VyOS and Torguard

vyos torguard feature image

I have been struggling trying to get the Torguard’s OpenVPN to work with my VyOS. Fortunately, Torguard supports WireGuard. WireGuard is probably the easiest VPN to setup. If you are using Torguard as your VPN provider, you are in luck. WireGuard is probably the best option. This post is how to connect VyOS to Torguard’s WireGuard server(s).

I just want to say that WireGuard has its benefits versus the default OpenVPN.

Pros of WireGuard

  • Has better throughput than OpenVPN
  • Easier to configure
  • Easier to audit due to less than 4000 lines of code
  • Very secure

Cons of Wireguard

  • Does not support LDAP

torguard’s Wireguard is not enabled by default, to enable Wireguard, login to your Torguard account and navigate to Servers > WireGuard Network as shown in Figure 1.

Figure 1

Once you get to the Torguard’s WireGuard Network page, you will have to choose which server you will be using. Select one by clicking on the blue button Enable WireGuard. Once it is enabled, you will be presented by the information you will need which are private.key and WireGuard’s IP address as shown in Figure 2. Make sure you jot down the following:

  • Your Private Key
  • Server Public key
  • Your Address
  • VPN Server (2nd column)
Figure 2

Now that we have the WireGuard information we need. It is time to SSH-in to our VyOS router/firewall.

Create the Torguard’s WireGuard private.key and place these files in /config/auth/wireguard/.

# Make a directory for Torguard
mkdir /config/auth/wireguard/torguard

# Create a file called private.key
touch /config/auth/wireguard/torguard/private.key

# Enter the WireGuard private key provided by Torguard to private.key file
echo "<paste-private-key>" >> /config/auth/wireguard/torguard/private.key

# Set the private.key permission 
chmod 775  /config/auth/wireguard/torguard/*.key

Once the private key has been created, configure the VyOS’ WireGuard interface for Torguard. The snippet below is the working Torguard’s WireGuard config.

# Structured format 
show interfaces wireguard wg1000
 address 10.29.0.107/24
 description "torguard wireguard gateway"
 peer torguard {
     address 178.62.238.70
     allowed-ips 0.0.0.0/0
     persistent-keepalive 25
     port 443
     pubkey <torguard-server-public-key>
 }
 port 51820
 private-key torguard

# set format
set wireguard wg1000 address '10.29.0.107/24'
set wireguard wg1000 description 'torguard wireguard gateway'
set wireguard wg1000 peer torguard address '178.62.238.70'
set wireguard wg1000 peer torguard allowed-ips '0.0.0.0/0'
set wireguard wg1000 peer torguard persistent-keepalive '25'
set wireguard wg1000 peer torguard port '443'
set wireguard wg1000 peer torguard pubkey <torguard-server-public-key>
set wireguard wg1000 private-key 'torguard'

If you get an error below and would not let you commit. You might have other instances of WireGuard with the same port. Unfortunately, we cannot change the Torguard assigned port for us. Just delete the interface port 51820 from the Torguard’s WireGuard configuration.

RTNETLINK answers: Address already in use

Remove the line below from the Torguard’s WireGuard settings then commit again.

delete interface wireguard wg1000 port 51820

At this point, the WireGuard interface should already connected to Torguard. The WireGuard tunnel can be verified using the show interface command. You will know that the tunnel is up by looking at under the peer section. It should show status: active; otherwise, this line will not be shown if the tunnel is down.

show interface wireguard <wireguard-interface>

# Sample output of the show interface wireguard
karlo@fwvyos:~$ show interfaces wireguard wg1000
interface: wg1000
  description: torguard wireguard gateway
  address: 10.29.0.107/24
  public key: <my-public-key>
  private key: (hidden)
  listening port: 40684

  peer: torguard
    public key: ZBvdkjaT6t2h3k/MQjLDgqM/F1JfOB5Vgm3mLkySUhY=
    latest handshake: 0:00:41
    status: active
    endpoint: 178.62.238.70:443
    allowed ips: 0.0.0.0/0
    transfer: 4 KB received, 16 KB sent
    persistent keepalive: every 25 seconds

    RX:  bytes  packets  errors  dropped  overrun       mcast
          4600       50       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
         16872      346       0        0        0           0
karlo@fwvyos:~$ 

If you are running your VyOS as a firewall, then you would need to allow the traffic to pass-through. That’s going to be for next-week post.

Cheers!

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x
WordPress Appliance - Powered by TurnKey Linux