
Wireguard: Write wiki documentation
Closed, Resolved | Public | FEATURE REQUEST

Description

Document in wiki how to use wireguard.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close

Related Objects

Status | Subtype | Assigned | Task
Resolved | FEATURE REQUEST | hagbard |
Resolved | FEATURE REQUEST | hagbard |

Event Timeline

hagbard triaged this task as Normal priority.Aug 12 2018, 7:53 PM
hagbard created this task.

Let me know if you need any help with it or have any questions.
I'm going to change the endpoint parameter to an optional parameter.
https://www.wireguard.com/#conceptual-overview may help you as well.

@hagbard wiki tells me that my post is spam, so I am unable to save at the moment. https://wiki.vyos.net/index.php?title=Wireguard

@mrjones I whitelisted you on the wiki.
Try again.

c-po renamed this task from write wiki documentation to Wireguard: Write wiki documentation.Aug 19 2018, 10:57 AM

@mrjones Thanks, it looks very good. I'm about to add a few status commands, like sh wireguard wgN status and peer status and such, so please leave this task open. I stopped after 2 lines of writing wiki, the annoying google captchas wasted my time, so I stopped :).

wg pubkey (generates a public key using the private key, for example: wg pubkey < "private key here")
For extra security you can also use a pre-shared key that can be generated with this command:
wg genpsk (this is optional, and the same pre-shared key should be used on both hosts)

Can you please change that, I still get captcha'ed.

You can do that within the vbash (run is only required if you are in conf mode):

<run> generate wireguard keypair = generates a new keypair, if one exists already it asks you if you want to overwrite the existing one. It is stored permanently under /config/auth/wireguard/.

<run> show wireguard privkey - shows the private key
<run> show wireguard pubkey - shows the public key

planned:
<run> show wireguard status - show status for all wg interfaces
<run> show wireguard status <wgN> - status for a specific interface
<run> show wireguard status peer [peerkey] - status for a specific peer

I would also refer to client and server, not just host.
Each can be client or server. If configured as server, the endpoint is optional, but the client has to initiate the connection first; then the server gets the src IP and src port from the client and you can also send traffic from the server to the client.

Here is an example I have in my testlab:

client:
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

server:
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer <pubkey client> allowed-ips 10.0.0.0/24
set protocols static interface-route 10.0.0.0/24 next-hop-interface wg01

If you call wg directly, it will only show you the generated keys to stdout, so there is nothing stored on the system and the tunnel won't exist/work anymore after system reboot.

Can you please change that, I get google captcha'ed which wastes my time and I'm not in the mood to solve puzzles today :D.

Not completed yet, so I will not close the task.

The "Show preview" doesn't require the Captcha

I will edit it, I missed that it was already implemented.

Follow-up question: if there is more than one interface, how do we see the keypairs?

It does for me, I probably just need to be white listed.
Would you like to do https://phabricator.vyos.net/T759 as well?
It's syslog configuration, which I rewrote a month or so ago.

Thanks a lot.
The keypair is unique per host; it is used to authenticate and to decrypt the incoming traffic. So for authentication it wouldn't make much sense to deal with multiple keys.
Encryption is done via the public key, which has to come from your peer. So the traffic to a peer is always encrypted with the public key; only the one who has the private key, or at least the knowledge of the content of the private key, can decrypt the message/traffic. That's at least the basic idea.
On the server side you basically receive a message encrypted with your public key, which contains the public key for authentication (see the link above and look for DH_PUBKEY(private key) in the code example). So given that, theoretically you only need to store the private key, since the public key is always computed during connection initiation. But that would mean in my case that 'show wireguard pubkey' would have to compute it as well any time you need it to send it to your peers when you create a new tunnel. (wg pubkey < your_private_key will give you the same result).
I just have a native OS API to read a file but would have to call a subprocess to call wg, that's why I store the public key in a file as well; the content is the same.

You can handle all peers on a single interface (wg01 for instance), but the interfaces are OS specific and often used for routing or if you want to have a generic iptables rule in place which matches anything on a particular interface.

Yes, but if I use several interfaces, wg01, wg02, wg03, then should I have the option to use a different keypair for each one of them?

In this case, should the listen-port be optional?
client:
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer <pubkey server> allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer <pubkey server> endpoint '192.168.0.115:12345'
set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

I also spiced things up in the wiki, but can revert, I think it might help some people to see it like this.

You want to authenticate your host, not your interfaces. Theoretically, it's possible. If you travel, you usually carry one piece of ID, your passport, to identify yourself.
The listen port is mandatory; the peer endpoint on the server side, however, is optional. When the client initiates the connection (the client needs a peer endpoint) and passes the authentication part, the server side finds the way back from the data the client has sent (basically src IP and src port; the src port is the client's listen-port, by the way, which is why it's mandatory).

hagbard changed the task status from Open to In progress.Aug 20 2018, 1:33 AM
syncer added a project: Restricted Project.Aug 20 2018, 2:07 PM

The following has been added:

set interfaces wireguard wg01 peer 'kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=' persistent-keepalive 15

The peer key needs to be enclosed in single or double quotes. I gotta check why the parser doesn't like that; I suppose the lexer treats the = sign as some kind of separator.

I've added the status commands, once https://github.com/vyos/vyos-1x/pull/39 is merged you should have them in the latest iso. Let me know if you need a preview.

I added the persistent-keepalive.

I tried now on my regular linux to not set the listen-port, but I see that wireguard picks one of the higher ports at random if it is not set. So it is better to keep this value mandatory, as you say.

Yes, send a preview, and I can add it to the wiki right away

show interfaces wireguard <tab completion> [<enter>]

allowed-ips show all allowed-ips for the specified interface
endpoints show all endpoints for the specified interface
peers show all peer IDs for the specified interface

The tab completion shows you the interfaces which are set up on the system, so if you have more than 1 it shows them as a list you can choose from. If you just hit enter you get full statistics for the interface:

e.g.:
interface: wg01

public key: ABh3lEPhgjifR7eKHYxlV0gL58DZTNXqzWLteLBuK3E=
private key: (hidden)
listening port: 12345

peer: kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg=

allowed ips: 10.200.0.0/24

The sub commands like allowed-ips show the peer and the configured allowed-ips for it. If you have multiple peers, they show up as a list:

show interfaces wireguard wg01 allowed-ips
kl6NCcTXmGtoxLyvaNvSkKqq/q7Nb6b15eGZN9Py0Fg= 10.200.0.0/24

There is a start, I will adjust it after I can test it out myself!
Things are happening fast.
Regarding the syslog documentation, I will have more time to dive into it on Thursday/Friday. I didn't fiddle with it myself, and I will take it as a learning moment as well.

@mrjones No prob at all, you are a great help. Thanks for your contribution.

Please let me know what I need to add to wireguard.com/install/ in relation to VyOS's support.

Hey @zx2c4 !
Available out of the box in Rolling and in future LTS releases

I get an error message 'contains contacts', plus wasting my time with captchas. I'll write the documentation once that has been solved or just publish a link.

Sorry, I'm done with that crap.

Configuration

Before a VPN can be established, a [https://en.wikipedia.org/wiki/Public-key_cryptography key pair] needs to be generated, which is permanently stored under /config/auth/wireguard.
A new keypair can always be generated, which will overwrite the existing one; this can be done in operational mode or configuration mode.
You can have multiple interfaces (wg) and/or multiple peers on one wg interface. IPv4 and/or IPv6 IPs and networks can be used.

wg01:~$ configure
wg01# run generate wireguard keypair

The public key is being shared with your peer(s), they will encrypt all traffic to your system using this public key.

wg01# run show wireguard pubkey
u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=

The next step is to configure your local side as well as the policy based trusted destination addresses.
If you only initiate a connection, the listen port and endpoint are optional. If, however, you act as a server and endpoints initiate the connections to your system, you need to define one; otherwise it's randomly chosen and may make it difficult with firewall rules, since the port may be a different one when you reboot your system.
You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a wireguard tunnel.
The public key below is always the public key from your peer, not the local one.

'''steps on the first peer wg01'''
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01

The last step is to define an interface route for 10.2.0.0/24 to get through the wireguard interface wg01. Multiple IPs or networks can be defined and routed, the last check is allowed-ips which either prevents or allows the traffic.
For instance, if you set an interface route for 10.2.0.0/16, only 10.2.0.0/24 will be sent out; everything else will be automatically dropped.

'''steps on the second peer wg02'''

set interfaces wireguard wg01 address '10.2.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg01 allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer to-wg01 endpoint '192.168.0.124:12345'
set interfaces wireguard wg01 peer to-wg01 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
set interfaces wireguard wg01 port '12345'
set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

Now you have a working VPN for the destination networks defined above.

wg01# ping 10.2.0.1
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms

wg02# ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms

An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto, which is optional.
The preshared key is '''not''' stored locally; you need to copy it and exchange it with your peer in a safe manner.

'''pre-shared key setup on both sides'''
wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=

wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
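An added example, not part of the wiki draft above and not VyOS or WireGuard code: a Python model of the allowed-ips check the draft describes. It shows that with an interface route for 10.2.0.0/16 but allowed-ips 10.2.0.0/24 only the /24 leaves through the tunnel, and goes one step further than the draft by also modelling that the same allowed-ips list filters decrypted inbound packets by source address. The peer key is the one from the draft; all other values are constructed.

```python
import ipaddress

# Added example (not VyOS or WireGuard code): a model of WireGuard's
# "cryptokey routing", i.e. allowed-ips as the last check after the route.

class WgInterface:
    def __init__(self, peers):
        # peers: {pubkey: [allowed-ips network strings]}, IPv4 and IPv6 allowed
        self.table = [(ipaddress.ip_network(n), pub)
                      for pub, nets in peers.items() for n in nets]

    def peer_for(self, ip):
        """Longest-prefix match of ip against every peer's allowed-ips."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, pub in self.table:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, pub)
        return best[1] if best else None

    def outbound(self, route_nets, dst):
        """A packet the kernel routed to this wg interface (interface-route)
        is sent to the peer whose allowed-ips covers dst; if no peer covers
        it the packet is dropped (None) even though the route matched."""
        addr = ipaddress.ip_address(dst)
        if not any(addr in ipaddress.ip_network(r) for r in route_nets):
            return None   # never reached the wg interface at all
        return self.peer_for(dst)

    def inbound_ok(self, pub, src):
        """A decrypted packet from peer pub is accepted only if its source
        address falls into that peer's allowed-ips."""
        return self.peer_for(src) == pub

# Constructed sample mirroring the wg01 steps: route 10.2.0.0/16 via wg01,
# but peer to-wg02 only allows 10.2.0.0/24 (key taken from the draft above).
PEER_WG02 = "XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI="
WG01 = WgInterface({PEER_WG02: ["10.2.0.0/24"]})
ROUTES = ["10.2.0.0/16"]
```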

@hagbard thanks for the awesome implementation of wireguard to vyos.

Later today I will begin drafting a wiki for using wireguard with examples on how it works and how to do site-to-site or access VPN to replace openvpn setups to a degree.

@syncer can you assign this to me? I will PM a draft later today.

Thanks a lot. Let me know if you need anything from me.

In T774#20257, @hagbard wrote:

Hang on a sec, have a look here:
https://github.com/vyos/vyos-documentation

Fortunately I'm used to documenting stuff on the wiki, but it is nice to have some pointers, thanks! :)

@hagbard status so far is that I am nearly done with 3 types of setups, with minor edits on the existing wiki documentation for wireguard as it was not updated to match current commands :)
There is also some clarification on what each segment of the config is, to avoid confusing newcomers that want to try it out.
I will add it after work today.

@syncer can you allow my profile on the wiki (same username) to post an update?

I tried adding the wiki updates last Saturday without any luck (was not allowed to post updates).
Will post a pastebin with the wiki text for review later today.

Here is the pastebin since I'm still not allowed to post on the wiki:
https://pastebin.com/sZcJLyeB

It will need some minor proof reading and maybe formatting.
I will point out that Wireguard is still broken in 1.2.0 RC2 with the mobile VPN example and site-to-site VPN after troubleshooting.

Thanks. I'll see if I can add it. Can you please request access from @syncer?
@c-po Do you think the updates should be ported then to vyos-documentation or should the new content always be in vyos-documentation?

vyos-documentation is still a playground but feel free to add. It always makes sense to play around with new concepts.

syncer added a project: VyOS-1.2.0-GA.