From edca1325cf296bd0f5ff422fc12de2ce7a7bad88 Mon Sep 17 00:00:00 2001
From: Artem Glazychev
Date: Mon, 31 Aug 2020 17:12:30 +0700
Subject: wireguard: initial implementation of wireguard protocol

Type: feature

You can find the main information about the plugin in README.md.

vpp# wireguard ?
  wireguard create    wireguard create listen-port private-key src [generate-key]
  wireguard delete    wireguard delete
  wireguard peer add  wireguard peer add public-key endpoint allowed-ip dst-port [port_dst] persistent-keepalive [keepalive_interval]
  wireguard peer remove  wireguard peer remove

Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9
Signed-off-by: Artem Glazychev
Signed-off-by: Damjan Marion
Signed-off-by: Jim Thompson
Signed-off-by: Neale Ranns
Signed-off-by: Damjan Marion
---
 src/plugins/wireguard/README.md | 74 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100755 src/plugins/wireguard/README.md

(limited to 'src/plugins/wireguard/README.md')

diff --git a/src/plugins/wireguard/README.md b/src/plugins/wireguard/README.md
new file mode 100755
index 00000000000..a11356cfde2
--- /dev/null
+++ b/src/plugins/wireguard/README.md
@@ -0,0 +1,74 @@ +# Wireguard vpp-plugin + +## Overview +This plugin is an implementation of [wireguard protocol](https://www.wireguard.com/) for VPP. It allows one to create secure VPN tunnels. +This implementation is based on [wireguard-openbsd](https://git.zx2c4.com/wireguard-openbsd/), using the implementaiton of *ipip-tunnel*. + +## Crypto + +The crypto protocols: + +- blake2s [[Source]](https://github.com/BLAKE2/BLAKE2) + +OpenSSL: + +- curve25519 +- chachapoly1305 + +## Plugin usage example +Usage is very similar to other wireguard implementations. + +### Create connection +Create keys: + +``` +> vpp# wg genkey +> *my_private_key* +> vpp# wg pubkey +> *my_pub_key* +``` + +Create tunnel: +``` +> vpp# create ipip tunnel src dst +> *tun_name* +> vpp# set int state up +> vpp# set int ip address +``` + +After this we can create wg-device. The UDP port is opened automatically. +``` +> vpp# wg set device private-key src-port +``` + +Now, we can add a peer configuration: +``` +> vpp# wg set peer public-key endpoint allowed-ip dst-port tunnel persistent-keepalive +``` +If you need to add more peers, don't forget to first create another ipip-tunnel. +Ping. +``` +> vpp# ping +``` +### Show config +To show device and all peer configurations: +``` +> vpp# show wg +``` + +### Remove peer +Peer can be removed by its public-key. +``` +> vpp# wg remove peer +``` +This removes the associated ipip tunnel as well + +### Clear all connections +``` +> vpp# wg remove device +``` + +## main next steps for improving this implementation +1. Use all benefits of VPP-engine. +2. Add IP6 support (currently only supports IPv4)) +3. Add DoS protection as in original protocol (using cookie) -- cgit 1.2.3-korg
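Review bot: The CLI documented in this README does not match the CLI the commit message advertises. The commit message's `wireguard ?` help lists `wireguard create`, `wireguard delete`, `wireguard peer add` and `wireguard peer remove`, while the README's examples use `wg genkey`, `wg pubkey`, `wg set device`, `wg set peer`, `wg remove peer`, `wg remove device` and `show wg`; the README also ties each peer to a manually created ipip tunnel (`create ipip tunnel src dst`, `tunnel` argument on `wg set peer`), which the commit-message usage does not mention. One of the two is stale, and since the commit message says users should rely on README.md, the README should be brought in line with the command names and argument lists actually implemented before merge. Smaller points in the same hunk: the file is added with mode 100755, which is an executable bit on a Markdown file and should be 100644; "implementaiton" in the overview should read "implementation"; "(currently only supports IPv4))" has a doubled closing parenthesis; "This removes the associated ipip tunnel as well" lacks a full stop; and the heading "## main next steps for improving this implementation" should be capitalised like the other headings. Since `wg genkey` echoes the private key on the CLI, it would also help operators if the README noted that the key is shown in clear text on the console (and so in any console capture or CLI history), and the "Crypto" section should state explicitly, next to the blake2s/curve25519/chachapoly1305 list, that the cookie-based DoS protection from the original protocol is not yet implemented, rather than leaving that only as item 3 of the next-steps list.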