WireGuard Configuration Settings

The interface wireguard <instance> command, issued from config mode, changes to WireGuard mode. This is denoted by config-wireguard in the prompt.

tnsr(config)# interface wireguard 1
tnsr(config-wireguard)#

The <instance> value corresponds with the number of the resulting WireGuard wg interface which will be present after configuring the WireGuard instance. For example, interface wireguard 1 results in wg1, interface wireguard 5 results in wg5.

Note

After configuring the WireGuard instance and peers, configure the corresponding wg interface with an address, enable it, and also setup routing.

See also

See WireGuard Site-to-Site Example for an example configuration.

WireGuard Instance Configuration

The WireGuard instance configuration in config-wireguard mode defines parameters using the following commands:

description <desc>

A text description of this WireGuard instance for reference.

peer <peer-id>

Enter config-wireguard-peer mode to create or edit a peer.

Warning

The peer ID value must be globally unique between all Wireguard instances.

port <port-value>

The local UDP port used by WireGuard to send and receive WireGuard packets for this instance. Each WireGuard instance must use a different port and it must not conflict with other existing UDP services.

Most WireGuard implementations assume a default port of 51820, which makes that a good starting value.

private-key

These commands manage the private key used by WireGuard for encryption. Use only one of the following:

private-key base64 <key>

Defines a private key as a Base 64 string, e.g. IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=.

source-address <ip-addr>

The IP address used by WireGuard to send and receive traffic.

Warning

If the external-facing interface from which the WireGuard clients will connect has an input ACL limiting inbound traffic, then it must be adjusted to allow WireGuard clients to reach the configured source-address and port. If there is an output ACL on the same interface, it may also require similar changes.

WireGuard Instance Example

r1 tnsr(config)# interface wireguard 1
r1 tnsr(config-wireguard)# description WireGuard P2P - R1-R2
r1 tnsr(config-wireguard)# source-address 203.0.113.2
r1 tnsr(config-wireguard)# port 51820
r1 tnsr(config-wireguard)# private-key base64 IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=

WireGuard Peer Configuration

allowed-prefix <prefix>

A network on the peer side which is reachable through this peer. The specified network is allowed to communicate with WireGuard bidirectionally. This command sets up an association between this network and the public key on this peer for internal WireGuard cryptokey routing.

This command may be repeated to define multiple allowed prefixes.

The same network cannot be allowed from multiple peers on the same instance.

Tip

This can be set to 0.0.0.0/0 (IPv4) or ::/0 (IPv6) to allow any network to or from this peer. This can only be used on instances with a single peer. This is useful when routing all traffic across a VPN or when using a dynamic routing protocol such as BGP or OSPF.

Warning

This does not add routes to any route table in TNSR, it is internal to WireGuard. Routes for TNSR to direct traffic to WireGuard must be configured separately.

description <desc>

A text description of this peer for reference.

endpoint-address <endpoint-addr>

The remote address the peer uses to send and receive WireGuard traffic.

This may be left undefined if a peer has a dynamic address, so long as that peer has an endpoint defined pointing to this instance. One side of the peer relationship may have an undefined address, but not both.

keep-alive <interval>

Interval, in seconds, at which WireGuard will send keep alive packets to the peer. May be omitted or set to 0 to disable.

port

The UDP port the peer uses to send and receive WireGuard trafic.

This may be left undefined if a peer has a dynamic address or is behind NAT, so long as that peer has a port defined pointing to this instance. One side of the peer relationship may have an undefined port, but not both.

public-key base64 <key>

The public key for this peer. WireGuard will encrypt traffic destined for this peer using this public key. This key, along with the allowed prefixes list, allow WireGuard to internally route traffic to specific peers.

route-table <table-name>

An alternate routing table to use for this peer.

WireGuard Peer Example

r1 tnsr(config-wireguard)# peer 1
r1 tnsr(config-wireguard-peer)# description R2
r1 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.25
r1 tnsr(config-wireguard-peer)# port 51820
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.2/32
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.25.0.0/24
r1 tnsr(config-wireguard-peer)# public-key base64 kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
r1 tnsr(config-wireguard-peer)# exit
r1 tnsr(config-wireguard)# exit