vr_wg - OpenNebula/one-apps GitHub Wiki
WireGuard is a simple and lightweight VPN. It allows you to connect to an OpenNebula virtual network through an untrusted network. WireGuard relies on cryptographic keys to create secure tunnels between peers. When the WireGuard module is enabled, the Virtual Router manages these keys and the configuration of all peers involved.
In this guide we'll refer to the following concepts:
- Peer. Devices linked via point-to-point VPN tunnels. Peers include both the virtual router and the clients aiming to join the OpenNebula private network.
- Public network. The external, untrusted network interconnecting the peers.
- Private network. The OpenNebula virtual network you want to connect to.
- Peer network. In addition to their public network IP addresses, peers use special IP addresses to communicate through the VPN tunnels. The peer network refers to this address space.
Important
The Peer network operates internally within WireGuard and does not require the creation of an associated OpenNebula virtual network or NIC.
The following figure depicts the basic LAN topology assumed by the module:

```
 +------+   +------+
 | Peer |   | Peer |        Peer subnet
 +---+--+   +--+---+        169.254.33.0/24
     |         |
 ----+---------+--------+--------------- public network
                        |
                     +--+---+
              +------| eth0 |------+
              |      +------+      |
              |                    |
              |   Virtual Router   |
              |                    |
              |      +------+      |
              +------| eth1 |------+
                     +--+---+
                        |
 ----+---------+--------+--------------- private network
     |         |                         192.168.1.0/24
  +--+--+   +--+--+
  | VM  |   | VM  |
  +-----+   +-----+
```
The simplest way to enable the WireGuard module is to include the following attributes in the CONTEXT section of the associated VM template:

```
CONTEXT = [
  ...
  ONEAPP_VNF_WG_ENABLED = "YES",
  ONEAPP_VNF_WG_INTERFACE_OUT = "eth0",
  ONEAPP_VNF_WG_INTERFACE_IN = "eth1",
  ...
]
```
Simply specify the interfaces connected to the public network (`ONEAPP_VNF_WG_INTERFACE_OUT`) and the private network (`ONEAPP_VNF_WG_INTERFACE_IN`).
Once the virtual router is running you can retrieve each peer configuration from the associated VM template. The configuration is stored as `ONEAPP_VNF_WG_PEER<number>`, such as `ONEAPP_VNF_WG_PEER0` for the first peer.
Note
By default the virtual router will configure 5 peers, ranging from `ONEAPP_VNF_WG_PEER0` to `ONEAPP_VNF_WG_PEER4`.
For example, suppose we have the following router:

```
$ onevm list
  ID USER     GROUP    NAME                 STAT CPU    MEM HOST        TIME
...
  27 oneadmin oneadmin vrouter_base_service runn 0.1  1024M alma9-kvm-3 0d 00h41
```
You can get the configuration with:

```
$ onevm show -j 27 | jq -r '.VM.USER_TEMPLATE.ONEGATE_VNF_WG_PEER1|@base64d' > wg0.conf
$ cat wg0.conf
[Interface]
Address = 169.254.33.3/24
PrivateKey = SGRNU+K6IojzpAVK/PoVTgtR88EskRnLyyTbkBnPbFg=
[Peer]
Endpoint = 192.168.150.100:51820
PublicKey = JhxZynn2cJSfqOO92f3aQvqBR6ksDN1Td9CA6jVd/G4=
PresharedKey = bE+zJ2AYzdjMv085O82eOB1Gn82wBxtlcUDy7JY5T0Q=
AllowedIPs = 192.168.101.0/24
```
Important
The configuration is published through the onegate service. It needs to be up and running in order to get the configuration files.
This file can be shared with the peer so that they can establish the VPN tunnel by executing `wg-quick up wg0.conf`.
Note
The `AllowedIPs` parameter corresponds to the network address of the OpenNebula virtual network. It is recommended to set the `NETWORK_MASK` attribute for all networks.
All the WireGuard configuration files are stored (base64 encoded) in the VM template. When you are running a virtual router with multiple instances, this information is stored on all instances. In particular you'll find:
- `ONEGATE_VNF_WG_SERVER`: the configuration file for the WireGuard server running in the virtual router.
- `ONEGATE_VNF_WG_PEER0`, `ONEGATE_VNF_WG_PEER1`, ...: the configuration file for each peer.
Important
The configuration files include the server and client private keys. These values are protected by the standard access control mechanisms of OpenNebula. You may consider including them among the encrypted attributes to further protect them.
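The retrieval step above (`onevm show -j` piped through `jq` and `@base64d`) and the note that the decoded files carry private keys can be exercised together offline. The following script is an added example written for this page, not code from the one-apps project: it takes a constructed stand-in for the `onevm show -j` JSON, decodes every `ONEGATE_VNF_WG_PEER<n>` attribute, parses the wg-quick file, checks it against the topology the module assumes (peer address inside the peer subnet, `AllowedIPs` equal to the private network, endpoint on the listen port) and writes accepted files with owner-only permissions. The sample JSON, the key placeholders and the deliberately wrong address in `PEER0_CONF` are all constructed for the demonstration.

```python
import base64
import ipaddress
import json
import os
import re

# Constructed sample: two peer files in the wg-quick format shown above. Key
# values are placeholders, not real WireGuard keys. PEER0 is deliberately given
# an Address outside the peer subnet so the checker has something to report.
PEER0_CONF = """[Interface]
Address = 10.0.0.2/24
PrivateKey = <PEER0_PRIVATE_KEY_PLACEHOLDER>
[Peer]
Endpoint = 192.168.150.100:51820
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <PEER0_PRESHARED_KEY_PLACEHOLDER>
AllowedIPs = 192.168.101.0/24
"""
PEER1_CONF = PEER0_CONF.replace("10.0.0.2/24", "169.254.33.3/24").replace("PEER0", "PEER1")

# Constructed stand-in for `onevm show -j 27` output; only the keys used here are present.
SAMPLE_VM_JSON = json.dumps({"VM": {"ID": "27", "USER_TEMPLATE": {
    "ONEGATE_VNF_WG_PEER0": base64.b64encode(PEER0_CONF.encode()).decode(),
    "ONEGATE_VNF_WG_PEER1": base64.b64encode(PEER1_CONF.encode()).decode(),
}}})

PEER_ATTR = re.compile(r"^ONEGATE_VNF_WG_PEER(\d+)$")


def extract_peer_configs(vm_json: str) -> dict[int, str]:
    """Map peer number -> decoded wg-quick file, taken from the VM's USER_TEMPLATE."""
    template = json.loads(vm_json)["VM"]["USER_TEMPLATE"]
    configs = {}
    for attr, value in template.items():
        m = PEER_ATTR.match(attr)
        if m:
            configs[int(m.group(1))] = base64.b64decode(value).decode()
    return configs


def parse_wg_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the INI-like wg-quick format: {section: {key: value}}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 key material ends in '='
            sections[current][key.strip()] = value.strip()
    return sections


def check_peer_conf(conf, peer_subnet: str, private_net: str, listen_port: int) -> list[str]:
    """Return findings where the file disagrees with the expected topology (empty = OK)."""
    findings = []
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    subnet = ipaddress.ip_network(peer_subnet)
    address = iface.get("Address")
    try:
        in_subnet = address is not None and ipaddress.ip_interface(address).ip in subnet
    except ValueError:
        in_subnet = False
    if not in_subnet:
        findings.append(f"Address {address!r} is not inside the peer subnet {peer_subnet}")
    if not iface.get("PrivateKey"):
        findings.append("Interface section has no PrivateKey")
    endpoint = peer.get("Endpoint", "")
    if endpoint.rsplit(":", 1)[-1] != str(listen_port):
        findings.append(f"Endpoint {endpoint!r} does not use listen port {listen_port}")
    allowed = peer.get("AllowedIPs")
    try:
        routes_private = (allowed is not None and
                          ipaddress.ip_network(allowed) == ipaddress.ip_network(private_net))
    except ValueError:
        routes_private = False
    if not routes_private:
        findings.append(f"AllowedIPs {allowed!r} does not match the private network {private_net}")
    for key in ("PublicKey", "PresharedKey"):
        if not peer.get(key):
            findings.append(f"Peer section has no {key}")
    return findings


def write_conf_securely(path: str, text: str) -> int:
    """Write a file holding private keys with owner-only permissions; return its mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # enforce even if the file already existed with a wider mode
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    for number, text in sorted(extract_peer_configs(SAMPLE_VM_JSON).items()):
        problems = check_peer_conf(parse_wg_conf(text), "169.254.33.0/24", "192.168.101.0/24", 51820)
        print(f"peer {number}: {'OK' if not problems else problems}")
        if not problems:
            write_conf_securely(f"wg-peer{number}.conf", text)
```

Run against real output, replace `SAMPLE_VM_JSON` with the text of `onevm show -j <id>`; the checker is only as good as the subnet and private-network values you pass it, so take them from the router's `ONEAPP_VNF_WG_SUBNET` and the virtual network's address rather than guessing.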
All module configuration attributes are set from the virtual router definition; you can override the default settings by defining them in the CONTEXT section of the associated VM template. The available attributes are:
| Parameter Name | Default Value | Description |
|---|---|---|
| ONEAPP_VNF_WG_ENABLED | "NO" | Enables the service. |
| ONEAPP_VNF_WG_INTERFACE_OUT | - | The NIC that peers connect to; its IP will be the service endpoint (MANDATORY). |
| ONEAPP_VNF_WG_INTERFACE_IN | - | The NIC connected to the private network (MANDATORY). |
| ONEAPP_VNF_WG_LISTEN_PORT | 51820 | Listen port number. |
| ONEAPP_VNF_WG_DEVICE | wg0 | WireGuard device name. |
| ONEAPP_VNF_WG_PEERS | 5 | Number of peers; a peer configuration and associated keys are generated for each one. |
| ONEAPP_VNF_WG_SUBNET | 169.254.33.0/24 | Subnet used to interconnect WireGuard peers; these addresses must not be part of an OpenNebula virtual network. |
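The table's defaults, its two mandatory attributes and the requirement that the peer subnet stay out of any OpenNebula virtual network can be checked before the router is instantiated. The script below is an added example for this page, not tooling from the one-apps project: it parses a constructed `CONTEXT = [ ... ]` fragment of the form shown earlier, overlays it on the defaults from the table, and reports the configuration mistakes a practitioner would want caught early (same NIC for both sides, port out of range, more peers than the subnet can hold, peer subnet overlapping a private network). The one-address-per-peer sizing rule is an assumption of the example, not something the table states.

```python
import ipaddress
import re

# Constructed VM template fragment in the same CONTEXT = [ ... ] form as above.
SAMPLE_TEMPLATE = """
CONTEXT = [
  NETWORK = "YES",
  ONEAPP_VNF_WG_ENABLED = "YES",
  ONEAPP_VNF_WG_INTERFACE_OUT = "eth0",
  ONEAPP_VNF_WG_INTERFACE_IN = "eth1",
  ONEAPP_VNF_WG_PEERS = "3" ]
"""

# Defaults as listed in the table above.
WG_DEFAULTS = {
    "ONEAPP_VNF_WG_ENABLED": "NO",
    "ONEAPP_VNF_WG_LISTEN_PORT": "51820",
    "ONEAPP_VNF_WG_DEVICE": "wg0",
    "ONEAPP_VNF_WG_PEERS": "5",
    "ONEAPP_VNF_WG_SUBNET": "169.254.33.0/24",
}
MANDATORY = ("ONEAPP_VNF_WG_INTERFACE_OUT", "ONEAPP_VNF_WG_INTERFACE_IN")


def parse_context(template: str) -> dict[str, str]:
    """Return the KEY = "value" pairs found inside the CONTEXT = [ ... ] section."""
    m = re.search(r"CONTEXT\s*=\s*\[(.*?)\]", template, re.S)
    if m is None:
        raise ValueError("no CONTEXT section found")
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))


def effective_wg_settings(context: dict[str, str]) -> dict[str, str]:
    """Overlay the CONTEXT values on the module defaults; fail on missing mandatory NICs."""
    overrides = {k: v for k, v in context.items() if k.startswith("ONEAPP_VNF_WG_")}
    settings = {**WG_DEFAULTS, **overrides}
    if settings["ONEAPP_VNF_WG_ENABLED"].upper() == "YES":
        missing = [k for k in MANDATORY if not settings.get(k)]
        if missing:
            raise ValueError(f"WireGuard enabled but mandatory attributes missing: {missing}")
    return settings


def check_wg_settings(settings: dict[str, str], private_networks: list[str]) -> list[str]:
    """Sanity checks on the effective settings; an empty list means nothing was found."""
    findings = []
    nic_out = settings.get("ONEAPP_VNF_WG_INTERFACE_OUT")
    nic_in = settings.get("ONEAPP_VNF_WG_INTERFACE_IN")
    if nic_out and nic_out == nic_in:
        findings.append("INTERFACE_OUT and INTERFACE_IN must be different NICs")
    port = int(settings["ONEAPP_VNF_WG_LISTEN_PORT"])
    if not 1 <= port <= 65535:
        findings.append(f"listen port {port} is out of range")
    subnet = ipaddress.ip_network(settings["ONEAPP_VNF_WG_SUBNET"])
    peers = int(settings["ONEAPP_VNF_WG_PEERS"])
    # Assumption of this example: each peer consumes one usable host address in the subnet.
    if peers < 1 or peers > subnet.num_addresses - 2:
        findings.append(f"{peers} peers do not fit in the peer subnet {subnet}")
    # The peer subnet must not be part of any OpenNebula virtual network (table above).
    for net in private_networks:
        if subnet.overlaps(ipaddress.ip_network(net)):
            findings.append(f"peer subnet {subnet} overlaps private network {net}")
    return findings


if __name__ == "__main__":
    settings = effective_wg_settings(parse_context(SAMPLE_TEMPLATE))
    for key, value in sorted(settings.items()):
        print(f"{key} = {value}")
    print("findings:", check_wg_settings(settings, ["192.168.1.0/24"]))
```

Pass every address range the router serves on `ONEAPP_VNF_WG_INTERFACE_IN` in `private_networks`; the overlap check is the one most likely to be missed when the default `169.254.33.0/24` is changed to a range that is already routed.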