I have been struggling to get Torguard’s OpenVPN to work with my VyOS. Fortunately, Torguard supports WireGuard. WireGuard is probably the easiest VPN to set up. If you are using Torguard as your VPN provider, you are in luck: WireGuard is probably the best option. This post shows how to connect VyOS to Torguard’s WireGuard server(s).
I just want to say that WireGuard has its benefits versus the default, OpenVPN.
Pros of WireGuard
- Better throughput than OpenVPN
- Easier to configure
- Easier to audit: the implementation is under 4,000 lines of code
- Fixed, modern cryptography (a Noise-framework handshake with Curve25519, ChaCha20-Poly1305 and BLAKE2s), so there is no cipher negotiation to misconfigure
Cons of WireGuard
- No user authentication beyond static public keys, so no LDAP (or any other directory or password) integration
Torguard’s WireGuard is not enabled by default. To enable it, log in to your Torguard account and navigate to Servers > WireGuard Network as shown in Figure 1.
Once you get to Torguard’s WireGuard Network page, you have to choose which server you will be using. Select one by clicking the blue Enable WireGuard button. Once it is enabled, you will be presented with the information you need, namely the private key and the WireGuard IP address, as shown in Figure 2. Treat the private key as a credential: anyone who has it can bring up the tunnel as you, so it should live only on the router. Make sure you jot down the following:
- Your Private Key
- Server Public key
- Your Address
- VPN Server (2nd column)
Now that we have the WireGuard information we need, it is time to SSH into our VyOS router/firewall.
Create Torguard’s WireGuard private.key and place it under /config/auth/wireguard/. Note that the directory name (torguard) is what the interface configuration later refers to as the private-key name.

```sh
# Make a directory for Torguard
mkdir -p /config/auth/wireguard/torguard
# Create a file called private.key
touch /config/auth/wireguard/torguard/private.key
# Set the private.key permission first: owner-only, because anyone who can
# read this file can impersonate this client to Torguard
chmod 600 /config/auth/wireguard/torguard/private.key
# Enter the WireGuard private key provided by Torguard into private.key
# (overwrite rather than append, so a second paste cannot leave two keys in
# the file; echo also records the key in your shell history, so
# `cat > private.key`, paste, Ctrl-D is the quieter alternative)
echo "<paste-private-key>" > /config/auth/wireguard/torguard/private.key
```
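Before committing, it is worth checking that what landed in private.key really is a single WireGuard key and that the file is not readable by other accounts. The shell functions below are an added example for this post, not VyOS or Torguard tooling; they assume a Linux userland with coreutils (base64, stat, tr, wc), which VyOS ships, and the key constant in the block is a constructed placeholder (the base64 of bytes 0x00 to 0x1f), not a real key.

```sh
#!/bin/sh
# Added example for this post (not VyOS or Torguard tooling): sanity-check a
# WireGuard private key file before committing the interface that uses it.
# Assumes Linux coreutils (base64, stat, tr, wc), which VyOS ships.

# Constructed placeholder for demonstration: the base64 of bytes 0x00..0x1f.
# It has the right shape (44 characters, 32 bytes) but is not a real key.
EXAMPLE_KEY='AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8='

# Return 0 if $1 has the shape of a WireGuard key: 44 base64 characters that
# decode to exactly 32 bytes (a Curve25519 key). A key pasted with a stray
# space, a missing '=' or a truncated line fails here instead of at commit time.
wg_key_valid() {
  key=$1
  [ "${#key}" -eq 44 ] || return 1
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
  [ "$n" -eq 32 ]
}

# Return 0 if the file in $1 holds exactly one valid key and has no group or
# other permission bits (mode 600 or 400). Prints the reason on failure.
wg_key_file_ok() {
  f=$1
  [ -f "$f" ] || { echo "$f: no such file"; return 1; }
  mode=$(stat -c %a "$f")
  case $mode in
    600|400) ;;
    *) echo "$f: mode $mode is readable by other accounts, expected 600"; return 1 ;;
  esac
  # Drop the trailing newline that echo adds; anything else left over (a CR
  # from a Windows paste, a second line, a space) makes the key check fail.
  key=$(tr -d '\n' < "$f")
  wg_key_valid "$key" || {
    echo "$f: contents are not a single 44-character base64 key (stray whitespace or CRLF?)"
    return 1
  }
}

# Usage on the router:
#   sh check_wg_key.sh /config/auth/wireguard/torguard/private.key
if [ "$#" -ge 1 ]; then
  wg_key_file_ok "$1" && echo "$1: ok"
fi
```

The length check runs before base64 so that obviously wrong input (two keys concatenated, a key with a trailing space) is rejected without depending on how strictly the local base64 implementation handles malformed padding.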
Once the private key is in place, configure the VyOS WireGuard interface for Torguard. The snippet below is the working Torguard WireGuard configuration, first as the structured `show` output and then as the equivalent `set` commands. The private-key value names the keypair directory created above (/config/auth/wireguard/torguard/). Note that allowed-ips 0.0.0.0/0 is WireGuard’s cryptokey routing filter (which source addresses are accepted from this peer, and which destinations may be sent to it); it does not install a default route by itself, so traffic only flows through the tunnel once routing points it at wg1000.

```
# Structured format
show interfaces wireguard wg1000
 address 10.29.0.107/24
 description "torguard wireguard gateway"
 peer torguard {
     address 178.62.238.70
     allowed-ips 0.0.0.0/0
     persistent-keepalive 25
     port 443
     pubkey <torguard-server-public-key>
 }
 port 51820
 private-key torguard
```

```
# set format (run from configure mode)
set interfaces wireguard wg1000 address '10.29.0.107/24'
set interfaces wireguard wg1000 description 'torguard wireguard gateway'
set interfaces wireguard wg1000 peer torguard address '178.62.238.70'
set interfaces wireguard wg1000 peer torguard allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1000 peer torguard persistent-keepalive '25'
set interfaces wireguard wg1000 peer torguard port '443'
set interfaces wireguard wg1000 peer torguard pubkey '<torguard-server-public-key>'
set interfaces wireguard wg1000 port '51820'
set interfaces wireguard wg1000 private-key 'torguard'
commit
save
```
If commit fails with the error below, another WireGuard interface is probably already listening on the same local port (51820). The conflict is on the local listen port, not on the peer port 443, which is assigned by Torguard and cannot be changed. Since this side initiates the tunnel and keeps it open with persistent-keepalive, it does not need a fixed listen port at all: delete it and the kernel will pick a free one.

```
RTNETLINK answers: Address already in use
```

Remove the port from Torguard’s WireGuard interface, then commit again:

```
delete interfaces wireguard wg1000 port 51820
commit
```
At this point, the WireGuard interface should already be connected to Torguard. The tunnel can be verified with the show interfaces wireguard command. You will know the tunnel is up by looking under the peer section: it should show status: active, a latest handshake that is at most a few minutes old, and a received counter that grows. If the tunnel is down, the status line is not shown at all. Do not rely on the sent counter alone: the initiator keeps sending handshake attempts whether or not the server ever answers.

```
show interfaces wireguard <wireguard-interface>
```

Sample output of show interfaces wireguard (the listening port is the random one the kernel chose after the fixed port was removed):

```
karlo@fwvyos:~$ show interfaces wireguard wg1000
interface: wg1000
  description: torguard wireguard gateway
  address: 10.29.0.107/24
  public key: <my-public-key>
  private key: (hidden)
  listening port: 40684

  peer: torguard
    public key: ZBvdkjaT6t2h3k/MQjLDgqM/F1JfOB5Vgm3mLkySUhY=
    latest handshake: 0:00:41
    status: active
    endpoint: 178.62.238.70:443
    allowed ips: 0.0.0.0/0
    transfer: 4 KB received, 16 KB sent
    persistent keepalive: every 25 seconds

    RX:  bytes  packets  errors  dropped  overrun  mcast
          4600       50       0        0        0      0
    TX:  bytes  packets  errors  dropped  carrier  collisions
         16872      346       0        0        0           0
karlo@fwvyos:~$
```
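The show output above tells you at a glance whether the tunnel is up; for a check you can script (from cron, or right after a commit), the function below reads the tab-separated `wg show <iface> dump` output from wireguard-tools and flags every peer whose last handshake is older than a threshold. It is an added example for this post, not VyOS or Torguard code; it assumes wg is reachable via sudo on the router and awk is available, and the embedded dump is a constructed sample with placeholder keys (only the Torguard server public key and counters are taken from the output above).

```sh
#!/bin/sh
# Added example for this post (not VyOS or Torguard tooling): decide whether a
# WireGuard tunnel is really up from the machine-readable `wg show <iface> dump`
# output. Run on the router as:  sh wg_health.sh wg1000
# Assumes sudo access to wg (wireguard-tools) and a POSIX awk.

# Constructed sample in dump format: a tab-separated interface line
# (private_key public_key listen_port fwmark) followed by one line per peer
# (public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive).
# Keys are placeholders except the Torguard server key shown in the post.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(
  printf 'PRIVATE_KEY_HIDDEN=\tLOCAL_PUBKEY_PLACEHOLDER=\t40684\toff\n'
  printf 'ZBvdkjaT6t2h3k/MQjLDgqM/F1JfOB5Vgm3mLkySUhY=\t(none)\t178.62.238.70:443\t0.0.0.0/0\t%s\t4600\t16872\t25\n' \
    "$((SAMPLE_NOW - 41))"
  printf 'STALE_PEER_PLACEHOLDER=\t(none)\t203.0.113.7:51820\t10.0.0.0/8\t%s\t0\t9000\t25\n' \
    "$((SAMPLE_NOW - 3600))"
  printf 'NEVER_PEER_PLACEHOLDER=\t(none)\t(none)\t10.1.0.0/16\t0\t0\t0\t0\n'
)

# Print one line per peer whose last handshake is older than $3 seconds
# (default 180: with a 25 s keepalive a live tunnel re-handshakes roughly every
# two minutes) or that has never completed one. $1 is the dump text and $2 the
# current epoch time. Returns 0 only when every peer is fresh. The tx counter
# is deliberately ignored: handshake attempts are sent whether or not the
# server answers, so only a recent handshake proves the peer is reachable.
wg_stale_peers() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="${3:-180}" '
    NR == 1 { next }                  # interface line carries no handshake
    $5 == 0 { printf "%s endpoint=%s handshake=never\n", $1, $3; n++; next }
    now - $5 > max { printf "%s endpoint=%s handshake_age=%ds\n", $1, $3, now - $5; n++ }
    END { exit n ? 1 : 0 }'
}

if [ "$#" -ge 1 ]; then
  dump=$(sudo wg show "$1" dump)
  if wg_stale_peers "$dump" "$(date +%s)"; then
    echo "$1: all peers handshaked within the last 180 s"
  else
    echo "$1: tunnel is down or stale (see above)" >&2
    exit 1
  fi
fi
```

Run against the sample, the Torguard peer (handshake 41 s ago) passes while the other two are reported; on the router the same function gives you an exit status you can alert on.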
If you are running VyOS as a firewall, you will also need to allow the traffic through the tunnel. That is going to be next week’s post.
Cheers!