Select the version of your OS from the tabs below. If you don't know which version you are using, run cat /etc/os-release or cat /etc/issue on the board.
Remember that you can always refer to the Torizon Documentation, where you can find many relevant articles that may help you with application development.
Toradex has chosen WireGuard as its option for a VPN solution because, as stated on the WireGuard website:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
The purpose of this document is to describe how to establish a WireGuard VPN tunnel in TorizonCore using NetworkManager.
Tip: alternatively, if for any reason (such as a legacy VPN server) you are compelled to use OpenVPN, have a look at our article OpenVPN + Weston's VNC/RDP on TorizonCore.
This article complies with the Typographic Conventions for Torizon Documentation.
In order to execute this tutorial, you will need:
In order to establish a VPN tunnel, you will need a VPN Linux Server that is reachable by your TorizonCore board.
You can install the necessary WireGuard software for your VPN server following the official WireGuard documentation.
First, run the following command on your host machine (the VPN server) to generate the server's private and public keys. Note that tee creates the files with your current umask, so afterwards make sure the private key file is readable by root only:
$ wg genkey | sudo tee /etc/wireguard/server_private_key | wg pubkey | sudo tee /etc/wireguard/server_public_key
Now open a terminal on the device running TorizonCore and run the same command to generate the client's private and public keys (create /etc/wireguard first if it does not exist, and again keep the private key file readable by root only):
# wg genkey | sudo tee /etc/wireguard/client_private_key | wg pubkey | sudo tee /etc/wireguard/client_public_key
The following sections of this article configure the VPN server with IP address 10.0.0.1/24 and the VPN client (the device running TorizonCore) with IP address 10.0.0.2/24.
To make a persistent VPN configuration for your server, create the file /etc/wireguard/wg0.conf with the following content (don't forget to replace <server_private_key> with the content of /etc/wireguard/server_private_key on the VPN server and <client_public_key> with the content of /etc/wireguard/client_public_key from TorizonCore):

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

This file contains the server's private key, so it must be readable by root only. AllowedIPs = 10.0.0.2/32 restricts this peer to its single tunnel address: decrypted packets from the client with any other source address are dropped. SaveConfig = true makes wg-quick write the runtime configuration (including peers added at runtime) back to this file when the interface is brought down. Also make sure UDP port 51820 is reachable through the server's firewall.
In order to activate your WireGuard VPN interface, execute the following command (wg-quick needs root privileges):
$ sudo wg-quick up wg0
Confirm that the WireGuard VPN interface is up:
$ sudo wg
interface: wg0
  public key: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
  private key: (hidden)
  listening port: 51820

peer: vw+vcDF3xZzygjJe8Ha5mkm4BxOqxpPeftRimCBtWlw=
  allowed ips: 10.0.0.2/32
Now you are ready to configure a module running TorizonCore and establish a WireGuard VPN tunnel with your server.
With your WireGuard VPN Linux server in place, you can do the following in TorizonCore to establish a VPN tunnel with your server.
Create the tunnel interface:
# sudo nmcli connection add type wireguard ifname wg0 con-name wg0
Set the client's private key on the tunnel connection. With --ask, nmcli reads the secret from standard input, so the key is taken from the file rather than typed or passed on the command line:
# sudo sh -c "nmcli --ask connection up wg0 < /etc/wireguard/client_private_key"
Now configure the IP address of the tunnel. As the server uses 10.0.0.1/24, use 10.0.0.2/24 for the tunnel interface on the device (autoconnect yes brings the tunnel up automatically at boot):
# nmcli connection modify wg0 autoconnect yes ipv4.method manual ipv4.addresses 10.0.0.2/24 wireguard.listen-port 51820
# nmcli connection up wg0
At the time of writing, nmcli does not support peer configuration for WireGuard, so you have to add the peer by hand. NetworkManager stored the connection you created above in /etc/NetworkManager/system-connections/wg0.nmconnection (the file is named after the connection name, wg0). Append the following content to this file, replacing <server_public_key> with the content of /etc/wireguard/server_public_key from the VPN server and <server_ip_address> with the public IP address of your WireGuard VPN Linux server:

[wireguard-peer.<server_public_key>]
endpoint=<server_ip_address>:51820
allowed-ips=10.0.0.1/24;
persistent-keepalive=25

allowed-ips acts both as a route (traffic to these addresses goes into the tunnel) and as a cryptokey-routing filter (only decrypted packets from the server with a source address in this range are accepted). 10.0.0.1/24 covers the whole 10.0.0.0/24 tunnel subnet, which is what wg show reports for the peer; use 10.0.0.1/32 if the device should only ever talk to the server itself.
The persistent-keepalive parameter is necessary when the TorizonCore device is behind NAT or a stateful firewall: without it, the NAT mapping expires between packets and the server can no longer reach the device. For more information, see NAT and Firewall Traversal Persistence in the WireGuard documentation.
Now load your new configuration with the following commands:
# sudo nmcli connection load /etc/NetworkManager/system-connections/wg0.nmconnection
# nmcli connection up wg0
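As an added example (not code from the Toradex article), the following POSIX shell functions render the two files the procedure above asks you to write by hand: the server's /etc/wireguard/wg0.conf and the [wireguard-peer.*] section appended to the client's wg0.nmconnection. Each key is checked to be a 32-byte base64 string before it reaches a config file, and write_private shows how to create a file holding a private key with mode 0600 (the tee pipelines earlier in this article create files with the caller's umask, usually 022). The function names and the write_private helper are this example's own; the addresses and port are the ones used in this article, and the keys in the usage comments are the public keys shown in this article's wg output.

```shell
#!/bin/sh
# Added example (not from the Toradex article): render the WireGuard server
# config and the NetworkManager peer section from validated keys.
# Function names and the write_private helper are this example's own;
# addresses and the port follow the article (10.0.0.1/24, 10.0.0.2/32, 51820).
set -eu

# A WireGuard key is 32 random bytes in base64: exactly 44 characters and a
# single '=' at the end. The 43rd character only carries 4 bits of the last
# byte, so it must be one of A E I M Q U Y c g k o s w 0 4 8. Anything else
# is a truncated or mangled key and must not reach a config file.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the server-side /etc/wireguard/wg0.conf for a single client peer.
# $1 = server private key   $2 = client public key
# $3 = server tunnel address (e.g. 10.0.0.1/24)
# $4 = client tunnel address as a /32 (cryptokey-routing ACL for that peer)
render_server_conf() {
    is_wg_key "$1" || { echo "render_server_conf: bad server private key" >&2; return 1; }
    is_wg_key "$2" || { echo "render_server_conf: bad client public key" >&2; return 1; }
    cat <<EOF
[Interface]
Address = $3
SaveConfig = true
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = $4
EOF
}

# Print the peer section to append to the client's wg0.nmconnection.
# $1 = server public key   $2 = server public IP   $3 = allowed-ips range
render_nm_peer() {
    is_wg_key "$1" || { echo "render_nm_peer: bad server public key" >&2; return 1; }
    cat <<EOF

[wireguard-peer.$1]
endpoint=$2:51820
allowed-ips=$3;
persistent-keepalive=25
EOF
}

# Write stdin to the file $1 so that it is never world-readable, even for an
# instant: the subshell's umask 077 applies at creation, chmod covers the
# case where the file already existed with looser permissions.
write_private() {
    ( umask 077; cat > "$1" )
    chmod 600 "$1"
}

# Usage on the server (after generating keys as in the article):
#   render_server_conf "$(sudo cat /etc/wireguard/server_private_key)" \
#       'vw+vcDF3xZzygjJe8Ha5mkm4BxOqxpPeftRimCBtWlw=' 10.0.0.1/24 10.0.0.2/32 \
#       | sudo sh -c '. ./this_script.sh; write_private /etc/wireguard/wg0.conf'
# Usage on the device (the server's public key and public IP come from the server):
#   render_nm_peer 'jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=' 18.104.22.168 10.0.0.1/24 \
#       | sudo tee -a /etc/NetworkManager/system-connections/wg0.nmconnection
```

The private key is only ever read from a root-owned file and expanded inside shell functions, so it does not show up in another user's process listing the way a key passed as an argument to an external command would.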
From this moment on, you should have IP connectivity between your WireGuard VPN server and your TorizonCore board through the WireGuard VPN tunnel, on the 10.0.0.0/24 network. Check the tunnel state on the device; a recent latest handshake confirms that both peers have authenticated each other, while a missing handshake means the endpoint, port or keys do not match:
# sudo wg show
interface: wg0
  public key: To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A=
  private key: (hidden)
  listening port: 51820

peer: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
  endpoint: 18.104.22.168:51820
  allowed ips: 10.0.0.0/24
  latest handshake: 1 minute, 49 seconds ago
  transfer: 2.75 KiB received, 20.35 KiB sent
  persistent keepalive: every 25 seconds