WireGuard Manual

1. Introduction

Please note that the WireGuard feature, being in beta, requires explicit activation by AXS Guard personnel before it can be configured using the following instructions.

WireGuard is a modern, fast, and secure VPN protocol designed to be simple and efficient. Its state-of-the-art cryptography and Linux kernel integration make it an ideal choice for high-performance, site-to-site connections. This document is intended for system administrators and focuses exclusively on site-to-site VPN setups, enabling secure communications between multiple networks.

The instructions provided in this document are based on the diagram shown below, representing a basic site-to-site VPN setup. It serves as a foundational example to help you get up and running quickly. If your environment has stricter security needs or more complex requirements, be sure to review the security recommendations and adjust your configuration as needed.

2. Feature Activation

1. Log in to your AXS Guard appliance.

2. Go to System > Feature Activation > VPN.

3. Enable the WireGuard feature.

   

3. Configuration

3.1 Create Tunnel Interface

1. Log in to the AXS Guard appliance (HQ).
2. Navigate to VPN > WireGuard > Interfaces and click the + button.
3. Enter the required information (refer to the context-sensitive help for details). Use the interface address as shown in our example: 10.0.0.0/32.
4. Save the configuration.

5. Repeat steps 1-4 on the remote appliance (Satellite Office), using the interface address 10.0.0.1/32 as shown in our example.

   

3.2 Peer Configuration

1. Navigate to VPN > WireGuard > Peers on the HQ side.
2. Click the + button to configure a new peer.
3. Enter the required information (refer to the context-sensitive help and our example for details).
4. Copy and paste the public key from the remote tunnel interface.
5. Save your configuration.

6. Repeat steps 1-5 on the remote appliance (Satellite Office).

   

4. Firewall & Network Setup

4.1 Policies

You'll need to configure each endpoint to allow WireGuard traffic between the peers (see example). We'll start with HQ. Repeat the following steps on each endpoint:

1. Navigate to Firewall > Rules > Towards.

2. Add a new rule to allow WireGuard traffic over the Internet, as shown in the example below:

   

3. Navigate to Firewall > Policies > Static.

4. Edit the stat-int policy and add the rule created in step 2.

5. Save your configuration.

   

6. Repeat steps 1-5 on the remote appliance (Satellite Office).

Next, you must allow traffic through the WireGuard tunnel for the configured networks (see example). We'll start with HQ. Repeat the following steps on each endpoint:

1. Navigate to Firewall > Rules > Through.

2. Add a new rule as shown in the example below:

   

3. Navigate to Firewall > Policies > Static.

4. Create a new static firewall policy for WireGuard, e.g. stat-wg.

5. Assign the rule created in step 2 and save your configuration.

   

6. Repeat steps 1-5 on the remote appliance for networks 10.0.0.0/31 and 192.168.250.0/24 (Satellite Office).

4.2 Routing

To facilitate communication between allowed networks (IP ranges) across a WireGuard tunnel, static routing entries are essential. Each WireGuard endpoint must be configured with static routes that direct traffic intended for the peer's allowed IPs through the WireGuard tunnel interface. We'll start with HQ.

1. Navigate to Network > Routing.

2. Add a new route for the WireGuard tunnel devices:

   

3. Add a new route for the peer's allowed IPs (see example).

   

4. Repeat steps 1-3 on the remote appliance for networks 10.0.0.0/31 and 192.168.250.0/24 (Satellite Office).

5. Status & Controls

5.1 Peer Status

1. Log in to your AXS Guard appliance.

2. Navigate to VPN > WireGuard > Status to verify the status:

   

5.2 Restart WireGuard

1. Navigate to VPN > WireGuard > Peers.

2. To disable and re-enable the tunnel, toggle the Enabled flag.

   

5.3 Logging

WireGuard logs provide valuable insights into the operational status and behavior of the WireGuard tunnel interface. These logs reveals key information regarding peer connectivity, handshake processes, and keepalive mechanisms.

1. Navigate to VPN > WireGuard > Logs.

2. Click on the appropriate date to view the log entries.

   

Key log entries can be categorized into several areas:

Keepalive Packets: These entries, such as Receiving keepalive packet from peer [peer_ID] ([IP_address:port]), confirm the ongoing communication between peers. These packets are essential for connection maintenance and peer liveness detection. The repeated [n] times notation indicates potential network anomalies like jitter or packet loss.

Handshake Events: Log entries indicating Sending handshake initiation to peer [peer_ID] and Receiving handshake response from peer [peer_ID] detail the periodic cryptographic key renegotiation. Keypair [keypair_ID] destroyed for peer [peer_ID] and Keypair [keypair_ID] created for peer [peer_ID] logs confirm the successful key rotation, which is vital for tunnel security.

Peer State Changes: Log messages like Peer [peer_ID] destroyed and Peer [peer_ID] created reflect changes in the configured peers. These entries document the removal and addition of peers, respectively.

6. Security Recommendations

6.1 Pre-Shared Keys

Adding a Pre-Shared Key (PSK) provides an extra layer of cryptographic security by combining symmetric-key encryption with the existing public-key-based key exchange. The PSK should be 256 bits (32 bytes) in length and Base64-encoded. You can generate a 256-bit PSK using standard Linux tools like openssl, e.g.

$ openssl rand -base64 32

6.2 Firewall Rules

Implement strict firewall rules to control traffic passing through the WireGuard interface. Specify source and destination addresses, allowed protocols, and ports. As WireGuard permits bidirectional communication by default, it's essential to define rules that explicitly manage network traffic direction to prevent unintended access.

6.3 Allowed IPs

Carefully configure the Allowed IPs setting in your WireGuard configuration. Only allow the necessary IP ranges to pass through the tunnel. This principle of least privilege is very important.

6.4 Updates

Maintain up-to-date WireGuard software and operating systems to patch any known security vulnerabilities.