Wireguard Site-to-Site VPN (S2S) v12.2.5

notempty

Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty

Der Artikel für die neueste Version steht hier

notempty

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht

Configure Site-to-Site VPN (S2S) with Wireguard

Last adaptation to the version: 12.2.5

New:

Copy psk to clippboard
The wizard updates: (v12.2.3)
- The interface name is displayed with in the wizard (v12.2.3)
- Export and import of the keys is also possible via the clipboard (v12.2.3)
- The time period for the Keepalive signal is configurable (v12.2.3)

notempty

This article refers to a Resellerpreview

-

Configuration under → VPN →WireGuard

Requirements

Key type x25519 on both sides of the WireGuard connection
Public x25519 key of the respective remote terminal is available

Add key
Open key management under → Authentication →Key and with Button Add key
Assign a unique name and select X25519 as type Close dialog with Save button
Export key
PEM	Export key in .pem format	Key management
new as of v12.2.3 Use clipboard On PEM	Copies the key in .pem format to the clipboard
Import key
Import key	Opens the key import dialog
Datei	Import key from .pem file
Clipboard	Imports a key from the clipboard. A name for the key must be assigned here.

Create WireGuard connection

A WireGuard connection provides access for multiple peers if necessary
Each connection is secured with its own key pair
All peers of a connection use its public key
Each peer needs its own key pair for authentication
In addition, each peer should be secured with a strong PSK.

Given may the following configuration:

	Location A	location B	Transfer net
FQDN	a.vpn.anyideas.de	b.vpn.anyideas.de	–
Local network IPv4	10.1.0.0/16	10.2.0.0/16	10.0.1.0/24
Local tunnel IPv4	10.0.1.1/24	10.0.1.2/24	–
Local network IPv6	fd00:a:0:0::0/64	fd00:b:0:0::0/64	fd00:0:0:0::0/64
Local tunnel IPv6	fd00:0:0:0::1/64	fd00:0:0:0::2/64	–

	UTM	Roadwarrior	Transfer net
FQDN	a.vpn.anyideas.de	–	–
Local network IPv4	10.1.0.0/16	–	10.0.1.0/24
Local tunnel IPv4	10.0.1.1/24	10.0.1.201/24	–
Local network IPv6	fd00:a:0:0::0/64	–	fd00:0:0:0::0/64
Local tunnel IPv6	fd00:0:0:0::1/64	fd00:0:0:0::C9/64	–

Configuration at location A

Caption	Value	Description	WireGuard assistant - Step 1
Start assistant with the button Add WireGuard Connection Step 1 - Interface Location A Step 1 - Interface
Interface:	wg0	Name of the interface that will be created for the connection (automatic default, cannot be changed)
Name:	wg_server	Unique name for the connection
IPv4 address:	10.0.1.1/24	IPv4 address for the network interface of the transfer network at location A This determines the network IP of the transfer net (here: 10.0.1.1/24)
IPv6 address:	fd00:0:0:0::1/64	IPv6 address for the network interface of the transfer network at location A (optional) This determines the network IP of the transfer net (here: fd00:0:0:0::1/64)
Listening Port:	51820	Default-Port for WireGuard connections
Private key:	x25519_a.vpn	Private key in x25519 format. Only those keys that also have a private key part can be selected.
Private key:		If there is no local key in x25519 format yet, this button can be used to generate one.

Step 2 - Peer Location A Step 2 - Peer
Name:	peer-b	Description of remote terminal	WireGuard assistant - Step 2
Allowed IPs:	» ✕10.2.0.0/16» ✕ffd00:b:0:0::/64	Local network IP of the remote terminal
Endpoint:	b.vpn.anyideas.de:51820	Public IP or within the public DNS resolvable FQDN with listening-port of the remote terminal Is not required, if only the remote terminal initiates the connection
Public key:	x25519_b_vpn	Public key of the roadwarrior in x25519 format. Only keys that have 'no private key can be selected. Public key present but not selectable? Only keys for which there is not yet a connection on this interface can be selected. The PublicKey must be unique within a connection, as the routing of incoming packets is carried out via it. If the same PublicKey is to be used for a peer, e.g. for a fallback, another WireGuard connection must be created for this.
Public key:		If the public key of the remote terminal is not yet known, this button can be used to open the import of the key management. new as of v12.2.3: Export and import of the keys is also possible via the clipboard
Pre-Shared Key:	…8DmBioPyPNqZ7Rk=	Pre-shared key for further securing the connection (optional)
		Generates a very strong pre-shared key The pre-shared key must be identical at both ends of the VPN connection!
	v12.2.5	Copies the PSK to the clipboard
Keepalive:	Off	Regularly sends a signal. This keeps connections open on NAT routers. On Activation is recommended.
Keepalive:	25	Interval in seconds at which a signal is sent

Step 3 - General Location A Step 3 - General
Create routes to the peer's networks:	No	Activation On is recommended. Routes are created to the networks / hosts that were entered in step 2 under Allowed IPs with the interface as gateway that was displayed in step 1.	WireGuard assistant - Step 3
Generate zones:	No	Generates a new zone for the WireGuard port
Generate network objects for peer:	No » ✕net-wg-peer-b	Creates Yes button when enabled for network objects (IPv4 and if necessary IPv6) of the remote terminal. Automatic suggestion can also be changed.
Generate rules between peer and internal-networks:	No	Generates autogenerated rules that facilitate implementation. It is essential to replace these rules with your own rules that allow only necessary services with necessary network objects.

Configuration at location B Configuration at location B Start assistant with the button Add WireGuard Connection Step 1 - Interface location B Step 1 - Interface
Interface:	wg0	Name of the interface that will be created for the connection (automatic default, cannot be changed)	WireGuard assistant - Step 1
Name:	wg_server	Unique name for the connection
IPv4 address:	10.0.1.2/24 Correction 06,2022	IPv4 address for the network interface of the transfer network at location B Here you have to select an IP from the network that was set at location A (here: 10.0.1.2/24)
IPv6 address:	fd00:0:0:0::2/64 Correction 06,2022	IPv6 address for the network interface of the transfer network at location A (optional) Here you have to choose an IP from the network that has been defined at location A(here: fd00:0:0::2/64)
Listening Port:	51820	Default-Port for WireGuard connections
Private key:	x25519_a.vpn	Private key in x25519 format. Only those keys that also have a private key part can be selected.
Private key:		The public key was already needed in location A, hence there should already be a private key. If necessary, it can also be imported via the clipboard neu .

Step 2 - Peer location B Step 2 - Peer
Name:	peer-a	Description of remote terminal (here: Location A)	WireGuard assistant - Step 2
Allowed IPs:	» ✕10.1.0.0/16» ✕fd00:a:0:0::/64 Correction 06,2022	Site to Site - S2S Local network IP of remote terminal (here: Location A)
Endpoint:	a.vpn.anyideas.de:51820	Public IP or within the public DNS resolvable FQDN with listening-port of the remote terminal (here: Location A) Is not required, if only the remote terminal (here: Location A) initiates the connection
Public key:	x25519_a_vpn	Public key of the remote terminal (here: Location A) in x25519 format. Only keys that have noprivate key are selectable.
Public key:		If the public key of the remote terminal is not yet known, this button can be used to open the import of the key management.
Pre-Shared Key:	…R0Z0DWUs+iCDFYzpP4=	Pre-shared key for further securing the connection (optional)
		Generates a very strong pre-shared key The pre-shared key must be identical at both ends of the VPN connection!
	v12.2.5	Copies the PSK to the clipboard
Keepalive:	Off	Regularly sends a signal. This keeps connections open on NAT routers. On Activation is recommended.
Keepalive:	25	Interval in seconds at which a signal is sent

Step 3 - General location B Step 3 - General
Create routes to the peer's networks:	No	Activation On is recommended. Routes are created to the networks / hosts that were entered in step 2 under Allowed IPs with the interface as gateway that was displayed in step 1.	WireGuard assistant - Step 3
Generate zones:	No	Generates a new zone for the WireGuard port
Generate network objects for peer:	No » ✕net-wg-peer-a	Creates Yes button when enabled for network objects (IPv4 and if necessary IPv6) of the remote terminal. Automatic suggestion can also be changed.
Generate rules between peer and internal-networks:	No	Generates autogenerated rules that facilitate implementation. It is essential to replace these rules with your own rules that allow only necessary services with necessary network objects.

Fritzbox as remote terminal
If a third-party hardware is used as remote station, the following approach is recommended: Create key pair for the Fritzbox (→ Authentication →Key) Export public and private part of the key in .raw format Delete the key pair for the Fritzbox and reimport only the public part Add WireGuard connection as described above Export public key of UTM in .raw-format Complete the template below and add it to the Fritzbox under Internet / Shares / Tab VPN / Button Add VPN connection / Import a WireGuard connection option [Interface] PrivateKey = $PRIVATE_KEY_FRITZBOX ListenPort = $LISTENPORT_WIREGUARD_FRITZBOX Address = $LOCAL_IP_FRITZBOX/$NETMASK [Peer] PublicKey = $PUBLIC_KEY_UTM PresharedKey = $PRESHAREDKEY AllowedIPs = $NETWORK_UTM/$NETMASK Endpoint = $HOSTNAME_UTM:$LISTENPORT_WIREGUARD_UTM PersistentKeepalive = 1			Load video Vimeo Vimeo might collect personal data. Privacy Policy