How to Use VPN on TorizonCore

 

Article updated at 06 Apr 2021

Select the version of your OS from the tabs below. If you don't know the version you are using, run the command cat /etc/os-release or cat /etc/issue on the board.



Remember that you can always refer to the Torizon Documentation, where you will find many articles that may help you with application development.

Torizon 5.3.0

Introduction

It's possible to establish a VPN tunnel connection in TorizonCore using the WireGuard software.

Toradex has chosen WireGuard as its option for a VPN solution because, as stated on the WireGuard website:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

The purpose of this document is to describe how to establish a WireGuard VPN tunnel in TorizonCore using NetworkManager.

Tip: alternatively, if for any reason such as a legacy VPN server you are compelled to use OpenVPN, you can have a look at our article OpenVPN + Weston's VNC/RDP on TorizonCore.

This article complies with the Typographic Conventions for Torizon Documentation.

Prerequisites

In order to execute this tutorial, you will need:

  • A module running TorizonCore version 5.3.0 or later.
  • A Linux machine to act as the WireGuard server.
  • A network connection between the module and the Linux machine.

Preparing the WireGuard VPN Linux Server

In order to establish a VPN tunnel, you will need a VPN Linux Server that is reachable by your TorizonCore board.

You can install the necessary WireGuard software for your VPN server following the official WireGuard documentation.

Generating the Keys

First, run the following command on the machine that will act as the VPN server to generate the server's private and public keys:

$ wg genkey | sudo tee /etc/wireguard/server_private_key | wg pubkey | sudo tee /etc/wireguard/server_public_key

Now open a terminal on the device running TorizonCore and run the same command to generate the client's private and public keys:

# wg genkey | sudo tee /etc/wireguard/client_private_key | wg pubkey | sudo tee /etc/wireguard/client_public_key

Attention: tee creates these files with your shell's default umask, which usually leaves them world-readable. A private key file must be readable by root only, so restrict its permissions (mode 0600) right after generating it. Never copy a private key off the machine that owns it: only the public keys are exchanged between the server and TorizonCore.

The following sections configure the VPN server with the tunnel address 10.0.0.1/24 and the VPN client (the device running TorizonCore) with the tunnel address 10.0.0.2/24.

Configuring the WireGuard VPN Linux Server

To make a persistent VPN configuration for your server, create the file /etc/wireguard/wg0.conf with the following content. Replace <server_private_key> with the content of /etc/wireguard/server_private_key on the VPN server, and <client_public_key> with the content of /etc/wireguard/client_public_key copied from TorizonCore. Because this file contains the server's private key, keep it readable by root only (wg-quick prints a warning when the file is world accessible):

/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <server_private_key>
 
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

To activate your WireGuard VPN interface, run:

$ sudo wg-quick up wg0

This brings the interface up for the current boot only; to have it created automatically on every boot, enable the wg-quick@wg0 systemd unit that ships with wireguard-tools.

Confirm that the WireGuard VPN interface is up and that the peer's public key is the one generated on TorizonCore:

$ sudo wg
interface: wg0
  public key: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
  private key: (hidden)
  listening port: 51820

peer: vw+vcDF3xZzygjJe8Ha5mkm4BxOqxpPeftRimCBtWlw=
  allowed ips: 10.0.0.2/32

Now you are ready to configure a module running TorizonCore and establish a WireGuard VPN tunnel with your server.

TorizonCore VPN Configuration

With your WireGuard VPN Linux server in place, you can do the following in TorizonCore to establish a VPN tunnel with your server.

Create the tunnel interface:

# sudo nmcli connection add type wireguard ifname wg0 con-name wg0

Apply the private key to the TorizonCore tunnel interface. The --ask flag makes nmcli prompt for the missing secret (the WireGuard private key), which is fed from the key file rather than typed or passed on the command line, so the key does not end up in your shell history or in the process list:

# sudo sh -c "nmcli --ask connection up wg0 < /etc/wireguard/client_private_key"

Now you need to configure the IP address for the tunnel. As the server is using 10.0.0.1/24, you should use 10.0.0.2/24 for your tunnel interface.

# nmcli connection modify wg0 autoconnect yes ipv4.method manual ipv4.addresses 10.0.0.2/24 wireguard.listen-port 51820
# nmcli connection up wg0

At the time of writing, nmcli does not support configuring WireGuard peers, so this step has to be done by editing the connection file. NetworkManager stores the connection created above in /etc/NetworkManager/system-connections/wg0.nmconnection (the file takes its name from the con-name you gave the connection, "wg0"). Append the following section to that file, replacing <server_public_key> with the content of /etc/wireguard/server_public_key from the VPN server and <server_ip_address> with the public IP address of your WireGuard VPN Linux server. The server's public key is part of the section header, so copy it exactly; a mistyped key shows up later only as a handshake that never completes:

/etc/NetworkManager/system-connections/wg0.nmconnection
[wireguard-peer.<server_public_key>]
endpoint=<server_ip_address>:51820
allowed-ips=10.0.0.1/24;
persistent-keepalive=25

Attention: The persistent-keepalive parameter is necessary when TorizonCore sits behind NAT or a stateful firewall, so that the mapping stays open and the server can still reach the board; 25 seconds is the value suggested in the WireGuard documentation. For more information, please take a look at NAT and Firewall Traversal Persistence.

Now you need to load your new configuration using the following commands:

# sudo nmcli connection load /etc/NetworkManager/system-connections/wg0.nmconnection
# nmcli connection up wg0

From this moment on, you should have IP connectivity between your WireGuard VPN server and your TorizonCore board over the 10.0.0.0/24 tunnel network. Note that the kernel reports allowed IPs as a network address, so the 10.0.0.1/24 you wrote in the peer section appears as 10.0.0.0/24, and that a recent "latest handshake" is the real sign of a working tunnel, not just the interface being up:

# sudo wg show
interface: wg0
  public key: To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A=
  private key: (hidden)
  listening port: 51820

peer: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
  endpoint: 200.0.0.1:51820
  allowed ips: 10.0.0.0/24
  latest handshake: 1 minute, 49 seconds ago
  transfer: 2.75 KiB received, 20.35 KiB sent
  persistent keepalive: every 25 seconds
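The procedure above leaves two things to a human eye: that the keys pasted into wg0.conf and wg0.nmconnection are well-formed, and that the wg show output really indicates a live session rather than an interface that merely exists. The following POSIX shell script is an added example, not part of the Toradex article or of TorizonCore, that automates those checks offline: it validates the base64 encoding of WireGuard keys, classifies each peer from the tab-separated output of wg show wg0 dump by handshake age, and checks that a peer's allowed-ips covers the address you intend to reach. The sample dump is constructed from the keys and addresses shown on this page (with the private-key field redacted), and the timestamp NOW and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Toradex article or TorizonCore): offline sanity
# checks for a WireGuard tunnel managed as described above. The sample keys
# and dump lines are constructed from the values shown in the article.

# A WireGuard key is 32 bytes in base64: 44 characters, the last always '='.
# Because 256 bits is not a multiple of 6, the 43rd character carries only 4
# bits and must be one of A E I M Q U Y c g k o s w 0 4 8. A pasted key that
# fails this test is truncated or mangled and would otherwise only show up
# later as a handshake that never completes.
wg_key_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Does IPv4 address $2 fall inside CIDR block $1?  Traffic to anything outside
# a peer's allowed-ips never enters the tunnel, so check the address you intend
# to reach (10.0.0.1 here) against what the peer section grants. The kernel
# stores the network address: allowed-ips=10.0.0.1/24 is reported as 10.0.0.0/24.
cidr_contains() {
    printf '%s %s\n' "$1" "$2" | awk '
        function toint(a,  o) { split(a, o, "[.]"); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        {
            split($1, c, "/")
            block = 2 ^ (32 - c[2])            # number of addresses in the block
            same = int(toint(c[1]) / block) == int(toint($2) / block)
            if (same) exit 0
            exit 1
        }'
}

# Build lines in the tab-separated shape printed by `wg show wg0 dump`
# (interface: private-key public-key listen-port fwmark; then one line per peer:
# public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive).
# Used here only to construct the offline sample; on the board run the real command.
iface_line() { printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4"; }
peer_line()  { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"; }

# Classify every peer in dump text $1 given the current epoch time $2.
# A session rekeys at least every 120 s and rejects traffic after 180 s, so a
# handshake older than 180 s means the tunnel is not passing traffic even though
# nmcli shows the connection as active. Prints "<peer-public-key> <state>".
wg_peer_state() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" '
        NR == 1 { next }                       # interface line, not a peer
        {
            if ($5 == 0)               state = "never"
            else if (now - $5 > 180)   state = "stale"
            else                       state = "ok"
            printf "%s %s\n", $1, state
        }'
}

# Constructed sample: the TorizonCore side of the tunnel from the article,
# last handshake 109 s ago as in the page's `wg show` output.
SERVER_PUB='jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg='
CLIENT_PUB='To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A='
NOW=1617700000                                  # assumed "current" time for the sample
SAMPLE_DUMP="$(
    iface_line '(redacted)' "$CLIENT_PUB" 51820 off
    peer_line "$SERVER_PUB" '(none)' 200.0.0.1:51820 10.0.0.0/24 $((NOW - 109)) 2816 20838 25
)"

# Report for the sample when the script is run directly.
for key in "$SERVER_PUB" "$CLIENT_PUB"; do
    if wg_key_valid "$key"; then echo "key ok:  $key"; else echo "key BAD: $key"; fi
done
wg_peer_state "$SAMPLE_DUMP" "$NOW"
if cidr_contains 10.0.0.0/24 10.0.0.1; then echo "allowed-ips covers the server address 10.0.0.1"; fi
```

On a board, replace the constructed sample with the real output (sudo wg show wg0 dump, read as root because the first line contains the private key) and the current time from date +%s; a peer reported as "stale" or "never" while nmcli shows wg0 active usually points at a wrong endpoint, a mistyped public key in the section header, or a missing persistent-keepalive behind NAT.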