wireguard-site-to-site's Introduction

Wireguard Site-to-Site VPN

This guide will show you how to connect two (or more) networks (not just clients) to each other via standard Linux machines and Wireguard VPN.

The goal of this guide is to:

  1. Allow additional clients on the same private subnet as the connecting client to reach the private network of the Wireguard server
  2. Allow clients connecting to the Wireguard server from outside the private network to access other clients' private networks and the Wireguard private network

IMPORTANT: This does not address ACLs/Security groups to lock down the traffic that flows between the sites. Make sure you address this accordingly with iptables or another solution.

Installation of Wireguard:

I have installed Wireguard the following 3 ways when testing this configuration:

  1. Official Wireguard Install documentation: https://www.wireguard.com/install/ and https://www.wireguard.com/quickstart/
  2. Complex Organizations - Wireguard Installer Manager: https://github.com/complexorganizations/wireguard-installer-manager
  3. LNS - Wireguard Install: https://github.com/l-n-s/wireguard-install

For simplicity's sake, and if you are new to Wireguard, I recommend using Option #3 to install Wireguard on your server.

Securing The Server

If you are installing this on a virtual private server on Digital Ocean, AWS or Linode, use an appropriate firewall or IPtables configuration to secure the server.

I use Digital Ocean and on the Digital Ocean firewall, I only open UDP on the port the Wireguard server is listening on to all IP addresses. I lock down SSH to my home or office IP to reduce the likelihood of an attacker gaining access to the system.

See the ListenPort in the /etc/wireguard/wg0.conf file to know what port your server is listening on.

[Interface]
Address = 10.9.0.1/24
ListenPort = 31030

Server Configuration

The server file created during the setup will have the basics you need to get connected from a WG Client to the WG Server.

In order to enable traffic to be passed from the client network to the private subnet of the server, you will need to add the following options.

  • PostUp IPTables rules: These enable traffic flow and masquerading for the traffic coming from the client private network. Make sure you replace INTERNAL_IP_INTERFACE with the interface name of your private network on your VPS, e.g. eth1.
  • PostDown IPTables rules: Undo the IPTables rules once the tunnel is disconnected. Make sure you replace INTERNAL_IP_INTERFACE with the interface name of your private network on your VPS, e.g. eth1.
  • Allowed IPs: Think of this as an ACL or allow rule for which IPs are allowed to pass traffic. The first IP is the IP of your WG Client. Add another range for the entire subnet of your CLIENT network. In the example below, my subnet is 192.168.100.0/23, which includes IPs 192.168.100.1 - 192.168.101.254.

Before:

[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
PrivateKey = PRIVATE_KEY
SaveConfig = false

# client1
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.9.0.2/32

After:

[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
PrivateKey = PRIVATE_KEY
SaveConfig = false

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE

# client1
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.9.0.2/32, 192.168.100.0/23

Client Configuration

In order to properly route traffic for the SERVER subnet and back, you will need to add a couple of items on the client side.

  • PostUp: Added to the client .conf file to add IPtables rules that allow traffic back from the SERVER private subnet.
  • PostDown: Removes the IPtables rules after the connection is shut down.
  • Routing rules to access the SERVER private network via the Wireguard server.

Edit the client .conf file

Before

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.9.0.2/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = WIREGUARD_SERVER_PUBLICIP:LISTENING_PORT
PersistentKeepalive = 25

After:

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.9.0.2/24
DNS = 1.1.1.1, 1.0.0.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE

[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = WIREGUARD_SERVER_PUBLICIP:LISTENING_PORT
PersistentKeepalive = 25
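As an added check that is not part of the guide, the following Python script lints a server wg0.conf for the three mistakes that break the site-to-site path described above: an INTERNAL_IP_INTERFACE placeholder left unreplaced, a PostDown that does not mirror PostUp, and a client tunnel IP that is missing from or duplicated across peers' AllowedIPs (or whose client LAN is not listed on the same peer). The sample config is constructed with placeholder keys, the function names are my own, and the placeholder and PostUp/PostDown checks apply unchanged to the client .conf shown above.

```python
import ipaddress

# Constructed sample in the guide's shape (placeholder keys); PostDown still has the unreplaced placeholder.
SERVER_CONF = """[Interface]
Address = 10.9.0.1/24
ListenPort = 31030
PrivateKey = PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.9.0.2/32, 192.168.100.0/23
"""

def parse_wg(text):
    """Parse a wg-quick style config into (interface, [peers]); repeated keys become lists."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comment lines such as "# client1"
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif line:
            key, _, value = line.partition("=")
            section.setdefault(key.strip().lower(), []).append(value.strip())
    return interface, peers

def allowed_nets(peer):
    joined = ",".join(peer.get("allowedips", []))  # the key may repeat or be comma-separated
    return [ipaddress.ip_network(n.strip(), strict=False) for n in joined.split(",") if n.strip()]

def check_server(text, client_tunnel_ip, client_lan):
    """Return the problems a server config has for one site gateway peer (empty list = OK)."""
    (interface, peers), problems = parse_wg(text), []
    def rules(key, flag):  # rule set with -A/-D neutralised so PostUp and PostDown are comparable
        return {c.strip().replace(flag, " -X ") for s in interface.get(key, []) for c in s.split(";")}
    if any("INTERNAL_IP_INTERFACE" in s for k in ("postup", "postdown") for s in interface.get(k, [])):
        problems.append("INTERNAL_IP_INTERFACE placeholder not replaced")
    if rules("postup", " -A ") != rules("postdown", " -D "):
        problems.append("PostDown does not remove exactly the rules PostUp adds")
    # Each allowed IP belongs to exactly one peer (the last one configured wins), so the
    # gateway's tunnel IP must be unique and its LAN must be listed on that same peer.
    tunnel, lan = ipaddress.ip_address(client_tunnel_ip), ipaddress.ip_network(client_lan)
    owners = [p for p in peers if any(tunnel in n for n in allowed_nets(p))]
    if len(owners) != 1:
        problems.append(f"{client_tunnel_ip} appears in AllowedIPs of {len(owners)} peers")
    elif not any(lan.subnet_of(n) for n in allowed_nets(owners[0]) if n.version == lan.version):
        problems.append(f"{client_lan} is missing from the gateway peer's AllowedIPs")
    return problems
```

These checks do not replace confirming that the kernel forwards packets at all: `sysctl net.ipv4.ip_forward` must report 1 on both gateways, which the PostUp rules above assume.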

Update the routing

If you want all machines on your CLIENT private network to be able to access the SERVER private subnet using the WG Client machine as a gateway, you will need to add routing information.

Below are examples; they will need to be adjusted for your specific networks and config.

  • Wireguard Windows client machine (self): route add 10.132.0.0 MASK 255.255.0.0 10.9.0.2
  • Wireguard Windows client machine (another host): route add 10.132.0.0 MASK 255.255.0.0 PRIVATE_IP_OF_WG_CLIENT
  • Wireguard Linux client machine (self): ip route add 10.132.0.0/16 via 10.9.0.2 dev wg0
  • Wireguard Linux client machine (another host): route add -net 10.132.0.0 netmask 255.255.0.0 gw PRIVATE_IP_OF_WG_CLIENT
  • Entire network: Add a route to the entire SERVER private network on your router, pointing 10.132.0.0/16 to the IP of the Wireguard CLIENT on your network.

Please ask me any question about the setup or post any corrections under "Issues".

Twitter: https://twitter.com/mjtechguy

wireguard-site-to-site's People

Contributors

mjtechguy
wireguard-site-to-site's Issues

Can't get server to client network routing to work...

Hey, thanks for the awesome tutorial.
I seem to have trouble getting the whole setup to work.

My setup consists of a VPS @ OVH, and a local box that I use for running docker containers, running Ubuntu.
From what I observe, the ping packet I'm sending does not leave the docker machine back to the wireguard server.

(Small clarification: ens18 and enp0s18 are the same interface, I had some inconsistencies in my screenshots regarding that)

I have done some packet tracing and here are the results:

Wireguard config on docker01

[Interface]
PrivateKey = <****************************************>
Address = 10.200.1.4/24
DNS = 1.1.1.1, 1.0.0.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE

PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -o enp0s18 -j MASQUERADE

[Peer]
PublicKey = <****************************************>
AllowedIPs = 0.0.0.0/0, ::0
Endpoint = <**********>:<***>
PersistentKeepalive = 25

Wireguard config on vpn-server

[Interface]
Address = 10.200.1.1/24
SaveConfig = false

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

ListenPort = 51820
PrivateKey = <****************************************>

[Peer]
# Some client that shall later be able to reach 192.168.178.36 / desktop
PublicKey = <****************************************>
AllowedIPs = 10.200.1.2/32

[Peer]
# docker01
PublicKey = <****************************************>
AllowedIPs = 10.200.1.4/32, 192.168.178.0/24

Can someone help and point out what I am missing here? Do the firewall rules of docker maybe interfere with the setup?

Possible backwards iptables config example

When using your examples I found something that I think is wrong (but not entirely sure about). In the client configuration, I think the interfaces in the iptables post up/down section are swapped. For me, when I changed this:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTERNAL_IP_INTERFACE -j MASQUERADE

to

PostUp = iptables -A FORWARD -i INTERNAL_IP_INTERFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i INTERNAL_IP_INTERFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

My other clients on the client subnet could then have a static route like you mention at the end of the Readme ("another host" option) and actually reach the server subnet. Before I swapped those interface names around, only the client running Wireguard could reach the server subnet and would not route traffic for the other clients on the subnet.

In any case, thank you for putting this information out, I found it helpful!

Help me setup Gateway

Hi - relatively new to WG, but I was able to set up a road warrior configuration; however, now I'm interested in a site-to-site VPN connection.

Basically I want to do a site-to-site VPN between Home Network/PfSense Router and a Digital Ocean Droplet.
Wireguard setup via GUI on pfsense
Digital Ocean Droplet - single instance of Ubuntu

Peer#1
Home Pfsense Router - Created Interface and Assigned a WG tunnel IP address of 10.8.110.1.
LAN behind Pfsense router uses 10.0.1.0/24 addresses
WAN IP address of server is pingable 69.xxx.xxx.xxx

Peer#2
Digital Ocean Droplet running Ubuntu
Wireguard installed on Ubuntu - wg0 Interface Created and assigned a WG tunnel IP address of 10.8.110.2
WAN IP address of Ubuntu server is pingable 142.xxx.xxx.xxx

Here is my Digital Ocean wg.conf

[Interface]
PrivateKey = <Private Key>
ListenPort = 51821
Address = 10.8.110.2/24
DNS = 10.8.110.1, 10.0.1.1, 9.9.9.9, domain.com
SaveConfig = true

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


[Peer]
PublicKey = <Public Key>
PresharedKey = <PSK>
AllowedIPs = 10.0.1.0/24, 10.6.210.0/24
Endpoint = openvpn.domain.com:51821
PersistentKeepAlive = 360

I'm stumbling trying to set up the gateways and routes. I believe I need to set up gateways and routes on both pfsense and Ubuntu-digital ocean. I'm looking for the entire 10.0.1.0/24 network to be able to access Digital Ocean, and I also think I need gateways and routes for the actual Wireguard tunnel addresses. Thanks. I think I'm stumped on this last part.

Wireguard Windows Client

Hi,
What I have:

Wireguard peer as a server on VPS
Wireguard peer client on Windows10
Plex Server on the same Windows machine.

Now, I use Wireguard to encrypt internet traffic on my PC and mobile devices, but I wonder how I can access the Plex Server remotely through Wireguard from a mobile device?

I think I may need to set some routing in Windows, because your manual is not working for me. Do you know what to do?

Thanks for help

Unable to reach resources on the server network

Hi! I've followed your nice guide, and all seems to be working: I can ping machines from one network to the other, but I'm still not able to reach resources (e.g. NAS) on the other network.
I have this configuration:

Network 1 (server):
192.168.188.0/24 (eth0 is on 192.168.188.8)
wg0 is on 10.0.0.1

Network 2 (client):
192.168.0.0/24 (eth0 is on 192.168.0.24)
wg0 is on 10.0.0.3

I've just opened port 51820/UDP on both routers, pointing to the machines where wireguard is running.
Both networks have static public IPs.
The wg show command shows both daemons up, running and connected to each other.
Why can't I reach my NAS at 192.168.0.30 if I can ping it?
I think I'm missing something, like a static route, but I don't know where and how to configure it...
