e9a02f6e5d4b3d89f5d6f6ec1e95f885e626ae5d
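--- a/howto/vyos1.4.x.md
+++ b/howto/vyos1.4.x.md
@@ -110,81 +110,107 @@ generate pki wireguard key-pair
 Private key: SOoPQdMdmXE3ssp0/vwwoIMhQqvcQls+DhDjmaLw03U=
 Public key: ArkXeK1c0pCWCouePcRRBCQpXfi4ZIvRFFwTxO60dxs=
 ```
-To retrieve keys later
+
+If you choose to generate unique keypairs for peerings, you can generate and install the keypair in a single command. Note that you have to be in `configure` mode, at the top level, as shown below:
+```shellsession
+vyos@vyos$ configure
+
+[edit]
+vyos@vyos# run generate pki wireguard key-pair install interface wg4242424242
+1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
+Corresponding public-key to use on peer system is: 'UcqcZsJvq1MlYgo3gObjaJ8FH+N7wkfV+EH3YDAMyRE='
+[edit]
+vyos@vyos-home# show interfaces wireguard wg4242424242
++private-key kHCqfe/GZ8phoNnWfkL3+joXi/qK3ZfdfAnlNuX/9FU=
 ```
-show wireguard keypairs pubkey [key name]
+
+To retrieve keys later, use the op-mode command `show interfaces wireguard wg4242424242 public-key`.
 
 Example:
-show wireguard keypairs pubkey default
-ArkXeK1c0pCWCouePcRRBCQpXfi4ZIvRFFwTxO60dxs=
+```shellsession
+vyos@vyos$ show interfaces wireguard wg4242424242 public-key
+UcqcZsJvq1MlYgo3gObjaJ8FH+N7wkfV+EH3YDAMyRE=
 ```
 
-### Configure First Peer
+### Configure First Peer's tunnel
+This example assumes that your ASN is 4242421234 and your peer's ASN is 4242424242
 ```
-set interfaces wireguard wg1234 description 'ASnnnnnnn - My First Peer'
-set interfaces wireguard wg1234 port '41234'
-set interfaces wireguard wg1234 private-key 'SOoPQdMdmXE3ssp0/vwwoIMhQqvcQls+DhDjmaLw03U='
+set interfaces wireguard wg4242424242 description 'AS4242424242 - My First Peer'
 
-# One of your DN42 IPv4 addresses (not really needed if you'll enable extended next-hop)
-set interfaces wireguard wg1234 address '172.20.20.1/32'
+# Common practice on DN42 is for peers to use 2+the last four digits of your peer's ASN as the port.
+# You will have to let your peer know what you choose for your port, as well as your clearnet IP address.
+set interfaces wireguard wg4242424242 port '24242'
+set interfaces wireguard wg4242424242 private-key 'SOoPQdMdmXE3ssp0/vwwoIMhQqvcQls+DhDjmaLw03U='
 
 # An arbitrary link-local IPv6 address (that you'll have to tell to your peer)
-set interfaces wireguard wg1234 address 'fe80::1234/128'
+set interfaces wireguard wg4242424242 address 'fe80::1234/64'
+
+# One of your DN42 IPv4 addresses (not really needed if you'll enable extended next-hop)
+set interfaces wireguard wg4242424242 address '172.20.20.1/32'
 
-set interfaces wireguard wg1234 peer location1 address '<clearnet ipv6 or ipv4 address of your peer wireguard endpoint>'
-set interfaces wireguard wg1234 peer location1 port '<wireguard endpoint port of your peer>'
+# Set your peer's clearnet endpoint information. You need to use an IPv4 or IPv6 address
+# (as opposed to a DNS name).
+# If you have a static IP address but your peer does not,
+# you can leave out this part of the configuration.
+set interfaces wireguard wg4242424242 peer location1 address '192.0.2.1'
+set interfaces wireguard wg4242424242 peer location1 port '21234'
 
 # You can allow everything here and relay on your firewall
-set interfaces wireguard wg1234 peer location1 allowed-ips '0.0.0.0/0'
-set interfaces wireguard wg1234 peer location1 allowed-ips '::/0'
-set interfaces wireguard wg1234 peer location1 public-key '<wireguard public key of your peer>'
+set interfaces wireguard wg4242424242 peer location1 allowed-ips '0.0.0.0/0'
+set interfaces wireguard wg4242424242 peer location1 allowed-ips '::/0'
+set interfaces wireguard wg4242424242 peer location1 public-key '<wireguard public key of your peer>'
 
 # (persistent-keepalive option could be optional, but in my case I noticed that helps starting BGP session)
-set interfaces wireguard wg1234 peer location1 persistent-keepalive '60'
+set interfaces wireguard wg4242424242 peer location1 persistent-keepalive '60'
 
 # Configure firewall
-set firewall interface wg1234 in ipv6-name 'Tunnels_In_v6'
-set firewall interface wg1234 in name 'Tunnels_In_v4'
-set firewall interface wg1234 local ipv6-name 'Tunnels_Local_v6'
-set firewall interface wg1234 local name 'Tunnels_Local_v4'
+set firewall interface wg4242424242 interface-group ipv6-name 'Tunnels_In_v6'
+set firewall interface wg4242424242 interface-group name 'Tunnels_In_v4'
+set firewall interface wg4242424242 local ipv6-name 'Tunnels_Local_v6'
+set firewall interface wg4242424242 local name 'Tunnels_Local_v4'
 
 ```
 
 ## BGP
 Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
 ### Initial Router Setup
-`set protocols bgp system-as '424242XXXX'`
-
-_Insert your ASN_
+```
+# Set your ASN and IP blocks
+set protocols bgp system-as '4242424242'
 
-`set protocols bgp address-family ipv4-unicast network 172.20.20.0/24`
-`set protocols bgp address-family ipv6-unicast network fd88:9deb:a69e::/48`
+set protocols bgp address-family ipv4-unicast network 172.20.20.0/24`
+set protocols bgp address-family ipv6-unicast network fd88:9deb:a69e::/48`
 
-_Insert your assigned network blocks. Note that they should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
+# Note that your address blocks should match your exact prefix as listed in the registry.
+# if you try to advertise a subnet of your assigned block, it could get filtered by some peers.
 
-`set protocols bgp parameters router-id '172.20.20.1'`
+# To keep it simple, just make your router ID match your lower IP within the DN42 registered space.
+set protocols bgp parameters router-id '172.20.20.1'
+```
 
-_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
 
 ### Neighbor Up With Peers
 #### Option 1: MP-BGP (with Multi Protocol) - with Extended Next-Hop
 ```
-set protocols bgp neighbor fe80::1234 interface remote-as '<your peer ASN>'
-set protocols bgp neighbor fe80::1234 interface source-interface 'wg1234'
-set protocols bgp neighbor fe80::1234 remote-as '<your peer ASN>'
+# For these examples, your peer's link-local address is fe80::4242
+
+set protocols bgp neighbor fe80::4242 interface v6only remote-as '4242424242'
+set protocols bgp neighbor fe80::4242 remote-as '4242424242'
+set protocols bgp neighbor fe80::4242 interface source-interface 'wg4242424242'
+set protocols bgp neighbor fe80::4242 update-source 'wg4242424242'
 
-set protocols bgp neighbor fe80::1234 capability extended-nexthop
+set protocols bgp neighbor fe80::4242 capability extended-nexthop
 
-set protocols bgp neighbor fe80::1234 address-family ipv4-unicast
-set protocols bgp neighbor fe80::1234 address-family ipv6-unicast
+set protocols bgp neighbor fe80::4242 address-family ipv4-unicast
+set protocols bgp neighbor fe80::4242 address-family ipv6-unicast
 ```
 #### Option 2: BGP (no Multi Protocol) - no Extended Next-Hop
 ```
 # First, we set the ipv6 part.
-set protocols bgp neighbor fe80::1234 interface remote-as '<your peer ASN>'
-set protocols bgp neighbor fe80::1234 interface source-interface 'wg1234'
-set protocols bgp neighbor fe80::1234 remote-as '<your peer ASN>'
-set protocols bgp neighbor fe80::1234 address-family ipv6-unicast
+set protocols bgp neighbor fe80::4242 interface remote-as '4242424242'
+set protocols bgp neighbor fe80::4242 interface source-interface 'wg4242424242'
+set protocols bgp neighbor fe80::4242 remote-as '4242424242'
+set protocols bgp neighbor fe80::4242 address-family ipv6-unicast
 
 # For the ipv4 part we need to add first a static ipv4 route to our peer tunneled ipv4 address
 set protocols static route 172.20.x.y interface wg1234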