Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.20170612-1.

Download here: https://github.com/Lochnair/vyatta-wireguard/releases

Release notes are here: https://lists.zx2c4.com/pipermail/wireguard/2017-June/001416.html

New Member
Posts: 34
Registered: ‎01-02-2016
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Trying to configure an ER-POE5 to connect to an ERL, it seems like it's trying to install some routes and that fails?

ubnt@erpoe5# compare
[edit interfaces]
+wireguard wg0 {
+ address 1.2.3.1/30
+ peer iVtoj2RubcdpENZUMg29JnRklE5V0SrRbegMWfghLxE= {
+ allowed-ips 0.0.0.0/0
+ endpoint SOME-SERVER:51820
+ persistent-keepalive 25
+ }
+ private-key SOME-KEY
+ route-allowed-ips false
+}
[edit]
ubnt@erpoe5# commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: File exists

Commit failed
[edit]
ubnt@erpoe5#

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@trrunde, we've added the option route-allowed-ips in 0.0.20160612-2 which allows you to change the default behaviour of adding routes for allowed-ips entries. You shouldn't however need to use this for most configurations.

The reason you're getting an error is because you've set allowed-ips to 0.0.0.0/0 (default route), which there's already an entry for in the routing table. In most cases you don't want to do that. Could you explain in more detail your network topology and how you're trying to use WireGuard, so that I may help you further?
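
The route collision described in this reply can be checked before committing. The following is an added example, not part of the original post and not the package's own code: it parses `set` commands and `show ip route` text in the formats shown in this thread and classifies each allowed-ips prefix. The function names, the sample input and the rule that an identical prefix on another interface is the "File exists" case are assumptions made for illustration.

```python
import ipaddress
import re

# One route line of `show ip route`: code, optional "*>", prefix, ..., device.
ROUTE_RE = re.compile(r"^([A-Z])\s+\*?>?\s+(\S+/\d+)\s.*\s(\S+)$")

def parse_routes(show_ip_route):
    """Return [(network, device)]; the legend/header lines do not match."""
    routes = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(2), strict=False), m.group(3)))
    return routes

def parse_wireguard(commands, ifname="wg0"):
    """Collect allowed-ips and the route-allowed-ips flag from `set` commands."""
    allowed, install = [], True  # per the thread, routes are added by default
    for line in commands.splitlines():
        words = line.replace("'", "").split()
        if words[:4] != ["set", "interfaces", "wireguard", ifname]:
            continue
        if "allowed-ips" in words[:-1]:
            value = words[words.index("allowed-ips") + 1]
            allowed += [ipaddress.ip_network(p, strict=False) for p in value.split(",")]
        elif words[4:5] == ["route-allowed-ips"]:
            install = words[5:6] == ["true"]
    return allowed, install

def check(commands, show_ip_route, ifname="wg0"):
    """Classify each allowed-ips prefix against routes on other interfaces."""
    allowed, install = parse_wireguard(commands, ifname)
    others = [n for n, dev in parse_routes(show_ip_route) if dev != ifname]
    result = {}
    for net in allowed:
        same_family = [n for n in others if n.version == net.version]
        if not install:
            result[str(net)] = "not-installed"
        elif net in same_family:
            result[str(net)] = "conflict"   # same prefix exists: "File exists"
        elif any(n.prefixlen > 0 and net.subnet_of(n) for n in same_family):
            result[str(net)] = "overrides"  # more specific, would pull traffic to wg0
        else:
            result[str(net)] = "ok"
    return result

# Constructed sample input (documentation addresses, placeholder peer key).
ROUTES = """S    *> 0.0.0.0/0 [210/0] via 192.0.2.1, eth0
C    *> 10.10.0.0/16 is directly connected, eth1"""
CONFIG = "set interfaces wireguard wg0 peer PEER-KEY= allowed-ips 0.0.0.0/0,192.168.55.0/24,10.10.10.8/30"
```

With the constructed input, `check(CONFIG, ROUTES)` flags `0.0.0.0/0` as a conflict with the existing default route and `10.10.10.8/30` as a more specific prefix inside a network already routed via eth1.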

New Member
Posts: 34
Registered: ‎01-02-2016
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

The way I thought "route-allowed-ips" works is to enable/disable whether the subnet I put in "allowed-ips" will be added as a kernel route?

Here is the config I am running on another ERL:

set interfaces wireguard wg0 peer rWCWSRj/CNL5qt+NxiKrYZqgzhAsuf7TDEuKlB77Yj8= allowed-ips 192.168.55.0/24,10.10.10.8/30

And if I check the route table, 192.168.55.0/24 is installed as a kernel route:

K    *> 192.168.55.0/24 [0/0] via wg0

I want to not be able to use OSPF or BGP between two routers and want WireGuard to accept any subnet so I can use a route policy to set which subnets are sent over the WireGuard link.

New Member
Posts: 34
Registered: ‎01-02-2016
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

And another small thing: why are you using true/false for route-allowed-ips when it seems like most other EdgeOS config uses enable/disable?

New Member
Posts: 34
Registered: ‎01-02-2016
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

I reloaded the ER-PoE and it's working now. I believe that it failed because at the first attempt I did not use a version that had the option for "route-allowed-ips", and then WireGuard tried to change my default route. I used exit discard and upgraded to the latest version of WireGuard. It seems like when I tried to apply the config again it was still trying to change my default route, but after a reload it was working.

ubnt@erpoe5:~$ show configuration commands | match wireg
set interfaces wireguard wg0 peer iVtoj2RubcdpENZUMg29JnRklE5V0SrRbegMWfghLxE= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer iVtoj2RubcdpENZUMg29JnRklE5V0SrRbegMWfghLxE= endpoint 'SOME-DOMAIN:51820'
set interfaces wireguard wg0 peer iVtoj2RubcdpENZUMg29JnRklE5V0SrRbegMWfghLxE= persistent-keepalive 25
set interfaces wireguard wg0 private-key SOME-KEY=
set interfaces wireguard wg0 route-allowed-ips false

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

Correct, set "route-allowed-ips" to false and your config on the ERPoE should work.

New Member
Posts: 34
Registered: ‎01-02-2016
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Seems like it's installing some route anyway:

ubnt@erpoe5:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via x.x.x.x eth0
C *> 0.0.0.0/30 is directly connected, wg0
C *> 1.2.3.0/30 is directly connected, wg0

But I doubt that it matters much that traffic towards 0.0.0.1 and 0.0.0.2 would potentially go via wg0

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.20170628-1.

Download here: https://github.com/Lochnair/vyatta-wireguard/releases

Release notes are here: https://lists.zx2c4.com/pipermail/wireguard/2017-June/001493.html

Member
Posts: 115
Registered: ‎06-05-2016
Kudos: 11

Re: Release: WireGuard for EdgeRouter

Guys, any chance for USG version?

Senior Member
Posts: 5,692
Registered: ‎01-04-2017
Kudos: 795
Solutions: 286

Re: Release: WireGuard for EdgeRouter

What is the time frame on a stable 1.0 release for this?

New Member
Posts: 10
Registered: ‎04-02-2017

Re: Release: WireGuard for EdgeRouter

Congrats on making it run better and better. I'm following WireGuard for some time, since it offers so much more security/easier to use. And of course... it's outperforming open-vpn/ipsec.

Keep up the good work. Hopefully one day it can also be implemented in the usg, since then even more users will profit from it.

Member
Posts: 244
Registered: ‎09-16-2011
Kudos: 46
Solutions: 2

Re: Release: WireGuard for EdgeRouter

@Lochnair @zx2c4 No download links for .deb

Only source...

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@alawadhi

Sorry about that, fixed now.

Thanks for the heads up!

Member
Posts: 244
Registered: ‎09-16-2011
Kudos: 46
Solutions: 2

Re: Release: WireGuard for EdgeRouter


Lochnair wrote:

@alawadhi

Sorry about that, fixed now.

Thanks for the heads up!


Thank you

New Member
Posts: 4
Registered: ‎12-22-2016

Re: Release: WireGuard for EdgeRouter

Can confirm this works on ERX with 1.9.7+hotfix.2. And man, does it ever fly.

Thank you guys so much for the work on this. It's a bit of a game changer for a few of my design considerations.

Senior Member
Posts: 3,937
Registered: ‎05-15-2014
Kudos: 1416
Solutions: 269

Re: Release: WireGuard for EdgeRouter

Gents, here is a ready product waiting to be integrated into EdgeOS. It'll give the system great functionality and competitive advantage.

@UBNT-afomins @UBNT-sandisn @UBNT-benpin @UBNT-Fenng @UBNT-cmb

Senior Member
Posts: 5,692
Registered: ‎01-04-2017
Kudos: 795
Solutions: 286

Re: Release: WireGuard for EdgeRouter

@BranoB I agree but there's still one thing probably keeping them from implementing this....

From the website:

Work in Progress
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

Source

Hence why I asked when they plan on releasing a stable version which I never got a reply to.

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

BranoB wrote:

Gents, here is a ready product waiting to be integrated into EdgeOS. It'll give the system great functionality and competitive advantage.

@UBNT-afomins @UBNT-sandisn @UBNT-benpin @UBNT-Fenng @UBNT-cmb


UBNT - I'm happy to work with you to make this happen when the time is right. Feel free to reach out to me. @UBNT-cmb has my contact information.
