
WireGuard CLI configuration #888

Merged
merged 10 commits into from
Dec 12, 2024

Conversation

gsanchietti
Copy link
Member

@gsanchietti gsanchietti commented Nov 6, 2024

Wireguard configuration from command line interface.

Features:

  • support multiple WireGuard server instances
  • each instance has its own reserved zone
  • all accounts (peers) have a statically allocated IP address
  • download account configuration as text or qrcode
  • net2net mode
  • support peer pre-shared key
  • if the server instance is linked to a user database, peers will be associated with the existing users
  • import a standard wireguard configuration file

Limitations:

  • only /24 networks are supported
  • the IP of an account can't be changed

Possible improvements:

  • use WireGuard account IP address inside firewall objects
  • add WireGuard tunnels to the local monitoring
  • add WireGuard tunnels to the remote monitoring
  • correctly display WireGuard interfaces under the VPN section inside the Network page

Reference: #921

Quickstart

1. Get good defaults

Before creating an instance, retrieve some valid defaults. Use the calculated defaults to create the instance:

/usr/libexec/rpcd/ns.wireguard call get-instance-defaults

Response example:

{"listen_port": 51820, "instance": "wg1", "network": "10.98.95.0/24", "routes": ["192.168.100.0/24"], "public_endpoint": "1.2.3.4"}

Debug

By default, wireguard does not log anything.
To enable logging on /var/log/messages, use the following:

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

2. Create the instance

Create the instance not connected to a user db:

echo '{"listen_port": 51820, "name": "wg1", "instance": "wg1", "enabled": true, "network": "10.103.1.0/24", "routes": ["192.168.100.0/24"], "public_endpoint": "1.2.3.4", "dns": [], "user_db": ""}' |  /usr/libexec/rpcd/ns.wireguard  call set-instance

The server will automatically get the first IP of the network, in this case 10.98.95.1.

Save and apply:

uci commit network && uci commit firewall
reload_config

Use the same API also to change the configuration of the server instance.

3. Add a new account (peer)

Create a new account, make sure the account field is unique inside the same instance:

echo '{"enabled": true, "instance": "wg1", "account": "user1", "route_all_traffic": false, "client_to_client": false, "ns_routes": [], "preshared_key": true}' | /usr/libexec/rpcd/ns.wireguard call set-peer

Options:

  • route_all_traffic: if set to true, when the client connects, it will send all the traffic to the server
  • client_to_client: if set to true, the client will be able to communicate with all other peers and not only with the server
  • preshared_key: if set to true, automatically create a pre-shared key that will be used in the peer downloaded configuration
  • ns_routes: a list of network CIDR, automatically routes the networks to this peer; this is used for net2net

Note: if the server instance is linked to a user_db, the account field must contain the name of an existing user

Save and apply:

uci commit network
reload_config

Use the same API also to change the configuration of the server instance.

4. Download the account configuration

The account configuration can be downloaded either in text format or as a QR code.
Download the text format:

echo '{"instance": "wg1", "account": "user1"}' |  /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .config

Configure a Desktop/Mobile device

Print the QR code to the console:

echo '{"instance": "wg1", "account": "user1"}' |  /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .qrcode | base64 -d

You can use the iOS or Android app to scan the QR code and connect.

Import the configuration to another NethSecurity

Print the configuration file in base64 to the console:

 echo '{"instance": "wg1", "account": "user1"}' |  /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .config | base64 -w0; echo

The output will be something like:

IyBBY2NvdW50OiB1c2VyMSBmb3Igd2cxCltJbnRlcmZhY2VdClByaXZhdGVLZXkgPSA0T29WUnFLVzBUdXI1MTFJTDZ0dFg2aXovRW54cmJLelVjQVg4OWJVeGxVPQpBZGRyZXNzID0gMTAuMTAzLjEuMgojIEN1c3RvbSBETlMgZGlzYWJsZWQKCltQZWVyXQpQdWJsaWNLZXkgPSBnbTFjVGFlNnViNFFHdlFja25yYjNGYk40NngxdGJhWEpqT1Fid1gvc2lNPQpQcmVTaGFyZWRLZXkgPSAvM0ViSzlhOERXM0Q3dm4wU0ZwM29LMlhTb2VtMDVEcEc0SXhFWjRxb3lVPQpBbGxvd2VkSVBzID0gMTkyLjE2OC4xMDAuMC8yNCwxMC4xMDMuMS4wLzI0CkVuZHBvaW50ID0gMTkyLjE2OC4xMjIuNDk6NTE4MjAKUGVyc2lzdGVudEtlZXBhbGl2ZSA9IDI1Cg==

Copy the base64 string, then go to the other NethSecurity and execute:

echo '{"config": "IyBBY2NvdW50OiB1c2VyMSBmb3Igd2cxCltJbnRlcmZhY2VdClByaXZhdGVLZXkgPSA0T29WUnFLVzBUdXI1MTFJTDZ0dFg2aXovRW54cmJLelVjQVg4OWJVeGxVPQpBZGRyZXNzID0gMTAuMTAzLjEuMgojIEN1c3RvbSBETlMgZGlzYWJsZWQKCltQZWVyXQpQdWJsaWNLZXkgPSBnbTFjVGFlNnViNFFHdlFja25yYjNGYk40NngxdGJhWEpqT1Fid1gvc2lNPQpQcmVTaGFyZWRLZXkgPSAvM0ViSzlhOERXM0Q3dm4wU0ZwM29LMlhTb2VtMDVEcEc0SXhFWjRxb3lVPQpBbGxvd2VkSVBzID0gMTkyLjE2OC4xMDAuMC8yNCwxMC4xMDMuMS4wLzI0CkVuZHBvaW50ID0gMTkyLjE2OC4xMjIuNDk6NTE4MjAKUGVyc2lzdGVudEtlZXBhbGl2ZSA9IDI1Cg=="}' | /usr/libexec/rpcd/ns.wireguard call import-configuration

Save and apply:

uci commit network && uci commit firewall
reload_config

Remove an instance

To remove an instance use:

echo '{"instance": "wg1"}' |  /usr/libexec/rpcd/ns.wireguard call remove-instance

The command will remove:

  • the WireGuard server instance
  • the firewall rules to accept the traffic from WAN
  • the zone for the VPN
  • all associated accounts

Save and apply:

uci commit network && uci commit firewall
reload_config

Remove a peer

To remove a peer use:

echo '{"instance": "wg1", "account": "user1"}' | /usr/libexec/rpcd/ns.wireguard call remove-peer

The command will remove the peer and its configuration inside the users database, if present.
Save and apply:

uci commit network && uci commit users
reload_config
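Before pasting the exported configuration into `import-configuration` on a second NethSecurity (or handing it to a road-warrior client), it is worth checking that the peer file actually matches the instance it was generated for: the keys are well-formed 32-byte WireGuard keys, the `Address` lies inside the instance `/24` and is not the server's own address, `AllowedIPs` covers the pushed routes plus the VPN network, and `Endpoint` uses the instance listen port. The following parser and checker is an added example written for this page; it is not code from the PR or from the NethSecurity project. The helper names (`parse_wg_config`, `check_peer_config`, `check_exported`) are hypothetical, and the sample input is the base64 output shown in the quickstart above, checked against the instance values used in the `set-instance` step (`10.103.1.0/24`, route `192.168.100.0/24`, port 51820).

```python
import base64
import ipaddress

# Sample input (copied verbatim from the quickstart above): the output of
#   download-peer-config | jq -r .config | base64 -w0
PEER_CONFIG_B64 = "IyBBY2NvdW50OiB1c2VyMSBmb3Igd2cxCltJbnRlcmZhY2VdClByaXZhdGVLZXkgPSA0T29WUnFLVzBUdXI1MTFJTDZ0dFg2aXovRW54cmJLelVjQVg4OWJVeGxVPQpBZGRyZXNzID0gMTAuMTAzLjEuMgojIEN1c3RvbSBETlMgZGlzYWJsZWQKCltQZWVyXQpQdWJsaWNLZXkgPSBnbTFjVGFlNnViNFFHdlFja25yYjNGYk40NngxdGJhWEpqT1Fid1gvc2lNPQpQcmVTaGFyZWRLZXkgPSAvM0ViSzlhOERXM0Q3dm4wU0ZwM29LMlhTb2VtMDVEcEc0SXhFWjRxb3lVPQpBbGxvd2VkSVBzID0gMTkyLjE2OC4xMDAuMC8yNCwxMC4xMDMuMS4wLzI0CkVuZHBvaW50ID0gMTkyLjE2OC4xMjIuNDk6NTE4MjAKUGVyc2lzdGVudEtlZXBhbGl2ZSA9IDI1Cg=="


def decode_exported(config_b64):
    """Undo the `base64 -w0` wrapping and return the plain WireGuard config text."""
    return base64.b64decode(config_b64).decode()


def parse_wg_config(text):
    """Parse an INI-style WireGuard config into {"Interface": {...}, "Peer": [{...}, ...]}.
    '#' starts a comment (the export puts the account name and DNS note in comments)."""
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                current = {}
                sections["Peer"].append(current)
            elif name == "Interface":
                current = sections["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def is_wg_key(value):
    """A WireGuard key (private, public or pre-shared) is 32 bytes, base64 encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def check_peer_config(text, network, routes, listen_port):
    """Return a list of problems found in a peer config exported for an instance with the
    given VPN network (the /24), pushed routes and listen port. An empty list means it looks sane."""
    cfg = parse_wg_config(text)
    problems = []
    net = ipaddress.ip_network(network)
    iface = cfg["Interface"]
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    try:
        addr = ipaddress.ip_address(iface["Address"].split("/")[0])
        if addr not in net:
            problems.append(f"Address {addr} is outside the instance network {net}")
        elif addr == net.network_address + 1:
            # the server always takes the first IP of the network
            problems.append(f"Address {addr} is the server address, not a peer address")
    except (KeyError, ValueError):
        problems.append("Interface.Address missing or invalid")
    if len(cfg["Peer"]) != 1:
        problems.append(f"expected exactly one [Peer] (the server), found {len(cfg['Peer'])}")
        return problems
    peer = cfg["Peer"][0]
    if not is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer.PublicKey missing or not a 32-byte base64 key")
    if "PreSharedKey" in peer and not is_wg_key(peer["PreSharedKey"]):
        problems.append("Peer.PreSharedKey is not a 32-byte base64 key")
    allowed = {ipaddress.ip_network(c.strip()) for c in peer.get("AllowedIPs", "").split(",") if c.strip()}
    for cidr in list(routes) + [network]:
        if ipaddress.ip_network(cidr) not in allowed:
            problems.append(f"AllowedIPs does not include {cidr}")
    endpoint = peer.get("Endpoint", "")
    _host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit() or int(port) != listen_port:
        problems.append(f"Endpoint {endpoint!r} does not use listen port {listen_port}")
    return problems


def check_exported(config_b64, network, routes, listen_port):
    """Convenience wrapper: decode the `base64 -w0` string and check it."""
    return check_peer_config(decode_exported(config_b64), network, routes, listen_port)


if __name__ == "__main__":
    found = check_exported(PEER_CONFIG_B64, "10.103.1.0/24", ["192.168.100.0/24"], 51820)
    print("\n".join(found) if found else "peer config matches the instance")
```

Run it with the instance values from your own `set-instance` call; a mismatch between `Address` and the instance network, or a missing route in `AllowedIPs`, is the usual cause of a tunnel that comes up but carries no traffic.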

@gsanchietti gsanchietti changed the title Wireguard CLI configuration Road Warrior Wireguard CLI configuration Nov 6, 2024
@gsanchietti gsanchietti changed the title Road Warrior Wireguard CLI configuration Road Warrior WireGuard CLI configuration Nov 6, 2024
@gsanchietti gsanchietti changed the title Road Warrior WireGuard CLI configuration WireGuard CLI configuration Nov 13, 2024
@gsanchietti gsanchietti self-assigned this Nov 18, 2024
@gsanchietti gsanchietti changed the title WireGuard CLI configuration PoC: WireGuard CLI configuration Nov 18, 2024
@gsanchietti gsanchietti changed the title PoC: WireGuard CLI configuration WireGuard CLI configuration Nov 28, 2024
@gsanchietti gsanchietti removed their assignment Nov 28, 2024
@gsanchietti gsanchietti marked this pull request as ready for review November 28, 2024 11:22
@gsanchietti gsanchietti requested review from DavidePrincipi, filippocarletti and Tbaile and removed request for DavidePrincipi November 28, 2024 11:22
If ns_routes field is set inside a peer, it allows to create
a net2net tunnel
Allow to enable and disable server instances and peers.
Also add ns_user_db field to connect an instance to a user db
Support automatic creation of preshared key for peers
Allow to use existing user as wireguard peer.
Make sure to not conflict with OpenVPN config.
Enable debug for wireguard. Usage example:

  echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
The API can be used to setup site-to-site tunnels
Co-authored-by: Filippo Carletti <filippo.carletti@gmail.com>
@gsanchietti gsanchietti merged commit 34fcbf2 into main Dec 12, 2024
1 check failed
@gsanchietti gsanchietti deleted the wireguard branch December 12, 2024 08:08
@gsanchietti gsanchietti mentioned this pull request Dec 12, 2024