Set up WireGuard between two 13.2+ FreeBSD hosts

Hi,

I've searched Google, searched here, read the manual, but cannot find examples of how to set up WireGuard between 13.2+ FreeBSD hosts.
That is, in particular, making the config permanent.

Today I tried and was able to set up communications between a server and a client without installing ports or packages, using the system's native /usr/bin/wg command, both with parameters and using a config file.
All nice, all fine.

But there is no 'service wireguard enable' possible.
Nor are there additional ifconfig parameters available, unlike this post predicted (at the bottom):

And so the question arises: what is the appropriate or best method to make it permanent?
In rc.conf put cloned_interfaces="wg0" and write the wg commands I've used into a /usr/local/etc/rc.d/wg0.sh ...?

Or is everybody still using the "legacy wireguard ports" ..?
Thanks in advance for your thoughts.

Leo.
 
net/wireguard-tools provides /usr/local/bin/wg-quick and /usr/local/etc/rc.d/wireguard so you can put wireguard_enable="YES" and wireguard_interfaces="wg0" in /etc/rc.conf.
As we say in Dutch, "because of the trees I couldn't see the forest".
So yes, that's almost exactly what I was looking for.

what is the appropriate or best method to make it permanent?
In rc.conf put cloned_interfaces="wg0" and write the wg commands I've used into a /usr/local/etc/rc.d/wg0.sh ...?

Just rambling out loud:

net/wireguard-tools installs such an rc script.
However, it also installs /usr/local/bin/wg while the OS already has /usr/bin/wg,
plus it makes Bash mandatory, while I highly doubt that's still truly needed.

So IMHO, the wg kernel module should come with an /etc/rc.d/wireguard, obsoleting any additional port.

Given the subcommands it will be impossible to please everyone; however, close to everyone would like to have a permanent config.

Attached a "sketch" of such. Any comments are welcome.
 

Attachments

  • wireguard.txt
I am also trying to bring up WireGuard on my testing VMs.
I have 2 VMs, both running 13.2-RELEASE; they can ping each other via em0.
Since WireGuard is already in the system, I did not install anything via pkg.
With ifconfig and the wg command I already have a wg0 link in my VM, but I'm really stuck here now.
Need help.

VM1:
em0 with 192.168.137.13/24
em1 with 10.128.1.1/24
wg0 with 192.0.0.1/32

VM2:
em0 with 192.168.137.14
em1 with 10.128.2.1/24
wg0 with 192.0.0.2/32

Here is the current status:

---- wg0 on the VM1
root@FB13A:~/test # wg show wg0
interface: wg0
public key: tCsTgl+vLKRN5jLxJ66riCysFsCEKTGmxuO/Fx43y1M=
private key: (hidden)
listening port: 54321

peer: uUqNrVTTAunZ68FUhaLQjDABONC2ONySUedsL6x8Uz0=
endpoint: 192.168.137.14:54321
allowed ips: 192.0.0.2/32

---- wg0 on the VM2
root@FB13B:~/test # wg show wg0
interface: wg0
public key: uUqNrVTTAunZ68FUhaLQjDABONC2ONySUedsL6x8Uz0=
private key: (hidden)
listening port: 54321

peer: tCsTgl+vLKRN5jLxJ66riCysFsCEKTGmxuO/Fx43y1M=
endpoint: 192.168.137.13:54321
allowed ips: 192.0.0.1/32

---- already have a route on VM1
root@FB13A:~/test # netstat -rn4 | grep wg0
10.128.2.0/24 link#4 US wg0

---- also the route on VM2
root@FB13B:~/test # netstat -rn4 | grep wg0
10.128.1.0/24 link#4 US wg0


Can someone please help!
I tried to turn on debugging with "ifconfig wg0 debug", but where do I check the debug messages?
 
Can you ping 192.0.0.2 from VM1 and ping 192.0.0.1 from VM2? If so, then the Wireguard link is working. If not, tcpdump -i wg0 might help. If you want to route traffic with source addresses in 10.128.1.0/25, you'll have to add those subnets to AllowedIPs.
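The AllowedIPs point in the reply above, worked through as an added example (my code, not from the thread): a kernel route such as "10.128.2.0/24 ... wg0" only decides that a packet leaves on wg0. WireGuard then performs its own lookup, the "cryptokey routing": on send, the destination must fall inside some peer's AllowedIPs or the packet is dropped; on receive, a decrypted packet whose source is outside that peer's AllowedIPs is dropped too. The POSIX sh functions below do that prefix-membership check for the addresses posted for VM1 (function names and the sample lists are mine; the peer key is the one shown in VM1's "wg show" output) and print the wg(8) "set ... allowed-ips" line that would cover the LAN behind VM2. VM2 needs the mirror image: its peer's AllowedIPs must contain 10.128.1.0/24 as well as 192.0.0.1/32.

```shell
#!/bin/sh
# Added example (not from the thread): POSIX sh check of whether a destination
# falls inside a WireGuard peer's AllowedIPs, i.e. the "cryptokey routing"
# decision that a kernel route over wg0 does NOT make for you.

# dotted-quad IPv4 -> unsigned integer (needs 64-bit shell arithmetic, as in FreeBSD sh, dash, bash)
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PLEN -> exit 0 if IP is inside NET/PLEN
in_cidr() {
    cidr_net=${2%/*}
    cidr_plen=${2#*/}
    if [ "$cidr_plen" -eq 0 ]; then
        cidr_mask=0
    else
        cidr_mask=$(( (0xFFFFFFFF << (32 - cidr_plen)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & cidr_mask )) -eq $(( $(ip2int "$cidr_net") & cidr_mask )) ]
}

# allowed_ips_cover DST "CIDR1,CIDR2,..." -> exit 0 if some AllowedIPs entry covers DST
allowed_ips_cover() {
    for aip in $(printf '%s\n' "$2" | tr ',' ' '); do
        in_cidr "$1" "$aip" && return 0
    done
    return 1
}

# check_peer IFNAME PUBKEY "ALLOWEDIPS" DST... -> one verdict line per destination,
# exit 1 if any destination would be dropped by WireGuard despite a kernel route
check_peer() {
    cp_ifn=$1; cp_key=$2; cp_allowed=$3; shift 3
    cp_rc=0
    for cp_dst in "$@"; do
        if allowed_ips_cover "$cp_dst" "$cp_allowed"; then
            echo "$cp_ifn peer ${cp_key%%=*}: $cp_dst is covered by AllowedIPs [$cp_allowed]"
        else
            echo "$cp_ifn peer ${cp_key%%=*}: $cp_dst is NOT in AllowedIPs [$cp_allowed]; dropped even with a route"
            cp_rc=1
        fi
    done
    return $cp_rc
}

# --- values taken from VM1's "wg show wg0" output in the thread ---
VM1_PEER_KEY="uUqNrVTTAunZ68FUhaLQjDABONC2ONySUedsL6x8Uz0="
VM1_PEER_ALLOWED_POSTED="192.0.0.2/32"                 # as posted: only VM2's tunnel address
VM1_PEER_ALLOWED_FIXED="192.0.0.2/32,10.128.2.0/24"    # plus the LAN on VM2's em1

# 192.0.0.2 (VM2's tunnel address) passes, 10.128.2.1 (VM2's em1) does not
check_peer wg0 "$VM1_PEER_KEY" "$VM1_PEER_ALLOWED_POSTED" 192.0.0.2 10.128.2.1 \
    || echo "fix on VM1: wg set wg0 peer $VM1_PEER_KEY allowed-ips $VM1_PEER_ALLOWED_FIXED"
# after the fix both destinations are covered
check_peer wg0 "$VM1_PEER_KEY" "$VM1_PEER_ALLOWED_FIXED" 192.0.0.2 10.128.2.1
```

The "wg set ... allowed-ips" line replaces the peer's whole AllowedIPs list, so the tunnel /32 has to be repeated alongside the LAN prefix; once it works, the same list belongs in the peer's AllowedIPs in the config file so it survives a reboot.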
 
Unfortunately WireGuard in base lacks an rc.d script, which makes setup a bit more painful; I still use the port for this very reason...
 
Unfortunately WireGuard in base lacks an rc.d script, which makes setup a bit more painful; I still use the port for this very reason...
That became the topic of this thread.
Still, with the non-corresponding port it's indeed not fantastic - yet, yes.

Below is my take on how /etc/rc.d/wireguard (or /etc/rc.d/wg ..?) ideally should look, IMHO.
But I'm not experienced in writing such code, so I'd expect the community might have better ideas.
Code:
#!/bin/sh

# PROVIDE: wireguard
# REQUIRE: NETWORKING
# KEYWORD: shutdown
#
# wireguard_enable (bool):    Set to "YES" to enable wireguard.
#                             (default: "NO")

. /etc/rc.subr

name=wireguard
rcvar=wireguard_enable
extra_commands="reload status"

start_cmd="${name}_start"
stop_cmd="${name}_stop"
reload_cmd="${name}_reload"
status_cmd="${name}_status"


wireguard_start()
{
    d="/etc/wireguard"
    # the directory holds private keys, so create it root-only
    if [ ! -d "${d}" ]; then mkdir -m 0700 "${d}"; fi
    # every wg(4) interface belongs to the "wg" interface group
    for ifn in $(/sbin/ifconfig -g wg); do

        f="${d}/${ifn}.key"
        if [ ! -f "${f}" ]; then
            echo "Generating secret key for ${ifn} in ${f}"
            (umask 0077; /usr/bin/wg genkey > "${f}")
        fi

        f="${d}/${ifn}.pub"
        if [ ! -f "${f}" ]; then
            echo "Generating public key for ${ifn} in ${f}"
            /usr/bin/wg pubkey < "${d}/${ifn}.key" > "${f}"
        fi

        f="${d}/${ifn}.conf"
        if [ ! -f "${f}" ]; then
            echo "Generating minimal config for ${ifn} in ${f}"
            # umask is set inside a subshell so it does not leak into the rest
            # of the script; printf instead of 'echo -e' keeps the tabs portable
            (
                umask 0077
                {
                    echo "[Interface]"
                    printf 'PrivateKey\t\t= '
                    /bin/cat "${d}/${ifn}.key"
                    printf '#ListenPort\t\t= 51820\n\n'
                    echo "#[Peer]"
                    printf '#PublicKey\t\t= BlAbLABlA/EtCeTcEtc=\n'
                    printf '#AllowedIPs\t\t= 10.X.X.1/32, 10.X.X.2/32\n'
                    printf '#PersistentKeepalive\t= 30\n'
                } > "${f}"
            )
        fi

        /sbin/ifconfig "${ifn}" destroy
        /sbin/ifconfig "${ifn}" create    # will take ifconfig_wgX="inet values" from /etc/rc.conf
        /usr/bin/wg setconf  "${ifn}" "${f}"
#       /usr/bin/wg syncconf "${ifn}" "${f}"
    done
}

wireguard_stop()
{
    for ifn in $(/sbin/ifconfig -g wg); do
        /sbin/ifconfig "${ifn}" down
    done
}

wireguard_reload()
{
    wireguard_start
}

wireguard_status()
{
    for ifn in $(/sbin/ifconfig -g wg); do
        /usr/bin/wg show "${ifn}"
    done
}

load_rc_config $name

: ${wireguard_enable="NO"}

run_rc_command "$1"
So this uses ifconfig to obtain the wg interfaces, and for each one looks in /etc/wireguard for an <interface>.conf file; if absent it generates a minimalistic one (and separate .key / .pub files).
So wireguard_interfaces is not used here; the wg interfaces can be defined in cloned_interfaces.

What also matters is that wg and wg-quick are supposed to work differently.
But when I tried to define "Address" or "DNS" I couldn't get that to work.

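Why "Address" and "DNS" do not work with the base system's wg: wg(8) setconf/syncconf only accepts the keys of its own configuration file format, PrivateKey, ListenPort and FwMark in [Interface], and PublicKey, PresharedKey, AllowedIPs, Endpoint and PersistentKeepalive in [Peer]. Address, DNS, MTU, Table and the Pre/PostUp/Down hooks are wg-quick(8) extensions, and wg-quick is exactly what net/wireguard-tools (and its Bash dependency) supplies. With the in-base tool the address goes where the sketch's own comment puts it, ifconfig_wgX in /etc/rc.conf. The following is an added example (my code, not from the thread or from FreeBSD): a POSIX sh linter for a file meant for "wg setconf" that flags wg-quick-only keys, a missing PrivateKey, a [Peer] without AllowedIPs, and a file mode looser than 0600, since the file carries the private key. The sample files it checks are constructed here; the peer key and endpoint are the ones posted for VM2, the private-key value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): lint a config file intended for
# /usr/bin/wg setconf|syncconf from the FreeBSD base system.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# called when a section ends: a [Peer] without AllowedIPs can neither send nor receive
finish_peer() {
    if [ "$lsec" = Peer ] && [ "$lpeer_aip" -eq 0 ]; then
        echo "$lf: peer #$lpeers has no AllowedIPs; it routes nothing"; lrc=1
    fi
}

# lint_wg_conf FILE [IFNAME]: print one finding per line, exit 1 if there were any
lint_wg_conf() {
    lf=$1; lifn=${2:-wg0}; lrc=0; lsec=""; lpriv=0; lpeers=0; lpeer_aip=1
    # the file holds PrivateKey, so it must not be group- or world-readable
    lmode=$(ls -ld "$lf" | cut -c1-10)
    if [ "$lmode" != "-rw-------" ]; then
        echo "$lf: mode is $lmode, expected -rw------- (file holds PrivateKey)"; lrc=1
    fi
    while IFS= read -r lline || [ -n "$lline" ]; do
        lline=$(trim "${lline%%#*}")          # drop comments and surrounding whitespace
        [ -z "$lline" ] && continue
        case $lline in
        \[*\])
            finish_peer
            lsec=${lline#[}; lsec=${lsec%]}
            [ "$lsec" = Peer ] && { lpeers=$((lpeers + 1)); lpeer_aip=0; }
            continue ;;
        esac
        lkey=$(trim "${lline%%=*}")
        lval=$(trim "${lline#*=}")
        case "$lsec/$lkey" in
        Interface/PrivateKey) lpriv=1 ;;
        Interface/ListenPort|Interface/FwMark) ;;
        Peer/AllowedIPs) lpeer_aip=1 ;;
        Peer/PublicKey|Peer/PresharedKey|Peer/Endpoint|Peer/PersistentKeepalive) ;;
        Interface/Address)
            echo "$lf: 'Address' is wg-quick only; with base wg put ifconfig_${lifn}=\"inet $lval\" in /etc/rc.conf"; lrc=1 ;;
        Interface/DNS|Interface/MTU|Interface/Table|Interface/PreUp|Interface/PostUp|Interface/PreDown|Interface/PostDown|Interface/SaveConfig)
            echo "$lf: '$lkey' is wg-quick only; wg setconf rejects it"; lrc=1 ;;
        *)
            echo "$lf: unknown key '$lkey' in section [$lsec]"; lrc=1 ;;
        esac
    done < "$lf"
    finish_peer
    [ "$lpriv" -eq 1 ] || { echo "$lf: [Interface] has no PrivateKey"; lrc=1; }
    return $lrc
}

# --- constructed sample files in a scratch directory (not real configs) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/wg0.conf" <<'EOF'
[Interface]
PrivateKey = REPLACE_WITH_OUTPUT_OF_wg_genkey
Address = 192.0.0.1/32        # wg-quick only
DNS = 10.128.1.53             # wg-quick only
ListenPort = 54321

[Peer]
PublicKey = uUqNrVTTAunZ68FUhaLQjDABONC2ONySUedsL6x8Uz0=
Endpoint = 192.168.137.14:54321
AllowedIPs = 192.0.0.2/32, 10.128.2.0/24
EOF
chmod 0644 "$demo_dir/wg0.conf"       # deliberately too permissive
lint_wg_conf "$demo_dir/wg0.conf" wg0 || echo "-> not usable with 'wg setconf wg0' as is"

# the setconf-compatible form: Address moved to rc.conf, DNS dropped, mode 0600
( umask 077; cat > "$demo_dir/wg0.setconf" <<'EOF'
[Interface]
PrivateKey = REPLACE_WITH_OUTPUT_OF_wg_genkey
ListenPort = 54321

[Peer]
PublicKey = uUqNrVTTAunZ68FUhaLQjDABONC2ONySUedsL6x8Uz0=
Endpoint = 192.168.137.14:54321
AllowedIPs = 192.0.0.2/32, 10.128.2.0/24
EOF
)
lint_wg_conf "$demo_dir/wg0.setconf" wg0 \
    && echo "-> ok for 'wg setconf wg0', together with ifconfig_wg0=\"inet 192.0.0.1/32\" in /etc/rc.conf"
rm -rf "$demo_dir"
```

The permission check reads the mode from "ls -ld" so it works unchanged on FreeBSD and Linux; the parser is line-based, so a value containing a "#" would be cut short, which base64 keys, addresses and ports never contain.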
Probably better as a Phabricator, no?
Totally agree, but what would be a good place to put it?

I tried to turn on debugging with "ifconfig wg0 debug", but where do I check the debug messages?
In /usr/local/etc/rc.d/wireguard there is a pointer to use this in /etc/rc.conf:
Code:
# wireguard_env (str):        Environment variables for the userspace
#                             implementation. (eg: "LOG_LEVEL=debug")
 