Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 7. Setting up a WireGuard VPN

WireGuard is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than many other VPN solutions. Additionally, WireGuard’s small codebase reduces the surface for attacks and, therefore, improves security. For authentication and encryption, WireGuard uses keys similar to SSH.

Important

WireGuard is provided as a Technology Preview only. Technology Preview features are not supported with Red Hat production Service Level Agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These previews provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

See Technology Preview Features Support Scope on the Red Hat Customer Portal for information about the support scope for Technology Preview features.

Note that all hosts that participate in a WireGuard VPN are peers. This documentation uses the terms client to describe hosts that establish a connection and server to describe the host with the fixed hostname or IP address that the clients connect to and optionally route all traffic through this server.

To set up a WireGuard VPN, you must complete the following steps:

  1. Configure the server.
  2. Open the WireGuard port in the local firewall.
  3. Configure the clients.

WireGuard operates on the network layer (layer 3). Therefore, you cannot use DHCP and must assign static IP addresses or IPv6 global addresses to the tunnel devices on both the server and clients.

Important

You can use WireGuard only if the Federal Information Processing Standard (FIPS) mode in RHEL is disabled.

7.1. Protocols and primitives used by WireGuard
Link kopieren

WireGuard uses the following protocols and primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305, using Authenticated Encryption with Associated Data (AEAD) construction as described in RFC7539
  • Curve25519 for Elliptic-curve Diffie-Hellman (ECDH) key exchange
  • BLAKE2s for hashing and keyed hashing, as described in RFC7693
  • SipHash24 for hash table keys
  • HKDF for key derivation, as described in RFC5869

When WireGuard sends a network packet to a peer:

  1. WireGuard reads the destination IP from the packet and compares it to the list of allowed IP addresses in the local configuration. If the peer is not found, WireGuard drops the packet.
  2. If the peer is valid, WireGuard encrypts the packet using the peer’s public key.
  3. The sending host looks up the most recent Internet IP address of the host and sends the encrypted packet to it.

When WireGuard receives a packet:

  1. WireGuard decrypts the packet using the private key of the remote host.
  2. WireGuard reads the internal source address from the packet and looks up whether the IP is configured in the list of allowed IP addresses in the settings for the peer on the local host. If the source IP is on the allowlist, WireGuard accepts the packet. If the IP address is not on the list, WireGuard drops the packet.

The association of public keys and allowed IP addresses is called Cryptokey Routing Table. This means that the list of IP addresses behaves similar to a routing table when sending packets, and as a kind of access control list when receiving packets.

7.3. Using a WireGuard client behind NAT and firewalls
Link kopieren

WireGuard uses the UDP protocol and transmits data only when a peer sends packets. Stateful firewalls and network address translation (NAT) on routers track connections to enable a peer behind NAT or a firewall to receive packets.

To keep the connection active, WireGuard supports persistent keepalives. This means you can set an interval at which WireGuard sends keepalive packets. By default, the persistent keep-alive feature is disabled to reduce network traffic. Enable this feature on the client if you use the client in a network with NAT or if a firewall closes the connection after some time of inactivity.

Note

Note that you cannot configure keepalive packets in WireGuard connections by using the RHEL web console. To configure this feature, edit the connection profile by using the nmcli utility.

WireGuard uses base64-encoded private and public keys to authenticate hosts to each other. Therefore, you must create the keys on each host that participates in the WireGuard VPN.

Important

For secure connections, create different keys for each host, and ensure that you only share the public key with the remote WireGuard host. Do not use the example keys used in this documentation.

If you plan to use the RHEL web console to create a WireGuard VPN connection, you can, alternatively, generate the public and private key pairs in the web console.

Procedure

  1. Install the wireguard-tools package: 

    # dnf install wireguard-tools
    Copy to Clipboard Toggle word wrap

  2. Create a private key and a corresponding public key for the host: 

    # wg genkey | tee /etc/wireguard/$HOSTNAME.private.key | wg pubkey > /etc/wireguard/$HOSTNAME.public.key
    Copy to Clipboard Toggle word wrap

    You will need the content of the key files, but not the files themselves. However, Red Hat recommends keeping the files in case that you need to remember the keys in future.

  3. Set secure permissions on the key files: 

    # chmod 600 /etc/wireguard/$HOSTNAME.private.key /etc/wireguard/$HOSTNAME.public.key
    Copy to Clipboard Toggle word wrap

  4. Display the private key: 

    # cat /etc/wireguard/$HOSTNAME.private.key
YFAnE0psgIdiAF7XR4abxiwVRnlMfeltxu10s/c4JXg=
    Copy to Clipboard Toggle word wrap

    You will need the private key to configure the WireGuard connection on the local host. Do not share the private key.

  5. Display the public key: 

    # cat /etc/wireguard/$HOSTNAME.public.key
UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
    Copy to Clipboard Toggle word wrap

    You will need the public key to configure the WireGuard connection on the remote host.

7.5. Configuring a WireGuard server by using nmcli
Link kopieren

You can configure the WireGuard server by creating a connection profile in NetworkManager. Use this method to let NetworkManager manage the WireGuard connection.

This procedure assumes the following settings:

  • Server:

    • Private key: YFAnE0psgIdiAF7XR4abxiwVRnlMfeltxu10s/c4JXg=
    • Tunnel IPv4 address: 192.0.2.1/24
    • Tunnel IPv6 address: 2001:db8:1::1/32

  • Client:

    • Public key: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
    • Tunnel IPv4 address: 192.0.2.2/24
    • Tunnel IPv6 address: 2001:db8:1::2/32

Prerequisites

  • You have generated the public and private key for both the server and client.

  • You know the following information:

    • The private key of the server
    • The static tunnel IP addresses and subnet masks of the client
    • The public key of the client
    • The static tunnel IP addresses and subnet masks of the server

Procedure

  1. Add a NetworkManager WireGuard connection profile: 

    # nmcli connection add type wireguard con-name server-wg0 ifname wg0 autoconnect no
    Copy to Clipboard Toggle word wrap

    This command creates a profile named server-wg0 and assigns the virtual interface wg0 to it. To prevent the connection from starting automatically after you add it without finalizing the configuration, disable the autoconnect parameter.

  2. Set the tunnel IPv4 address and subnet mask of the server: 

    # nmcli connection modify server-wg0 ipv4.method manual ipv4.addresses 192.0.2.1/24
    Copy to Clipboard Toggle word wrap

  3. Set the tunnel IPv6 address and subnet mask of the server: 

    # nmcli connection modify server-wg0 ipv6.method manual ipv6.addresses 2001:db8:1::1/32
    Copy to Clipboard Toggle word wrap

  4. Add the server’s private key to the connection profile: 

    # nmcli connection modify server-wg0 wireguard.private-key "YFAnE0psgIdiAF7XR4abxiwVRnlMfeltxu10s/c4JXg="
    Copy to Clipboard Toggle word wrap

  5. Set the port for incoming WireGuard connections: 

    # nmcli connection modify server-wg0 wireguard.listen-port 51820
    Copy to Clipboard Toggle word wrap

    Always set a fixed port number on hosts that receive incoming WireGuard connections. If you do not set a port, WireGuard uses a random free port each time you activate the wg0 interface.

  6. Add peer configurations for each client that you want to allow to communicate with this server. You must add these settings manually, because the nmcli utility does not support setting the corresponding connection properties.

    1. Edit the /etc/NetworkManager/system-connections/server-wg0.nmconnection file, and append: 

      [wireguard-peer.bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=]
allowed-ips=192.0.2.2;2001:db8:1::2;
      Copy to Clipboard Toggle word wrap
      • The [wireguard-peer.<public_key_of_the_client>] entry defines the peer section of the client, and the section name contains the public key of the client.

      • The allowed-ips parameter sets the tunnel IP addresses of the client that are allowed to send data to this server.

        Add a section for each client.

    2. Reload the server-wg0 connection profile: 

      # nmcli connection load /etc/NetworkManager/system-connections/server-wg0.nmconnection
      Copy to Clipboard Toggle word wrap

  7. Optional: Configure the connection to start automatically, enter: 

    # nmcli connection modify server-wg0 autoconnect yes
    Copy to Clipboard Toggle word wrap

  8. Reactivate the server-wg0 connection: 

    # nmcli connection up server-wg0
    Copy to Clipboard Toggle word wrap
  9. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Next steps

Verification

  1. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  private key: (hidden)
  listening port: 51820

peer: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  allowed ips: 192.0.2.2/32, 2001:db8:1::2/128
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

  2. Display the IP configuration of the wg0 device: 

    # ip address show wg0
20: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::1/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::3ef:8863:1ce2:844/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

7.6. Configuring a WireGuard server by using nmtui
Link kopieren

You can configure the WireGuard server by creating a connection profile in NetworkManager. Use this method to let NetworkManager manage the WireGuard connection.

This procedure assumes the following settings:

  • Server:

    • Private key: YFAnE0psgIdiAF7XR4abxiwVRnlMfeltxu10s/c4JXg=
    • Tunnel IPv4 address: 192.0.2.1/24
    • Tunnel IPv6 address: 2001:db8:1::1/32

  • Client:

    • Public key: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
    • Tunnel IPv4 address: 192.0.2.2/24
    • Tunnel IPv6 address: 2001:db8:1::2/32

Prerequisites

  • You have generated the public and private key for both the server and client.

  • You know the following information:

    • The private key of the server
    • The static tunnel IP addresses and subnet masks of the client
    • The public key of the client
    • The static tunnel IP addresses and subnet masks of the server
  • You installed the NetworkManager-tui package.

Procedure

  1. Start the nmtui application: 

    # nmtui
    Copy to Clipboard Toggle word wrap
  2. Select Edit a connection, and press Enter.
  3. Select Add, and press Enter.
  4. Select the WireGuard connection type in the list, and press Enter.

  5. In the Edit connection window:

    1. Enter the name of the connection and the virtual interface, such as wg0, that NetworkManager should assign to the connection.
    2. Enter the private key of the server.

    3. Set the listen port number, such as 51820, for incoming WireGuard connections.

      Always set a fixed port number on hosts that receive incoming WireGuard connections. If you do not set a port, WireGuard uses a random free port each time you activate the interface.

      nmtui WireGuard server general
      View larger image
      nmtui WireGuard server general

    4. Click Add next to the Peers pane:

      1. Enter the public key of the client.
      2. Set the Allowed IPs field to the tunnel IP addresses of the client that are allowed to send data to this server.

      3. Select OK, and press Enter.

        nmtui WireGuard server peer config
        View larger image
        nmtui WireGuard server peer config

    5. Select Show next to *IPv4 Configuration, and press Enter.

      1. Select the IPv4 configuration method Manual.
      2. Enter the tunnel IPv4 address and the subnet mask. Leave the Gateway field empty.

    6. Select Show next to IPv6 Configuration, and press Enter.

      1. Select the IPv6 configuration method Manual.
      2. Enter the tunnel IPv6 address and the subnet mask. Leave the Gateway field empty.

    7. Select OK, and press Enter

      nmtui WireGuard server ip config
      View larger image
      nmtui WireGuard server ip config
  6. In the window with the list of connections, select Back, and press Enter.
  7. In the NetworkManager TUI main window, select Quit, and press Enter.
  8. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Next steps

Verification

  1. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  private key: (hidden)
  listening port: 51820

peer: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  allowed ips: 192.0.2.2/32, 2001:db8:1::2/128
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

  2. Display the IP configuration of the wg0 device: 

    # ip address show wg0
20: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 _2001:db8:1::1/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::3ef:8863:1ce2:844/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

7.7. Configuring a WireGuard server by using the RHEL web console
Link kopieren

You can configure a WireGuard server by using the browser-based RHEL web console. Use this method to let NetworkManager manage the WireGuard connection.

Prerequisites

  • You are logged in to the RHEL web console.

  • You know the following information:

    • The static tunnel IP addresses and subnet masks of both the server and client
    • The public key of the client

Procedure

  1. Select the Networking tab in the navigation on the left side of the screen.
  2. Click Add VPN in the Interfaces section.
  3. If the wireguard-tools and systemd-resolved packages are not already installed, the web console displays a corresponding notification. Click Install to install these packages.
  4. Enter the name of the WireGuard device that you want to create.

  5. Configure the key pair of this host:

    • If you want use the keys that the web console has created:

      1. Keep the pre-selected Generated option in the Private key area.
      2. Note the Public key value. You require this information when you configure the client.

    • If you want to use an existing private key:

      1. Select Paste existing key in the Private key area.
      2. Paste the private key into the text field. The web console automatically calculates the corresponding public key.

  6. Set a listen port number, such as 51820, for incoming WireGuard connections.

    Always set a fixed port number on hosts that receive incoming WireGuard connections. If you do not set a port, WireGuard uses a random free port each time you activate the interface.

  7. Set the tunnel IPv4 address and subnet mask of the server.

    To also set an IPv6 address, you must edit the connection after you have created it.

  8. Add peer configurations for each client that you want to allow to communicate with this server:

    1. Click Add peer.
    2. Enter the public key of the client.
    3. Leave the Endpoint field empty.
    4. Set the Allowed IPs field to the tunnel IP addresses of the clients that are allowed to send data to this server.
    WireGuard server settings
    View larger image
    WireGuard server settings
  9. Click Add to create the WireGuard connection.

  10. If you want to also set a tunnel IPv6 address:

    1. Click on the WireGuard connection’s name in the Interfaces section.
    2. Click edit next to IPv6.
    3. Set the Addresses field to Manual, and enter the tunnel IPv6 address and prefix of the server.
    4. Click Save.
  11. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Verification

  1. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  private key: (hidden)
  listening port: 51820

peer: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  allowed ips: 192.0.2.2/32, 2001:db8:1::2/128
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

  2. Display the IP configuration of the wg0 device: 

    # ip address show wg0
20: wg0: <POINTOPOINT,NOARP,UP,LOWERUP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::1/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::3ef:8863:1ce2:844/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

You must configure the firewalld service on the WireGuard server to allow incoming connections from clients. Additionally, if clients should be able to use the WireGuard server as the default gateway and route all traffic through the tunnel, you must enable masquerading.

Procedure

  1. Open the WireGuard port for incoming connections in the firewalld service: 

    # firewall-cmd --permanent --add-port=51820/udp --zone=public
    Copy to Clipboard Toggle word wrap

  2. If clients should route all traffic through the tunnel and use the WireGuard server as the default gateway, enable masquerading for the public zone: 

    # firewall-cmd --permanent --zone=public --add-masquerade
    Copy to Clipboard Toggle word wrap

  3. Reload the firewalld rules. 

    # firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Verification

  • Display the configuration of the public zone: 

    # firewall-cmd --list-all
public (active)
  ...
  ports: 51820/udp
  masquerade: yes
  ...
    Copy to Clipboard Toggle word wrap

You must configure the firewalld service on the WireGuard server to allow incoming connections from clients. Additionally, if clients should be able to use the WireGuard server as the default gateway and route all traffic through the tunnel, you must enable masquerading.

Prerequisites

  • You are logged in to the RHEL web console.

Procedure

  1. Select the Networking tab in the navigation on the left side of the screen.
  2. Click Edit rules and zones in the Firewall section.
  3. Click Add services.
  4. Enter wireguard into the Filter services field.

  5. Select the wireguard entry from the list.

    firewalld settings for a WireGuard server
    View larger image
    firewalld settings for a WireGuard server
  6. Click Add services.

  7. If clients should route all traffic through the tunnel and use the WireGuard server as the default gateway, enable masquerading for the public zone: 

    # firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

    Note that you cannot enable masquerading in firewalld zones in the web console.

Verification

  1. Select the Networking tab in the navigation on the left side of the screen.
  2. Click Edit rules and zones in the Firewall section.
  3. The list contains an entry for the wireguard service and displays the UDP port that you configured in the WireGuard connection profile.

  4. To verify that masquerading is enabled in the public zone of firewalld, enter: 

    # firewall-cmd --list-all --zone=public
public (active)
  ...
  services: ... wireguard
  ports:
  forward: yes
  masquerade: yes
  ...
    Copy to Clipboard Toggle word wrap

7.10. Configuring a WireGuard client by using nmcli
Link kopieren

You can configure a WireGuard client by creating a connection profile in NetworkManager. Use this method to let NetworkManager manage the WireGuard connection.

This procedure assumes the following settings:

  • Client:

    • Private key: aPUcp5vHz8yMLrzk8SsDyYnV33IhE/k20e52iKJFV0A=
    • Tunnel IPv4 address: 192.0.2.2/24
    • Tunnel IPv6 address: 2001:db8:1::2/32

  • Server:

    • Public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
    • Tunnel IPv4 address: 192.0.2.1/24
    • Tunnel IPv6 address: 2001:db8:1::1/32

Prerequisites

  • You have generated the public and private key for both the server and client.

  • You know the following information:

    • The private key of the client
    • The static tunnel IP addresses and subnet masks of the client
    • The public key of the server
    • The static tunnel IP addresses and subnet masks of the server

Procedure

  1. Add a NetworkManager WireGuard connection profile: 

    # nmcli connection add type wireguard con-name client-wg0 ifname wg0
    Copy to Clipboard Toggle word wrap

    This command creates a profile named client-wg0 and assigns the virtual interface wg0 to it.

  2. Optional: Configure NetworkManager so that it does not automatically start the client-wg connection: 

    # nmcli connection modify client-wg0 autoconnect no
    Copy to Clipboard Toggle word wrap

  3. Set the tunnel IPv4 address and subnet mask of the client: 

    # nmcli connection modify client-wg0 ipv4.method manual ipv4.addresses 192.0.2.2/24
    Copy to Clipboard Toggle word wrap

  4. Set the tunnel IPv6 address and subnet mask of the client: 

    # nmcli connection modify client-wg0 ipv6.method manual ipv6.addresses 2001:db8:1::2/32
    Copy to Clipboard Toggle word wrap

  5. If you want to route all traffic through the tunnel, set the tunnel IP addresses of the server as the default gateway: 

    # nmcli connection modify client-wg0 ipv4.gateway 192.0.2.1 ipv6.gateway 2001:db8:1::1
    Copy to Clipboard Toggle word wrap

    Routing all traffic through the tunnel requires that you set, in a later step, the allowed-ips on this client to 0.0.0.0/0;::/0.

    Note that routing all traffic through the tunnel can impact the connectivity to other hosts based on the server routing and firewall configuration.

  6. Add the client’s private key to the connection profile: 

    # nmcli connection modify client-wg0 wireguard.private-key "aPUcp5vHz8yMLrzk8SsDyYnV33IhE/k20e52iKJFV0A="
    Copy to Clipboard Toggle word wrap

  7. Add peer configurations for each server that you want to allow to communicate with this client. You must add these settings manually, because the nmcli utility does not support setting the corresponding connection properties.

    1. Edit the /etc/NetworkManager/system-connections/client-wg0.nmconnection file, and append: 

      [wireguard-peer.UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=]
endpoint=server.example.com:51820
allowed-ips=192.0.2.1;2001:db8:1::1;
persistent-keepalive=20
      Copy to Clipboard Toggle word wrap
      • The [wireguard-peer.<public_key_of_the_server>] entry defines the peer section of the server, and the section name has the public key of the server.
      • The endpoint parameter sets the hostname or IP address and the port of the server. The client uses this information to establish the connection.

      • The allowed-ips parameter sets a list of IP addresses that can send data to this client. For example, set the parameter to:

        • The tunnel IP addresses of the server to allow only the server to communicate with this client. The value in the example above configures this scenario.
        • 0.0.0.0/0;::/0; to allow any remote IPv4 and IPv6 address to communicate with this client. Use this setting to route all traffic through the tunnel and use the WireGuard server as default gateway.
      • The optional persistent-keepalive parameter defines an interval in seconds in which WireGuard sends a keepalive packet to the server. Set this parameter if you use the client in a network with network address translation (NAT) or if a firewall closes the UDP connection after some time of inactivity.

    2. Reload the client-wg0 connection profile: 

      # nmcli connection load /etc/NetworkManager/system-connections/client-wg0.nmconnection
      Copy to Clipboard Toggle word wrap

  8. Reactivate the client-wg0 connection: 

    # nmcli connection up client-wg0
    Copy to Clipboard Toggle word wrap
  9. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Verification

  1. Ping the IP addresses of the server: 

    # ping 192.0.2.1
# ping6 2001:db8:1::1
    Copy to Clipboard Toggle word wrap

  2. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  private key: (hidden)
  listening port: 51820

peer: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  endpoint: server.example.com:51820
  allowed ips: 192.0.2.1/32, 2001:db8:1::1/128
  latest handshake: 1 minute, 41 seconds ago
  transfer: 824 B received, 1.01 KiB sent
  persistent keepalive: every 20 seconds
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

    Note that the output has only the latest handshake and transfer entries if you have already sent traffic through the VPN tunnel.

  3. Display the IP configuration of the wg0 device: 

    # ip address show wg0
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.2/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::2/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::73d9:6f51:ea6f:863e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

7.11. Configuring a WireGuard client by using nmtui
Link kopieren

You can configure a WireGuard client by creating a connection profile in NetworkManager. Use this method to let NetworkManager manage the WireGuard connection.

This procedure assumes the following settings:

  • Client:

    • Private key: aPUcp5vHz8yMLrzk8SsDyYnV33IhE/k20e52iKJFV0A=
    • Tunnel IPv4 address: 192.0.2.2/24
    • Tunnel IPv6 address: 2001:db8:1::2/32

  • Server:

    • Public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
    • Tunnel IPv4 address: 192.0.2.1/24
    • Tunnel IPv6 address: 2001:db8:1::1/32

Prerequisites

  • You have generated the public and private key for both the server and client.

  • You know the following information:

    • The private key of the client
    • The static tunnel IP addresses and subnet masks of the client
    • The public key of the server
    • The static tunnel IP addresses and subnet masks of the server
  • You installed the NetworkManager-tui package

Procedure

  1. Start the nmtui application: 

    # nmtui
    Copy to Clipboard Toggle word wrap
  2. Select Edit a connection, and press Enter.
  3. Select Add, and press Enter.
  4. Select the WireGuard connection type in the list, and press Enter.

  5. In the Edit connection window:

    1. Enter the name of the connection and the virtual interface, such as wg0, that NetworkManager should assign to the connection.

    2. Enter the private key of the client.

      nmtui WireGuard client general
      View larger image
      nmtui WireGuard client general

    3. Click Add next to the Peers pane:

      1. Enter the public key of the server.

      2. Set the Allowed IPs field. For example, set it to:

        • The tunnel IP addresses of the server to allow only the server to communicate with this client.
        • 0.0.0.0/0,::/0 to allow any remote IPv4 and IPv6 address to communicate with this client. Use this setting to route all traffic through the tunnel and use the WireGuard server as default gateway.
      3. Enter the host name or IP address and port of the WireGuard server into the Endpoint field. Use the following format: <hostname_or_IP>:<port_number>
      4. Optional: If you use the client in a network with network address translation (NAT) or if a firewall closes the UDP connection after some time of inactivity, set a persistent keepalive interval in seconds. In this interval, the client sends a keepalive packet to the server.

      5. Select OK, and press Enter.

        nmtui WireGuard client peer config
        View larger image
        nmtui WireGuard client peer config

    4. Select Show next to IPv4 Configuration, and press Enter.

      1. Select the IPv4 configuration method Manual.
      2. Enter the tunnel IPv4 address and the subnet mask. Leave the Gateway field empty.

    5. Select Show next to IPv6 Configuration, and press Enter.

      1. Select the IPv6 configuration method Manual.
      2. Enter the tunnel IPv6 address and the subnet mask. Leave the Gateway field empty.
    6. Optional: Select Automatically connect.

    7. Select OK, and press Enter

      nmtui WireGuard client ip config
      View larger image
      nmtui WireGuard client ip config
  6. In the window with the list of connections, select Back, and press Enter.
  7. In the NetworkManager TUI main window, select Quit, and press Enter.
  8. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Verification

  1. Ping the IP addresses of the server: 

    # ping 192.0.2.1
# ping6 2001:db8:1::1
    Copy to Clipboard Toggle word wrap

  2. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  private key: (hidden)
  listening port: 51820

peer: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  endpoint: server.example.com:51820_
  allowed ips: 192.0.2.1/32, 2001:db8:1::1/128
  latest handshake: 1 minute, 41 seconds ago
  transfer: 824 B received, 1.01 KiB sent
  persistent keepalive: every 20 seconds
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

    Note that the output contains only the latest handshake and transfer entries if you have already sent traffic through the VPN tunnel.

  3. Display the IP configuration of the wg0 device: 

    # ip address show wg0
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.2/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::2/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::73d9:6f51:ea6f:863e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

7.12. Configuring a WireGuard client by using the RHEL web console
Link kopieren

You can configure a WireGuard client by using the browser-based RHEL web console. Use this method to let NetworkManager manage the WireGuard connection.

Prerequisites

  • You are logged in to the RHEL web console.

  • You know the following information:

    • The static tunnel IP addresses and subnet masks of both the server and client
    • The public key of the server

Procedure

  1. Select the Networking tab in the navigation on the left side of the screen.
  2. Click Add VPN in the Interfaces section.
  3. If the wireguard-tools and systemd-resolved packages are not already installed, the web console displays a corresponding notification. Click Install to install these packages.
  4. Enter the name of the WireGuard device that you want to create.

  5. Configure the key pair of this host:

    • If you want use the keys that the web console has created:

      1. Keep the pre-selected Generated option in the Private key area.
      2. Note the Public key value. You require this information when you configure the client.

    • If you want to use an existing private key:

      1. Select Paste existing key in the Private key area.
      2. Paste the private key into the text field. The web console automatically calculates the corresponding public key.
  6. Preserve the 0 value in the Listen port field.

  7. Set the tunnel IPv4 address and subnet mask of the client.

    To also set an IPv6 address, you must edit the connection after you have created it.

  8. Add a peer configuration for the server that you want to allow to communicate with this client:

    1. Click Add peer.
    2. Enter the public key of the server.
    3. Set the Endpoint field to the hostname or IP address and the port of the server, for example server.example.com:51820. The client uses this information to establish the connection.

    4. Set the Allowed IPs field to the tunnel IP addresses of the clients that are allowed to send data to this server. For example, set the field to one of the following:

      • The tunnel IP addresses of the server to allow only the server to communicate with this client. The value in the screen capture below configures this scenario.
      • 0.0.0.0/0 to allow any remote IPv4 address to communicate with this client. Use this setting to route all traffic through the tunnel and use the WireGuard server as default gateway.
    WireGuard client settings
    View larger image
    WireGuard client settings
  9. Click Add to create the WireGuard connection.

  10. If you want to also set a tunnel IPv6 address:

    1. Click on the WireGuard connection’s name in the Interfaces section.
    2. Click Edit next to IPv6.
    3. Set the Addresses field to Manual, and enter the tunnel IPv6 address and prefix of the client.
    4. Click Save.
  11. If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.

Verification

  1. Ping the IP addresses of the server: 

    # ping 192.0.2.1
    Copy to Clipboard Toggle word wrap

    WireGuard establishes the connection when you try to send traffic through the tunnel.

  2. Display the interface configuration of the wg0 device: 

    # wg show wg0
interface: wg0
  public key: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
  private key: (hidden)
  listening port: 45513

peer: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
  endpoint: server.example.com:51820
  allowed ips: 192.0.2.1/32, 2001:db8:1::1/128
  latest handshake: 1 minute, 41 seconds ago
  transfer: 824 B received, 1.01 KiB sent
  persistent keepalive: every 20 seconds
    Copy to Clipboard Toggle word wrap

    To display the private key in the output, use the WG_HIDE_KEYS=never wg show wg0 command.

    Note that the output has only the latest handshake and transfer entries if you have already sent traffic through the VPN tunnel.

  3. Display the IP configuration of the wg0 device: 

    # ip address show wg0
10: wg0: <POINTOPOINT,NOARP,UP,LOWERUP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.0.2.2/24 brd 192.0.2.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::2/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::73d9:6f51:ea6f:863e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    Copy to Clipboard Toggle word wrap

Both a DHCP server and Stateless Address Autoconfiguration (SLAAC) can add routes to a client’s routing table. For example, a malicious DHCP server can use this feature to force a host with VPN connection to redirect traffic through a physical interface instead of the VPN tunnel. This vulnerability is also known as TunnelVision and described in the CVE-2024-3661 vulnerability article.

To mitigate this vulnerability, you can assign the VPN connection to a dedicated routing table. This prevents the DHCP configuration or SLAAC from manipulating routing decisions for network packets intended for the VPN tunnel.

Follow the steps if at least one of the conditions applies to your environment:

  • At least one network interface uses DHCP or SLAAC.
  • Your network does not use mechanisms, such as DHCP snooping, that prevent a rogue DHCP server.
Important

Routing the entire traffic through the VPN prevents the host from accessing local network resources.

Procedure

  1. Decide which routing table you want to use. The following steps use table 75. By default, RHEL does not use the tables 1-254, and you can use any of them.

  2. Configure the VPN connection profile to place the VPN routes in a dedicated routing table: 

    # nmcli connection modify <vpn_connection_profile> ipv4.route-table 75 ipv6.route-table 75
    Copy to Clipboard Toggle word wrap

  3. Set a low priority value for the table you used in the previous command: 

    # nmcli connection modify <vpn_connection_profile> ipv4.routing-rules "priority 32345 from all table 75" ipv6.routing-rules "priority 32345 from all table 75"
    Copy to Clipboard Toggle word wrap

    The priority value can be any value between 1 and 32766. The lower the value, the higher the priority.

  4. Reconnect the VPN connection: 

    # nmcli connection down <vpn_connection_profile>
# nmcli connection up <vpn_connection_profile>
    Copy to Clipboard Toggle word wrap

Verification

  1. Display the IPv4 routes in table 75: 

    # ip route show table 75
...
192.0.2.0/24 via 192.0.2.254 dev vpn_device proto static metric 50
default dev vpn_device proto static scope link metric 50
    Copy to Clipboard Toggle word wrap

    The output confirms that both the route to the remote network and the default gateway are assigned to routing table 75 and, therefore, all traffic is routed through the tunnel. If you set ipv4.never-default true in the VPN connection profile, a default route is not created and, therefore, not visible in this output.

  2. Display the IPv6 routes in table 75: 

    # ip -6 route show table 75
...
2001:db8:1::/64 dev vpn_device proto kernel metric 50 pref medium
default dev vpn_device proto static metric 50 pref medium
    Copy to Clipboard Toggle word wrap

    The output confirms that both the route to the remote network and the default gateway are assigned to routing table 75 and, therefore, all traffic is routed through the tunnel. If you set ipv6.never-default true in the VPN connection profile, a default route is not created and, therefore, not visible in this output.

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat