howto/wireguard.md
... ...
@@ -5,4 +5,61 @@ To quote the [homepage](https://www.wireguard.io/):
5 5
# Example configuration for dn42
6 6
7 7
Wireguard is a Layer3 VPN. In theory it allows multiple peers to be served with one interface/port, but it does internal routing based on the public key of the peers. This means you will need one interface per peering on dn42
8
-to allow your BGP deamon instead to do routing. This approach is comparable to [openvpn p2p](/howto/openvpn)
... ...
\ No newline at end of file
0
+to allow your BGP deamon instead to do routing. This approach is comparable to [openvpn p2p tunnels](/howto/openvpn).
1
+
2
+First generate on each peer public and private keys.
3
+
4
+```
5
+$ wg genkey | tee privatekey | wg pubkey > publickey
6
+```
7
+
8
+## Configuration
9
+
10
+```
11
+# tunnel.conf
12
+[Interface]
13
+PrivateKey = <private_key>
14
+ListenPort = <YOUR_LOCAL_UDP_PORT>
15
+
16
+[Peer]
17
+PublicKey = <public_key_of_your_peer>
18
+# at least one peer needs to provide this one
19
+Endpoint = <end_post_hostname_or_ip:port>
20
+# in theory this could be restricted to dn42 networks,
21
+# however it is easier to do this with iptables/bgp filters/routing table
22
+# instead just like for openvpn-based peerings
23
+AllowedIPs = 0.0.0.0/0,::/0
24
+```
25
+
26
+## Configure tunnel:
27
+
28
+Wireguard comes with its own interface type.
29
+It supports link-local addresses ipv6 and single /32 addresses for ipv4, which can be used for peering.
30
+
31
+```
32
+$ ip link add dev <interface_name> type wireguard
33
+$ wg setconf <interface_name> tunnel.conf
34
+# both side pick a different link-local ipv6 address
35
+$ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
36
+# choose the first ip from your subnet and the second one from the peer
37
+$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
38
+$ ip link set <interface_name> up
39
+```
40
+
41
+Mic92 uses this [script](https://github.com/Mic92/bird-dn42/tree/master/wireguard) to automate this
42
+
43
+## Testing
44
+
45
+```
46
+ping6 fe80::<you_peers_suffix> -I <interface_name>
47
+```
48
+
49
+or with new iputils without ping6
50
+
51
+```
52
+ping fe80::<you_peers_suffix>%<interface_name>
53
+```
54
+
55
+Afterwards configure you [BGP](/howto/Bird) as usual
56
+
57
+
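Review bot: the rationale in the first added paragraph is not quite right: WireGuard does not route on the peer's public key, it selects the peer for an outgoing packet by matching the destination against each peer's AllowedIPs (cryptokey routing), and a given prefix can belong to only one peer per interface (adding it to a second peer takes it away from the first). That, together with the `AllowedIPs = 0.0.0.0/0,::/0` used in the sample `tunnel.conf`, is the real reason one interface per dn42 peering is needed, and saying so prevents readers from trying to stack several `[Peer]` blocks with 0.0.0.0/0 on a single interface. Two further points in the same hunk. First, `wg genkey | tee privatekey | wg pubkey > publickey` creates `privatekey` under the caller's umask, so it is usually world-readable; prefix the line with `umask 077` (as the wg(8) manpage recommends), and note that `tunnel.conf` also contains the private key and should be `chmod 600` before `wg setconf`. Second, the comment above AllowedIPs should state explicitly that 0.0.0.0/0,::/0 makes WireGuard accept packets from this peer with any source address, so the iptables/BGP filtering it refers to is mandatory rather than a convenience for a dn42 peering. Minor typos in the added text: "deamon" should read "daemon", "end_post_hostname_or_ip" should read "endpoint_hostname_or_ip", "both side pick" should read "both sides pick", "you_peers_suffix" should read "your_peers_suffix", and "configure you [BGP]" should read "configure your [BGP]".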