. We saw significant speed gains across all platforms and services thanks to the ChaCha20 cryptography. Setup is extremely easy; below is a small setup where I have several locations using WireGuard:


#This is file /etc/hostname.wg0 (the hub router)
#Each wgpeer line is one branch: its public key, the networks it is allowed to
#use (read from a per-branch route file), and the address and port it listens on.

#Poughkeepsie
wgpeer asdasdasdasdasdasdasdasdasE= wgaip $(cat /etc/routept) wgendpoint 10.0.2.2 600

#elmira
wgpeer QcyFJK3YgM/jV/X/asdasdasdasdxczxczxczxczo= wgaip $(cat /etc/routeelmira) wgendpoint 10.0.3.2 600

#uticaga
wgpeer N8SS55iuyioiuyoiuyoiuyoiuyoiuyoyiuoyu3CBOhE= wgaip $(cat /etc/routeutga) wgendpoint 10.0.4.2 600

#shop
wgpeer TwyNwYY4AVy3243543532452435432zIhFxjk9PrKIr04tUU4= wgaip $(cat /etc/routeshp2) wgendpoint 10.0.5.2 600

#Main config (your router config)
#tunnel address, this router's private key (keep it private) and the UDP port it listens on
10.0.11.13 255.255.255.0
wgkey OOfSxdOjUzftm8FYwjc3tGnvjtXCj8QpPfaON6f8Rns=
wgport 700
up

This router accepts traffic from all of those offices as long as the public keys match on both sides (each side lists the other's public key in its wgpeer line). You also need to make sure the IP traffic is allowed, so the route file referenced above (/etc/routept, or similar) would look like the below; the first entry has no wgaip keyword because it is substituted directly after the wgaip already on the wgpeer line. This ensures that traffic for those networks is routed over the tunnel, and since a peer can only send and receive traffic for the prefixes listed, other traffic cannot be intercepted.

10.0.9.0/24
wgaip 10.1.9.0/24

The branch office config would look as follows:

#This is file /etc/hostname.wg0 (a branch office)
#tunnel address, this branch's private key, the hub as the only peer (its public
#key, the networks reachable through it, and its public endpoint), and our port

10.0.4.254 255.255.255.0
wgkey +K4q9asdasdasdasdasdasKRy0YrIJcxnYW1E=
wgpeer v6udCue+7asdasdasdasdasdasdasdasdasdaasdd6CKC0= wgaip $(cat /etc/routesfile) wgendpoint 24.213.203.67 700
wgport 600
up

In my route file, since I have several networks, I have the below. You could certainly do this with broader masks, but I prefer strict filtering in my case:

#This is file /etc/routesfile

10.0.1.0/24
wgaip 10.0.2.0/24
wgaip 10.0.3.0/24
wgaip 10.0.4.0/24
wgaip 10.0.5.0/24
wgaip 10.0.6.0/24
wgaip 10.0.7.0/24
wgaip 10.0.8.0/24
wgaip 10.0.10.0/24
wgaip 10.0.11.0/24
wgaip 10.0.12.0/24
wgaip 10.0.13.0/24
wgaip 10.0.14.0/24
wgaip 10.0.15.0/24
wgaip 10.0.16.0/24
wgaip 10.0.17.0/24
wgaip 10.7.0.0/24

wgaip 10.1.1.0/24
wgaip 10.1.2.0/24
wgaip 10.1.3.0/24
wgaip 10.1.4.0/24
wgaip 10.1.5.0/24
wgaip 10.1.6.0/24
wgaip 10.1.7.0/24
wgaip 10.1.8.0/24
wgaip 10.1.10.0/24
wgaip 10.1.11.0/24
wgaip 10.1.12.0/24
wgaip 10.1.13.0/24
wgaip 10.1.14.0/24
wgaip 10.1.15.0/24
wgaip 10.1.16.0/24
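As an added example (not part of the original page), here is a small Python check for the route-file approach above: it expands the `$(cat /etc/...)` references the same way the shell does for the hostname.wg0 lines, collects each peer's wgaip prefixes, and reports any prefix that two peers both claim, because WireGuard lets only one peer own a given allowed-IP prefix and the other silently loses it. The hub config, the peer keys and the route-file contents are constructed placeholders, not the page's real values.

```python
import re
import ipaddress
# Constructed hostname.wg0 in the page's style; the keys are placeholders, not real ones.
HUB_CONFIG = """\
#Poughkeepsie
wgpeer PEER_PK_A_PLACEHOLDER= wgaip $(cat /etc/routept) wgendpoint 10.0.2.2 600
wgpeer PEER_PK_B_PLACEHOLDER= wgaip $(cat /etc/routeelmira) wgendpoint 10.0.3.2 600
10.0.11.13 255.255.255.0
wgkey HUB_PRIVATE_KEY_PLACEHOLDER=
wgport 700
up
"""
# Constructed route files; routeelmira mistakenly repeats a Poughkeepsie prefix.
ROUTE_FILES = {
    "/etc/routept": "10.0.9.0/24\nwgaip 10.1.9.0/24\n",
    "/etc/routeelmira": "10.0.3.0/24\nwgaip 10.1.3.0/24\nwgaip 10.1.9.0/24\n",
}
CAT_RE = re.compile(r"\$\(cat\s+(\S+)\)")

def expand_line(line, files):
    """Substitute $(cat FILE) with the file's contents, whitespace-joined as the shell does."""
    return CAT_RE.sub(lambda m: " ".join(files[m.group(1)].split()), line)

def parse_peers(config, files):
    """Map each wgpeer public key to the prefixes its wgaip entries allow."""
    peers = {}
    for raw in config.splitlines():
        tokens = expand_line(raw, files).split()
        if not tokens or tokens[0] != "wgpeer":  # skips blanks, comments, wgkey, etc.
            continue
        pubkey, prefixes, i = tokens[1], [], 2
        while i < len(tokens):
            if tokens[i] == "wgaip":
                prefixes.append(ipaddress.ip_network(tokens[i + 1]))
                i += 2
            elif tokens[i] == "wgendpoint":
                i += 3  # keyword, address, port
            else:
                i += 1
        peers[pubkey] = prefixes
    return peers

def find_overlaps(peers):
    """Peer pairs whose allowed-IP prefixes overlap: a prefix can belong to only one peer."""
    keys, hits = list(peers), []
    for a, ka in enumerate(keys):
        for kb in keys[a + 1:]:
            hits += [(ka, kb, str(pa), str(pb)) for pa in peers[ka]
                     for pb in peers[kb] if pa.overlaps(pb)]
    return hits
```

Run it against the real /etc/hostname.wg0 and route files before a reboot; an empty result from find_overlaps means every network is claimed by exactly one branch.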

Some of these networks don't exist yet but are added for future reference. WireGuard is very easy to set up, and with its allowed-IP (cryptokey) routing it is very easy to use. I've run iperf2 across the networks and it handles traffic properly. It is very clean and I hope to see some great things in the future with it. Cisco/Juniper have had talks of adopting the technology, which could make networking a little easier and more robust.

For a more technical description see https://man.openbsd.org/ifconfig, which has an entire section dedicated to WireGuard.