OpenBSD Wireguard - Large network

From WTFwiki
Revision as of 09:43, 9 March 2021 by Anexit

I've been doing a lot of testing in WireGuard as of late and I'm impressed. We had some significant speed gains across all of our services with the ChaCha cryptography. Setup is extremely easy; below I've included a small setup where I have several locations using WireGuard.

  # This is file /etc/hostname.wg0
  # Poughkeepsie
  wgpeer asdasdasdasdasdasdasdasdasE= wgaip $(cat /etc/routept) wgendpoint 10.0.2.2 600
  # elmira
  wgpeer QcyFJK3YgM/jV/X/asdasdasdasdxczxczxczxczo= wgaip $(cat /etc/routeelmira) wgendpoint 10.0.3.2 600
  # uticaga
  wgpeer N8SS55iuyioiuyoiuyoiuyoiuyoiuyoyiuoyu3CBOhE= wgaip $(cat /etc/routeutga) wgendpoint 10.0.4.2 600
  # shop
  wgpeer TwyNwYY4AVy3243543532452435432zIhFxjk9PrKIr04tUU4= wgaip $(cat /etc/routeshp2) wgendpoint 10.0.5.2 600
  # Main config (your router config)
  10.0.11.13 255.255.255.0 wgkey OOfSxdOjUzftm8FYwjc3tGnvjtXCj8QpPfaON6f8Rns= wgport 700 up

This router can accept traffic from all of those offices. Of course, you need to make sure that only the intended IP traffic is allowed, so, taking the Poughkeepsie peer above as the example, its route file /etc/routept would look like the below. This ensures that traffic is routable and also makes sure that traffic from the other peers can't snoop on it.

  10.0.9.0/24 wgaip 10.1.9.0/24

The branch office config would look as follows:

  # This is file /etc/hostname.wg0
  10.0.4.254 255.255.255.0 wgkey +K4q9asdasdasdasdasdasKRy0YrIJcxnYW1E= wgpeer v6udCue+7asdasdasdasdasdasdasdasdasdaasdd6CKC0= wgaip $(cat /etc/routesfile) wgendpoint 24.213.203.67 700 wgport 600 up

In my route file, since I have several networks, I have the below. You could certainly cover these with wider masks, but I want strict filtering in my case:

  # This is file /etc/routesfile
  10.0.1.0/24 wgaip 10.0.2.0/24 wgaip 10.0.3.0/24 wgaip 10.0.4.0/24 wgaip 10.0.5.0/24 wgaip 10.0.6.0/24 wgaip 10.0.7.0/24 wgaip 10.0.8.0/24 wgaip 10.0.10.0/24 wgaip 10.0.11.0/24 wgaip 10.0.12.0/24 wgaip 10.0.13.0/24 wgaip 10.0.14.0/24 wgaip 10.0.15.0/24 wgaip 10.0.16.0/24 wgaip 10.0.17.0/24 wgaip 10.7.0.0/24
  wgaip 10.1.1.0/24 wgaip 10.1.2.0/24 wgaip 10.1.3.0/24 wgaip 10.1.4.0/24 wgaip 10.1.5.0/24 wgaip 10.1.6.0/24 wgaip 10.1.7.0/24 wgaip 10.1.8.0/24 wgaip 10.1.10.0/24 wgaip 10.1.11.0/24 wgaip 10.1.12.0/24 wgaip 10.1.13.0/24 wgaip 10.1.14.0/24 wgaip 10.1.15.0/24 wgaip 10.1.16.0/24

Some of these networks don't exist yet but are added for future reference.
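With one route file per peer, the thing that bites in practice is the same prefix ending up under two peers: WireGuard's cryptokey routing hands each allowed prefix to exactly one peer, so an overlap means one site silently stops getting the traffic its route file promises. As an added example (not from the original page), here is a Python check that resolves the $(cat file) references in a hostname.wg0-style config and reports wgaip prefixes claimed by more than one peer; the peer keys and route-file contents below are constructed placeholders, and the duplicated 10.1.9.0/24 entry is deliberate.

```python
import ipaddress
import re

# Constructed sample: a hostname.wg0 written in the style of the page, with the
# $(cat file) references resolved from an in-memory map of route files.
# Peer keys are placeholders; the shared 10.1.9.0/24 entry is a deliberate clash.
ROUTE_FILES = {
    "/etc/routept": "10.0.9.0/24 wgaip 10.1.9.0/24",
    "/etc/routeelmira": "10.0.3.0/24 wgaip 10.1.3.0/24",
    "/etc/routeutga": "10.0.4.0/24 wgaip 10.1.9.0/24",
}
HOSTNAME_WG0 = """\
# Poughkeepsie
wgpeer PEER_PT_PUBKEY= wgaip $(cat /etc/routept) wgendpoint 10.0.2.2 600
# elmira
wgpeer PEER_ELMIRA_PUBKEY= wgaip $(cat /etc/routeelmira) wgendpoint 10.0.3.2 600
# uticaga
wgpeer PEER_UTICA_PUBKEY= wgaip $(cat /etc/routeutga) wgendpoint 10.0.4.2 600
10.0.11.13 255.255.255.0 wgkey ROUTER_PRIVKEY= wgport 700 up
"""

CAT_RE = re.compile(r"\$\(cat\s+(\S+)\)")

def expand(line, files):
    """Substitute each $(cat path) with that file's contents, as the shell would."""
    return CAT_RE.sub(lambda m: files[m.group(1)].strip(), line)

def parse_peers(text, files):
    """Return {pubkey: [networks]} for every wgpeer line in the config."""
    peers = {}
    for raw in text.splitlines():
        words = expand(raw, files).split()
        if not words or words[0] != "wgpeer":
            continue  # comments, blank lines and the interface's own line
        nets = [ipaddress.ip_network(words[i + 1])
                for i, w in enumerate(words[:-1]) if w == "wgaip"]
        peers[words[1]] = nets
    return peers

def find_overlaps(peers):
    """List (peer_a, peer_b, prefix_a, prefix_b) for every pair of wgaip
    prefixes that overlap between two different peers."""
    clashes = []
    items = list(peers.items())
    for i, (key_a, nets_a) in enumerate(items):
        for key_b, nets_b in items[i + 1:]:
            clashes += [(key_a, key_b, str(a), str(b))
                        for a in nets_a for b in nets_b if a.overlaps(b)]
    return clashes
```

To check a real setup, read the route files referenced by your hostname.wg0 into the map and call find_overlaps(parse_peers(config_text, files)); an empty list means every prefix belongs to a single peer.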