WireGuard (WG) aims to provide a VPN that is both simple and highly effective, and to be a serious alternative to existing technologies such as IPsec or OpenVPN.
WG is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
I tried WG in a complex high-availability datacenter setup and replaced a couple of existing OpenVPN connections with WireGuard.
The result was performant and simple at the same time.
We have two sites: one with a static ISP address (Zeta) and one with a dynamic address (Gamma). The goal is to connect both sites over WG. Because Gamma's address changes, only Gamma can be configured with a fixed endpoint; Zeta learns Gamma's current address from each handshake Gamma initiates.
On Debian:

```sh
# Add unstable, pinned low (priority < 100) so only packages requested explicitly are taken from it
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
```

On openSUSE:

```sh
zypper addrepo -f obs://network:vpn:wireguard wireguard
zypper ref
zypper install wireguard-kmp-default wireguard-tools
```
At the time of writing WG is not part of the mainline kernel and there are no official distribution packages. So you either build your own version or trust a third-party source with pre-built packages, as above. The DKMS and kmp packages build the kernel module against your running kernel, so the matching kernel headers have to be installed for that to work. The WG project expects to get official kernel support in the near future, but for now this is how it is. (WireGuard has since been merged into mainline Linux 5.6; on such a kernel the module is already there and only wireguard-tools is needed.)
On Zeta site:

```sh
umask 077                        # create the key file owner-only from the start
wg genkey > wgprivate_zeta.key
chmod 600 wgprivate_zeta.key     # regular file, no execute bit needed
wg pubkey < wgprivate_zeta.key   # prints the public key, which goes into Gamma's peer config
```

On Gamma site:

```sh
umask 077
wg genkey > wgprivate_gamma.key
chmod 600 wgprivate_gamma.key
wg pubkey < wgprivate_gamma.key  # prints the public key, which goes into Zeta's peer config
```
On Zeta site:

```sh
ip link add dev wg0 type wireguard
ip address add 10.0.0.3/32 dev wg0
# Listen on the port Gamma's endpoint points at (the firewall must accept UDP/56922)
wg set wg0 private-key ./wgprivate_zeta.key listen-port 56922
ip link set wg0 up
# Gamma's public key; no endpoint, because Gamma's address is dynamic and is learned from its handshakes.
# allowed-ips 0.0.0.0/0 accepts any source address from Gamma; see the note on allowed-ips below.
wg set wg0 peer g5k9FzKAmhzwt2HLZ2+1rbGGyvqtHPbG6RK1vkn1KgU= allowed-ips 0.0.0.0/0 persistent-keepalive 25
```

On Gamma site:

```sh
ip link add dev wg0 type wireguard
ip address add 10.0.0.4/32 dev wg0
wg set wg0 private-key ./wgprivate_gamma.key
ip link set wg0 up
# Zeta's public key and static endpoint; the keepalive from the dynamic side keeps the NAT/firewall mapping open
wg set wg0 peer v2m8GnJAmhzjq2HUZ2+1dyWUyvqtHPbG6RK1vkn1KgU= allowed-ips 0.0.0.0/0 persistent-keepalive 25 endpoint 22.214.171.124:56922
```
You also have to set a host route on Gamma to reach Zeta's tunnel address:

```sh
ip route replace 10.0.0.3 dev wg0
```

and the same on Zeta to reach Gamma:

```sh
ip route replace 10.0.0.4 dev wg0
```
The allowed-ips part can contain host or network restrictions, and it works in both directions: outbound, a packet is sent to the peer whose allowed-ips contain its destination; inbound, a decrypted packet is accepted only if its source address lies within the sending peer's allowed-ips and is dropped otherwise. With 0.0.0.0/0 as above, either site will accept packets with any source address from the other. When each side only has its single tunnel address, 10.0.0.4/32 on Zeta and 10.0.0.3/32 on Gamma is the tighter setting; use a network (for example a LAN behind the peer) only where that peer really should route for it.
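The same two-site setup, as an added example that is not part of the original post and not WireGuard project code, rendered as wg-quick configuration files (wg-quick ships with wireguard-tools) with allowed-ips narrowed to the peer's tunnel address. The public keys and Zeta's endpoint are the ones from the post; private keys are passed in by the caller, and the key check is a format check (32 bytes of base64) that mirrors what wg itself enforces. Unlike the manual commands above, only Gamma sends keepalives here, since only the dynamic side needs them.

```sh
#!/bin/sh
# Added example: render the Zeta/Gamma setup as wg-quick configs.
# Public keys are the post's; private keys come from the caller.

ZETA_PUB='v2m8GnJAmhzjq2HUZ2+1dyWUyvqtHPbG6RK1vkn1KgU='    # Zeta's public key (peer on Gamma)
GAMMA_PUB='g5k9FzKAmhzwt2HLZ2+1rbGGyvqtHPbG6RK1vkn1KgU='   # Gamma's public key (peer on Zeta)
ZETA_ENDPOINT='22.214.171.124:56922'                        # Zeta's static address and listen port

# Format check for a WireGuard key: 32 bytes base64-encoded, i.e. 43 base64
# characters plus one '=' pad. wg rejects anything that does not decode to 32 bytes.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# render_wg_conf ADDR PRIVKEY PEER_PUB PEER_ALLOWED LISTEN_PORT ENDPOINT KEEPALIVE
# Prints an [Interface]/[Peer] config for wg-quick on stdout.
# An empty LISTEN_PORT, ENDPOINT or KEEPALIVE omits that line.
render_wg_conf() {
    addr=$1; privkey=$2; peer_pub=$3; peer_allowed=$4
    listen_port=$5; endpoint=$6; keepalive=$7
    if ! valid_wg_key "$privkey" || ! valid_wg_key "$peer_pub"; then
        echo "render_wg_conf: malformed key" >&2
        return 1
    fi
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\n' "$addr" "$privkey"
    if [ -n "$listen_port" ]; then printf 'ListenPort = %s\n' "$listen_port"; fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$peer_pub" "$peer_allowed"
    if [ -n "$endpoint" ]; then printf 'Endpoint = %s\n' "$endpoint"; fi
    if [ -n "$keepalive" ]; then printf 'PersistentKeepalive = %s\n' "$keepalive"; fi
}

# Zeta: static address, so it listens on a fixed port and needs no Endpoint for
# Gamma (learned from Gamma's handshakes). Only packets from 10.0.0.4 are accepted.
zeta_conf() {
    render_wg_conf 10.0.0.3/32 "$1" "$GAMMA_PUB" 10.0.0.4/32 56922 '' ''
}

# Gamma: dynamic address, so it dials Zeta's endpoint and sends keepalives to
# keep the path through its NAT/stateful firewall open.
gamma_conf() {
    render_wg_conf 10.0.0.4/32 "$1" "$ZETA_PUB" 10.0.0.3/32 '' "$ZETA_ENDPOINT" 25
}

# Usage on each site (write the file owner-only, it contains the private key):
#   umask 077; zeta_conf "$(cat wgprivate_zeta.key)" > /etc/wireguard/wg0.conf
#   wg-quick up wg0            # or: systemctl enable --now wg-quick@wg0
if [ -r wgprivate_zeta.key ]; then zeta_conf "$(cat wgprivate_zeta.key)"; fi
```

wg-quick also installs a route for every AllowedIPs entry, so with these files the manual `ip route` step above is not needed; Zeta's firewall still has to accept UDP/56922.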
Use `wg show` (or `wg show wg0` for one interface) to display the current configuration of your WG interfaces and peers: public keys, listen port, endpoints, allowed-ips, the time of the latest handshake and the transfer counters.
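A health check built on that status output, as an added example that is not part of the original post and not WireGuard project code. `wg show <iface> dump` prints the same information machine-readably: one tab-separated line for the interface, then one per peer with the latest handshake as a Unix timestamp (0 if there never was one). With persistent keepalives a live peer re-handshakes at least every couple of minutes, so a handshake older than about three minutes means the tunnel is down even though the interface is still up. The dump lines below are constructed (the post's public keys plus a placeholder key; 203.0.113.7 is a documentation address); the private key field is replaced by a placeholder.

```sh
#!/bin/sh
# Added example: flag peers whose last handshake is too old, from `wg show <iface> dump`.

# stale_peers NOW MAX_AGE   (reads dump output on stdin)
# Prints "<peer-public-key> <age-in-seconds|never>" for every peer whose latest
# handshake is older than MAX_AGE seconds; exit status 1 if any peer is stale.
stale_peers() {
    awk -F'\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                           # line 1 describes the interface itself
        {
            pub = $1; hs = $5                      # $5 = latest-handshake, epoch seconds
            if (hs == 0)        { print pub, "never"; stale++; next }
            if (now - hs > max) { print pub, now - hs; stale++ }
        }
        END { exit (stale > 0) }'
}

# Constructed sample as it would look on Zeta: the interface line, Gamma with a
# handshake at t=1600000000, and a third peer that has never connected.
ZETA_PUB='v2m8GnJAmhzjq2HUZ2+1dyWUyvqtHPbG6RK1vkn1KgU='
GAMMA_PUB='g5k9FzKAmhzwt2HLZ2+1rbGGyvqtHPbG6RK1vkn1KgU='
PLACEHOLDER_PUB="$(printf '%043d' 0 | tr 0 B)="    # key-shaped placeholder, not a real key
sample_dump() {
    # interface line: private-key public-key listen-port fwmark (private key hidden here)
    printf '(hidden)\t%s\t56922\toff\n' "$ZETA_PUB"
    # peer lines: public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
    printf '%s\t(none)\t203.0.113.7:41820\t10.0.0.4/32\t1600000000\t9841\t12120\t25\n' "$GAMMA_PUB"
    printf '%s\t(none)\t(none)\t10.0.0.5/32\t0\t0\t0\toff\n' "$PLACEHOLDER_PUB"
}

# Real use, e.g. from cron or an HA health probe on the live interface:
#   wg show wg0 dump | stale_peers "$(date +%s)" 180 || echo "wg0: tunnel down"
sample_dump | stale_peers 1600000100 180 || true   # demo: reports only the never-connected peer
```

The exit status makes the function usable directly as a probe; the printed lines tell you which peer to look at. Run it on the live `wg show wg0 dump` output with the current time, not on the sample.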
WG is a pretty solid alternative to OpenVPN: simple in use and, as described in this post, easy to configure.
Network performance was also a bit better than through OpenVPN, measured over a dozen transfers of a 90 MB binary file.
Measured transfer times:

| VPN       | Transfer time                    |
|-----------|----------------------------------|
| OpenVPN   | 1:23 (one minute and 23 seconds) |
| WireGuard | 1:15 (one minute and 15 seconds) |