WireGuard Configuration Settings
The interface wireguard <instance> command, issued from config mode, changes to WireGuard mode. This is denoted by config-wireguard in the prompt.
tnsr(config)# interface wireguard 1
tnsr(config-wireguard)#
The <instance> value corresponds with the number of the resulting WireGuard wg interface which will be present after configuring the WireGuard instance. For example, interface wireguard 1 results in wg1, and interface wireguard 5 results in wg5.
Note
After configuring the WireGuard instance and peers, configure the corresponding wg interface with an address, enable it, and also set up routing.
See also
See WireGuard Site-to-Site Example for an example configuration.
WireGuard Instance Configuration
The WireGuard instance configuration in config-wireguard mode defines parameters using the following commands:
- description <desc>:
A text description of this WireGuard instance for reference.
- peer <peer-id>:
Enter config-wireguard-peer mode to create or edit a peer.
Warning
The peer ID value must be globally unique across all WireGuard instances.
- port <port-value>:
The local UDP port used by WireGuard to send and receive WireGuard packets for this instance. Each WireGuard instance must use a different port, and the port must not conflict with other existing UDP services.
Most WireGuard implementations assume a default port of 51820, which makes that a good starting value.
- private-key:
These commands manage the private key used by WireGuard for encryption. Use only one of the following:
- private-key base64 <key>:
Defines a private key as a Base64 string, e.g. IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=. A WireGuard private key is a 32-byte Curve25519 key, which encodes to 44 Base64 characters. The private key is secret material: anyone who obtains it can impersonate this instance to every peer that trusts the corresponding public key, so treat configuration backups and any command output that displays the key as sensitive, and never reuse one private key across instances or devices.
- source-address <ip-addr>:
The IP address used by WireGuard to send and receive traffic.
Warning
If the external-facing interface from which the WireGuard clients will connect has an input ACL limiting inbound traffic, then it must be adjusted to allow WireGuard clients to reach the configured source-address and port. If there is an output ACL on the same interface, it may also require similar changes.
WireGuard Instance Example
r1 tnsr(config)# interface wireguard 1
r1 tnsr(config-wireguard)# description WireGuard P2P - R1-R2
r1 tnsr(config-wireguard)# source-address 203.0.113.2
r1 tnsr(config-wireguard)# port 51820
r1 tnsr(config-wireguard)# private-key base64 IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
WireGuard Peer Configuration
- allowed-prefix <prefix>:
A network on the peer side which is reachable through this peer. The specified network is allowed to communicate with WireGuard bidirectionally. This command sets up an association between this network and the public key of this peer for internal WireGuard cryptokey routing: outbound traffic for an address inside the prefix is encrypted to this peer, and a packet decrypted with this peer's key is dropped unless its source address falls within one of the peer's allowed prefixes. The list therefore also acts as a source filter, preventing a peer from injecting traffic for networks it was not granted.
This command may be repeated to define multiple allowed prefixes.
The same network cannot be allowed from multiple peers on the same instance.
Tip
This can be set to 0.0.0.0/0 (IPv4) or ::/0 (IPv6) to allow any network to or from this peer. This can only be used on instances with a single peer. This is useful when routing all traffic across a VPN or when using a dynamic routing protocol such as BGP or OSPF.
Warning
This does not add routes to any route table in TNSR, it is internal to WireGuard. Routes for TNSR to direct traffic to WireGuard must be configured separately.
- description <desc>:
A text description of this peer for reference.
- endpoint-address <endpoint-addr>:
The remote address the peer uses to send and receive WireGuard traffic. This may be left undefined if the peer has a dynamic address, so long as that peer has an endpoint defined pointing to this instance. One side of the peer relationship may have an undefined address, but not both; the side without an endpoint learns the peer's current address from the authenticated packets it receives.
- keep-alive <interval>:
Interval, in seconds, at which WireGuard will send keep-alive packets to the peer. May be omitted or set to 0 to disable. A keep-alive is typically needed when this side sits behind NAT or a stateful firewall, so that the translation or state entry for the session stays open; 25 seconds is the value commonly recommended in WireGuard documentation.
- port:
The UDP port the peer uses to send and receive WireGuard traffic. This may be left undefined if the peer has a dynamic address or is behind NAT, so long as that peer has a port defined pointing to this instance. One side of the peer relationship may have an undefined port, but not both.
- public-key base64 <key>:
The public key for this peer. WireGuard will encrypt traffic destined for this peer using this public key, and it also authenticates the peer, since only the holder of the matching private key can complete a handshake. This key, along with the allowed prefixes list, allows WireGuard to internally route traffic to specific peers. Obtain the key from the peer's administrator over a trusted channel; a mistyped or substituted key does not produce a configuration error, only a peer that never completes a handshake.
- route-table <table-name>:
An alternate routing table to use for this peer.
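To make the allowed-prefix semantics concrete, the following is an added example, not TNSR's or WireGuard's code, that models cryptokey routing for one instance: outbound packets go to the peer with the longest matching allowed prefix, inbound packets decrypted under a peer's key are accepted only if their source lies in that peer's prefixes, the same network may not be allowed from two peers, and (this page's rule) a catch-all 0.0.0.0/0 or ::/0 is permitted only on a single-peer instance. CryptokeyTable, select_peer, accept_inbound and build_r1_table are names chosen here; the R2 peer uses the key and prefixes from this page's peer example, and the second peer R3 with 10.26.0.0/24 and a placeholder key is constructed for the demonstration. As the Warning above says, none of this installs routes in TNSR's route table; it only decides what WireGuard itself will encrypt or accept.

```python
"""Added example (not TNSR's or WireGuard's code): a model of WireGuard cryptokey
routing showing what allowed-prefix does. Names and the R3 peer are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


class CryptokeyTable:
    """Allowed-prefix bindings for one WireGuard instance, keyed by peer public key."""

    def __init__(self) -> None:
        self.peers: Dict[str, List[Network]] = {}

    def add_peer(self, public_key: str, allowed_prefixes: List[str]) -> None:
        # strict=True rejects prefixes with host bits set, e.g. 10.25.0.1/24
        nets = [ipaddress.ip_network(p, strict=True) for p in allowed_prefixes]
        for other_key, other_nets in self.peers.items():
            for n in nets:
                if n in other_nets:
                    raise ValueError(f"{n} is already allowed from peer {other_key}")
        # This page's constraint: a catch-all prefix only on a single-peer instance.
        has_catch_all = any(n in CATCH_ALL for n in nets)
        existing_catch_all = any(n in CATCH_ALL for ns in self.peers.values() for n in ns)
        if self.peers and (has_catch_all or existing_catch_all):
            raise ValueError("a catch-all prefix requires a single-peer instance")
        self.peers[public_key] = nets

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: the peer whose allowed prefix is the longest match for dst,
        or None, in which case WireGuard has nowhere to send the packet."""
        addr = ipaddress.ip_address(dst)
        best: Optional[tuple] = None
        for key, nets in self.peers.items():
            for n in nets:
                if n.version == addr.version and addr in n:
                    if best is None or n.prefixlen > best[0]:
                        best = (n.prefixlen, key)
        return best[1] if best else None

    def accept_inbound(self, public_key: str, src: str) -> bool:
        """Inbound: a packet that decrypted under this peer's key is dropped unless
        its source address lies inside one of that peer's allowed prefixes."""
        addr = ipaddress.ip_address(src)
        return any(n.version == addr.version and addr in n
                   for n in self.peers.get(public_key, []))


R2_PUBLIC = "kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA="   # from this page's peer example
R3_PUBLIC = "R3-PUBLIC-KEY-PLACEHOLDER"                       # hypothetical second peer


def build_r1_table() -> CryptokeyTable:
    """The R2 peer from this page plus a constructed R3 peer on 10.26.0.0/24."""
    table = CryptokeyTable()
    table.add_peer(R2_PUBLIC, ["10.2.111.2/32", "10.25.0.0/24"])
    table.add_peer(R3_PUBLIC, ["10.26.0.0/24"])
    return table


if __name__ == "__main__":
    t = build_r1_table()
    print("10.25.0.7 goes to:", t.select_peer("10.25.0.7"))
    print("R2 sending from 10.26.0.5 accepted:", t.accept_inbound(R2_PUBLIC, "10.26.0.5"))
```

The accept_inbound case is the security-relevant one: even though R2 holds a valid key, a packet it emits with a source in R3's network is discarded by cryptokey routing, which is why allowed-prefix should be kept as narrow as the peer's real networks.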
WireGuard Peer Example
r1 tnsr(config-wireguard)# peer 1
r1 tnsr(config-wireguard-peer)# description R2
r1 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.25
r1 tnsr(config-wireguard-peer)# port 51820
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.2/32
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.25.0.0/24
r1 tnsr(config-wireguard-peer)# public-key base64 kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
r1 tnsr(config-wireguard-peer)# exit
r1 tnsr(config-wireguard)# exit