vr_wg
WireGuard is a simple and lightweight VPN. WireGuard allows you to connect to OpenNebula virtual networks through an untrusted network. WireGuard relies on cryptographic keys to create secure tunnels between peers. When the WireGuard module is enabled, the Virtual Router manages these keys and the configuration of all peers involved.
In this guide we'll refer to the following concepts:
- Peer. Devices linked via point-to-point VPN tunnels. Peers include both the virtual router and the clients aiming to join the OpenNebula private network.
- Public network. Represents the external, untrusted network interconnecting the peers.
- Private network. This is the OpenNebula virtual network you want to connect to.
- Peer network. In addition to public network IP addresses, peers use special IP addresses to communicate through the VPN tunnels. The peer network refers to this address space.
Important
The Peer network operates internally within WireGuard and does not require the creation of an associated OpenNebula virtual network or NIC.
The following figure depicts the basic LAN topology assumed by the module:

```
┌────┐   ┌────┐        ┌─ ── ── ── ── ── ─┐
│Peer│   │Peer│        │  Peer subnet     │
└─┬──┘   └──┬─┘        │ 169.254.33.0/24  │
  │         │          └─ ── ── ── ── ── ─┘
  └────┬────┘          ┌──────────────┐
       │               │public network│
    ┌──┴─┐             └──────────────┘
┌───┤eth0├───┐
│   └────┘   │
│  Virtual   │
│  Router    │
│   ┌────┐   │
└───┤eth1├───┘
    └──┬─┘
       │
  ┌────┴────┐          ┌────────────────┐
  │         │          │private network │
┌─┴──┐   ┌──┴─┐        │ 192.168.1.0/24 │
│ VM │   │ VM │        └────────────────┘
└────┘   └────┘
```
The simplest way to enable the WireGuard module is to include the following attributes in the CONTEXT section of the associated VM template:

```
CONTEXT = [
  ...
  ONEAPP_VNF_WG_ENABLED = "YES",
  ONEAPP_VNF_WG_INTERFACE_OUT = "eth0",
  ONEAPP_VNF_WG_INTERFACE_IN = "eth1",
  ...
]
```
Simply specify the interfaces connected to the public network (ONEAPP_VNF_WG_INTERFACE_OUT) and the private network (ONEAPP_VNF_WG_INTERFACE_IN).
Once the virtual router is running you can retrieve each peer configuration from the associated VM template. The configuration is stored as ONEGATE_VNF_WG_PEER<number>, such as ONEGATE_VNF_WG_PEER0 for the first peer.
Note
By default the virtual router will configure 5 peers, ranging from ONEGATE_VNF_WG_PEER0 to ONEGATE_VNF_WG_PEER4.
For example, suppose we have the following router:

```
$ onevm list
  ID USER     GROUP    NAME                 STAT CPU     MEM HOST         TIME
  ...
  27 oneadmin oneadmin vrouter_base_service runn 0.1   1024M alma9-kvm-3  0d 00h41
```

You can get the configuration with:

```
$ onevm show -j 27 | jq -r '.VM.USER_TEMPLATE.ONEGATE_VNF_WG_PEER1|@base64d' > wg0.conf
$ cat wg0.conf
[Interface]
Address = 169.254.33.3/24
PrivateKey = SGRNU+K6IojzpAVK/PoVTgtR88EskRnLyyTbkBnPbFg=
[Peer]
Endpoint = 192.168.150.100:51820
PublicKey = JhxZynn2cJSfqOO92f3aQvqBR6ksDN1Td9CA6jVd/G4=
PresharedKey = bE+zJ2AYzdjMv085O82eOB1Gn82wBxtlcUDy7JY5T0Q=
AllowedIPs = 192.168.101.0/24
```
Important
The configuration is published through the OneGate service. It needs to be up and running in order to get the configuration files.
This file can be shared with the peer so that they can establish the VPN tunnel by executing wg-quick up wg0.conf.
Note
The AllowedIPs parameter corresponds to the network address of the OpenNebula virtual network. It is recommended to set the NETWORK_MASK attribute for all networks.
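As an added example (not part of the module's own code), the following Python reproduces the retrieval step above on a constructed `onevm show -j` document, parses the decoded wg-quick file, checks that the keys are well formed and that AllowedIPs matches the private network as the note above describes, and writes the file owner-readable only because it carries the peer's private key. The constructed JSON, the all-zero sample key and the function names are assumptions, not OpenNebula output.

```python
import base64
import ipaddress
import json
import os

# Constructed sample: 32 zero bytes encoded like a real WireGuard key.
KEY = base64.b64encode(bytes(32)).decode()
PEER1_CONF = ("[Interface]\nAddress = 169.254.33.3/24\nPrivateKey = %s\n\n[Peer]\n"
              "Endpoint = 192.168.150.100:51820\nPublicKey = %s\nPresharedKey = %s\n"
              "AllowedIPs = 192.168.101.0/24\n") % (KEY, KEY, KEY)
# Constructed stand-in for `onevm show -j 27` output, only the attributes used here.
VM_JSON = json.dumps({"VM": {"ID": "27", "USER_TEMPLATE": {
    "ONEAPP_VNF_WG_ENABLED": "YES",
    "ONEGATE_VNF_WG_PEER1": base64.b64encode(PEER1_CONF.encode()).decode()}}})

def decode_peer(vm_json, n):
    """What the jq '@base64d' one-liner does: ONEGATE_VNF_WG_PEER<n> as text."""
    tpl = json.loads(vm_json)["VM"]["USER_TEMPLATE"]
    return base64.b64decode(tpl["ONEGATE_VNF_WG_PEER%d" % n]).decode()

def parse_conf(text):
    """Parse the wg-quick INI-style file into {section: {key: value}}."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf

def check_conf(conf, private_net):
    """Checks to run before handing the file to a peer; returns the problems found."""
    problems = []
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey"), ("Peer", "PresharedKey")):
        if len(base64.b64decode(conf.get(section, {}).get(key, ""))) != 32:
            problems.append("%s.%s is not a 32-byte key" % (section, key))  # WG keys are 32 bytes
    allowed = conf.get("Peer", {}).get("AllowedIPs", "0.0.0.0/0")
    if ipaddress.ip_network(allowed) != ipaddress.ip_network(private_net):
        problems.append("AllowedIPs %s is not the private network %s" % (allowed, private_net))
    return problems

def write_conf(text, path):
    """Create the file owner-readable only (0600): it holds the peer's private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return os.stat(path).st_mode & 0o777
```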
All the WireGuard configuration files are stored (base64 encoded) in the VM template. When you are running a virtual router with multiple instances, this information is stored on all instances. In particular you'll find:
- ONEGATE_VNF_WG_SERVER: the configuration file for the WireGuard server running in the virtual router.
- ONEGATE_VNF_WG_PEER0, ONEGATE_VNF_WG_PEER1, ...: the configuration file for each peer.
Important
The configuration files include the server and client private keys. These values are protected with the standard access control mechanisms of OpenNebula. You may consider including them as part of the encrypted attributes to further protect them.
All module configuration attributes are set from the virtual router definition; you can override default settings by defining them in the context section of the associated VM template.
| Parameter Name | Default Value | Description |
|---|---|---|
| ONEAPP_VNF_WG_ENABLED | "NO" | Enables the service. |
| ONEAPP_VNF_WG_INTERFACE_OUT | - | The NIC to connect peers; its IP will be the service endpoint (MANDATORY). |
| ONEAPP_VNF_WG_INTERFACE_IN | - | The NIC to connect to the private network (MANDATORY). |
| ONEAPP_VNF_WG_LISTEN_PORT | 51820 | Listen port number, defaults to 51820. |
| ONEAPP_VNF_WG_DEVICE | wg0 | WG device name, defaults to wg0. |
| ONEAPP_VNF_WG_PEERS | 5 | Number of peers; for each one it will generate a peer configuration and associated keys. |
| ONEAPP_VNF_WG_SUBNET | 169.254.33.0/24 | Subnet used to interconnect WG peers; these addresses should not be part of an OpenNebula virtual network. |