Add wireguard support #1317
Almost full support for WireGuard
admin@server:/> show interface wg0
name : wg0
type : wireguard
index : 10
mtu : 1420
operational status : up
ipv4 addresses : 10.0.0.1/24 (static)
ipv6 addresses : fd00::1/64 (static)
peers : 2
Peer 1:
public key : ROaZyvJc5DzA2XUAAeTj2YlwDsy2w0lr3t+rWj2imAk=
status : UP
endpoint : 192.168.10.2:51821
latest handshake : 2025-12-09T22:51:38+00:00
transfer tx : 1412 bytes
transfer rx : 1324 bytes
Peer 2:
public key : Om9CPLYdK3l93GauKrq5WXo/gbcD+1CeqFpobRLLkB4=
status : UP
endpoint : 2001:db8:3c4d:20::2:51822
latest handshake : 2025-12-09T22:51:38+00:00
transfer tx : 1812 bytes
transfer rx : 428 bytes
in-octets : 1752
out-octets : 3224
admin@server:/>
troglobit
left a comment
Nice work on this, I have some initial review comments that I think are important to bring up before I even analyze the YANG model in more detail.
- The documentation deserves to be a stand-alone document and entry in mkdocs.yml. We should break up doc/networking.md as well, that's for another day, but no need to pile on to these overly long-winding documents
- The documentation needs images explaining how it works. Even though I use Wireguard myself, I'm not 100% sure how it works, and considering this is the very first VPN in Infix, it needs to be good
- How can I integrate this with the firewall? We can skip this for now, but in that case we need to create a ticket for it in the issue tracker. This could also involve creating a use-case test for it, since it's a bit more involved and could require more than two-three DUTs
As I mentioned, since this is the first VPN in Infix, maybe it would be a good idea to have an introduction to VPNs as a separate document, explaining the concepts and differences between IPsec, OpenVPN, and Wireguard. I'm sure this is something Claude could assist with.
I think I documented in the roadwarrior test-case that the intention is to include firewall (and NAT) in it, but not for now. Function first.
Agreed. I was also thinking about that test as a candidate for a full-blown use-case test.
Yup, I think the roadwarrior case will soon grow out of the wireguard test and into a use-case test.
Add support for WireGuard tunnels with a very flexible YANG model; you can configure WireGuard in many ways. An example output from operational:
admin@server:/> show interface wg0
name : wg0
type : wireguard
index : 10
mtu : 1420
operational status : up
ip forwarding : enabled
ipv4 addresses : 10.0.0.1/24 (static)
ipv6 addresses :
in-octets : 776
out-octets : 632
peers : 2
Peer 1:
public key : ROaZyvJc5DzA2XUAAeTj2YlwDsy2w0lr3t+rWj2imAk=
status : UP
endpoint : 192.168.50.2:51820
latest handshake : 2026-01-03T15:56:45+00:00
transfer tx : 252 bytes
transfer rx : 436 bytes
Peer 2:
public key : Om9CPLYdK3l93GauKrq5WXo/gbcD+1CeqFpobRLLkB4=
status : UP
endpoint : 192.168.51.2:51820
latest handshake : 2026-01-03T15:56:45+00:00
transfer tx : 380 bytes
transfer rx : 340 bytes
admin@server:/>
and from running:
admin@server:/config/> edit interface wg0
admin@server:/config/interface/wg0/> show
type wireguard;
ipv4 {
  forwarding true;
  address 10.0.0.1 {
    prefix-length 24;
  }
}
wireguard {
  listen-port 51820;
  private-key server-wg-key;
  peers roadwarriors {
    persistent-keepalive 3;
    peer client1-key {
      allowed-ips 10.0.0.2/32;
      allowed-ips 192.168.1.0/24;
    }
    peer client2-key {
      allowed-ips 10.0.0.3/32;
      allowed-ips 192.168.2.0/24;
    }
  }
}
admin@server:/config/interface/wg0/>
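As an added example, not part of this PR or the Infix code base, a small Python checker over the two kinds of output shown above: it parses the peer blocks of the running-config and flags allowed-ips that overlap between peers (WireGuard's cryptokey routing resolves an overlap by longest prefix, so part of one peer's range is routed to and accepted from the other peer, which deserves a review), and it flags peers in the operational output whose latest handshake is older than a threshold. The config and operational samples are constructed (the second peer's /25 deliberately overlaps, the public keys are placeholders) and the field layout of `show interface wg0` is assumed from the PR output.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the Infix running-config syntax shown in the PR; the
# second peer's 192.168.1.128/25 deliberately overlaps the first peer's /24.
RUNNING_CONFIG = """
peers roadwarriors {
    peer client1-key {
        allowed-ips 10.0.0.2/32;
        allowed-ips 192.168.1.0/24;
    }
    peer client2-key {
        allowed-ips 10.0.0.3/32;
        allowed-ips 192.168.1.128/25;
    }
}
"""
# Constructed, trimmed excerpt of 'show interface wg0' (layout assumed, placeholder keys).
OPER_OUTPUT = """
Peer 1:
  public key       : <peer1-pubkey>
  latest handshake : 2026-01-03T15:56:45+00:00
Peer 2:
  public key       : <peer2-pubkey>
  latest handshake : 2026-01-03T15:40:00+00:00
"""

def parse_peers(cfg):
    """Map each peer name to its allowed-ips networks (peer blocks nest no braces)."""
    peers = {}
    for m in re.finditer(r'\bpeer\s+(\S+)\s*\{([^}]*)\}', cfg):
        cidrs = re.findall(r'allowed-ips\s+(\S+);', m.group(2))
        peers[m.group(1)] = [ipaddress.ip_network(c) for c in cidrs]
    return peers

def overlapping_allowed_ips(peers):
    """Peer pairs with overlapping allowed-ips; longest-prefix match hands the overlap to one of them."""
    items = [(p, n) for p, nets in peers.items() for n in nets]
    return [(pa, pb, str(na), str(nb))
            for i, (pa, na) in enumerate(items) for pb, nb in items[i + 1:]
            if pa != pb and na.version == nb.version and na.overlaps(nb)]

def stale_peers(oper, now_iso, max_age=timedelta(minutes=5)):
    """(public key, age in seconds) for peers whose latest handshake is older than max_age."""
    now = datetime.fromisoformat(now_iso)
    pairs = re.findall(r'public key\s*:\s*(\S+).*?latest handshake\s*:\s*(\S+)', oper, re.S)
    ages = [(k, now - datetime.fromisoformat(t)) for k, t in pairs]
    return [(k, int(a.total_seconds())) for k, a in ages if a > max_age]
```

Both checks are read-only over text the CLI already prints, so they can run from a monitoring job without touching the device configuration.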