VyOS - WireGuard Based Road Warrior VPN Configuration
In our modern, hyper-connected world, where remote work and global access are increasingly vital, the need for secure connectivity to your home or office network has evolved from a luxury to an essential requirement.
Whether you’re a professional in need of remote access to an office network or a passionate home lab enthusiast managing various services, a road-warrior style VPN is your key to top-tier, secure and hassle-free remote server access from anywhere in the world.
Whether you are managing a personal web server, delving into home automation experiments, or overseeing your own cloud services, this guide serves as your trusty roadmap, expanding on the principles covered in our previous post about establishing a site-to-site VPN with WireGuard and VyOS. We now shift our focus to the individual user’s perspective, bridging the geographical gap between your current location and the heart of your network from anywhere in the world. Together, we’ll navigate the process of configuring VyOS to function as a WireGuard VPN server, enabling you to access your digital realm with unwavering security and unrivaled ease.
Let’s dive in and get started!
Configure the WireGuard Server on VyOS
VyOS’ command line interface simplifies the configuration of a WireGuard server and makes client configuration a breeze as well.
All of the configuration for WireGuard on VyOS is done under the WireGuard interface configuration commands, which are prefixed with set interfaces wireguard $INTERFACE_NAME.
Setup Variables
I refer to these variables throughout this guide:
- SERVER_PUBLIC_IP - the server’s public IP address, i.e. the address clients connect to
- SERVER_PRIVATE_KEY - the server’s private key, generated by the generate pki wireguard key-pair command
- SERVER_PUBLIC_KEY - the server’s public key, generated by the generate pki wireguard key-pair command
- CLIENT_PRIVATE_KEY - the client’s private key, generated by the generate wireguard client-config command
- CLIENT_PUBLIC_KEY - the client’s public key, generated by the generate wireguard client-config command
Generate Server Keypair
Generate a keypair for the WireGuard server. Make note of these, as you will need them again. The private key ends up in the VyOS configuration, so treat the saved configuration (and any backups of it) as sensitive.
mhamzahkhan@gw:~$ generate pki wireguard key-pair
Private key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${SERVER_PRIVATE_KEY} ->
Public key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${SERVER_PUBLIC_KEY} ->
Configure WireGuard Interfaces
Next we can configure the WireGuard interface.
For this guide I am using the subnet 10.254.254.0/24 for the VPN, but you can use whatever you like. The MTU of 1420 leaves room for the WireGuard, UDP and outer IP headers on a 1500-byte link (including an IPv6 underlay), and the MSS clamp of 1380 is that MTU minus the 40 bytes of IPv4 and TCP headers, so TCP sessions through the tunnel do not fragment. 51920 is the UDP port the server listens on; if you run a firewall on the WAN interface, it must allow inbound UDP to that port.
mhamzahkhan@gw# set interfaces wireguard wg1 address '10.254.254.1/24'
mhamzahkhan@gw# set interfaces wireguard wg1 description 'VPN'
mhamzahkhan@gw# set interfaces wireguard wg1 ip adjust-mss '1380'
mhamzahkhan@gw# set interfaces wireguard wg1 mtu '1420'
mhamzahkhan@gw# set interfaces wireguard wg1 port '51920'
mhamzahkhan@gw# set interfaces wireguard wg1 private-key '${SERVER_PRIVATE_KEY}'
Next, for each device that will connect to the VPN, we need to add a peer definition. Commit the interface configuration first, because the generator reads the interface’s port and private key from the running configuration. VyOS makes this extremely easy: generate wireguard client-config creates a keypair for the client, prints the two set commands needed on the server side (it only prints them, so you still have to enter and commit them yourself), prints the ready-made client configuration, and renders it as a QR code which can be scanned to configure the WireGuard client on a phone, for example:
mhamzahkhan@gw:~$ generate wireguard client-config hamzah-phone interface wg1 server ${SERVER_PUBLIC_IP} address 10.254.254.2/24
WireGuard client configuration for interface: wg1
To enable this configuration on a VyOS router you can use the following commands:
=== VyOS (server) configuration ===
set interfaces wireguard wg1 peer hamzah-phone allowed-ips '10.254.254.2/32'
set interfaces wireguard wg1 peer hamzah-phone public-key '${CLIENT_PUBLIC_KEY}'
=== RoadWarrior (client) configuration ===
[Interface]
PrivateKey = ${CLIENT_PRIVATE_KEY}
Address = 10.254.254.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_PUBLIC_IP}:51920
AllowedIPs = 0.0.0.0/0, ::/0
[QR code of the client configuration above, rendered by VyOS in the terminal as a block of Unicode characters; scan it with the WireGuard app on your phone]
If you are configuring the client on a phone, scanning the QR code with the WireGuard app makes it incredibly easy to set up; on macOS (and the other desktop clients) you can instead paste the client configuration printed above the QR code into a new tunnel. A few things to bear in mind:
- The client’s private key appears only in this output; VyOS does not store it. Treat it, and the QR code that encodes it, as a secret, and generate a separate client-config for every device rather than sharing one.
- The Endpoint port must match the port configured on wg1 (51920 here), and that UDP port must be reachable from the internet.
- AllowedIPs = 0.0.0.0/0, ::/0 sends all of the client’s traffic through the tunnel, so VyOS must forward (and usually NAT) that traffic on to the internet. If you only want to reach the internal network, list the VPN subnet and your LAN subnets instead, e.g. AllowedIPs = 10.254.254.0/24, <LAN subnet>; the client then only routes those prefixes via wg1.
- Once the peer is committed and the client has connected, show interfaces wireguard wg1 summary lists the peer with its endpoint, latest handshake and transfer counters, which is the quickest way to confirm the tunnel is actually up.
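Mismatches between the two halves of this setup are easy to introduce when a client file is edited by hand: an Endpoint port that differs from the server’s port, an allowed-ips that is not the client’s /32, or a public key pasted from the wrong side. The checker below is an added example, not code from this post or from VyOS. It parses the server’s set lines and the client’s [Interface]/[Peer] file, cross-checks them, and derives each public key from the opposite private key with a small pure-Python X25519 (RFC 7748), so it runs anywhere with no extra packages. The keys in the sample are the RFC 7748 test vectors standing in for real keys, 203.0.113.10 is a documentation address, and the function and variable names are my own.

```python
"""Added example: check that a VyOS WireGuard server config and the road-warrior
client file agree (port, addresses, allowed-ips, and that each side's public key
is the public half of the other side's private key). Standard library only."""
import base64, configparser, ipaddress, re

P, A24 = 2 ** 255 - 19, 121665          # Curve25519 prime and (A - 2) / 4

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: fine for checking a config
    offline, not for implementing the protocol itself."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 254) - 1)) | (1 << 254)             # clamp the scalar
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """WireGuard public key = X25519(private, basepoint 9), base64 like the private key."""
    priv = base64.b64decode(private_b64, validate=True)
    assert len(priv) == 32, "WireGuard keys are 32 raw bytes"
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()

SET_RE = re.compile(r"^set interfaces wireguard (\S+) (.+?) '([^']*)'$")
def parse_vyos_wireguard(text: str) -> dict:
    """Flatten `set interfaces wireguard wgN <path> '<value>'` lines; peer options nest under 'peers'."""
    cfg = {"peers": {}}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a wireguard set command: {line!r}")
        cfg["interface"], path, value = m.groups()
        parts = path.split()
        if parts[0] == "peer":                                # peer <name> <option>
            cfg["peers"].setdefault(parts[1], {})[" ".join(parts[2:])] = value
        else:
            cfg[path] = value
    return cfg

def parse_wg_client(text: str) -> dict:
    """The client file is INI-like; keep key case and split only on '=' (Endpoint holds a ':')."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_road_warrior(server_lines: str, client_text: str, peer_name: str):
    """Return (problems, is_full_tunnel) for one server/client pair."""
    srv, cli = parse_vyos_wireguard(server_lines), parse_wg_client(client_text)
    iface, peer, problems = cli["Interface"], cli["Peer"], []
    port = peer["Endpoint"].rpartition(":")[2]
    if port != srv.get("port"):
        problems.append(f"client Endpoint port {port} but server listens on {srv.get('port')}")
    vpn_net = ipaddress.ip_interface(srv["address"]).network
    client_ip = ipaddress.ip_interface(iface["Address"]).ip
    if client_ip not in vpn_net:
        problems.append(f"client address {client_ip} is outside VPN subnet {vpn_net}")
    srv_peer = srv["peers"].get(peer_name, {})
    if srv_peer.get("allowed-ips") != f"{client_ip}/32":
        problems.append(f"server allowed-ips for peer {peer_name} must be {client_ip}/32")
    if srv_peer.get("public-key") != wg_public_key(iface["PrivateKey"]):
        problems.append(f"server public-key for peer {peer_name} is not derived from the client PrivateKey")
    if peer["PublicKey"] != wg_public_key(srv["private-key"]):
        problems.append("client [Peer] PublicKey is not the public half of the server private-key")
    # 0.0.0.0/0 or ::/0 in AllowedIPs means the client routes all its traffic into the tunnel
    full_tunnel = any(ipaddress.ip_network(a.strip()).prefixlen == 0 for a in peer["AllowedIPs"].split(","))
    return problems, full_tunnel

# Constructed sample: keys are the RFC 7748 test vectors (Alice = server, Bob = client), used only as
# placeholders; 203.0.113.10 is a documentation address. The client's Endpoint port deliberately
# disagrees with the server's `port` so the check has something to report.
SERVER_PRIVATE_KEY = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
CLIENT_PRIVATE_KEY = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
SERVER_CONFIG = f"""
set interfaces wireguard wg1 address '10.254.254.1/24'
set interfaces wireguard wg1 port '51920'
set interfaces wireguard wg1 private-key '{SERVER_PRIVATE_KEY}'
set interfaces wireguard wg1 peer hamzah-phone allowed-ips '10.254.254.2/32'
set interfaces wireguard wg1 peer hamzah-phone public-key '{wg_public_key(CLIENT_PRIVATE_KEY)}'
"""
CLIENT_CONFIG = f"""
[Interface]
PrivateKey = {CLIENT_PRIVATE_KEY}
Address = 10.254.254.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = {wg_public_key(SERVER_PRIVATE_KEY)}
Endpoint = 203.0.113.10:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""

if __name__ == "__main__":
    print(check_road_warrior(SERVER_CONFIG, CLIENT_CONFIG, "hamzah-phone"))
```

Run as is, it reports the sample’s deliberate port mismatch and flags the client as a full tunnel (the case you must plan forwarding and NAT for); change the Endpoint to :51920 and the problem list comes back empty. To check your own setup, paste the real set lines and client file in place of the constructed sample; the private keys never leave the script, and the public-key derivation is the same X25519 computation WireGuard itself uses, so any disagreement it reports is a real one.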
Conclusion
As we conclude our journey through configuring VyOS as a WireGuard VPN server, you now possess a fully functional WireGuard VPN setup, empowering you to securely access your self-hosted digital resources from anywhere on the planet.
In our ever-evolving, interconnected world, the demand for secure, remote network access remains as vital as ever. By utilising WireGuard and VyOS, you have armed yourself with the ability to stay seamlessly connected to your internal services and servers, whether you’re managing a personal web server, experimenting with home automation, or trying to access secure files on your office network.
In my next post, I will be discussing how I use WireGuard to allow me to host services in my home lab, despite being behind CGNAT.
Posts in this series
- VyOS as a Reverse Proxy Load Balancer
- VyOS - WireGuard Based Road Warrior VPN Configuration
- VyOS - Site-to-Site VPN Using Wireguard and OSPF