path: root/src/plugins/wireguard/README.md
author    Artem Glazychev <artem.glazychev@xored.com>  2020-08-31 17:12:30 +0700
committer Damjan Marion <dmarion@me.com>  2020-09-09 11:57:48 +0000
commit    edca1325cf296bd0f5ff422fc12de2ce7a7bad88 (patch)
tree      fb12d12bd4193c5b2c7559d98aba9dc5d2f14e85 /src/plugins/wireguard/README.md
parent    ef80ad6bff03e3cc35950de0e15e4821ef3f7c04 (diff)
wireguard: initial implementation of wireguard protocol
Type: feature

The main information about the plugin can be found in README.md.

vpp# wireguard ?
  wireguard create       wireguard create listen-port <port> private-key <key> src <IP> [generate-key]
  wireguard delete       wireguard delete <interface>
  wireguard peer add     wireguard peer add <wg_int> public-key <pub_key_other> endpoint <ip4_dst> allowed-ip <prefix> dst-port [port_dst] persistent-keepalive [keepalive_interval]
  wireguard peer remove  wireguard peer remove <index>

Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Jim Thompson <jim@netgate.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/wireguard/README.md')
-rwxr-xr-x  src/plugins/wireguard/README.md  74
1 files changed, 74 insertions, 0 deletions
diff --git a/src/plugins/wireguard/README.md b/src/plugins/wireguard/README.md
new file mode 100755
index 00000000000..a11356cfde2
--- /dev/null
+++ b/src/plugins/wireguard/README.md
@@ -0,0 +1,74 @@
+# Wireguard vpp-plugin
+
+## Overview
+This plugin is an implementation of [wireguard protocol](https://www.wireguard.com/) for VPP. It allows one to create secure VPN tunnels.
+This implementation is based on [wireguard-openbsd](https://git.zx2c4.com/wireguard-openbsd/), using the implementaiton of *ipip-tunnel*.
+
+## Crypto
+
+The crypto protocols:
+
+- blake2s [[Source]](https://github.com/BLAKE2/BLAKE2)
+
+OpenSSL:
+
+- curve25519
+- chachapoly1305
+
+## Plugin usage example
+Usage is very similar to other wireguard implementations.
+
+### Create connection
+Create keys:
+
+```
+> vpp# wg genkey
+> *my_private_key*
+> vpp# wg pubkey <my_private_key>
+> *my_pub_key*
+```
+
+Create tunnel:
+```
+> vpp# create ipip tunnel src <ip4_src> dst <ip4_dst>
+> *tun_name*
+> vpp# set int state <tun_name> up
+> vpp# set int ip address <tun_name> <tun_ip4>
+```
+
+After this we can create wg-device. The UDP port is opened automatically.
+```
+> vpp# wg set device private-key <my_private_key> src-port <my_port>
+```
+
+Now, we can add a peer configuration:
+```
+> vpp# wg set peer public-key <peer_pub_key> endpoint <peer_ip4> allowed-ip <peer_tun_ip4> dst-port <peer_port> tunnel <tun_name> persistent-keepalive <keepalive_interval>
+```
+If you need to add more peers, don't forget to first create another ipip-tunnel.
+Ping.
+```
+> vpp# ping <peer_tun_ip4>
+```
+### Show config
+To show device and all peer configurations:
+```
+> vpp# show wg
+```
+
+### Remove peer
+Peer can be removed by its public-key.
+```
+> vpp# wg remove peer <peer_pub_key>
+```
+This removes the associated ipip tunnel as well
+
+### Clear all connections
+```
+> vpp# wg remove device
+```
+
+## main next steps for improving this implementation
+1. Use all benefits of VPP-engine.
+2. Add IP6 support (currently only supports IPv4))
+3. Add DoS protection as in original protocol (using cookie)
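Review bot: the CLI this README documents does not match the command help quoted in the commit message, which itself points readers at README.md for the main information. The README walks through `wg genkey`, `wg set device private-key <my_private_key> src-port <my_port>`, `wg set peer ... tunnel <tun_name>` and `wg remove peer <peer_pub_key>`, while the commit message lists `wireguard create listen-port <port> private-key <key> src <IP> [generate-key]`, `wireguard peer add <wg_int> ...` and `wireguard peer remove <index>`; one of the two is stale, and the README should show the commands the plugin actually registers, including the interface/index arguments the help text takes. Two points are security-relevant for anyone following the "Create connection" steps. First, the walkthrough has the operator type the private key on the CLI (`wg set device private-key <my_private_key>`) and has `wg genkey` print it to the terminal, so the key ends up in scrollback and in any CLI logging; the `[generate-key]` option from the commit message avoids that and the README should recommend it, or at least warn. Second, `allowed-ip <peer_tun_ip4>` reads as a single host address, whereas the help text says `allowed-ip <prefix>`; the README should state that this is a prefix and say whether the implementation enforces the protocol's inbound check (decrypted packets whose source falls outside the peer's allowed IPs are dropped), since that check is what makes allowed-ips a security boundary rather than a routing hint. Related to that, the missing cookie mechanism is listed only as next step 3 at the very end; without cookies a responder performs the handshake's Diffie-Hellman work for every initiation message that carries a valid mac1, which any party holding the public key can produce, so it belongs in the Overview as a known limitation before someone exposes the listen port to untrusted networks. Smaller items: "implementaiton" in the Overview, the stray extra closing parenthesis in "(currently only supports IPv4))", the missing full stop after "This removes the associated ipip tunnel as well", "chachapoly1305" should read "ChaCha20-Poly1305", and the `> ` prefix on every command inside the fenced blocks renders as a quote marker and prevents copy-paste; drop it and keep only the `vpp#` prompt.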