Configuring FCOS to use WireGuard
Introduction
https://www.wireguard.com/[WireGuard] is a modern VPN that runs inside the Linux kernel and uses state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding IPsec's configuration headaches, and to be considerably more performant than OpenVPN. WireGuard is designed as a general-purpose VPN for embedded devices and supercomputers alike, fit for many different circumstances. It runs over UDP.
https://www.wireguard.com/[Conceptual Overview]
https://www.wireguard.com/quickstart/[Quickstart]
https://www.wireguard.com/papers/wireguard.pdf[Whitepaper]
FCOS has full support for WireGuard out of the box. This guide demonstrates how to set up a single connection between an FCOS server and one client computer. It covers the basic client configuration, but it does not cover installing WireGuard on your clients.
Generate Keys
You will need to generate some keys to configure WireGuard. For this guide, the keys should be pre-generated on your workstation. First, let's create the FCOS WireGuard keys:
Generate FCOS WireGuard keys
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
These keys will be referenced as `fcos_public_key` and `fcos_private_key` from here on out in this guide. The `umask 077` makes every file this shell creates afterwards readable and writable only by you, so a private key is never left world-readable; keep all of the key generation below in that same shell session (or repeat the `umask`), and treat the private key files with the same care as any other long-lived credential.
Now generate the client keys with the same two commands, writing to different file names so the FCOS key pair you just created is not overwritten:
Generate Client One WireGuard keys
These keys will be referenced as `client_one_public_key` and `client_one_private_key` from here on out in this guide.
Now create a PresharedKey:
Generate a Preshared key per peer pair
$ wg genpsk > fcos_client_one_psk
The PresharedKey will be referenced as `fcos_client_one_psk` from here on out in this guide.
A PresharedKey is a symmetric secret shared by exactly one pair of peers: it is configured identically on both sides of that pair, it is mixed into the handshake as an additional layer of symmetric-key cryptography (WireGuard documents this as a hedge against future cryptanalysis, including quantum computers), and it must never be reused for another pair. `wg genpsk` simply produces 32 random bytes, so run it once for every peer you add to the FCOS server and keep each result as private as the private keys. WireGuard treats the PresharedKey as optional, but this guide uses one for every pair.
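As an added illustration of the three key-generation steps above (this is example code, not from the FCOS documentation or from wireguard-tools), the following Python reproduces what `wg genkey`, `wg pubkey` and `wg genpsk` output, using a pure-Python RFC 7748 X25519 so it runs with no dependencies: `genkey` clamps 32 random bytes the way `wg genkey` does, `pubkey` derives the Curve25519 public key like `wg pubkey`, `genpsk` is 32 random bytes like `wg genpsk`, `decode_key` applies the shape wg(8) expects of a pasted key (44 base64 characters ending in `=`, decoding to 32 bytes), `shared_secret` shows the Diffie-Hellman value a peer pair agrees on, and `write_secret` creates each file mode 0600 from the first byte, the effect `umask 077` has above. The helper names and the file names written under the temporary directory are this example's own assumptions; the ladder is not constant-time, so use it to understand and check keys, not to replace `wg`.

```python
"""Added example: what `wg genkey`, `wg pubkey` and `wg genpsk` produce, with a
pure-Python RFC 7748 X25519 (no dependencies; not constant-time, so for checking only)."""
import base64
import os
import tempfile

_P = 2**255 - 19                      # Curve25519 field prime
_A24 = 121665                         # (486662 - 2) / 4
_BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, 32 bytes little-endian

def clamp(secret: bytes) -> bytes:
    """Scalar clamping that `wg genkey` applies before printing a private key."""
    s = bytearray(secret)
    s[0] &= 248    # clear the low 3 bits (cofactor 8)
    s[31] &= 127   # clear bit 255
    s[31] |= 64    # set bit 254 (fixed scalar length)
    return bytes(s)

def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)   # not constant-time: illustration only

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519(scalar, u); 32-byte little-endian in and out."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def decode_key(key_b64: str) -> bytes:
    """Shape wg(8) expects of a key: 44 base64 chars, trailing '=', exactly 32 bytes."""
    s = key_b64.strip()
    if len(s) != 44 or not s.endswith("="):
        raise ValueError("WireGuard keys are 44 base64 characters ending in '='")
    raw = base64.b64decode(s, validate=True)
    if len(raw) != 32 or base64.b64encode(raw).decode() != s:
        raise ValueError("key is not a canonical 32-byte base64 value")
    return raw

def is_valid_key(key_b64: str) -> bool:
    try:
        return len(decode_key(key_b64)) == 32
    except ValueError:
        return False

def hex_to_key(hex32: str) -> str:
    return base64.b64encode(bytes.fromhex(hex32)).decode()   # 32 hex bytes -> wg format

def genkey() -> str:
    """`wg genkey`: 32 random bytes, clamped, base64."""
    return base64.b64encode(clamp(os.urandom(32))).decode()

def pubkey(private_b64: str) -> str:
    """`wg pubkey`: Curve25519 public key of a private key; compare with a stored public key to check a pair."""
    return base64.b64encode(x25519(decode_key(private_b64), _BASEPOINT)).decode()

def genpsk() -> str:
    """`wg genpsk`: 32 random bytes, base64. Not a curve scalar, so no clamping."""
    return base64.b64encode(os.urandom(32)).decode()

def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """DH value both peers of a pair derive; WireGuard mixes it into its Noise handshake."""
    return x25519(decode_key(private_b64), decode_key(peer_public_b64))

def write_secret(path: str, key: str) -> None:
    """Create the file 0600 from the first byte, the effect `umask 077` has in the guide."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key + "\n")

if __name__ == "__main__":
    # The guide's three steps, written into a scratch directory (file names are this example's).
    with tempfile.TemporaryDirectory() as d:
        fcos_private_key, client_one_private_key = genkey(), genkey()
        write_secret(os.path.join(d, "fcos_private_key"), fcos_private_key)
        write_secret(os.path.join(d, "fcos_public_key"), pubkey(fcos_private_key))
        write_secret(os.path.join(d, "client_one_private_key"), client_one_private_key)
        write_secret(os.path.join(d, "client_one_public_key"), pubkey(client_one_private_key))
        write_secret(os.path.join(d, "fcos_client_one_psk"), genpsk())
        for name in sorted(os.listdir(d)):
            print(f"{name:24s} mode {oct(os.stat(os.path.join(d, name)).st_mode & 0o777)}")
```

Feeding a real `fcos_private_key` file to `pubkey` and comparing the result with `fcos_public_key` is a quick way to confirm that the two files you are about to embed in a configuration actually belong together; the `shared_secret` symmetry is what the RFC 7748 test vectors exercise.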