Cloud Edge Secure Access Getting Started Guide

WireGuard Connector

This article describes how to install a WireGuard-based connector on a Linux server in your organization instead of creating a tunnel between your server and your firewall/router.

  • Configuring the connector at the Management Platform
  • Configuring the connector on your local Linux machine
  • Verifying the connector is up

The Cloud Edge Web Console admin needs to add permissions for the network controller in order to access SonicWall Cloud Edge agents using the WireGuard protocol.

Please follow the steps below:

Configuring the connector at the Management Platform

  1. Under Networks in the Management Platform on the left side, select the name of the network in which you'd like to set the tunnel. Locate the desired gateway, select the three-dotted menu (...) and select Add Tunnel.

    The following window displays:

  2. Select WireGuard Connector, then select Continue.
  3. Make sure you have a Windows Server 2016, Ubuntu 16.04/18.04/20.04 LTS, CentOS/RHEL 7 or equivalent instance set up within your local network or VPC, then select Next.

  4. Enter a Name of your choice, and the Endpoint, meaning the IP address from which the Linux server is connecting to the internet, accompanied by the correlating Subnet range (the values in the attached image are for demonstration only).
  5. Select Next.

    You can query the Endpoint by executing the following command in your Linux terminal:
    dig +short myip.opendns.com @resolver1.opendns.com

  6. Select Confirm and Apply, then wait until the deployment is finished (this may take several minutes).

Configuring the connector on your local Linux machine

Make sure the machine that will be hosting the connector meets the following requirements:

On Ubuntu:

  • Please see attached the Prerequisites for the machine.

  • Your kernel is up to date.
  • The following packages are installed:

    • curl
    • dig
    • software-properties-common

On CentOS/RHEL:

  • Please see attached the Prerequisites for the machine.
  • Your kernel is up to date.
  • The following packages are installed:

    • curl
    • bind-utils

If you're not sure you possess the appropriate image installation files, you can find them here (Ubuntu 18.04).

  1. You should now see the connector under the Network section. Select the three-dotted menu (...) beside its icon, then select Configure. A similar window will open (the displayed command varies from connector to connector):

  2. Copy the command.
  3. Open the Linux Terminal as Root user and run the copied command (select Yes at Stage 4 for access-only).
  4. Follow the instructions during the connector installation on the Linux server.

Verifying the connector is up

  1. Connect to your SonicWall CloudEdge server with the designated app (you can do this on any machine).
  2. Open the terminal and run the following command:

    ping XXXX.XXXX.XXXX.XXXX (replace with one of the internal resources in your organization)

  3. If the ping command fails, please make sure that port UDP/8000 is not blocked in your firewall/router, and that you went through all the steps.
  4. If the issue persists, please contact our support services attaching the logs. These can be found at the following paths:

    ##Configuration file

    /etc/wireguard/wg0.conf

Setting up a WireGuard tunnel using a docker container

This article was written for the OSX Big Sur operating system, but should work on any system capable of running Docker. Behind the scenes, the process involves a setup similar to the WireGuard Connector.

WireGuard runs in its own Docker container (we use the one from LinuxServer.io, but you can use one of your choice). We then download our peer config file for WireGuard and mount the folder that holds it on the Docker host into the container, so that the container can read it. It's that easy!

Install Docker on your OS

  1. Get Docker

  2. Pull the WireGuard Docker Container from LinuxServer.io

Create a barebones config docker-compose.yaml file

Linux Version

---
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - /var/tmp/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 8000:8000/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Windows Version

---
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - C://wgConfig:/config
      - /lib/modules:/lib/modules
    ports:
      - 8000:8000/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

The primary difference between the Linux and Windows versions is the volume mount for the config file.

Create a wg0.conf file

  • Make sure you create a config file and place it in this directory /var/tmp/config:

  • /var/tmp/config/wg0.conf

  • Reference for wg.conf file creation

This config contains accurate information for tunnel establishment. This information must match exactly in order for the tunnel to come up. Please make sure that the wg0.conf file is created correctly. Please do not share your private key with anyone.
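
As an added example (not SonicWall's or LinuxServer.io's code), the shell function below checks a wg0.conf before it is mounted into the container: it flags file permissions that expose the private key to other users and reports required settings that are missing. The list of required keys is an assumption based on standard wg-quick client configs, and the sample values are constructed placeholders.

```shell
#!/bin/sh
# check_wg_conf FILE: print one line per problem; return 0 only if none found.
check_wg_conf() {
    conf=$1; problems=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    # The file holds the tunnel's private key: group/other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "permissions too open on $conf (use chmod 600)"
        problems=$((problems + 1))
    fi
    # Assumed minimum for a dial-out tunnel: each section.key needs a value.
    for want in Interface.PrivateKey Peer.PublicKey Peer.Endpoint Peer.AllowedIPs; do
        if ! awk -v want="$want" '
            /^[ \t]*#/ { next }
            /^[ \t]*\[/ { sec = $0; gsub(/\[|\]/, "", sec); gsub(/[ \t\r]/, "", sec); next }
            {
                eq = index($0, "="); if (!eq) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
                if (tolower(sec "." key) == tolower(want) && val != "") found = 1
            }
            END { exit (found ? 0 : 1) }' "$conf"; then
            echo "missing or empty: [${want%%.*}] ${want#*.}"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample (placeholder values, not a real key or gateway address).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[Interface]
PrivateKey = <connector-private-key>
[Peer]
PublicKey = <gateway-public-key>
Endpoint = 203.0.113.10:8000
AllowedIPs = 10.0.0.0/8
EOF
chmod 600 "$demo"
check_wg_conf "$demo" && echo "wg0.conf looks complete"
rm -f "$demo"
```

On the Docker host, run it against /var/tmp/config/wg0.conf before starting the container.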

Docker-compose run

Run the following command from a command prompt or terminal. Make sure to run it from the directory where docker-compose.yaml resides:

    docker-compose up -d

