Regular Member
Posts: 434
Registered: ‎08-03-2013
Kudos: 102
Solutions: 12

Re: Release: WireGuard for EdgeRouter


BranoB wrote:

Gents, here is a ready product waiting to be integrated into EdgeOS. It'll give the system great functionality and competitive advantage.

 

@UBNT-afomins @UBNT-sandisn @UBNT-benpin @UBNT-Fenng @UBNT-cmb


Yes indeed, and from my standpoint WireGuard delivers REMARKABLE performance -- an understatement.

David Mozer
IT-Expert on Call
Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.20170918-1.

 

Download here: https://github.com/Lochnair/vyatta-wireguard/releases

 

Release notes are here: https://lists.zx2c4.com/pipermail/wireguard/2017-September/001709.html

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@madrian

I didn't notice your question before now, but better late than never I guess.

 

Builds for the USG should be fully possible. IIRC the USG uses the same hardware as the ERL does, so in theory the Octeon package should work with it as-is.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

Is there any attempt to get the VPN service providers to support WG? That would rock.
Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@karog

I don't know if there's anyone actively trying to get providers to add WireGuard support, but there's a thread on the mailing list here on which providers are known to have WireGuard support.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

@Lochnair thanks. I will look into mullvad.
New Member
Posts: 31
Registered: ‎05-25-2017
Kudos: 2

Re: Release: WireGuard for EdgeRouter

[ Edited ]

I've upgraded yesterday to the latest release (working great!) and thought it might be useful to share my learnings/howto:

 

Download .deb: https://github.com/Lochnair/vyatta-wireguard/releases (use octeon for ERL) ('curl -L -O <packagelink>' does the trick from the prompt)

 

Install deb:

 

sudo dpkg -i wireguard-octeon-0.0.20170918-1.deb

 

Show messages from wireguard:

 

dmesg|grep wireguard

 

Show version of loaded version:

 

modinfo wireguard

 

Reload new version of the module after install:

 

rmmod wireguard && modprobe wireguard

 

If you have configured wireguard manually you need to redo it again, because the config is lost after reloading the module (at least that was the case with me). If you have the config in config.boot under interfaces (example in the thread above), it should automatically load after a reboot. Don't forget to add a static route to the subnet on the other side via interface wg0. You can do this via the GUI. It will be saved to config.boot as well (under protocols).

 

If everything went well, the following command should show the status of the link(s) (you might need admin rights (sudo su)):

 

wg show

 

I hope this helps... Please feel free to comment/correct/add. Happy upgrading! :-)

 
New Member
Posts: 28
Registered: ‎12-24-2015
Kudos: 10

Re: Release: WireGuard for EdgeRouter

Are there any chances making it work for the UBNT CloudKey?

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

FYI, in case anybody wants some neat WireGuard stickers for their EdgeRouter, I'm sending them out to anybody who asks, per this mailing list post. Essentially just email team [at] wireguard {d0t} com your mailing address and how many you want, and I'll toss them in an envelope.

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Is there a noob friendly guide for getting a WireGuard client working on ER, like there was for OpenVPN (https://community.ubnt.com/t5/EdgeMAX/Private-Internet-Access-Open-VPN-Step-by-Step-Configuration/m-...)?
Member
Posts: 115
Registered: ‎06-05-2016
Kudos: 11

Re: Release: WireGuard for EdgeRouter

Thank you. Before I am going to install this, one more question:

 

 

Currently I have configured  on two Raspberry Pies, named rPiA and rPiB. rPiA is on my home network, rPiB is placed on an external network (subnet 192.168.2.0/24). So to access this subnet I have set on rPiA: ip route add 192.168.2.0/24 dev wg0. In this way I can access any devices on the remote side.

 

My question is: how do I set "ip route add 192.168.2.0/24 dev wg0" on the USG/Edgerouter?

New Member
Posts: 31
Registered: ‎05-25-2017
Kudos: 2

Re: Release: WireGuard for EdgeRouter

Just use: 'ip route add 192.168.2.0/24 dev wg0' 

 

Or if you want to do this permanently, you can create a static route using the web ui, so it will be saved and it survives a reboot...

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Overall I like the simplicity and the concept, but two questions:

 

I can treat it like a normal interface for most Edgerouter functions, but not "show interfaces wireguard wg0," unless I missed it under one of the other functions.  I'm sure there's other ways to capture packets on it, etc., but it'd be nice to have it more integrated.

 

How big a risk is a DoS attack?  Since there's no authorization checks until after the packet is decrypted, could a flood of packets with a bogus public key cause issues?  What if the public key was discovered?  

 

Assuming it is a risk, maybe some kind of Fail2Ban implementation that drops all packets from an IP after X unsuccessful attempts?  

 

I think I'm having the same issue with the ER-X not recognizing my private key as someone else was earlier but I've had to stop testing that for some other issues.  I regenerated the passkey, started over from scratch, followed the exact same process as on the three ER-8s I've used, but can't get back to that for a few minutes.

 

 

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Using the Ralink version on ER-X, I can't commit the changes. The errors swap between the following. The same steps work fine on the ER-8 using the Octeon build.

 

commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: File exists

 

commit
[ interfaces wireguard wg0 private-key iGeR9dhtny8kHUFbqnvO66UhbVtvIzgbbcPkIZQ+mXw= ]
fopen: No such file or directory

 

commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: File exists

 

commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: Cannot allocate memory

 

Thanks,

Kevin

 

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

The package has now been bumped to 0.0.201701001-1. Sorry for the delay.

 

Download here: https://github.com/Lochnair/vyatta-wireguard/releases

 

Release notes are here: https://lists.zx2c4.com/pipermail/wireguard/2017-October/001770.html

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@kshrwood02

"show interfaces wireguard" isn't implemented, no. I've opened an issue to remind myself to do it.

 

Very small. I don't remember the details, but if you'd like to read up on it, there's a thorough explanation in chapter 5.3 in the WireGuard whitepaper.

 

There's an issue about this on the GitHub repository. At first I thought this was a simple user-error, but it seems vyatta-wireguard on the ER-X is FUBAR. As I don't have an ER-X I haven't been able to debug this yet.

 

As for the other errors you're getting, if you've set allowed-IPs to 0.0.0.0/0 and you've already got a default route you'll get the "File exists" error. You can disable automatic adding of routes by setting route-allowed-ips to false. I have no clue what "Cannot allocate memory" means, and a quick search wasn't very enlightening.

New Member
Posts: 2
Registered: ‎05-10-2017

Re: Release: WireGuard for EdgeRouter

I'm still new to VPNs, but can I install WireGuard on a DigitalOcean droplet and use the EdgeRouter as client?

I'm trying to set up a whole-home VPN but not lose too much speed or performance.

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@alexy

Sure.

New Member
Posts: 22
Registered: ‎05-20-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter

[ Edited ]

First of all,

 

Thank you immensely for this port. It's a real life saver for edgemax routers as OpenVPN is very slow indeed.

I'm getting about 50 Mbps between two ERLITE-3 routers some 200 km apart on two ISPs.

 

Now for the not so good part:

1st: Both endpoints are on dynamic IPv4 addresses and have DDNS in place for both.

The tunnel stops working as soon as one endpoint changes address, in which case the defined configuration shown by sudo wg showconf wg0 is not in sync anymore with the actual IP address that the DDNS already updated for the host.

 

example:

 

ER1:$ sudo wg showconf wg0
[Interface]
ListenPort = 51820
PrivateKey = 

[Peer]
PublicKey = 
AllowedIPs = 10.0.0.0/8
Endpoint = 93.115.66.178:51820

 

ER1:$ ping endpoint2.ddns.url 

PING  endpoint2.ddns (188.213.155.30) 56(84) bytes of data.

 

The endpoints are configured with the proper DDNS names, but the IPs never get updated on the run. Till now, to get the VPN going again I have to reboot the router (the one with the mismatched IPs from the wg standpoint vs the real one).

 

Is there a solution to this ? 

Also is there a way to reset the connection ? Already tried sudo ifconfig wg0 down and then up and it doesn't reset the connection.

 

-----------------------

 

2nd problem:

I want to get GRE-Bridge working on this tunnel because I need Layer2 for Steam in-home Streaming and very easily did (there's a very simple tutorial about it somewhere) .

The problem is that whenever there's high traffic involved one or both endpoint routers reboot (kernel panic?).

iperf3 for example ALWAYS makes one router reboot immediately.

 

Thank you very much !

Member
Posts: 128
Registered: ‎06-18-2013
Kudos: 110
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Hi @dlbogdan - for your dynamic DNS issue, simply add PersistentKeepalive = 25 or so to both ends.

 

For your GRE reboot, would you send the kernel output on the reboot? Send it as an email to team {at} wireguard {dot} com. Alternatively, find me in #wireguard on Freenode/IRC.
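
The stale-endpoint condition reported above (the address shown by wg showconf no longer matching what the DDNS name resolves to) can be checked and corrected without a reboot. The script below is an added example, not part of any post in this thread and not the package author's code; the function names, the use of getent for resolution, IPv4-only handling and running it periodically as root are assumptions.

```shell
#!/bin/sh
# Added example: re-point a WireGuard peer at the address its DDNS name
# currently resolves to. IPv4 only, matching the setup in the post.
WG=${WG:-wg}   # overridable so the logic can be exercised without a tunnel

# Print the endpoint (ip:port) recorded for one peer, reading the
# tab-separated output of `wg show <iface> endpoints` on stdin.
endpoint_for_peer() {
    awk -F '\t' -v key="$1" '$1 == key { print $2 }'
}

# Succeeds (exit 0) when the endpoint's IP differs from the resolved IP.
endpoint_is_stale() {
    [ "${1%:*}" != "$2" ]
}

# First IPv4 address for a host name, via the system resolver.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# refresh_endpoint <iface> <peer-public-key> <ddns-host> <port>
refresh_endpoint() {
    iface=$1 key=$2 host=$3 port=$4
    current=$("$WG" show "$iface" endpoints | endpoint_for_peer "$key")
    resolved=$(resolve_ipv4 "$host")
    # Do nothing on a failed lookup rather than setting an empty endpoint.
    [ -n "$resolved" ] || { echo "cannot resolve $host" >&2; return 2; }
    if endpoint_is_stale "$current" "$resolved"; then
        echo "$iface: $current -> $resolved:$port"
        "$WG" set "$iface" peer "$key" endpoint "$resolved:$port"
    fi
}

# Run only when called with arguments, e.g. from cron as root.
if [ "$#" -ge 4 ]; then refresh_endpoint "$@"; fi
```

The peer is identified by its public key, so only the endpoint address changes; the key and AllowedIPs configured for that peer stay as they are.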

 
