This article refers to a version that is no longer current!
The article for the latest version is here.
There is already a newer version of this article, but it refers to a Reseller-Preview.
Configure Roadwarrior VPN (S2E) with WireGuard
Last adaptation to the version: 12.5.1
New:
  • The endpoint port in setup step 2 can be set manually
  • AD users can be selected as peers
This article refers to a Reseller-Preview

12.2.5

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
Example: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115

Configuration under → VPN →WireGuard

Requirements

  • Key type x25519 on both sides of the WireGuard connection
  • The public x25519 key of the respective remote peer is available

Add key
Open the key management under → Authentication →Key and use the button Add key.
Assign a unique name and select X25519 as type.
Close the dialog with the Save button.

Export key
PEM: exports the key in .pem format
Use clipboard On, then PEM: copies the key in .pem format to the clipboard
An exported private key part is the peer's credential: transfer it only over a protected channel and delete transient copies afterwards.

Import key
Import key: opens the key import dialog
File: imports a key from a .pem file
Clipboard: imports a key from the clipboard
A name for the key must be assigned here.

Create WireGuard connection

  • One WireGuard connection can serve several peers
  • Each connection is secured with its own key pair
  • All peers of a connection use the connection's public key
  • Each peer needs its own key pair for authentication
    In addition, each peer should be protected with a strong pre-shared key (PSK).


Assume the following configuration (the first table is the site-to-site layout of the "UTM network" variant of this article, the second the roadwarrior layout used below):

Site-to-site (UTM network)
                     Location A          Location B          Transfer net
FQDN                 a.vpn.anyideas.de   b.vpn.anyideas.de
Local network IPv4   10.1.0.0/16         10.2.0.0/16         10.0.1.0/24
Local tunnel IPv4    10.0.1.1/24         10.0.1.2/24
Local network IPv6   fd00:a:0:0::0/64    fd00:b:0:0::0/64    fd00:0:0:0::0/64
Local tunnel IPv6    fd00:0:0:0::1/64    fd00:0:0:0::2/64

Roadwarrior
                     UTM (location A)    Roadwarrior         Transfer net
FQDN                 a.vpn.anyideas.de
Local network IPv4   10.1.0.0/16                             10.0.1.0/24
Local tunnel IPv4    10.0.1.1/24         10.0.1.201/24
Local network IPv6   fd00:a:0:0::0/64                        fd00:0:0:0::0/64
Local tunnel IPv6    fd00:0:0:0::1/64    fd00:0:0:0::C9/64
Configuration UTM

Start the assistant with the button Add WireGuard Connection.

Step 1 - Interface (WireGuard assistant - Step 1)

Interface: wg0
    Name of the interface that is created for the connection (automatic default, cannot be changed)
Name: wg_server
    Unique name for the connection
IPv4 address: 10.0.1.1/24
    IPv4 address of the network interface in the transfer network at location A. This determines the network IP of the transfer net (here: 10.0.1.1/24).
IPv6 address: fd00:0:0:0::1/64
    IPv6 address of the network interface in the transfer network at location A (optional). This determines the network IP of the transfer net (here: fd00:0:0:0::1/64).
Listening Port: 51820
    Default port for WireGuard connections. Whatever is entered here must be reachable from the internet (UDP) and is the port the roadwarrior uses in its Endpoint.
Private key: x25519_a.vpn
    Private key in x25519 format. Only keys that also have a private key part can be selected.
    If there is no local key in x25519 format yet, the button next to the field generates one.
Share server networks globally:
    Networks on the (local) server side that the WireGuard tunnels of the peers may reach in principle.
    Note: for actual access, additional network objects and port filter rules are needed!
Step 2 - Peer (WireGuard assistant - Step 2)

Use AD users as peers: No
    When enabled (On), the data for roadwarriors is read from an AD. The default values are those configured under → Authentication →AD/LDAP Authentication, tab Advanced.
    WireGuard attribute (IPv4): extensionAttribute1
        Name of the AD attribute whose value is the tunnel IPv4 of the roadwarrior
    WireGuard attribute (IPv6): extensionAttribute2
        Name of the AD attribute whose value is the tunnel IPv6 of the roadwarrior
    WireGuard public key attribute: extensionAttribute3
        The user's public key. The user must hold the matching private key.
    Open AD/LDAP dialog: Off
        When enabled, the dialog under → Authentication →AD/LDAP Authentication is opened afterwards.
    Finish: ends the assistant
    Note: with this option, whoever can write these three attributes on a user object effectively issues that user's VPN identity. Restrict write access to them as you would to any credential store.
Name: peer-rw
    Description of the remote peer
Allowed IPs: »10.0.1.201/32 »fd00:0:0:0::C9/128
    IP from the transfer network, as host routes (».../32 or ».../128)
    • A roadwarrior uses only its tunnel IP
    • Note: for actual access, additional network objects and port filter rules are needed!
Endpoint:
    Not needed, because only the remote peer (the roadwarrior) initiates the connection
Endpoint Port:
    Can be set manually; likewise not needed for a roadwarrior
Public key: x25519_b_vpn
    Public key of the roadwarrior in x25519 format. Only keys that have no private key part can be selected.
    • Public key present but not selectable?
      Only keys for which there is not yet a peer on this interface can be selected. The public key must be unique within a connection, because incoming packets are assigned to a peer via it.
      If the same public key is to be used for a further peer, e.g. as a fallback, a separate WireGuard connection must be created for it.
    • If the public key of the roadwarrior is not yet known, the button next to the field opens the import dialog of the key management.
      Export and import of the keys is also possible via the clipboard.
      We recommend creating the key pair for the roadwarrior on the UTM and then storing it securely.
      Procedure:
      1. Click the button. This opens the key management with the import dialog.
      2. Close the import dialog.
      3. Button Add key
      4. Choose a unique name
      5. Select X25519 as type and Save
      6. Export the private part and the public part of the key in RAW format
         (The format matters, because this is the form the roadwarrior's configuration file expects.)
      7. Afterwards import the public part of the key again
         (This is necessary because the assistant's selection dialog only offers keys without a private key part.)
         The private part of the key belongs to the counterpart device; in the WireGuard client it is entered under PrivateKey.
      A private key that remains on the UTM is only as safe as the UTM's key store. If the roadwarrior can generate its own key pair (the WireGuard client does so for a new tunnel), importing only its public key into the UTM is the more conservative option.
Pre-Shared Key: …8DmBioPyPNqZ7Rk=
    Pre-shared key for additionally securing the connection (optional). The first button generates a very strong pre-shared key, the second copies it to the clipboard.
    • The pre-shared key must be identical at both ends of the VPN connection!
Keepalive: Off
    Regularly sends a packet so that NAT routers keep the mapping open. Activation (On) is recommended.
    25 seconds: interval at which the keepalive is sent
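The key management section above exports keys as .pem, while step 6 of the procedure and the roadwarrior's configuration file need the RAW (base64) form, and step 7 needs the public part matching the exported private part. The following is an added example, not code from the UTM or the WireGuard project: it strips the PEM/DER framing that standard X25519 keys carry (PKCS#8 for private, SubjectPublicKeyInfo for public, per RFC 8410; it is assumed here that the UTM's PEM export uses this standard framing), derives the public key from the private key so an exported pair can be cross-checked, and generates a pre-shared key the way `wg genpsk` does. The sample PEM is constructed from the RFC 7748 test vector, not a real deployment key. The X25519 ladder is a straight RFC 7748 transcription and is not constant-time; it is meant for format conversion and checking, not as a production primitive.

```python
"""Convert UTM PEM-exported x25519 keys to WireGuard raw base64, derive the
public key from the private key, and generate a PSK. Standard library only."""
import base64
import secrets

P = 2**255 - 19           # field prime of Curve25519
A24 = 121665              # (486662 - 2) / 4, RFC 7748
BASEPOINT = b"\x09" + b"\x00" * 31

# Fixed DER framings for X25519 keys (RFC 8410); the 32 key bytes follow directly.
PKCS8_PRIV_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")  # PrivateKeyInfo
SPKI_PUB_PREFIX = bytes.fromhex("302a300506032b656e032100")           # SubjectPublicKeyInfo


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; scalar is clamped per spec.
    Not constant-time (the swap is a plain branch)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_from_private(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def raw_from_pem(pem: str) -> bytes:
    """Strip the fixed DER framing; refuse anything that is not an X25519 key."""
    der = pem_to_der(pem)
    for prefix in (PKCS8_PRIV_PREFIX, SPKI_PUB_PREFIX):
        if der.startswith(prefix) and len(der) == len(prefix) + 32:
            return der[len(prefix):]
    raise ValueError("not an X25519 key in PKCS#8/SPKI PEM form")


def wg_key(raw: bytes) -> str:
    """WireGuard's textual key form: base64 of the 32 raw bytes (44 characters)."""
    return base64.b64encode(raw).decode()


def raw_from_wg_key(key: str) -> bytes:
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return raw


def wg_keys_from_private_pem(pem: str) -> dict:
    """PrivateKey / PublicKey values for the client config, from one PEM private key."""
    priv = raw_from_pem(pem)
    return {"private": wg_key(priv), "public": wg_key(public_from_private(priv))}


def generate_psk() -> str:
    """Equivalent of `wg genpsk`: 32 CSPRNG bytes, base64."""
    return wg_key(secrets.token_bytes(32))


# Constructed sample: the RFC 7748 section 6.1 "Alice" key pair, wrapped the way a
# standard PEM export is structured. Not a real deployment key.
ALICE_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
SAMPLE_PRIVATE_PEM = der_to_pem(PKCS8_PRIV_PREFIX + bytes.fromhex(ALICE_PRIV_HEX), "PRIVATE KEY")
SAMPLE_PUBLIC_PEM = der_to_pem(SPKI_PUB_PREFIX + bytes.fromhex(ALICE_PUB_HEX), "PUBLIC KEY")

if __name__ == "__main__":
    keys = wg_keys_from_private_pem(SAMPLE_PRIVATE_PEM)
    # Cross-check: the exported public PEM must match the key derived from the private PEM.
    assert wg_key(raw_from_pem(SAMPLE_PUBLIC_PEM)) == keys["public"]
    print("PrivateKey =", keys["private"])
    print("PublicKey  =", keys["public"])
    print("PresharedKey =", generate_psk())
```

The cross-check in the main block is the practical point of step 7: whatever public key ends up selected in the assistant must be the one derived from the private key that goes into the client, otherwise the handshake silently never completes.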
Step 3 - Advanced settings (WireGuard assistant - Step 3)

Create routes to the peer's networks: No
    Activation (On) is recommended. Routes are created to the networks/hosts entered in step 2 under Allowed IPs, with the interface from step 1 as gateway.
Generate zones: No
    Generates a new zone for the WireGuard interface.
    Zone Name: wireguard-wg0
        Name of the zone for the WireGuard connection
Generate network objects for peer: No
    »net-wg-peer-b
    When enabled, creates network objects (IPv4 and, if applicable, IPv6) for the remote peer. The suggested name can be changed.
    Network group: wg0-network
        The connection's network group is displayed
Generate rules between peer and internal networks: No
    Generates autogenerated rules that ease the initial setup.
    Note: it is essential to replace these rules with your own rules that allow only the necessary services between the necessary network objects.
Finish: ends the assistant


Configuration roadwarrior

Download client
Download the client from https://www.wireguard.com/install

WireGuard client
Open the client and add an empty tunnel.
  • Each entry in the config file is written as "Key = value": the value starts after the equals sign and a space.
  • In the Windows client the config file is shown via Edit.

Template of the config file (text after # is a placeholder/comment):

    [Interface]
    PrivateKey = # private key of the roadwarrior
    Address = # tunnel IP of the roadwarrior
    DNS = # IP of the DNS server (optional), search domain (optional)
    MTU = 1420 # (optional)

    [Peer]
    PublicKey = # public key of the UTM
    PresharedKey = # pre-shared key
    AllowedIPs = # local networks behind the UTM
    Endpoint = # IP/hostname of the UTM:port of the WG instance
    PersistentKeepalive = # (optional)

Filled in for the configuration above:

Name: wg-vpn-UTM_Network
    Freely selectable name (without spaces)
Public key: spyO2… …8uEjBs=
    Public key belonging to the PrivateKey below; the client derives and displays it
Configuration window:
    [Interface]
    PrivateKey = eE4… …uZjO00k=
        When creating an empty tunnel, the client assigns a PrivateKey automatically.
        We recommend creating the PrivateKey on the UTM so it is stored securely: export it there in RAW format and enter it here.
    Address = 10.0.1.201/32
        Tunnel IP of the roadwarrior
    [Peer]
    PublicKey = beN9ikz… …Do=
        PublicKey of the UTM (the public part of the key selected in step 1)
    PresharedKey = 29… …/FWipaxs=
        PresharedKey generated on the UTM in step 2; must be identical on both sides
    AllowedIPs = 10.1.0.0/16
        Local networks behind the UTM that are routed through the tunnel
    Endpoint = a.vpn.anyideas.de:51820
        IP/hostname of the UTM:listening port of the WG instance from step 1
    PersistentKeepalive = 25
        Keepalive interval in seconds, as recommended in step 2

Note: on the client, AllowedIPs is also the routing table for the tunnel. With 10.1.0.0/16 alone, the UTM's own tunnel address 10.0.1.1 is not routed through the tunnel; add 10.0.1.0/24 (or 10.0.1.1/32) if the UTM itself should be reachable, and the IPv6 prefixes (fd00:a:0:0::0/64, fd00:0:0:0::0/64) if IPv6 is used. What the roadwarrior may actually reach is then decided by the network objects and port filter rules on the UTM, not by this list.
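Most failed roadwarrior setups come down to one of the points in the table above: a key that is not 32 base64-encoded bytes, a missing pre-shared key, an Endpoint without port, no keepalive behind NAT, or an AllowedIPs list that does not cover the UTM's tunnel address. The following is an added example (not UTM or WireGuard project code): a small parser for the client config in the format shown above plus a linter for exactly these checks. The sample configs are constructed from the page's values with placeholder keys (32 bytes of 0x01, not real key material); the default UTM tunnel address 10.0.1.1 is a parameter and is taken from the tables above.

```python
"""Lint a WireGuard roadwarrior client config for the common setup mistakes."""
import base64
import ipaddress
import re


def parse_wg_config(text):
    """Return [(section, {key: value}), ...] in file order. Text after '#' is
    dropped and keys are matched case-insensitively, as wg(8) does."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1).lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[1][key.lower()] = value
    return sections


def _is_wg_key(value):
    """A WireGuard key (private, public or PSK) is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def _networks(csv, findings, tag):
    nets = []
    for n in (s.strip() for s in csv.split(",")):
        if not n:
            continue
        try:
            nets.append(ipaddress.ip_network(n, strict=False))
        except ValueError:
            findings.append(f"{tag} AllowedIPs entry {n!r} is not a valid network")
    return nets


def lint_wg_config(text, utm_tunnel_ip="10.0.1.1"):
    """Return a list of human-readable findings; an empty list means the config
    passes every check. utm_tunnel_ip is the UTM's address in the transfer net."""
    findings = []
    sections = parse_wg_config(text)
    interfaces = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    if len(interfaces) != 1:
        return [f"expected exactly one [Interface] section, found {len(interfaces)}"]
    iface = interfaces[0]
    if not _is_wg_key(iface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey is not a base64-encoded 32-byte key")
    addresses = []
    for a in (s.strip() for s in iface.get("address", "").split(",")):
        if not a:
            continue
        try:
            addresses.append(ipaddress.ip_interface(a))
        except ValueError:
            findings.append(f"[Interface] Address {a!r} is not a valid IP/prefix")
    if not addresses:
        findings.append("[Interface] Address is missing")
    for addr in addresses:  # a roadwarrior owns a single tunnel IP, i.e. a host route
        if addr.network.prefixlen != addr.max_prefixlen:
            findings.append(f"[Interface] Address {addr} should be a host address (/32 or /128)")
    if not peers:
        findings.append("no [Peer] section")
    utm_ip = ipaddress.ip_address(utm_tunnel_ip)
    for i, peer in enumerate(peers, 1):
        tag = f"[Peer #{i}]"
        if not _is_wg_key(peer.get("publickey", "")):
            findings.append(f"{tag} PublicKey is not a base64-encoded 32-byte key")
        if "presharedkey" not in peer:
            findings.append(f"{tag} no PresharedKey; the UTM setup recommends one per peer")
        elif not _is_wg_key(peer["presharedkey"]):
            findings.append(f"{tag} PresharedKey is not a base64-encoded 32-byte key")
        endpoint = peer.get("endpoint", "")
        host, sep, port = endpoint.rpartition(":")
        if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{tag} Endpoint {endpoint!r} must be host:port (UTM listening port)")
        allowed = _networks(peer.get("allowedips", ""), findings, tag)
        if not allowed:
            findings.append(f"{tag} AllowedIPs is empty; nothing is routed into the tunnel")
        elif not any(utm_ip in n for n in allowed if n.version == utm_ip.version):
            findings.append(f"{tag} AllowedIPs does not cover the UTM tunnel address {utm_ip}; "
                            "add the transfer net if the UTM itself must be reachable")
        keepalive = peer.get("persistentkeepalive")
        if keepalive is None:
            findings.append(f"{tag} PersistentKeepalive missing; recommended for clients behind NAT")
        elif not keepalive.isdigit() or int(keepalive) == 0:
            findings.append(f"{tag} PersistentKeepalive {keepalive!r} must be a positive integer")
    return findings


PLACEHOLDER_KEY = base64.b64encode(bytes([1]) * 32).decode()  # constructed, NOT a real key


def sample_config(allowed_ips, keepalive=True):
    """Constructed client config following the page's example values."""
    lines = ["[Interface]", f"PrivateKey = {PLACEHOLDER_KEY}", "Address = 10.0.1.201/32", "",
             "[Peer]", f"PublicKey = {PLACEHOLDER_KEY}", f"PresharedKey = {PLACEHOLDER_KEY}",
             f"AllowedIPs = {allowed_ips}", "Endpoint = a.vpn.anyideas.de:51820"]
    if keepalive:
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines)


AS_ON_PAGE = sample_config("10.1.0.0/16")                  # UTM tunnel IP not routed
CORRECTED = sample_config("10.1.0.0/16, 10.0.1.0/24")      # transfer net added

if __name__ == "__main__":
    for finding in lint_wg_config(AS_ON_PAGE) or ["no findings"]:
        print(finding)
```

Run against a real config file with `lint_wg_config(open(path).read())`; the linter only reads the file and never prints key material, so it can be used on the roadwarrior itself before the first connection attempt.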

Widget

The admin interface offers a widget that gives an overview of the WireGuard connections. Further information can be found in the Wiki article UTM Widget.