Current-Users archive


WireGuard in NetBSD

Back in 2018, ozaki-r@ wrote an in-kernel implementation of WireGuard
<https://www.wireguard.com/> for NetBSD -- a point-to-point roaming-
capable virtual private network tunnel with modern cryptography.

Today I imported Ozaki-san's WireGuard code into NetBSD proper.
Here's an example of how to use it, taken from the new wg(4) man page.
You'll need to build a kernel config with `pseudo-device wg' in it --
it's not in any GENERIC kernels yet, and there's no loadable module
yet.  (Both of these will change -- also, you can try it without any
kernel changes using the wg-userspace(8) tool which runs in userland
with a rump server and tun(4); see the man page for details.)

Typical network topology:

     wm0 = 1.2.3.4                               bge0 = 4.3.2.1

     Stationary server:                         Roaming client:
     +---------+                                    +---------+
     |    A    |                                    |    B    |
     |---------|                                    |---------|
     |        [wm0]-------------internet--------[bge0]        |
     |    [wg0] port 1234 - - - (tunnel) - - - - - - [wg0]    |
     |   10.0.1.0                  |               10.0.1.1   |
     |         |                   |                |         |
     +--[wm1]--+          +-----------------+       +---------+
          |               | VPN 10.0.1.0/24 |
          |               +-----------------+
     +-----------------+
     | LAN 10.0.0.0/24 |
     +-----------------+

Generate key pairs on A and B:

     A# wg-keygen > /etc/wireguard/wg0
     A# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
     A# cat /etc/wireguard/wg0.pub
     N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y=

     B# wg-keygen > /etc/wireguard/wg0
     B# wg-keygen --pub < /etc/wireguard/wg0 > /etc/wireguard/wg0.pub
     B# cat /etc/wireguard/wg0.pub
     X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU=

Configure A to listen on port 1234 and allow connections from B to
appear in the 10.0.1.0/24 subnet:

     A# ifconfig wg0 create 10.0.1.0/24
     A# wgconfig wg0 set private-key /etc/wireguard/wg0
     A# wgconfig wg0 set listen-port 1234
     A# wgconfig wg0 add peer B \
         X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU= \
         --allowed-ips=10.0.1.1/32
     A# ifconfig wg0 up
     A# ifconfig wg0
     wg0: flags=0x51<UP,POINTOPOINT,RUNNING> mtu 1420
             inet 10.0.1.0/24 ->  flags 0

Configure B to connect to A at 1.2.3.4 on port 1234 and the packets
can begin to flow:

     B# ifconfig wg0 create 10.0.1.1/24
     B# wgconfig wg0 set private-key /etc/wireguard/wg0
     B# wgconfig wg0 add peer A \
         N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y= \
         --allowed-ips=10.0.1.0/32 \
         --endpoint=1.2.3.4:1234
     B# ifconfig wg0 up
     B# ifconfig wg0
     wg0: flags=0x51<UP,POINTOPOINT,RUNNING> mtu 1420
             inet 10.0.1.1/24 ->  flags 0
     B# ping -n 10.0.1.0
     PING 10.0.1.0 (10.0.1.0): 56 data bytes
     64 bytes from 10.0.1.0: icmp_seq=0 ttl=255 time=2.721110 ms
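The walkthrough above is four steps typed by hand, and the two values that matter most for safety are the pasted public keys and each peer's `--allowed-ips` (WireGuard only accepts a decrypted packet from a peer if its source address falls inside that peer's allowed-ips, so a too-wide entry lets one peer impersonate another tunnel address). As an added example, not part of the post and not NetBSD's own `wgconfig` or `wg-keygen` code, here is a small Python script that applies the checks an operator would want before running those commands: it verifies that each public key is strict base64 decoding to exactly 32 bytes, that every peer's allowed-ips lies inside the tunnel subnet, does not cover this host's own address and does not overlap another peer's, and then emits the exact command lines from the walkthrough. The function names, the peer-dictionary shape and the `check_pubkey`/`check_endpoint` helpers are this example's own assumptions; the keys, addresses and port are the ones shown in the post.

```python
import base64
import ipaddress

# Added example, not part of the post or of NetBSD's wgconfig/wg-keygen.
# Public keys, addresses and port below are the ones in the walkthrough;
# the host labels A and B and all function names are this example's own.

WG_KEY_LEN = 32  # a WireGuard public key is a 32-byte Curve25519 point


def check_pubkey(key_b64):
    """True if key_b64 is strict base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == WG_KEY_LEN


def check_endpoint(endpoint):
    """Accept 'host:port' with a numeric port in 1..65535."""
    host, sep, port = endpoint.rpartition(":")
    return bool(host) and sep == ":" and port.isdigit() and 1 <= int(port) <= 65535


def plan_wg_config(ifname, tunnel_addr, private_key_path, peers, listen_port=None):
    """Validate one host's WireGuard configuration and return the ifconfig/
    wgconfig command lines the walkthrough uses, in order.

    tunnel_addr: this host's tunnel address with prefix, e.g. "10.0.1.0/24".
    peers: dicts with keys name, pubkey, allowed_ips (one CIDR, as in the
           post) and, for peers this host initiates to, endpoint "host:port".
    """
    iface = ipaddress.ip_interface(tunnel_addr)
    vpn = iface.network
    cmds = [
        f"ifconfig {ifname} create {tunnel_addr}",
        f"wgconfig {ifname} set private-key {private_key_path}",
    ]
    if listen_port is not None:
        if not 1 <= listen_port <= 65535:
            raise ValueError(f"listen-port {listen_port} out of range")
        cmds.append(f"wgconfig {ifname} set listen-port {listen_port}")

    claimed = []  # (peer name, network) already routed, for overlap detection
    for p in peers:
        name = p["name"]
        if not check_pubkey(p["pubkey"]):
            raise ValueError(f"peer {name}: public key is not a 32-byte base64 value")
        # strict=True rejects entries with host bits set (e.g. 10.0.1.1/24),
        # which would silently widen the addresses this peer may source.
        try:
            allowed = ipaddress.ip_network(p["allowed_ips"], strict=True)
        except ValueError as e:
            raise ValueError(f"peer {name}: bad allowed-ips: {e}") from None
        if allowed.version != vpn.version or not allowed.subnet_of(vpn):
            raise ValueError(f"peer {name}: allowed-ips {allowed} is outside VPN {vpn}")
        if iface.ip in allowed:
            raise ValueError(f"peer {name}: allowed-ips {allowed} covers our own {iface.ip}")
        for other, net in claimed:
            if allowed.overlaps(net):
                raise ValueError(f"peer {name}: allowed-ips {allowed} overlaps peer {other} ({net})")
        claimed.append((name, allowed))

        line = f"wgconfig {ifname} add peer {name} {p['pubkey']} --allowed-ips={allowed}"
        if "endpoint" in p:
            if not check_endpoint(p["endpoint"]):
                raise ValueError(f"peer {name}: bad endpoint {p['endpoint']!r}")
            line += f" --endpoint={p['endpoint']}"
        cmds.append(line)

    cmds.append(f"ifconfig {ifname} up")
    return cmds


A_PUB = "N+B4Nelg+4ysvbLW3qenxIwrJVE9MdjMyqrIisH7V0Y="  # A's key, from the post
B_PUB = "X7EGm3T3IfodBcyilkaC89j0SH3XD6+/pwvp7Dgp5SU="  # B's key, from the post


def walkthrough():
    """Both halves of the post's setup: A listens on 1234, B connects to A."""
    a = plan_wg_config("wg0", "10.0.1.0/24", "/etc/wireguard/wg0",
                       [{"name": "B", "pubkey": B_PUB, "allowed_ips": "10.0.1.1/32"}],
                       listen_port=1234)
    b = plan_wg_config("wg0", "10.0.1.1/24", "/etc/wireguard/wg0",
                       [{"name": "A", "pubkey": A_PUB, "allowed_ips": "10.0.1.0/32",
                         "endpoint": "1.2.3.4:1234"}])
    return a, b


if __name__ == "__main__":
    for host, cmds in zip("AB", walkthrough()):
        for c in cmds:
            print(f"{host}# {c}")
```

The "inside the VPN subnet" rule matches the post's topology, where each peer is a single /32 host in 10.0.1.0/24; a gateway that should carry a client's default route would deliberately relax that one check for `0.0.0.0/0`, and the overlap check then matters even more, since two peers claiming the same prefix leave the kernel with only one of them reachable.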
