3.1.9.3.6. WireGuard
From this section you can define the VPN configurations for WireGuard.
This view displays three different tabs:

3.1.9.3.6.1. Farm configuration
The Farm configuration tab allows you to configure tunnel settings and Dynamic VPN zones.

Tunnel Settings
IPv4 Local Networks: Local networks, in IPv4 CIDR format, that can be accessed through the VPN. When the connection is established, the client receives the connection routes, so it knows which networks are accessible. This range is written to the WireGuard configuration file (AllowedIPs) and determines the set of IP addresses that clients connecting to the VPN can access.
Client keepalive time: How often, in seconds, a keepalive packet is sent to keep the connection active. We recommend using 25 seconds.
Redirect Gateway: Flag to enable Gateway redirection. Enabling it changes the IPv4 Local Networks to 0.0.0.0/0.
Monitor Network Behavior: If enabled, the traffic passing through the VPN connection is monitored. Enabling it displays the following fields:
Sensor IP: IP address for the ON Sensor BackEnd (the sensor external IP).
Peer VXLAN Tunnel IP: Remote IP address for the ON Sensor BackEnd inside the VXLAN tunnel for traffic monitoring. We recommend using 192.168.70.1, but other IP addresses can also be used.
Dynamic VPN zones
Dynamic zone: Zones that will be dynamically associated with the VPN access groups. They will be used in the access policies.
Warning
Remember to click on the Save button to apply the configuration.
3.1.9.3.6.2. Node configuration
The Node configuration tab allows you to configure WireGuard nodes.

Clicking the Add new button displays the following configuration window:

Client
Node: Select in which node you are going to apply the configuration.
Start On Boot: Enable this flag if you want the VPN Gateway to start when the machine reboots. If it is disabled, you have to manually start the VPN after rebooting.
Server Port: Port that is listening inside the Firewall to receive new connections.
Server IP: The IP to use on the WireGuard network interface on the VPN Gateway server. We recommend using 192.168.71.1/24, but other IP addresses can also be used.
Connection IP: VPNGW node public IP (ON VPNGW node external IP).
DNS Server: DNS server IP.
Tunnel
IPv4 Tunnel Network by default: Network in IPv4 CIDR format for remote users. Pool of IP addresses to be offered from the VPN Gateway. This network must be unique in your organization.
Dynamic zones: This subsection allows you to assign an IPv4 Tunnel Network by default to a dynamic zone.
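The following Python sketch is an added example, not part of the product or its documentation. It derives the client-side AllowedIPs value from the IPv4 Local Networks and Redirect Gateway settings of the Farm configuration, and checks that the default and per-zone tunnel networks of the Node configuration do not overlap each other or the local networks, which is how it interprets "unique in your organization". All addresses, the port, the zone names, the function names and the key placeholder are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def allowed_ips(local_networks, redirect_gateway):
    """Value of the client's AllowedIPs line for the given farm settings."""
    if redirect_gateway:
        return ["0.0.0.0/0"]  # Redirect Gateway replaces the local networks
    # IPv4Network raises ValueError on malformed CIDR or set host bits
    nets = [ipaddress.IPv4Network(n) for n in local_networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overlapping_networks(default_pool, zone_pools, local_networks):
    """Pairs of networks that overlap and involve at least one tunnel pool."""
    named = {"default": default_pool}
    named.update({f"zone:{z}": p for z, p in zone_pools.items()})
    named.update({f"local:{n}": n for n in local_networks})
    parsed = {k: ipaddress.IPv4Network(v) for k, v in named.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(parsed.items(), 2)
            if na.overlaps(nb)
            and not (a.startswith("local:") and b.startswith("local:"))]


def client_peer_section(connection_ip, server_port, local_networks,
                        redirect_gateway, keepalive=25):
    """[Peer] block of a client configuration file; the key is a placeholder."""
    ips = ", ".join(allowed_ips(local_networks, redirect_gateway))
    return "\n".join([
        "[Peer]",
        "PublicKey = <gateway-public-key>",
        f"Endpoint = {connection_ip}:{server_port}",
        f"AllowedIPs = {ips}",
        f"PersistentKeepalive = {keepalive}",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment
    local = ["10.10.0.0/16", "10.10.20.0/24"]
    zones = {"guests": "192.168.73.0/24", "contractors": "10.10.20.0/26"}
    print(client_peer_section("203.0.113.10", 51820, local, False))
    for a, b in overlapping_networks("192.168.72.0/24", zones, local):
        print(f"overlap: {a} <-> {b}")
```

With the sample values, the contractors zone is reported as overlapping both local networks, so that pool would need to be changed before saving.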
3.1.9.3.6.3. Manage users
The Manage users tab allows you to monitor VPN users filtering by Node:

This view provides an organized display of information for all users connected through WireGuard:
Username: User identification.
Dynamic Zone: Network segment to which the user is connected.
IP: User IP address.
TTL: Time To Live.
Status: Icons that indicate the current connection status of the user.
Date: Date when the user’s connection was established.
Clicking the i icon located at the end of a connection row displays detailed information about that specific user.
The Search box allows you to search for any user data. For example, you can filter by the username user_test and as a result, a single row will appear with the user user_test.
Note
Users can establish multiple WireGuard sessions simultaneously across different devices using the same identity. If this happens, you will see the same user name displayed with different IPs in this view.