Wireguard site-to-site (network-to-network) VPN Configuration examples
This guide will show you how to connect two (or more) networks (not just clients) to each other via standard Linux machines and Wireguard VPN.
The goal of this guide is to:
IMPORTANT: This does not address ACLs/Security groups to lock down the traffic that flows between the sites. Make sure you address this accordingly with iptables or another solution.
I have installed Wireguard the following 3 ways when testing this configuration:
For simplicity sake and if you are new to Wireguard, I recommend using Option #3 to install Wireguard on your server.
If you are installing this on a virtual private server on Digital Ocean, AWS or Linode, use an appropriate firewall or IPtables configuration to secure the server.
I use Digital Ocean and on the Digital Ocean firewall, I only open UDP on the port the Wireguard server is listening on to all IP addresses. I lock down SSH to my home or office IP to reduce the likelihood of an attacker gaining access to the system.
See the ListenPort
in the /etc/wireguard/wg0.conf file to know what port you server is listening on.
[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
The server file created during the setup will have the basics you need to get connected from a WG Client to the WG Server.
In order to enable traffic to be passed from the client network to the private subnet of the server, you will need to add the following option.
INTERNAL_IP_INTERFACE
with the interface ID of your private network on your VPS, eg eth1
.INTERNAL_IP_INTERFACE
with the interface ID of your private network on your VPS, eg eth1
.192.168.100.1 - 192.168.101.254
.Before:
[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
PrivateKey = PRIVATE_KEY
SaveConfig = false
# client1
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.9.0.2/32
After:
[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
PrivateKey = PRIVATE_KEY
SaveConfig = false
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
# client1
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.9.0.2/32, 192.168.100.0/23
In order to properly route traffic for the SERVER subnet and back, you will need to add a couple of items on the client side.
You will need to update the following on your client side.
Before
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.9.0.2/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = WIREGUARD_SERVER_PUBLICIP:LISTENING_PORT
PersistentKeepalive = 25
After:
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.9.0.2/24
DNS = 1.1.1.1, 1.0.0.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = WIREGUARD_SERVER_PUBLICIP:LISTENING_PORT
PersistentKeepalive = 25
If you want all machines on your CLIENT private network to be able to access the SERVER private subnet using the WG Client machine as a gateway, you will need to add routing information.
Below are examples and will need to be adjusted for your specific networks and config
Please ask me any question about the setup or post any corrections under "Issues".
Twitter: https://twitter.com/mjtechguy