How to Use VPN on TorizonCore
It's possible to establish a VPN tunnel connection in TorizonCore using the WireGuard software.
Toradex has chosen WireGuard as its option for a VPN solution because, as stated on the WireGuard website:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
The purpose of this document is to describe how to establish a WireGuard VPN tunnel in TorizonCore using NetworkManager.
Alternatively, if for any reason, such as a legacy VPN server, you are compelled to use OpenVPN, have a look at our article OpenVPN + Weston's VNC/RDP on TorizonCore.
This article complies with the Typographic Conventions for Torizon Documentation.
In order to execute this tutorial, you will need:
- A module running TorizonCore version 5.3.0 or later.
- A Linux machine to configure as the WireGuard server.
- A network connection between the module and the Linux machine.
Preparing the WireGuard VPN Linux Server
In order to establish a VPN tunnel, you will need a VPN Linux Server that is reachable by your TorizonCore board.
You can install the necessary WireGuard software for your VPN server following the official WireGuard documentation.
Generating the Keys
First, run the following command on your host machine to generate the server's private and public keys:
$ wg genkey | sudo tee /etc/wireguard/server_private_key | wg pubkey | sudo tee /etc/wireguard/server_public_key
Now open a terminal on the device running TorizonCore and run the same command to generate the client's private and public keys:
# wg genkey | sudo tee /etc/wireguard/client_private_key | wg pubkey | sudo tee /etc/wireguard/client_public_key
The following sections of this article configure the VPN server with IP address 10.0.0.1/24 and the VPN client (the device running TorizonCore) with IP address
Configuring the WireGuard VPN Linux Server
To make a persistent VPN configuration for your server, create the file /etc/wireguard/wg0.conf with the following content. Replace <server_private_key> with the content of /etc/wireguard/server_private_key on the VPN server and <client_public_key> with the content of /etc/wireguard/client_public_key generated in TorizonCore:
[Interface]
# The server's own address inside the tunnel
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
# The TorizonCore client; only its tunnel address is accepted from this peer
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
Activate the WireGuard VPN interface with the following command (it needs root privileges):
$ sudo wg-quick up wg0
Confirm that the WireGuard VPN interface is up:
$ sudo wg
public key: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
private key: (hidden)
listening port: 51820
allowed ips: 10.0.0.2/32
Now you are ready to configure a module running TorizonCore and establish a WireGuard VPN tunnel with your server.
TorizonCore VPN Configuration
With your WireGuard VPN Linux server in place, you can do the following in TorizonCore to establish a VPN tunnel with your server.
Create the tunnel configuration file ~/wg0.conf with the following content. Replace the following placeholders in the file to match the configuration created above:
| Placeholder | Replace with |
|---|---|
| <client_private_key> | contents of /etc/wireguard/client_private_key in TorizonCore |
| <server_public_key> | contents of /etc/wireguard/server_public_key on the VPN server |
| <IP_address> | As the server is using |
| <server_listen_port> | The port number specified in the server configuration. The default is 51820. |
| <dns_address> | Whatever DNS address is appropriate for your networking setup. |
| <server_ip> | Public IP address or FQDN of your WireGuard server |
[Interface]
# The client's own address inside the tunnel
Address = <IP_address>
PrivateKey = <client_private_key>
ListenPort = <server_listen_port>
DNS = <dns_address>

[Peer]
# The WireGuard VPN server
PublicKey = <server_public_key>
Endpoint = <server_ip>:<server_listen_port>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
The PersistentKeepalive parameter is necessary when TorizonCore is behind NAT, so that the mapping in the NAT device stays open. For more information, take a look at NAT and Firewall Traversal Persistence. Note that AllowedIPs = 0.0.0.0/0 routes all of the device's traffic through the tunnel; if only the VPN hosts should be reached through it, narrow this to the VPN subnet (10.0.0.0/24 in this article).
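Before importing the file it is worth checking that no placeholder was left behind and that the file holding the private key is not readable by other users. The script below is an added example, not part of the Toradex article or of the WireGuard or NetworkManager tools; the addresses, endpoint and keys it writes are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the Toradex article: sanity-check a WireGuard wg0.conf
# before "nmcli con import": catches a <placeholder> left in a key field, a missing
# [Interface]/[Peer] or AllowedIPs line, and a private-key file readable by others.

# True when $1 is base64 that decodes to exactly 32 bytes (a WireGuard key).
is_wg_key() {
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" = 32 ]
}

# Prints one finding per line; returns 0 only when the file passes every check.
check_wg_conf() {
    conf=$1; rc=0
    grep -q '^\[Interface\]' "$conf" || { echo "missing [Interface] section"; rc=1; }
    grep -q '^\[Peer\]' "$conf"      || { echo "missing [Peer] section"; rc=1; }
    for key in PrivateKey PublicKey; do
        val=$(sed -n "s/^$key *= *//p" "$conf" | head -n 1)
        if [ -z "$val" ]; then echo "$key not set"; rc=1
        elif ! is_wg_key "$val"; then echo "$key is not a 32-byte key: $val"; rc=1
        fi
    done
    grep -q '^AllowedIPs *=' "$conf" || { echo "AllowedIPs not set"; rc=1; }
    # The file contains the private key: anything beyond owner read/write leaks it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in 600|400) ;; *) echo "mode $mode exposes PrivateKey (use chmod 600)"; rc=1 ;; esac
    return $rc
}

# Writes a client config shaped like the article's, with constructed values
# ($1 = path, $2 = peer PublicKey). Keys are random bytes, not wg genkey output.
make_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $(head -c 32 /dev/urandom | base64)
[Peer]
PublicKey = $2
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
EOF
    chmod 600 "$1"
}

# Demo: a placeholder left in PublicKey must be rejected, a complete file accepted.
dir=$(mktemp -d)
make_conf "$dir/bad.conf" '<server_public_key>'
make_conf "$dir/good.conf" "$(head -c 32 /dev/urandom | base64)"
check_wg_conf "$dir/bad.conf"  || echo "bad.conf rejected"
check_wg_conf "$dir/good.conf" && echo "good.conf ready for nmcli import"
```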
Import the configuration file into NetworkManager:
# nmcli con import type wireguard file wg0.conf
This creates the NetworkManager connection profile, enables it and brings the tunnel interface up.
You can bring the interface up and down with the following commands:
# nmcli connection up wg0
# nmcli connection down wg0
From this moment on, you should have IP connectivity between your WireGuard VPN server and your TorizonCore board through the WireGuard tunnel on the 10.0.0.0/24 network. You can check the tunnel status on the device:
# sudo wg show
public key: To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A=
private key: (hidden)
listening port: 51820
allowed ips: 10.0.0.0/24
latest handshake: 1 minute, 49 seconds ago
transfer: 2.75 KiB received, 20.35 KiB sent
persistent keepalive: every 25 seconds