wireguard ^#6

By pirate-charmers
stable

Supports: bionic xenial

Add to new model

Description

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

Series:
bionic ›
xenial ›

Tags:
misc ›

Overview

This charm provides WireGuard. WireGuard describes itself as an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Usage

This charm is in initial development and is not feature complete.

To deploy:

juju deploy cs:~pirate-charmers/wireguard

By default the charm sets up as a server, enabling routing of traffic. The device for the routing traffic defaults to eth0 and can be set with the configuration option 'forward-dev'.

The private address is set with the configuration option 'address' and must be unique. If two servers are deployed as peers one must have the address changed.

Peers are configured with the configuration option 'peers' and expects a base64 encoded string of a yaml configuration. To supply this in a bundle use the include-base64:// parameter to include the yaml file. To supply this via command line for a peers.yaml in the current directory: juju config wireguard peers="$(base64 ./peers.yaml)"

Known Limitations and Issues

This charm is under development, several other use cases/features are still under consideration. Merge requests are appreciated, some examples of current limitations include.

No wireguard relation for automatic configuration of two peers
Routing is either on or off, no option to limit or blacklist routes on the server
Functional testing is minimal

Contact Information

Upstream Project Information

Code: https://github.com/chris-sanders/layer-wireguard
Bug tracking: https://github.com/chris-sanders/layer-wireguard/issues
Contact information: sanders.chris@gmail.com

Configuration

address: (string) Interface address; 10.10.10.1/24
forward-dev: (string) Device to forward packets on; eth0
forward-ip: (boolean) Forward packets for clients; True
listen-port: (int) UDP port to listen for peers on; 15820
peers: (string) base64 yaml file with peer options See include-base64:// Availabel options * allowedips - the allowed ip ranges for this peer * publickey - the public key * endpoint - peer ip and port X.X.X.X:PORT * persistentkeepalive - optional keep alive in seconds
private-key: (string) Specify rather than generating a private key, base64 encoded
proxy-via-hostname: (boolean) If true use fqdn with the reverse proxy, else use ip address