Select the version of your OS from the tabs below. If you don't know the version you are using, run the command cat /etc/os-release or cat /etc/issue on the board.
Remember that you can always refer to the Torizon Documentation, there you can find a lot of relevant articles that might help you in the application development.
It's possible to establish a VPN tunnel connection in TorizonCore using the WireGuard software.
Toradex has chosen WireGuard as its option for a VPN solution because, as stated on the WireGuard website:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
The purpose of this document is to describe how to establish a WireGuard VPN tunnel in TorizonCore using NetworkManager.
Tip: alternatively, if for any reason such as a legacy VPN server you are compelled to use OpenVPN, you can have a look at our article OpenVPN + Weston's VNC/RDP on TorizonCore.
This article complies to the Typographic Conventions for Torizon Documentation.
In order to execute this tutorial, you will need:
In order to establish a VPN tunnel, you will need a VPN Linux Server that is reachable by your TorizonCore board.
You can install the necessary WireGuard software for your VPN server following the official WireGuard documentation.
First, run the following command on your host machine to generate the server's private and public keys:
$ wg genkey | sudo tee /etc/wireguard/server_private_key | wg pubkey | sudo tee /etc/wireguard/server_public_key
Now access a terminal in the device running TorizonCore and run the same command to generate the client's private and public keys:
# wg genkey | sudo tee /etc/wireguard/client_private_key | wg pubkey | sudo tee /etc/wireguard/client_public_key
The following sessions of this article will configure the VPN server with IP address 10.0.0.1/24 and the VPN client (device running TorizonCore) with IP address 10.0.0.2/24.
To make a persistent VPN configuration for your server, you should create the file /etc/wireguard/wg0.conf with the following content (don't forget to replace <server_private_key> with the content of /etc/wireguard/server_private_key in the VPN Server and <client_public_key> with the content of /etc/wireguard/client_public_key in TorizonCore):
/etc/wireguard/wg0.conf[Interface] Address = 10.0.0.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = <server_private_key> [Peer] PublicKey = <client_public_key> AllowedIPs = 10.0.0.2/32
In order to activate your WireGuard VPN interface, you should execute the following command:
$ wg-quick up wg0
Confirm that the Wireguard VPN interface is up:
$ sudo wg
interface: wg0
public key: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
private key: (hidden)
listening port: 51820
peer: vw+vcDF3xZzygjJe8Ha5mkm4BxOqxpPeftRimCBtWlw=
allowed ips: 10.0.0.2/32
Now you are ready to configure a module running TorizonCore and establish a WireGuard VPN tunnel with your server.
With your WireGuard VPN Linux server in place, you can do the following in TorizonCore to establish a VPN tunnel with your server.
Create the tunnel configuration file ~/wg0.conf with the following content. You will need to update the following fields in the file to match your configuration created above:
| Value | Description |
|---|---|
| <client_private_key> | contents of /etc/wireguard/client_private_key in TorizonCore |
| <server_public_key> | contents of /etc/wireguard/server_public_key in the VPN Server |
| <IP_address> | As the server is using 10.0.0.1/24, you should use 10.0.0.2/24 for your tunnel interface. |
| <server_listen_port> | The port number specified in the server configuration. The default is 51820. |
| <dns_address> | Whatever DNS address is appropriate for your networking setup. |
| <server_ip> | Public IP address or FDQN of your Wireguard server |
[Interface]
Address = <IP_address>
PrivateKey = <client_private_key>
ListenPort = <server_listen_port>
DNS = <dns_address>
[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:<server_listen_port>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Attention: The PersistentKeepalive parameter is necessary when TorizonCore is in a NATed network environment. For more information, please take a look at NAT and Firewall Traversal Persistence.
Import the device into NetworkManager:
# nmcli con import type wireguard file wg0.conf
This will configure NetworkManager, enable and connect the interface.
You can enable and disable the interface with the following commands:
# nmcli connection up wg0
# nmcli connection down wg0
From this moment on, you should have IP connectivity between your WireGuard VPN server and your TorizonCore board using the WireGuard VPN tunnel through the 10.0.0.0/24 IP network address.
# sudo wg show
interface: wg0
public key: To3ZPN+/JxqmeK/I/+0VuYoCGAwUaEDoBhK2giIeD1A=
private key: (hidden)
listening port: 51820
peer: jRmW5/ajAt92tOxZA0Kh6S4GNh60bhMP19vGuwp8pBg=
endpoint: 200.0.0.1:51820
allowed ips: 10.0.0.0/24
latest handshake: 1 minute, 49 seconds ago
transfer: 2.75 KiB received, 20.35 KiB sent
persistent keepalive: every 25 seconds
