Wireguard

From Gentoo Wiki

WireGuard is a modern, simple, and secure VPN that uses state-of-the-art cryptography. Considered an alternative to OpenVPN, it can be used to create secure point-to-point, site-to-point, and site-to-site connections. Its goals are to be fast, simple, lean, and easy to configure. WireGuard consists of two components: the userspace tools and a kernel module.

Wireguard is written and maintained by Jason A. Donenfeld (zx2c4), a Gentoo developer.

Official and potentially more up-to-date installation instructions can be found upstream.

Installation

Kernel

Kernels less than 5.6

Linux kernels older than 5.6 (<=5.5) do not include WireGuard in the upstream kernel code. WireGuard support can be added to these older kernels via the separate modules package emerged below.

Attempting to add WireGuard support without a few specific kernel symbols enabled will cause the emerge to fail. Some of these symbols are dependencies of other options and can only be enabled by enabling those options. Make sure the following symbols are enabled before moving on to the next section:

  • CONFIG_NET - For basic networking support.
  • CONFIG_INET - For basic IP support.
  • CONFIG_NET_UDP_TUNNEL - For sending and receiving UDP packets.
  • CONFIG_NF_CONNTRACK - For determining the source address when constructing ICMP packets.
  • CONFIG_NETFILTER_XT_MATCH_HASHLIMIT - For ratelimiting when under DoS attacks.
  • CONFIG_IP6_NF_IPTABLES - Only if using CONFIG_IPV6 for ratelimiting when under DoS attacks.
  • CONFIG_CRYPTO_BLKCIPHER - For doing scatter-gather I/O.
  • CONFIG_PADATA - For parallel crypto (only available on multi-core machines).[1]
KERNEL Enable kernel support for WireGuard[2]
[*] Networking support -->
    Networking options -->
        [*] TCP/IP networking
        [*]   IP: Foo (IP protocols) over UDP
        [*] Network packet filtering framework (Netfilter) -->
            [*] Advanced netfilter configuration
            Core Netfilter Configuration -->
                [*] Netfilter connection tracking support
                [*] Netfilter Xtables support
                [*]   "hashlimit" match support
            [*] IPv6: Netfilter Configuration (only if using IPv6)
[*] Cryptographic API -->
    [*] Cryptographic algorithm manager
    [*] Parallel crypto engine

Kernel 5.6 and higher

Starting with kernel 5.6, Wireguard is included in the upstream kernel sources. It is enabled via the following menuconfig option:

KERNEL Enable CONFIG_WIREGUARD
Device Drivers  --->
    [*] Network device support  --->
        [*] Network core driver support
        <*>   WireGuard secure network tunnel

USE flags

USE flags for net-vpn/wireguard-tools (Required tools for WireGuard, such as wg(8) and wg-quick(8))

  • wg-quick - Install the wg-quick(8) helper tool. Most users want to use this.

Emerge

Install the wireguard-tools package to generate encryption keys and manage Wireguard interfaces:

root #emerge --ask net-vpn/wireguard-tools

Less than 5.6

For Linux kernels less than 5.6 also install the modules:

root #emerge --ask net-vpn/wireguard-modules

Configuration

Kernel module loading

When Wireguard support has been added as a module, be sure to instruct the selected init system to load the WireGuard kernel modules when the system boots. This will be slightly different for each init system.

OpenRC

FILE /etc/conf.d/modules
modules="wireguard"

Be sure the modules service is set to run in the boot runlevel:

root #rc-update add modules boot

systemd

systemd users will need to create a new file in the /etc/modules-load.d/ directory in order to instruct the module loading service to get the module loaded on boot:

FILE /etc/modules-load.d/wireguard.conf
wireguard

Generate a keypair

Before using WireGuard, a keypair has to be generated. This can be accomplished using wg(8); the umask 077 ensures the resulting private key file is readable by its owner only:

user $umask 077
user $wg genkey | tee privatekey | wg pubkey > publickey

Quick configuration

Configuration can be automated using the wg-quick utility, which creates tunnels from configuration files in the /etc/wireguard directory.

For more information on wg-quick consult man 8 wg-quick.
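The keypair and quick-configuration steps above, combined into one script as an added example (not code from the Gentoo wiki page or the WireGuard project). It writes a wg-quick style configuration file with the same umask 077 discipline, rejects malformed keys, and reports the resulting file mode; the interface name, addresses, endpoint and both keys are constructed placeholders.

```shell
# Added example, not from the Gentoo wiki page or the WireGuard project.
# Writes a wg-quick(8) configuration the way the keypair and quick-configuration
# sections describe, keeping the private key out of world-readable files.
# Keys below are constructed placeholders: make real ones with
# `wg genkey | tee privatekey | wg pubkey > publickey`.

EXAMPLE_PRIVKEY='cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXItbm90LXJlYWw='   # placeholder
EXAMPLE_PEER_PUBKEY='cGVlci1wdWJsaWMta2V5LXBsYWNlaG9sZGVyLWZha2U='  # placeholder

# looks_like_wg_key KEY: succeeds if KEY has the shape of a WireGuard key
# (32 bytes in base64: 43 alphabet characters followed by one '=').
looks_like_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# write_wg_conf DIR IFACE PRIVKEY ADDRESS PORT PEER_PUBKEY ALLOWED_IPS [ENDPOINT]
# Creates DIR/IFACE.conf for wg-quick and prints its path. Aborts on a
# malformed key so an empty variable or stray file name never becomes a config.
write_wg_conf() {
    dir=$1 iface=$2 privkey=$3 address=$4 port=$5
    peer_pub=$6 allowed=$7 endpoint=${8:-}
    looks_like_wg_key "$privkey" && looks_like_wg_key "$peer_pub" || return 1
    conf="$dir/$iface.conf"
    # umask 077 in a subshell: the file is created 0600 (wg-quick warns when
    # the file is world accessible) and the caller's umask is left untouched.
    (
        umask 077
        {
            printf '[Interface]\nPrivateKey = %s\n' "$privkey"
            printf 'Address = %s\nListenPort = %s\n\n' "$address" "$port"
            printf '[Peer]\nPublicKey = %s\n' "$peer_pub"
            printf 'AllowedIPs = %s\n' "$allowed"
            if [ -n "$endpoint" ]; then printf 'Endpoint = %s\n' "$endpoint"; fi
            printf 'PersistentKeepalive = 25\n'
        } > "$conf"
    ) || return 1
    printf '%s\n' "$conf"
}

# conf_mode FILE: print the permission bits so the 0600 requirement can be checked.
conf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo: write a client config into a scratch directory and show it.
demo_dir=$(mktemp -d)
demo_conf=$(write_wg_conf "$demo_dir" wg0 "$EXAMPLE_PRIVKEY" 10.0.0.2/24 51820 \
    "$EXAMPLE_PEER_PUBKEY" 10.0.0.0/24 vpn.example.invalid:51820)
echo "wrote $demo_conf (mode $(conf_mode "$demo_conf"))"; cat "$demo_conf"
rm -rf "$demo_dir"
```

Pointing the function at /etc/wireguard as root produces /etc/wireguard/wg0.conf, which wg-quick up wg0 then uses to bring the tunnel up.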

Removal

Unmerge

When removing WireGuard support, be sure to search for all installed packages:

root #emerge --ask --search wireguard

For example, to remove the userspace tools:

root #emerge --ask --depclean --verbose net-vpn/wireguard-tools

Troubleshooting

Rebuilding modules on kernel upgrades for kernels less than 5.6

When upgrading to a newer kernel that is less than version 5.6 (version 4.9.x LTS is a fitting example), it is important to re-emerge the kernel modules. This is handled by default when using genkernel, but can be quickly performed using the following auto-generated Portage set:

root #emerge --ask @module-rebuild

See also

  • OpenVPN — software that enables the creation of secure point-to-point or site-to-site connections.

External resources

References