diff --git a/source/manual/how-tos/wireguard-s2s b/source/manual/how-tos/wireguard-s2s new file mode 100644 index 00000000..81a7a387 --- /dev/null +++ b/source/manual/how-tos/wireguard-s2s 
@@ -0,0 +1,64 @@ +============================ +WireGuard Site-to-Site Setup +============================ + +.. Warning:: + **IMPORTANT NOTE** : + WireGuard Plugin is still in development, use at your own risk! + +------------ +Introduction +------------ + +WireGuard is a simple and fast modern VPN. It aims to be faster and simpler than IPSec. It intends to be +considerably more performant than OpenVPN. Initially released for the Linux kernel, it is now cross-platform +and widely deployable. It is currently under heavy development. + +--------------------- +Step 1 - Installation +--------------------- + +Since WireGuard Plugin is still in development you have to switch via **System->Firmware->Settings** +the **Release Type** to **Development**. After this go to **System->Firmware->Plugins->** and search +for **os-wireguard-devel**. Install the plugin as usual, refresh and page and the you'll find the client +via **VPN->WireGuard**. + +------------------------ +Step 2 - Setup WireGuard +------------------------ + +The setup of a Site-2-Site VPN is very simple. Just go to tab **Server** and create a new instance. +Give it a **Name** and set a desired **Listen Port**. If you have more than one server instance be +aware that you can use the **Listen Port** only once. For **Tunnel Address** choose a new virtual +network to run communication over it, just like with OpenVPN or GRE (e.g. 192.168.0.1/24). +**Peers** can not be chosen yet since we have not created them yet. +After hitting **Save changes** you can reopen the newly created instance, write down your new public +key and give it to the other side. + +When this VPN is set up on OPNsense only do the same on the second machine and exchange the public +keys. Now go to tab **Endpoints** and add the remote site, give it a **Name**, insert the **Public +Key** and the **Tunnel Address** (e.g. 192.168.0.2/24). 
**Endpoint Address** is the public IP of the +remote site and you can also set optionally the **Endpoint Port**, now hit **Save changes**. + +Go back to tab **Server**, open the instance and choose the newly created endpoint in **Peers**. + +Now we can **Enable** the VPN in tab **General** and go on with the setup. + +----------------------- +Step 3 - Setup Firewall +----------------------- + +On **Firewall->Rules** add a new rule on your WAN interface allowing the port you set in your +instance (Protocol UDP). You also have a new interace **Wireguard** in rules, where you can +set granular rules on connection inside your tunnel. + +Your tunnel is now up and running. + +------------------------- +Step 4 - Routing networks +------------------------- + +If you want to route your internal networks via this VPN just add the network in the +**Tunnel Address** in **Endpoints** tab (e.g. 10.0.1.0/24). + +That's it! diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 574dcad6..09051b26 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -49,7 +49,9 @@ Plugin VPN options Via plugins additional VPN technologies are offered, including: * **Legacy L2TP & PPTP** +* **OpenConnect** - SSLVPN client, initially build to connect to commercial vendor appliances like Cisco ASA or Juniper. * **Tinc** - Automatic Full Mesh Routing +* **WireGuard** - Very simple and fast VPN wokring with public and private keys. * **Zerotier** - seamlessly connect everything, requires account from zerotier.com, free for up to 100 devices. @@ -82,6 +84,10 @@ OpenConnect Client ------------------ :doc:`how-tos/openconnect` +WireGuard Site-to-Site +------------------ +:doc:`how-tos/wireguard-s2s` + Zerotier -------- :doc:`how-tos/zerotier`
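Review bot: The new file is added as `source/manual/how-tos/wireguard-s2s` with no `.rst` extension, so Sphinx will not treat it as a document and the `:doc:` reference to `how-tos/wireguard-s2s` added in `vpnet.rst` in this same patch will not resolve; rename it to `wireguard-s2s.rst`, matching `source/manual/vpnet.rst`. A few typos in the body should also be fixed before merging: "refresh and page and the you'll find" should read "refresh the page and then you'll find", "interace" should be "interface", and "can not" should be "cannot". In Step 3, since Step 2 already tells the reader that **Endpoint Address** is the public IP of the remote site, it would help to suggest restricting the WAN rule for the UDP listen port to that remote source address when the peer's address is static, instead of leaving the port open to any source.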
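Review bot: Both added bullets in the plugin list carry typos: "initially build to connect to commercial vendor appliances" should be "initially built to connect to commercial vendor appliances", and "Very simple and fast VPN wokring with public and private keys" should be "working". Since the list is alphabetical and the descriptions of the neighbouring entries are short, the two new lines otherwise fit the existing style.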
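Review bot: The underline for the new "WireGuard Site-to-Site" heading is only 18 dashes (`------------------`) while the title is 22 characters long, which docutils reports as "Title underline too short" and Sphinx emits as a build warning; extend it to at least 22 dashes (`----------------------`) so it matches the other section headings in the file, such as the 18-dash underline under the 18-character "OpenConnect Client".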