Jump to:navigation, search
Wiki

WireGuard Roadwarrior VPN (S2E)

From Securepoint Wiki




























In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden








































































































{{var | Schlüsselmanagement Schlüssel tauschen | notempty<div class="Hinweis-Container__einblenden color-box-shadow em1 fs__icon__em1 bc__hgrau g}
Mit den Schlüsseln vom Typ x25519 muss noch folgendes getan werden: " ><i class="UTM fal fa-exclamation-triangle g}
Mit den Schlüsseln vom Typ x25519 muss noch folgendes getan werden:

em1 pdr2 pdt1 baseline" title="">
Diese Schritte sind unnötig, wenn die Schlüsselwerte direkt im Einrichtungsassistenten generiert werden.
<i class="UTM fal none g}
Mit den Schlüsseln vom Typ x25519 muss noch folgendes getan werden: em1 pdl5 pdt1 baseline">


In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden




































































Configure Roadwarrior VPN (S2E) with Wireguard

Last adaptation to the version: 12.7.1

New:
Last updated: 
notempty
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN WireGuard









Configure Roadwarrior VPN (S2E) with Wireguard

Last adaptation to the version: 12.6.2

New:
Last updated: 
    12.2024
notempty
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN WireGuard
notempty
New as of: v12.6

Key management

When creating a WireGuard connection, there are several options for generating and managing the necessary key values. Each of these options has its advantages and disadvantages.
For two options, the required private or public key value is created directly in the WireGuard connection setup wizard.
The third option requires existing keys of type x25519.

Add key
Open key management under Authentication Key  with button Add key
Caption Value Description Add key UTMuser@firewall.name.fqdnAuthenticationKey
Name: x25519-device Freely selectable name (without spaces)
Type: X25519 Select X25519 as type
Close dialog with Save and close button.
Export key
Public part (PEM) Private part (PEM) Export key in .pem format Key UTMuser@firewall.name.fqdnAuthentication Key management

Export target: clipboard
ED25519/X25519 Export Format: PEM
Public part (PEM) Private part (PEM)		 Copies the key in .pem format to the clipboard
Import key
Import key Opens the key import dialog Import key UTMuser@firewall.name.fqdnAuthenticationKey Upload
Source: file Import key from .pem file
Source: Clipboard Imports a key from the clipboard.
A name for the key must be assigned here.


Create WireGuard connection



Given may the following configuration:

UTM network location B Transfer network
FQDN a.vpn.anyideas.de b.vpn.anyideas.de
Local network IPv4 10.1.0.0/16 10.2.0.0/16 10.0.1.0/24
Local tunnel IPv4 10.0.1.1/24 10.0.1.2/24
Local network IPv6 fd00:a:0:0::0/64 fd00:b:0:0::0/64 fd00:0:0:0::0/64
Local tunnel IPv6 fd00:0:0:0::1/128 fd00:0:0:0::2/128
UTM Roadwarrior Transfer network
FQDN a.vpn.anyideas.de
Local network IPv4 10.1.0.0/16 10.0.1.0/24
Local tunnel IPv4 10.0.1.1/24 10.0.1.201/24
Local network IPv6 fd00:a:0:0::0/64 fd00:0:0:0::0/64
Local tunnel IPv6 fd00:0:0:0::1/128 fd00:0:0:0::C9/128
Configuration UTM

Start assistant with the button Add WireGuard Connection

Step 1 - Import configuration
UTM network Step 1 - Import configuration
Caption Value Description Add WireGuard connection UTMuser@firewall.name.fqdnVPNWireGuard WireGuard assistant - Step 1
file: Select a file If a WireGuard server configuration already exists, the server configuration can be uploaded as a file.
The corresponding settings are automatically entered in the respective elements in the following steps.
  • If several peers are available, only the first peer is used.
    • Configuration:     If a WireGuard server configuration already exists, the server configuration can be copied into this configuration field.
    The corresponding settings are automatically entered in the respective elements in the following steps.
  • If several peers are available, only the first peer is accepted.

    • [Interface] Address = 10.0.0.1/24 Address = C0FF::EEEE/64 ListenPort = 51824 PrivateKey = interfacePrivateKeyaaaaaaaaaaaaaaaaaaaaaaaa= [Peer] AllowedIPs = 10.0.0.2/32, 10.0.0.3/32 AllowedIPs = 10.0.0.4/32 Endpoint = 1.2.3.4:51825 PersistentKeepalive = 30 PresharedKey = peerPresharedKeyaaaaaaaaaaaaaaaaaaaaaaaaaaa= PublicKey = peerPublicKeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=

    Step 2 - Interface
    UTM network Step 2 - Interface
    Interface: wg0 Name of the interface that will be created for the connection (automatic default, cannot be changed)
    WireGuard assistant - Step 2
    Name: wg_server Unique name for the connection
    IPv4 address: 10.0.1.1/24 IPv4 address for the network interface of the transfer network at location A
    This determines the network IP of the transfer net (here: 10.0.1.1/24)
    IPv6 address: fd00:0:0:0::1/64 IPv6 address for the network interface of the transfer network at location A (optional)
    This determines the network IP of the transfer net (here: fd00:0:0:0::1/64)
    Listening Port: 51820 Default-Port for WireGuard connections
    Private key:
    Generate automatically A private key value is generated automatically.
  • This key value is not displayed!
  • This key is not added in Authentication Key !
    • Enter key value directly     The key value is entered directly.
  • This key is not added in Authentication Key !

    • notempty
    The key value cannot be read out later for security reasons.

    notempty
    If a file was imported or the configuration entered in Step 1 - Import configuration, this option is automatically selected and the private key value is read from the configuration file and entered here.
    View
    Hide    		 Views / hides the key value
    Generate The key value is generated
    Select from keys x25519_a.vpn Private key in x25519 format.
    Only those keys that also have a private key part can be selected.
    Add key If there is no local key in x25519 format yet, this button can be used to generate one.
    Share server networks globally:     Networks on the (local) server side that the WireGuard tunnels of the peers can access in principle.notempty
    For the actual access additional network objects and portfilter rules are needed!
    Step 3 - Peer
    UTM network Step 3 - Peer
    Peer type: PeerAD user Local user The type of peers
    S2S connections should always be set up with the Peer type
    Instructions for step 3 - Peer with AD connection
    Instructions for step 3 - Peer with local users
    WireGuard assistant - Step 3
    Name: peer-b Description of remote terminal
    Share peer networks: »10.0.1.201/32 »fd00:0:0:0::C9/128 IP from the transfer network (».../32 or »...128)
  • A roadwarrior uses only the tunnel IP
    • notempty
    For the actual access additional network objects and portfilter rules are needed!
    Endpoint: b.vpn.anyideas.de Public IP or within the public DNS resolvable FQDN of the remote terminal (here: Location B)
  • Is not required, if only the remote terminal (here: Location B) initiates the connection
    • Endpoint Port: 51820 Listening-port of the remote terminal (here: Location B)
    Public key:
    Enter key value directly     Public key value of the remote peer.
  • This key is not added in Authentication Key !

    • notempty
    If a file was imported or the configuration entered in Step 1 - Import configuration, this option is automatically selected and the private key value is read from the configuration file and entered here.
    Calculate from private key value     Calculates the key value from the private key value entered in Step 2 - Interface'
  • This key is not added in Authentication Key !

    • notempty
    The key value cannot be read out later for security reasons.
    View
    Hide    		 Views / hides the key value
    Generate The key value is generated
    Copy to clipboard Copies the key value to the clipboard
    Select from keys x25519 b vpn pub pem Public key of the roadwarrior in x25519 format.
    Only keys that have 'no private key can be selected.
  • Public key present but not selectable?
    Only keys for which there is not yet a connection on this interface can be selected. The PublicKey must be unique within a connection, as the routing of incoming packets is carried out via it.
    If the same PublicKey is to be used for a peer, e.g. for a fallback, another WireGuard connection must be created for this.
    • Add key If the public key of the roadwarrior is not yet known, this button can be used to open the import of the key management.
    Export and import of the keys is also possible via the clipboard
    We recommend creating the key pair for the Roadwarrior on the UTM and then storing it securely.
    Approach:
    1. Press the button. This will open the Add Key dialog.
    2. Choose a meaningful name in Name:.
    3. As Type: select the X25519 form and Save and close
    4. The key created will be inserted and is listed under Authentication Key
    Pre-Shared Key (optional): ••••••••••••••••••••••••••• Pre-shared key for further securing the connection
    View
    Hide    		 Views / hides the key value
    Generate Generates a very strong pre-shared key notempty
    The pre-shared key must be identical at both ends of the VPN connection! It may only be generated on one side and must then be inserted on the other side.
    Copy to clipboard Copies the PSK to the clipboard
    Keepalive: Off Regularly sends a signal. This keeps connections open on NAT routers. On Activation is recommended.
  • For this function to work without complications, the system time must be set correctly!
    • 25 Seconds Interval in seconds at which a signal is sent
    Step 3 - Peer AD user
    UTM network Step 3 - Peer AD user
    The default values are those configured under Authentication AD/LDAP Authentication  Area Advanced.
    Caption Value Description
    WireGuard Wizard - Step 3 with AD users as peers
    Values in the AD
    Peer type: PeerAD userLocal user AD user as peer
    WireGuard-Attributes (IPv4): extensionAttribute1 Attribute name in the AD, which contains the tunnel IPv4 for the RW as a value
    WireGuard-Attributes (IPv6): extensionAttribute2 Attribute name in the AD, which contains the tunnel IPv6 for the RW as a value
    WireGuard-public-key-attributes: extensionAttribute3 The public key of the user. The user must have the private key.
    Open AD/LDAP dialog: Off When activated, the dialog under Authentication AD/LDAP Authentication is opened.
    Finished Exits the wizard
    Step 3 - Peer Local user
    UTM network Step 3 - Peer Local user
    notempty
    New as of v12.7.1
    Caption Value Description
    WireGuard Wizard - Step 3 with local user as peers
    Peer type: PeerAD user Local user Local user as peer
    Open user dialogue: Off Opens the user settings after completing the wizard
    Finished Exits the wizard
    WireGuard can then be configured for the desired user under VPN WireGuard  button Add local user as peer by clicking edit. More detailed information can be found here.
    Step 4 - Advanced settings
    UTM network Step 4 - Advanced settings
    Create routes to the peer's networks:
    Yes
    No
    		Activation is not required.
    A Roadwarrior can be reached directly via its tunnel IP address. A route is therefore not necessary.
    WireGuard assistant - Step 4

































    Initial situation

    It may be desirable to set the routes for VPN connections only when the connection is actually established.

    • This prevents packets from being routed to the Internet and stored by Conntrack, thus preventing the connection from being established correctly
    • This can be advantageous, for example, if VoIP is to go through the tunnel
    • Load balancing via a second firewall is significantly simplified if only the UTM receives a route where the tunnel is actually established

    CLI command

    Connection via SSH or via menu Extras CLI :

    route get determines the correct connection ID

    route set id <ID> flags BLACKHOLE_IF_OFFLINE

    E.G.: route set id "2" flags BLACKHOLE_IF_OFFLINE
    This command discards packets to this destination if the route does not exist.
    With SSL VPN or Wireguard, for example, if the tunnel is not available.

    Generate zones: Yes Generates a new zone for the WireGuard port
    Zone Name: wireguard-wg0 Name for the WireGuard connection zone
    Generate network objects for peer: Yes
    »wg-net-peer_rw»wg-net6-peer_rw    		 Creates Yes button when enabled for network objects (IPv4 and if necessary IPv6) of the remote terminal. Automatic suggestion can also be changed.
    Network group: wg0-network Network group of the connection is displayed
    Generate rules between peer and internal-networks: No Generates Yes autogenerated rules that make commissioning easier. notempty
    It is essential to replace these rules with your own rules that allow only necessary services with necessary network objects.
     notempty
    These custom rules must always be created with the WireGuard interface and the internal network, even if the WireGuard tunnel leads to a DMZ network.
    Finished Exits the wizard


    Configuration roadwarrior
    Download client

    Download the client under https://www.wireguard.com/install

    WireGuard configuration client
    WireGuard Client
    Open client and add a blank tunnel
  • The entries in the config file each start after an equals sign followed by a space.
    		•
    Display the config file in the Windows client (Edit

    [Interface] PrivateKey = # PrivatKey für RW Address = # Netz-IP für den Roadwarrior DNS = # IP_DES_DNServers (optional), # Search Domain (optional) MTU = 1420 # (optional)
    [Peer] PublicKey = # PublicKey derUTM PresharedKey = # PresharedKey AllowedIPs = # Local net IPs behind the UTM Endpoint = # IP/Hostname of the UTM :PPort of the WG instance persistentkeepalive = # (optional)

    Name: wg-vpn-UTM_Network Freely selectable name (without spaces)
    Public key: sFWO… …LmDM=
    Configuration window
    [Interface]
    PrivateKey = uIp… …9E3XA= When creating a blank tunnel, a PrivateKey is assigned automatically
  • We recommend creating the PrivateKey on the UTM to store it securely.
    The PrivateKey can be exported on the UTM in RAW format and then entered here.
    • Address = 10.0.1.201/32 Tunnel IP for the roadwarrior
    DNS = 10.0.1.1, beispiel.local Optional Server via which the client should resolve names during an existing connection. In addition, a search domain can be entered here so that computers can be found using their host name without specifying the FQDN. Entries are separated by a comma and a space.
    MTU = 1420 Optional Defines the size of a data packet. Must be between 1300 and 1500. 1420 is the default.
    ListenPort = 51820 Optional' The port on which data reaches the client. Is assigned dynamically and unset by the client. The same port can be used on the server and client side (even with multiple clients).
    [Peer]
    PublicKey = beN9ikz… …Do= PublicKey of the UTM
    PresharedKey = 29… …/Wipaxs= PresharedKEy from the UTM
    AllowedIPs = 10.1.0.0/16 Local net IPs behind the UTM
    Endpoint = a.vpn.anyideas.de:51820 IP/Hostname of the UTM :PPort of the WG instance
    persistentkeepalive = 25 Keepalive

    Widget

    There is a widget in the admin interface for the overview of WireGuard connections. Further information can be found in the Wiki article UTM Widget.





























    In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
    Diese Seite wird auf folgenden Seiten eingebunden





















    Connection Rate Limit

    Throttling of access from certain source IPs to recurring ports

    notempty

    The function is still in the testing phase and will be further expanded.
    The function can initially only be configured via the CLI

    The function aims to protect against attacks.
    SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

    From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
    The following conditions apply:

    • Only incoming connections for which a default route exists are monitored
    • The connections from an IP address to a port of the UTM are counted within one minute
    • When activated, 5 connections / connection attempts per minute are permitted.
      The connections are then limited:
      • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
      • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
      • 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
    • Blocking an IP address only affects access to the port that has been used too often.


    Other ports can still be accessed.

    • The function is activated by default for new installations on 20 UDP connections / minute on all ports
    • For Updates the function must be manually activated
    extc-Variable Default Description
    CONNECTION_RATE_LIMIT_TCP 0 Number of permitted TCP connections of an IP address per port
    0 = Function deactivated, no blocking is performed
    CONNECTION_RATE_LIMIT_TCP_PORTS Ports to be monitored. Empty by default=all ports would be monitored (if activated).
    Individual ports are separated by spaces: [ 1194 1195 ]
    CONNECTION_RATE_LIMIT_UDP 20 / 0
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
    		Number of permitted UDP connections of an IP address per port
    CONNECTION_RATE_LIMIT_UDP_PORTS Ports to be monitored. Empty by default=all ports are monitored (only for new installations!).
    Individual ports are separated by spaces: [ 1194 1195 ]

    Configuration with CLI commands

    CLI command Function
    extc value get application securepoint_firewall
    Alternatively as root user:
    spcli extc value get application securepoint_firewall | grep RATE     		Lists all variables of the securepoint_firewall application.
    The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application |variable |value --------------------+-------------------------------+----- securepoint_firewall |… |… |CONNECTION_RATE_LIMIT_TCP |0 |CONNECTION_RATE_LIMIT_TCP_PORTS| |CONNECTION_RATE_LIMIT_UDP |20 |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule    		 Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule    		 Deactivates the monitoring of TCP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule     		Restricts the monitoring of TCP connections to ports 443 and 11115
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule    		 Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule    		 Deactivates the monitoring of UDP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule     		Restricts the monitoring of UDP connections to ports 1194 and 1195.
    (Example for 2 created SSL-VPN tunnels).
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    notempty

    Finally, the CLI command system update rule must be entered so that the values in the rules are applied.

    		For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/WireGuard-S2E&oldid=99149"