diff --git a/source/manual/how-tos/wireguard-client-azire.rst b/source/manual/how-tos/wireguard-client-azire.rst new file mode 100644 index 00000000..4a2701a5 --- /dev/null +++ b/source/manual/how-tos/wireguard-client-azire.rst 
@@ -0,0 +1,62 @@ +===================================== +WireGuard AzireVPN Road Warrior Setup +===================================== + +.. Warning:: + WireGuard Plugin is still in development, use at your own risk! + +------------ +Introduction +------------ + +AzireVPN is an international VPN provider, co-locating in multiple datacenters and offering secure +tunneling in respect to privacy. To set up a WireGuard VPN to AzireVPN we assume you are familiar +with the concepts of WireGuard you that you have read the basic howto :doc:`how-tos/wireguard-client`. + +----------------------------------- +Step 1 - Get AzireVPN configuration +----------------------------------- + +For an automated rollout of configuration, AzireVPN will create a private key in your browser and send +the public key via an API call to their servers. +To get a configuration login to your account_ + +.. _account: https://www.azirevpn.com/cfg/wireguard + +Via **Options** you can select the country where you want to break out, choose a port (default ist fine), +and set the protocol to tunnel (we only cover IPv4). + +Hit **Download** at the end of the page to get the preconfigured text file and open it in your +favorite text editor. + +---------------------------------- +Step 2 - Setup WireGuard Instance +---------------------------------- + +Go to tab **Server** and create a new instance. Give it a **Name** and set a desired **Listen Port**. +If you have more than one server instance be aware that you can use the **Listen Port** only once. In +the field **Private Key** insert the value from your text file and leave **Public Key** empty. **DNS** +and **Tunnel Address** has also to be taken from the configuration. Hit **Save** and go to **Endpoint** +tab. + +On **Endpoint** tab create a new Endpoint, give it a **Name**, set 0.0.0.0/0 in **Tunnel Address** and set +the DNS name from your configuration in **Endpoint Address**. Don't forget to do this also for the port. 
+ +Go back to tab **Server**, open the instance and choose the newly created endpoint in **Peers**. + +Now we can **Enable** the VPN in tab **General** and continue with the setup. + +-------------------------------- +Step 3 - Assignments and Routing +-------------------------------- + +To let you internal clients go through the tunnel you have to add a NAT entry. Go to +**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual +or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your +LAN network and set **Translation / target** to **interface address**. + +When assigning interfaces we can also add gateways to them. This would offer you the chance to +balance traffic via different VPN providers or do more complex routing scenarios. + + + diff --git a/source/manual/how-tos/wireguard-client-mullvad.rst b/source/manual/how-tos/wireguard-client-mullvad.rst new file mode 100644 index 00000000..2109e004 --- /dev/null +++ b/source/manual/how-tos/wireguard-client-mullvad.rst 
@@ -0,0 +1,63 @@ +======================================= +WireGuard MullvadVPN Road Warrior Setup +======================================= + +.. Warning:: + WireGuard Plugin is still in development, use at your own risk! + +------------ +Introduction +------------ + +MullvadVPN is a cloud-based VPN provider, offering secure tunneling in respect to privacy. +To set up a WireGuard VPN to MullvadVPN we assume you are familiar with the concepts of WireGuard you that +you have read the basic howto :doc:`how-tos/wireguard-client`. + +---------------------------------- +Step 1 - Setup WireGuard Instance +---------------------------------- + +Go to tab **Server** and create a new instance. Give it a **Name** and set a desired **Listen Port**. +If you have more than one server instance be aware that you can use the **Listen Port** only once. In +the field **Tunnel Address** insert an unsused private IP address and subnet mask. We don't need it in +the first step, but as it is required we can't go on without it. Every other field can be left blank. + +Hit **Save** and open your instance again to write down your public key. You need it to get the rest +of the configuration from the Mullvad API servers. + +Now change to your OPNsense CLI via SSH or Console and execute the curl string below. Please replace the +**account** data with your own ID you got from MullvadVPN and **pubkey** with the one in your **Server** + +.. code-block:: sh + + curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=PUBKEY + +What you receive it the **Tunnel Addres** for your server instance, so edit your instance again, remove +the **Tunnel Address** you used when setting up and change it to the one you got. + +On **Endpoint** tab create a new Endpoint, give it a **Name**, set 0.0.0.0/0 in **Tunnel Address** and set +the **DNS** to 193.138.219.228. This is the one MulladVPN provides for privacy. 
+ +Now go to the WireGuard server list_ and choose the one you like to use as your breakout. Write down it's +public key and set it as **Public Key**. Also don't forget **Endpoint Address** and **Endpoint Port**. + +.. _list: https://www.mullvad.net/en/servers/#wireguard + +Go back to tab **Server**, open the instance and choose the newly created endpoint in **Peers**. + +Now we can **Enable** the VPN in tab **General** and continue with the setup. + +-------------------------------- +Step 2 - Assignments and Routing +-------------------------------- + +To let you internal clients go through the tunnel you have to add a NAT entry. Go to +**Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual +or hybrid. Add a rule and select Wireguard as **Interface**. **Source** should be your +LAN network and set **Translation / target** to **interface address**. + +When assigning interfaces we can also add gateways to them. This would offer you the chance to +balance traffic via different VPN providers or do more complex routing scenarios. + + + diff --git a/source/manual/how-tos/wireguard-client.rst b/source/manual/how-tos/wireguard-client.rst index 5789159d..77dd3293 100644 --- a/source/manual/how-tos/wireguard-client.rst +++ b/source/manual/how-tos/wireguard-client.rst @@ -64,7 +64,7 @@ But what if you want to push all traffic via VPN in order to filter some streams Then we have to assign the interface via **Interface->Assignments**, choose our instance (e.g. instance 0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address. -After ths we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set +After this we can go to **Firewall->NAT->Outbound** and add a rule. Check that rule generation is set to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel Network you use and **Translation / target** set to WAN address. 
diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 2c82ac38..7aa9bf92 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -91,6 +91,8 @@ WireGuard Site-to-Site WireGuard Road Warrior ------------------ :doc:`how-tos/wireguard-client` +:doc:`how-tos/wireguard-client-azire` +:doc:`how-tos/wireguard-client-mullvad` Zerotier --------
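Review bot: In the new wireguard-client-azire.rst, the cross-reference `:doc:`how-tos/wireguard-client`` will not resolve: a `:doc:` target without a leading slash is relative to the current document, and this file already lives in `how-tos/`, so Sphinx will look for `how-tos/how-tos/wireguard-client`. Use `:doc:`wireguard-client`` (or the absolute `/manual/how-tos/wireguard-client`); the form used in vpnet.rst only works from one directory up. Step 3 also selects "Wireguard" as the outbound NAT **Interface** without ever assigning the WireGuard instance via **Interface->Assignments** and enabling it, which the base how-to does first ("instance 0 is interface wg0"); add that step, or the interface will not be selectable. Since the downloaded text file carries the tunnel's **Private Key**, a sentence telling the reader to delete it once the value is entered would be worthwhile. Minor: "you that you have read" should be "and that you have read", "default ist fine" should be "default is fine", "let you internal clients" should be "your", "Wireguard" should be spelled "WireGuard" consistently, and the file ends with three trailing blank lines.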
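Review bot: In the new wireguard-client-mullvad.rst, the same relative `:doc:`how-tos/wireguard-client`` target is broken from inside `how-tos/`; use `:doc:`wireguard-client``. In the `curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=PUBKEY` block, the Mullvad account number is the credential for the account, and passing it as a literal on the command line leaves it in the shell history and visible in the process list while curl runs; consider showing `--data-urlencode account@/path/to/file` (or `-d @file`) so the reader keeps it out of both. The hard-coded DNS resolver 193.138.219.228 is given without a pointer to where Mullvad publishes it, so it cannot be verified or updated; link the source the way the server `list_` is linked. Typos: "unsused" -> "unused", "What you receive it the **Tunnel Addres**" -> "What you receive is the **Tunnel Address**", "MulladVPN" -> "MullvadVPN", "Write down it's public key" -> "its". Consistency: the endpoint setup sits inside "Step 1" here but has its own "Step 2" in the AzireVPN page.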
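Review bot: In vpnet.rst, the two added `:doc:` lines sit directly under the existing `:doc:`how-tos/wireguard-client`` line with no blank line between them, so reStructuredText will join all three into a single paragraph and the links render run together on one line. Separate them with blank lines, or turn the block into a bullet list or a `.. toctree::`; a toctree would also stop Sphinx from warning that the two new documents are not included in any toctree, which a bare `:doc:` role does not satisfy.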