path: root/src/plugins/wireguard/README.md
blob: 0b624b8104c06d6ed11c2de73a7db235f52189c3 (plain)
# Wireguard vpp-plugin  {#wireguard_plugin_doc}

## Overview
This plugin is an implementation of the [WireGuard protocol](https://www.wireguard.com/) for VPP. It allows one to create secure VPN tunnels.
This implementation is based on [wireguard-openbsd](https://git.zx2c4.com/wireguard-openbsd/).

## Crypto

The cryptographic primitives used:

- BLAKE2s (hash and keyed MAC) [[Source]](https://github.com/BLAKE2/BLAKE2)

From OpenSSL:

- Curve25519 (X25519 key agreement)
- ChaCha20-Poly1305 (AEAD)

## Plugin usage example

### Create wireguard interface

```
> vpp# wireguard create listen-port <port> private-key <priv_key> src <src_ip4> [generate-key]
> *wg_interface*
> vpp# set int state <wg_interface> up
> vpp# set int ip address <wg_interface> <wg_ip4>
```

### Add a peer configuration:
```
> vpp# wireguard peer add <wg_interface> public-key <pub_key_other> endpoint <ip4_dst> allowed-ip <prefix> port <port_dst> persistent-keepalive [keepalive_interval]
> *peer_idx*
```

### Add routes for allowed-ip:
`allowed-ip` only configures cryptokey routing (which source/destination prefixes are accepted for that peer); a route is still needed so that traffic for the prefix is actually sent into the tunnel:
```
> vpp# ip route add <prefix> via <wg_ip4> <wg_interface>
```

### Show config
```
> vpp# show wireguard interface
> vpp# show wireguard peer
```

### Remove peer
```
> vpp# wireguard peer remove <peer_idx>
```


### Delete interface
```
> vpp# wireguard delete <wg_interface>
```
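The whole sequence above carried through for two sites, as an added example that is not code from this plugin or from the WireGuard project: the script derives WireGuard key pairs (X25519 per RFC 7748, implemented inline so it runs offline), renders site A as the VPP CLI commands from this README and site B as a standard wg-quick configuration, and makes the keys cross correctly and the `allowed-ip` prefix and the route agree. The interface name `wg0`, the addresses, ports and site names are assumptions; the private keys are the published RFC 7748 test vectors and must never be reused; the `port` keyword and the route line are copied from this README, so confirm them against the CLI help of your VPP build.

```python
#!/usr/bin/env python3
"""Added example, not code from the VPP plugin or the WireGuard project.
Derives WireGuard key pairs and renders a matching pair of configurations:
site A as the VPP CLI commands from this README, site B as a standard
wg-quick(8) peer.  X25519 is implemented from RFC 7748 so the script runs
offline; it is written for clarity, not constant time, so use libsodium or
OpenSSL for real key material.  Interface name wg0, addresses and ports
are assumptions."""
import base64
import os

P = 2 ** 255 - 19   # Curve25519 field prime
A24 = 121665        # Montgomery ladder constant (486662 - 2) / 4


def clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping, as WireGuard applies to every private key."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: int = 9) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; u=9 is the base point, so
    x25519(priv) is the public key and x25519(priv, peer_pub) the DH value."""
    k = clamp(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; a real implementation does this branch-free
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key() -> str:
    """Fresh 32-byte private key, base64 as WireGuard and the VPP CLI expect."""
    return base64.b64encode(os.urandom(32)).decode()


def public_key(private_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Raw X25519 agreement (hex).  WireGuard's handshake mixes this with
    ephemeral keys; it is exposed here only as a self-check of the ladder."""
    u = int.from_bytes(base64.b64decode(peer_public_b64), "little") & (2 ** 255 - 1)
    return x25519(base64.b64decode(private_b64), u).hex()


def key_hex(b64: str) -> str:
    return base64.b64decode(b64).hex()


def vpp_cli(site: dict, peer: dict, ifname: str = "wg0") -> list:
    """The README's VPP CLI sequence for one site; wg0 is assumed to be the
    name that 'wireguard create' prints."""
    return [
        f"wireguard create listen-port {site['port']} private-key {site['priv']} src {site['endpoint']}",
        f"set int state {ifname} up",
        f"set int ip address {ifname} {site['tunnel_ip']}",
        f"wireguard peer add {ifname} public-key {public_key(peer['priv'])} endpoint {peer['endpoint']} "
        f"allowed-ip {peer['lan']} port {peer['port']} persistent-keepalive 25",
        # route for the allowed-ip prefix, in the form the README gives
        f"ip route add {peer['lan']} via {site['tunnel_ip'].split('/')[0]} {ifname}",
    ]


def wg_conf(site: dict, peer: dict) -> str:
    """Same parameters as a wg-quick(8) configuration for a standard peer."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {site['priv']}",
        f"ListenPort = {site['port']}",
        f"Address = {site['tunnel_ip']}",
        "",
        "[Peer]",
        f"PublicKey = {public_key(peer['priv'])}",
        f"Endpoint = {peer['endpoint']}:{peer['port']}",
        f"AllowedIPs = {peer['lan']}",
        "PersistentKeepalive = 25",
    ])


# Constructed sample sites.  The private keys are the published RFC 7748
# test scalars so the output is reproducible; never reuse them.
SITE_A = {"priv": base64.b64encode(bytes.fromhex(
              "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode(),
          "endpoint": "198.51.100.1", "port": 51820, "tunnel_ip": "10.10.1.1/30", "lan": "10.0.1.0/24"}
SITE_B = {"priv": base64.b64encode(bytes.fromhex(
              "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode(),
          "endpoint": "203.0.113.7", "port": 51820, "tunnel_ip": "10.10.1.2/30", "lan": "10.0.2.0/24"}

if __name__ == "__main__":
    print("# site A (VPP):\n" + "\n".join(vpp_cli(SITE_A, SITE_B)))
    print("\n# site B (wg-quick):\n" + wg_conf(SITE_B, SITE_A))
```

Each side's `peer add` / `[Peer]` block carries the other side's public key, never its private key, and the prefix given as `allowed-ip` on the VPP side is the same one the route sends into `wg0`; a prefix routed into the tunnel but missing from `allowed-ip` is silently dropped by cryptokey routing.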

## Main next steps for improving this implementation
1. Make full use of the VPP engine's vector packet processing.
2. Add IPv6 support (currently only IPv4 is supported).
3. Add the DoS protection of the original protocol (the cookie reply sent under load); until then a responder has no cookie mechanism to rate-limit a flood of handshake initiations.