# Wireguard vpp-plugin

## Overview
This plugin is an implementation of the [wireguard protocol](https://www.wireguard.com/) for VPP. It allows one to create secure VPN tunnels.
This implementation is based on [wireguard-openbsd](https://git.zx2c4.com/wireguard-openbsd/), using the implementation of *ipip-tunnel*.

## Crypto

The crypto protocols:

- blake2s [[Source]](https://github.com/BLAKE2/BLAKE2)

OpenSSL:

- curve25519
- chachapoly1305

## Plugin usage example
Usage is very similar to other wireguard implementations.

### Create connection
Create keys:

```
> vpp# wg genkey
> *my_private_key*
> vpp# wg pubkey <my_private_key>
> *my_pub_key*
```

Create tunnel:
```
> vpp# create ipip tunnel src <ip4_src> dst <ip4_dst>
> *tun_name*
> vpp# set int state <tun_name> up
> vpp# set int ip address <tun_name> <tun_ip4>
```

After this we can create wg-device. The UDP port is opened automatically.
```
> vpp# wg set device private-key <my_private_key> src-port <my_port>
```

Now, we can add a peer configuration:
```
> vpp# wg set peer public-key <peer_pub_key> endpoint <peer_ip4> allowed-ip <peer_tun_ip4> dst-port <peer_port> tunnel <tun_name> persistent-keepalive <keepalive_interval>
```
If you need to add more peers, don't forget to create another ipip-tunnel first.

Ping the peer:
```
> vpp# ping <peer_tun_ip4>
```
### Show config
To show device and all peer configurations:
```
> vpp# show wg
```

### Remove peer
A peer can be removed by its public key.
```
> vpp# wg remove peer <peer_pub_key>
```
This removes the associated ipip tunnel as well.

### Clear all connections
```
> vpp# wg remove device
```

## Main next steps for improving this implementation
1. Use all benefits of VPP-engine.
2. Add IP6 support (currently only supports IPv4)
3. Add DoS protection as in original protocol (using cookie)