WireGuard Site2Site VPN Guide

Setting up a Site 2 site VPN with WireGuard is pretty easy provided you have some basic WireGuard and IP routing knowlege. The scope of this guide is to provide sample configurations with additional explanations. You still have to use your brain and think what setup suits you best. This guide also only focuses on the current generation IP protocol IPv6. Legacy IPv4 addressing works exactly the same. This guide is also platform agnostic.

Example 1: Site 2 site with two sites with WireGuard installed on the router

The simplest and most conventient to set up.

Requirement: WireGuard must run on the default gateway/router on each site

Site A WireGuard config:

PrivateKey = redacted
ListenPort = 51820

# Site B
PublicKey = publicKeyOfSiteB
AllowedIPs = 2001:db8:cafe::/64

Site B WireGuard config:

PrivateKey = redacted
ListenPort = 51820

# Site A
PublicKey = publicKeyOfSiteA
AllowedIPs = 2001:db8:beef::/64

The AllowedIPs of each site has the IP network of the other side added to the AllowedIPs.

Example 2: Site 2 site with WireGuard not installed on the router

For example WireGurad running on a Raspberry Pi or another device.


The WireGuard config is the same as the one from example 1. But you need to add static routes on each site on the default gateway/router for the respective other IP network over the local wireguard host.

Site A static route on default gateway: 2001:db8:cafe::/64 via 2001:db8:beef::5
Site B static route on default gateway: 2001:db8:beef::/64 via 2001:db8:cafe::140

Packet flow from site A to site B:

Packet flow from Site B to Site A ist the same but reversed.
Rule of thumb: If WireGuard is running on the default gatway/router you don’t need to add static routes, as this router will already know how to route the packets. If WireGuard is done on another device you need to add static routes over that device.

Du hast einen Kommentar, einen Wunsch oder eine Verbesserung? Schreib mir doch eine E-Mail! Die Infos dazu stehen hier.

🖇️ = Link zu anderer Webseite
🔐 = Webseite nutzt HTTPS (verschlüsselter Transportweg)