add AzireVPN and MullvadVPN to Wireguard examples (#49)

6 years ago · fd49accdd0
parent f1faa6692d
commit fd49accdd0
4 changed files with 128 additions and 1 deletions
--- a/source/manual/how-tos/wireguard-client-azire.rst
+++ b/source/manual/how-tos/wireguard-client-azire.rst
@ -0,0 +1,62 @@
+=====================================
+WireGuard AzireVPN Road Warrior Setup
+=====================================
+
+.. Warning::
+    WireGuard Plugin is still in development, use at your own risk!
+    
+------------
+Introduction
+------------
+
+AzireVPN is an international VPN provider, co-locating in multiple datacenters and offering secure
+tunneling in respect to privacy. To set up a WireGuard VPN to AzireVPN we assume you are familiar
+with the concepts of WireGuard you that you have read the basic howto :doc:`how-tos/wireguard-client`.
+
+-----------------------------------
+Step 1 - Get AzireVPN configuration
+-----------------------------------
+
+For an automated rollout of configuration, AzireVPN will create a private key in your browser and send
+the public key via an API call to their servers.
+To get a configuration login to your account_
+
+.. _account: https://www.azirevpn.com/cfg/wireguard
+
+Via **Options** you can select the country where you want to break out, choose a port (default ist fine),
+and set the protocol to tunnel (we only cover IPv4).
+
+Hit **Download** at the end of the page to get the preconfigured text file and open it in your
+favorite text editor. 
+
+----------------------------------
+Step 2 - Setup WireGuard Instance
+----------------------------------
+
+Go to tab **Server** and create a new instance. Give it a **Name** and set a desired **Listen Port**. 
+If you have more than one server instance be aware that you can use the **Listen Port** only once. In 
+the field **Private Key** insert the value from your text file and leave **Public Key** empty. **DNS** 
+and **Tunnel Address** has also to be taken from the configuration. Hit **Save** and go to **Endpoint** 
+tab.
+
+On **Endpoint** tab create a new Endpoint, give it a **Name**, set 0.0.0.0/0 in **Tunnel Address** and set
+the DNS name from your configuration in **Endpoint Address**. Don't forget to do this also for the port.
+
+Go back to tab **Server**, open the instance and choose the newly created endpoint in **Peers**.
+
+Now we can **Enable** the VPN in tab **General** and continue with the setup.
+
+--------------------------------
+Step 3 - Assignments and Routing
+--------------------------------
+
+To let you internal clients go through the tunnel you have to add a NAT entry. Go to 
+**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual 
+or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
+LAN network and set **Translation / target** to **interface address**.
+
+When assigning interfaces we can also add gateways to them. This would  offer you the chance to 
+balance traffic via different VPN providers or do more complex routing scenarios. 
+
+
+
--- a/source/manual/how-tos/wireguard-client-mullvad.rst
+++ b/source/manual/how-tos/wireguard-client-mullvad.rst
@ -0,0 +1,63 @@
+=======================================
+WireGuard MullvadVPN Road Warrior Setup
+=======================================
+
+.. Warning::
+    WireGuard Plugin is still in development, use at your own risk!
+    
+------------
+Introduction
+------------
+
+MullvadVPN is a cloud-based VPN provider, offering secure tunneling in respect to privacy. 
+To set up a WireGuard VPN to MullvadVPN we assume you are familiar with the concepts of WireGuard you that
+you have read the basic howto :doc:`how-tos/wireguard-client`.
+
+----------------------------------
+Step 1 - Setup WireGuard Instance
+----------------------------------
+
+Go to tab **Server** and create a new instance. Give it a **Name** and set a desired **Listen Port**. 
+If you have more than one server instance be aware that you can use the **Listen Port** only once. In 
+the field **Tunnel Address** insert an unsused private IP address and subnet mask. We don't need it in
+the first step, but as it is required we can't go on without it. Every other field can be left blank.
+
+Hit **Save** and open your instance again to write down your public key. You need it to get the rest
+of the configuration from the Mullvad API servers. 
+
+Now change to your OPNsense CLI via SSH or Console and execute the curl string below. Please replace the
+**account** data with your own ID you got from MullvadVPN and **pubkey** with the one in your **Server**
+
+.. code-block:: sh
+
+    curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=PUBKEY
+    
+What you receive it the **Tunnel Addres** for your server instance, so edit your instance again, remove
+the **Tunnel Address** you used when setting up and change it to the one you got.
+
+On **Endpoint** tab create a new Endpoint, give it a **Name**, set 0.0.0.0/0 in **Tunnel Address** and set
+the **DNS** to 193.138.219.228. This is the one MulladVPN provides for privacy.
+
+Now go to the WireGuard server list_ and choose the one you like to use as your breakout. Write down it's
+public key and set it as **Public Key**. Also don't forget **Endpoint Address** and **Endpoint Port**.
+
+.. _list: https://www.mullvad.net/en/servers/#wireguard
+
+Go back to tab **Server**, open the instance and choose the newly created endpoint in **Peers**.
+
+Now we can **Enable** the VPN in tab **General** and continue with the setup.
+
+--------------------------------
+Step 2 - Assignments and Routing
+--------------------------------
+
+To let you internal clients go through the tunnel you have to add a NAT entry. Go to 
+**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual 
+or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your
+LAN network and set **Translation / target** to **interface address**.
+
+When assigning interfaces we can also add gateways to them. This would  offer you the chance to 
+balance traffic via different VPN providers or do more complex routing scenarios. 
+
+
+
--- a/source/manual/how-tos/wireguard-client.rst
+++ b/source/manual/how-tos/wireguard-client.rst
@ -64,7 +64,7 @@ But what if you want to push all traffic via VPN in order to filter some streams
 Then we have to assign the interface via **Interface->Assignments**, choose our instance (e.g. instance
 0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address.

-After ths we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set
+After this we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set
 to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel
 Network you use and **Translation / target** set to WAN address.

--- a/source/manual/vpnet.rst
+++ b/source/manual/vpnet.rst
@ -91,6 +91,8 @@ WireGuard Site-to-Site
 WireGuard Road Warrior
 ------------------
 :doc:`how-tos/wireguard-client`
+:doc:`how-tos/wireguard-client-azire`
+:doc:`how-tos/wireguard-client-mullvad`

 Zerotier
 --------