WireGuard Site2Site VPN Guide

Tuesday, October 18 2022 · Lesezeit: 3 Minuten · 427 Wörter · Tags: wireguard Achtung! Dieser Artikel ist älter als ein Jahr. Der Inhalt ist möglicherweise nicht mehr aktuell!

Setting up a Site 2 site VPN with WireGuard is pretty easy provided you have some basic WireGuard and IP routing knowlege. The scope of this guide is to provide sample configurations with additional explanations. You still have to use your brain and think what setup suits you best. This guide also only focuses on the current generation IP protocol IPv6. Legacy IPv4 addressing works exactly the same. This guide is also platform agnostic.

Example 1: Site 2 site with two sites with WireGuard installed on the router

The simplest and most conventient to set up.

Requirement: WireGuard must run on the default gateway/router on each site
Setup:

• Site A IP network: 2001:db8:beef::/64
• Site B IP network: 2001:db8:cafe::/64

Site A WireGuard config:

[Interface]
PrivateKey = redacted
ListenPort = 51820

[Peer]
# Site B
PublicKey = publicKeyOfSiteB
AllowedIPs = 2001:db8:cafe::/64

Site B WireGuard config:

[Interface]
PrivateKey = redacted
ListenPort = 51820

[Peer]
# Site A
PublicKey = publicKeyOfSiteA
AllowedIPs = 2001:db8:beef::/64

The AllowedIPs of each site has the IP network of the other side added to the AllowedIPs.

Example 2: Site 2 site with WireGuard not installed on the router

For example WireGurad running on a Raspberry Pi or another device.

Setup:

• Site A IP network: 2001:db8:beef::/64
• Site A gateway: 2001:db8:beef::
• Site A WireGuard host: 2001:db8:beef::5
• Site B IP network: 2001:db8:cafe::/64
• Site B gateway: 2001:db8:cafe::
• Site B WireGuard host: 2001:db8:cafe::140

The WireGuard config is the same as the one from example 1. But you need to add static routes on each site on the default gateway/router for the respective other IP network over the local wireguard host.

Site A static route on default gateway: 2001:db8:cafe::/64 via 2001:db8:beef::5
Site B static route on default gateway: 2001:db8:beef::/64 via 2001:db8:cafe::140

Packet flow from site A to site B:

• Device with IP 2001:db8:cafe::fefe wants to contact 2001:db8:cafe::abba
• Routing table lookup comes to the conclusion: Reachable over the default gateway 2001:db8:beef::
• The default gateway does a routing table lookup and comes to the conflusion: Reachable over the gateway with the IP 2001:db8:cafe::5
• The WireGuard hosts send it into the VPN tunnel where it pops out on the WireGuard host on Site B
• WireGurad host on site B delivers the packet directly to the destination 2001:db8:cafe::abba

Packet flow from Site B to Site A ist the same but reversed.
Rule of thumb: If WireGuard is running on the default gatway/router you don’t need to add static routes, as this router will already know how to route the packets. If WireGuard is done on another device you need to add static routes over that device.

Du hast einen Kommentar, einen Wunsch oder eine Verbesserung? Schreib mir doch eine E-Mail! Die Infos dazu stehen hier.

🖇️ = Link zu anderer Webseite
🔐 = Webseite nutzt HTTPS (verschlüsselter Transportweg) Zurück