How to Use VPN on Torizon OS
Introduction
It's possible to establish a VPN tunnel connection in Torizon OS using the WireGuard software.
Toradex has chosen WireGuard as its option for a VPN solution because, as stated on the WireGuard website:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
The purpose of this document is to describe how to establish a WireGuard VPN tunnel in Torizon OS using NetworkManager.
Alternatively, if for any reason (such as a legacy VPN server) you must use OpenVPN, see our article OpenVPN + Weston's VNC/RDP on Torizon OS.
This article complies with the Typographic Conventions for Torizon Documentation.
Prerequisites
In order to execute this tutorial, you will need:
- A System on Module (SoM) running Torizon OS.
- A Linux machine to configure as the WireGuard server.
- A network connection between the module and the Linux machine.
Preparing the WireGuard VPN Linux Server
In order to establish a VPN tunnel, you will need a VPN Linux Server that is reachable by your Torizon OS board.
You can install the necessary WireGuard software for your VPN server following the official WireGuard documentation.
Generating the Keys
First, run the following command on your host machine to generate the server's private and public keys:
$ wg genkey | sudo tee /etc/wireguard/server_private_key | wg pubkey | sudo tee /etc/wireguard/server_public_key
Now open a terminal on the device running Torizon OS and run the same command to generate the client's private and public keys:
# wg genkey | sudo tee /etc/wireguard/client_private_key | wg pubkey | sudo tee /etc/wireguard/client_public_key
The following sections of this article configure the VPN server with IP address 10.0.0.1/24 and the VPN client (the device running Torizon OS) with IP address 10.0.0.2/24.
Configuring the WireGuard VPN Linux Server
To make a persistent VPN configuration for your server, create the file /etc/wireguard/wg0.conf with the following content (don't forget to replace <server_private_key> with the content of /etc/wireguard/server_private_key on the VPN server, and <client_public_key> with the content of /etc/wireguard/client_public_key from Torizon OS):
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <server_private_key>
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
To activate your WireGuard VPN interface, execute the following command (root privileges are required to create the interface):
$ sudo wg-quick up wg0
Confirm that the WireGuard VPN interface is up:
$ sudo wg
interface: wg0
public key: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
private key: (hidden)
listening port: 51820
peer: vw+vcDF3xZzygjJe8Ha5mkm4BxOqxpPeftRimCBtWlw=
allowed ips: 10.0.0.2/32
Now you are ready to configure a module running Torizon OS and establish a WireGuard VPN tunnel with your server.
Torizon OS VPN Configuration
With your WireGuard VPN Linux server in place, you can do the following in Torizon OS to establish a VPN tunnel with your server.
Create the tunnel configuration file ~/wg0.conf with the content shown below the table. Update the following fields in the file to match the configuration you created above:

| Value | Description |
|---|---|
| <client_private_key> | Contents of /etc/wireguard/client_private_key in Torizon OS |
| <server_public_key> | Contents of /etc/wireguard/server_public_key on the VPN server |
| <IP_address> | As the server uses 10.0.0.1/24, use 10.0.0.2/24 for your tunnel interface. |
| <server_listen_port> | The port number specified in the server configuration. The default is 51820. |
| <dns_address> | Whatever DNS address is appropriate for your networking setup. |
| <server_ip> | Public IP address or FQDN of your WireGuard server |
[Interface]
Address = <IP_address>
PrivateKey = <client_private_key>
ListenPort = <server_listen_port>
DNS = <dns_address>
[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:<server_listen_port>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
The PersistentKeepalive parameter is necessary when Torizon OS is in a NATed network environment. For more information, please take a look at NAT and Firewall Traversal Persistence.
Import the configuration file into NetworkManager:
# nmcli con import type wireguard file wg0.conf
This creates the connection in NetworkManager, enables it, and brings the interface up.
You can enable and disable the interface with the following commands:
# nmcli connection up wg0
# nmcli connection down wg0
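Most failed handshakes come down to the two wg0.conf files disagreeing with each other (a public key pasted into the wrong file, a port mismatch, or an AllowedIPs entry that does not cover the peer). The following Python script is an added example, not part of the Toradex article or of WireGuard: it recomputes what `wg pubkey` derives from each PrivateKey (X25519 over Curve25519, RFC 7748) and cross-checks both files before you import them. The `_get` and `check_pair` helpers are illustrative names; the sample private keys are the RFC 7748 test scalars, constructed here for the example, and 200.0.0.1 is the endpoint shown in the `wg show` output on this page.

```python
import base64, re
P = 2**255 - 19  # Curve25519 field prime

def x25519_pubkey(priv: bytes) -> bytes:
    """What `wg pubkey` computes: X25519(clamped scalar, base point u=9), RFC 7748 ladder."""
    k = bytearray(priv); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the 32-byte scalar
    k = int.from_bytes(k, "little")
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in reversed(range(255)):                                  # one ladder step per bit
        kt = (k >> t) & 1
        if swap ^ kt:                                               # real code uses a constant-time swap
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), 9 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    # no final swap needed: clamping clears bit 0, so swap is 0 after the last step
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(priv_b64: str) -> str:
    return base64.b64encode(x25519_pubkey(base64.b64decode(priv_b64))).decode()

def _get(conf: str, section: str, key: str) -> str:
    """Read one key from one section of a single-peer wg0.conf (illustrative helper)."""
    body = conf.split(f"[{section}]", 1)[1].split("\n[", 1)[0]
    return re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", body, re.M).group(1)

def check_pair(server_conf: str, client_conf: str) -> list:
    """Cross-check the server and client files; returns a list of mismatches (empty means consistent)."""
    errors = []
    if _get(server_conf, "Peer", "PublicKey") != wg_pubkey(_get(client_conf, "Interface", "PrivateKey")):
        errors.append("server [Peer] PublicKey is not derived from the client PrivateKey")
    if _get(client_conf, "Peer", "PublicKey") != wg_pubkey(_get(server_conf, "Interface", "PrivateKey")):
        errors.append("client [Peer] PublicKey is not derived from the server PrivateKey")
    if _get(client_conf, "Peer", "Endpoint").rsplit(":", 1)[-1] != _get(server_conf, "Interface", "ListenPort"):
        errors.append("client Endpoint port differs from server ListenPort")
    if _get(server_conf, "Peer", "AllowedIPs") != _get(client_conf, "Interface", "Address").split("/")[0] + "/32":
        errors.append("server [Peer] AllowedIPs must be the client tunnel address as a /32")
    return errors

# Constructed sample keys: the RFC 7748 section 6.1 test scalars, base64-encoded as `wg genkey` prints them.
SERVER_PRIV = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
CLIENT_PRIV = base64.b64encode(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
SERVER_CONF = (f"[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\nPrivateKey = {SERVER_PRIV}\n"
               f"[Peer]\nPublicKey = {wg_pubkey(CLIENT_PRIV)}\nAllowedIPs = 10.0.0.2/32\n")
CLIENT_CONF = (f"[Interface]\nAddress = 10.0.0.2/24\nPrivateKey = {CLIENT_PRIV}\n[Peer]\n"
               f"PublicKey = {wg_pubkey(SERVER_PRIV)}\nEndpoint = 200.0.0.1:51820\nAllowedIPs = 0.0.0.0/0\n")
```

Run `check_pair` on the real files (read from /etc/wireguard/wg0.conf and ~/wg0.conf) and an empty list means the two sides agree; the pure-Python ladder is for verification only, not a replacement for the kernel's implementation.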
From this moment on, you should have IP connectivity between your WireGuard VPN server and your Torizon OS board through the WireGuard tunnel on the 10.0.0.0/24 network. You can confirm the tunnel state on the device:
# sudo wg show
interface: wg0
public key: To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A=
private key: (hidden)
listening port: 51820
peer: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
endpoint: 200.0.0.1:51820
allowed ips: 10.0.0.0/24
latest handshake: 1 minute, 49 seconds ago
transfer: 2.75 KiB received, 20.35 KiB sent
persistent keepalive: every 25 seconds