WireGuard on Turris

Now more than ever, people connect and work remotely. Everybody uses some kind of VPN, at least in the tech world. The new, trendy and cool way of doing VPNs is WireGuard. Everybody speaks about it and since March it is finally a part of the Linux kernel. Its advantages are that it is set up in a more straightforward way than the alternatives and that it is blazingly fast.

If you want to be able to connect to your home network while travelling and you have a Turris router and a public IP, the well-integrated solution is OpenVPN. We chose this one because it has been around for a while, everybody knows it, and although setting it up is quite complicated, a skilled admin can make client setup really easy. That is what we did in Foris: we took away all the burden of setting up the server and we provide a client configuration file that contains everything the client needs. All you need to do is to load this file into the client and you are good to go. Everything is taken care of by the server configured via Foris.

With WireGuard, the situation is a little different. Setting up the server is much easier. On the other hand, as it is so simple and new, there is no single easy way to set up your client. And quite a lot has to be configured on the client as well: you can’t push everything directly from the server as in the case of OpenVPN. This is one of the reasons it is not yet in Foris. It is easy to set up even without Foris, but client configuration will be harder regardless of the server setup. What are the advantages? The simplicity and speed.

Let’s start with speed. I tried it on a local network, and while my wired network could do almost 800 Mbits per second (home office due to the global pandemic, and I had to use some old computers for the test), using Omnia and running a benchmark over the encrypted connection I got close to 700 Mbits per second. Which is quite amazing, I would say. And yes, I double-checked and it went through the VPN.

Regarding simplicity, let’s take a closer look at the setup of WireGuard. To set up a WireGuard tunnel, you need two commands: ip and wg. You use ip the same way as you would to create any other tunnel, bridge or interface.

ip link add dev wg0 type wireguard

Then you set up the IP addresses, routes and such. The other command, wg, is needed to set up your keys, peers and policies. It can be done either completely from the CLI, or via a simple configuration file.

In the end, you use ip to configure the interface as the system uses it, that is, to direct traffic over it, and wg to configure how to encrypt traffic and where to send it. Pretty simple and intuitive if you are used to the Linux CLI. If you are not, LuCI, the web interface in OpenWrt and in Turris OS, has an interface for it, but you would still need to enter all those details. You can read more in the official documentation.
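The ip and wg steps described above, written out as a script that takes the configuration-file route. This is an added example, not code from the original post; the interface name, addresses, port and file paths are constructed assumptions.

```shell
#!/bin/sh
# Added example. Interface name, addresses, port and file paths are constructed.

# Rough format check: a WireGuard key is 32 bytes in base64, i.e. 43 characters plus "=".
valid_key() {
    body=${1%=}
    [ "${#1}" -eq 44 ] && [ "$body" != "$1" ] || return 1
    case "$body" in *[!A-Za-z0-9+/]*) return 1 ;; esac
}

# Write a file for "wg setconf". It holds the private key, so it is created 0600.
# AllowedIPs is the per-peer policy: a /32 lets the client use one tunnel address only.
# usage: write_wg_conf FILE PRIVKEY LISTEN_PORT PEER_PUBKEY PEER_ALLOWED_IPS
write_wg_conf() {
    valid_key "$2" && valid_key "$4" || { echo "bad key format" >&2; return 1; }
    (
        umask 077
        rm -f "$1"    # replace any older copy that had looser permissions
        printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' \
            "$2" "$3" "$4" "$5" > "$1"
    )
}

# ip creates and addresses the interface, wg loads keys and peers (needs root).
# usage: wg_up IFACE ADDRESS/CIDR CONF
wg_up() {
    ip link add dev "$1" type wireguard &&
    ip address add "$2" dev "$1" &&
    wg setconf "$1" "$3" &&
    ip link set up dev "$1"
}

# Run as root: PEER_PUBKEY=<client public key> sh wg-setup.sh up
if [ "${1:-}" = "up" ]; then
    umask 077
    [ -s /etc/wireguard/private.key ] || wg genkey > /etc/wireguard/private.key
    write_wg_conf /etc/wireguard/wg0.conf "$(cat /etc/wireguard/private.key)" 51820 \
        "$PEER_PUBKEY" 10.9.0.2/32 &&
    wg_up wg0 10.9.0.1/24 /etc/wireguard/wg0.conf
fi
```

The client needs the mirror image of this file: its own private key, the server's public key, and an Endpoint line pointing at the router's public IP and port.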

Is WireGuard the right solution for you? I think WireGuard currently requires some skills even on the client's side, so it is not suitable for an average Joe yet. But it can provide a more flexible solution with amazing speeds. It is really useful, for example, for connecting branch offices and similar setups where you expect to have an admin setting it up even on the client's side. On the other hand, OpenVPN client setup can be done by anybody and we have Foris to handle the server configuration. A great combination for home users and for a few travelling or quarantined employees.
