WireGuard

This is a WIP project and has not been released. If you want to support development of WireGuard in IPFire, please donate.

WireGuard is a modern, open-source VPN protocol designed for simplicity. Unlike other VPN solutions, such as OpenVPN or IPsec, WireGuard is very lightweight. It is easy to configure and compatible with many operating systems.

Initial Setup

There are only few configuration parameters needed to get started with WireGuard. The setup automatically creates a pair of private and public keys. They are required to establish connections with other peers and once set up cannot be changed. It is possible to configure a custom endpoint, which should be the FQDN that peers connect to and defaults to IPFire's hostname. The port can also be customized and defaults to 51820.

Host-To-Net Client Settings

For Host-To-Net clients (or Roadwarrior clients) a client pool is required. This is a subnet that is allocated to all peers and IPFire will statically allocate an IP address. Therefore it cannot be changed once at least one peer has been set up. When exporting a new configuration file for a peer, optionally the IP address of a DNS resolver can be passed.

Connection Types

WireGuard, like other VPN solutions, knows two types of connections. One for connecting endpoints like laptops, desktops and mobile devices, and a second one to connect two networks with each other.

Host-To-Net (Roadwarrior) Connections

Click "Add" to create a new connection and select "Host-to-Net Virtual Private Network (RoadWarrior)". You will see a new page that asks for a name of the new connection and optionally takes a remark.

You can also decide what networks the peer is able to reach. By default, this is filled with the GREEN network, but you could change it to 0.0.0.0/0 to have the client route everything through the tunnel.

Finally, after hitting Save, you will see a QR code and a download option to export the newly created configuration to a client. See below on how to import this to various supported clients.

Please note: This QR code and configuration can only be downloaded here and will never be shown again as it contains a private key which must be kept secret and is not permanently stored on IPFire.

Clients

• Desktop Clients
  • WireGuard with Windows
  • WireGuard with MacOS
  • WireGuard with Linux
• Mobile Clients
  • WireGuard with Android
  • ios

Net-To-Net Connections

For a new Net-To-Net connection, a few more details are needed. Apart from a name, a FQDN or IP address of the remote peer as well as its port and public key is needed. An optional PSK can be used to harden the tunnel further against decryption attacks. The keep alive interval defines how often the peers reach out to each other to keep any NAT routings on the way between them alive.

The networks that are routed between the two peers are defined as local and remote subnets and multiple networks can be defined by using comma.

FAQ

TODO