
How to Install Wireguard on an EdgeRouter (EdgeOS)

Wireguard may be the new kid on the block when it comes to VPN protocols, but it shows great promise against its competition, OpenVPN and IPsec.

With a codebase roughly 1% the size of OpenVPN and IPsec, it promises to be much easier to audit and inspect.

Wireguard also seeks to reduce other issues such as slow reconnection times and complex setups, the latter being a particular problem with IPsec.

It also focuses on using the most secure ciphers while remaining highly performant, which can be an issue with non-hardware-accelerated VPN protocols on CPU-based routers.

How to Install Wireguard on EdgeOS

I have created a script to automate the installation of the latest Wireguard release on any EdgeRouter device.

The script will attempt to detect whether Wireguard was previously installed, and will upgrade to the latest release if that release is not already installed, which makes it very easy to re-run at any time.

Keeping the script in /config/scripts means it survives firmware upgrades, so we can log in and re-run it at any time.

# cd /config/scripts
# curl -o edgeos_install_wireguard.sh https://gist.githubusercontent.com/damianhodgkiss/a25db0c554ea0af4d3082a3207e2813f/raw/ec7ec0943a4bb86399e39bba4f2386fbf0aaa1ce/edgeos_install_wireguard.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1284  100  1284    0     0  12170      0 --:--:-- --:--:-- --:--:-- 12228
# chmod 755 edgeos_install_wireguard.sh
# ./edgeos_install_wireguard.sh
Wireguard not installed yet
Downloading Wireguard (0.0.20181007-1)...
Installing wireguard-e100-0.0.20181007-1.deb...
(Reading database ... 34971 files and directories currently installed.)
Unpacking wireguard (from .../wireguard-e100-0.0.20181007-1.deb) ...
Adding 'diversion of /opt/vyatta/share/perl5/Vyatta/Interface.pm to /opt/vyatta/share/perl5/Vyatta/Interface.pm.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def.vyatta by wireguard'
Setting up wireguard (0.0.20181007-1) ...

At this point, Wireguard is installed and you can configure it using set interfaces wireguard … commands, as you would for any other device.

Install Wireguard on EdgeOS Script

The following script is the one from the gist. It lets you easily install and upgrade Wireguard support on any supported EdgeOS-based device. The script attempts to auto-detect the board by looking at /etc/version.

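#!/bin/sh
# Install or upgrade the vyatta-wireguard package on an EdgeOS device.

# Download the .deb for $BOARD and $RELEASE, then install it.
install_wireguard() {
  echo "Downloading Wireguard ($RELEASE)..."
  FILENAME="wireguard-$BOARD-$RELEASE.deb"
  DEB_URL="https://github.com/Lochnair/vyatta-wireguard/releases/download/$RELEASE/$FILENAME"
  # -f makes curl fail on an HTTP error instead of saving the error page as the .deb
  if /usr/bin/curl -f -s -L -o "/tmp/$FILENAME" "$DEB_URL"; then
    echo "Installing $FILENAME..."
    dpkg -i "/tmp/$FILENAME"
    rm -f "/tmp/$FILENAME"
  else
    echo "Error downloading Wireguard package"
    exit 1
  fi
}

# Detect the board identifier from the firmware version string.
BOARD=$(grep -E -o '(e100|e1000|e200|e300|e50|ugw3|ugw4|ugwxg)' /etc/version | head -n 1)

if [ "$BOARD" = "" ]; then
  echo "Unsupported board"
  exit 1
fi

# Query the installed package (stderr is silenced when it is not installed yet).
PKG=$(dpkg-query --show --showformat='${version},${status}' wireguard 2>/dev/null)
INSTALLED_VERSION=$(echo "$PKG" | cut -d, -f1)
INSTALLED_STATUS=$(echo "$PKG" | cut -d, -f2 | grep -E -o installed)
# Newest release tag reported by the GitHub API.
RELEASE=$(/usr/bin/curl -s https://api.github.com/repos/Lochnair/vyatta-wireguard/releases | /usr/bin/jq -r '.[0].tag_name')

# Stop if the lookup failed rather than building a URL from an empty or "null" tag.
if [ -z "$RELEASE" ] || [ "$RELEASE" = "null" ]; then
  echo "Could not determine latest Wireguard release"
  exit 1
fi

if [ "$INSTALLED_STATUS" = "installed" ] && [ "$INSTALLED_VERSION" = "$RELEASE" ]; then
  echo "Latest Wireguard already installed"
  exit 0
elif [ "$INSTALLED_STATUS" != "installed" ]; then
  echo "Wireguard not installed yet"
  install_wireguard
elif [ "$INSTALLED_VERSION" != "$RELEASE" ]; then
  echo "Wireguard install differs from latest release, upgrading"
  install_wireguard
fi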
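
The script above passes whatever the download returns straight to dpkg, which runs as root. As an added example (not part of the original gist), the functions below validate the release tag and compare the downloaded file against a SHA-256 digest before installing. The function names, the DPKG override and EXPECTED_SHA256 are assumptions: the digest is one you recorded yourself from a copy of the package you trust, and sha256sum is assumed to be available on the device.

```shell
#!/bin/sh
# Added example: checks to run between the download and "dpkg -i".
# Function names and the DPKG override are hypothetical, not from the gist.

# Accept only tags shaped like the one in the transcript (0.0.20181007-1):
# digits, dots and hyphens, starting with a digit. This rejects an empty
# value, jq's "null" and anything carrying path or URL characters.
valid_release_tag() {
  case "$1" in
    ''|*[!0-9.-]*) return 1 ;;
    [0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only if FILE hashes to the pinned lowercase hex digest.
verify_sha256() {
  file=$1
  expected=$2
  [ -f "$file" ] || return 1
  [ "${#expected}" -eq 64 ] || return 1
  actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  [ "$actual" = "$expected" ]
}

# Install DEB only when the tag is well formed and the digest matches.
# Returns 2 for a bad tag, 3 for a digest mismatch (the file is deleted).
install_verified() {
  release=$1
  deb=$2
  expected=$3
  if ! valid_release_tag "$release"; then
    echo "Refusing unexpected release tag: $release" >&2
    return 2
  fi
  if ! verify_sha256 "$deb" "$expected"; then
    echo "SHA-256 mismatch for $deb, not installing" >&2
    rm -f "$deb"
    return 3
  fi
  # DPKG can be set to "true" for a dry run (assumption for this example).
  "${DPKG:-dpkg}" -i "$deb"
}

# Usage inside install_wireguard, with a digest recorded out of band:
#   install_verified "$RELEASE" "/tmp/$FILENAME" "$EXPECTED_SHA256"
```

Pinning a digest means the script no longer follows the newest release automatically: each upgrade needs a new digest recorded for that release and board.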

The following devices are supported:

  • EdgeRouter X
  • EdgeRouter Lite
  • EdgeRouter POE
  • EdgeRouter 8
  • EdgeRouter Pro
  • EdgeRouter 4
  • EdgeRouter 6P
  • EdgeRouter Infinity
  • UniFi Security Gateway Pro 4
  • UniFi Security Gateway XG 8