.. _wireguard_plugin_doc: Wireguard vpp-plugin ==================== Overview -------- This plugin is an implementation of `wireguard protocol <https://www.wireguard.com/>`__ for VPP. It allows one to create secure VPN tunnels. This implementation is based on `wireguard-openbsd <https://git.zx2c4.com/wireguard-openbsd/>`__. Crypto ------ The crypto protocols: - blake2s `[Source] <https://github.com/BLAKE2/BLAKE2>`__ OpenSSL: - curve25519 - chachapoly1305 Plugin usage example -------------------- Create wireguard interface ~~~~~~~~~~~~~~~~~~~~~~~~~~ :: > vpp# wireguard create listen-port <port> private-key <priv_key> src <src_ip4> [generate-key] > *wg_interface* > vpp# set int state <wg_interface> up > vpp# set int ip address <wg_interface> <wg_ip4> Add a peer configuration: ~~~~~~~~~~~~~~~~~~~~~~~~~ :: > vpp# wireguard peer add <wg_interface> public-key <pub_key_other> endpoint <ip4_dst> allowed-ip <prefix> port <port_dst> persistent-keepalive [keepalive_interval] > vpp# *peer_idx* Add routes for allowed-ip: ~~~~~~~~~~~~~~~~~~~~~~~~~~ :: > ip route add <prefix> via <wg_ip4> <wg_interface> Show config ~~~~~~~~~~~ :: > vpp# show wireguard interface > vpp# show wireguard peer Remove peer ~~~~~~~~~~~ :: > vpp# wireguard peer remove <peer_idx> Delete interface ~~~~~~~~~~~~~~~~ :: > vpp# wireguard delete <wg_interface> Main next steps for improving this implementation ------------------------------------------------- 1. Use all benefits of VPP-engine. 2. Add IPv6 support (currently only supports IPv4) 3. Add DoS protection as in original protocol (using cookie)