WireGuard is a simple, fast, and secure VPN that utilizes state-of-the-art cryptography. With a small source code footprint, it aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec. WireGuard is still under development, but even in its unoptimized state it is faster than the popular OpenVPN protocol. You can read more about Wireguard and its code from github repository but here we will quickly see how to establish site-site VPN tunnel in easy steps unlike other protocols which takes more effort to configure and establish multi-site tunnel.
I followed this to install and connect all sites that I use which are at different locations across the globe.
Let's assume we have 4 sites at different locations - NY,LA,SH,DE, we will name these sites S1,S2,S3 and S4. We will treat S1 to be the main entry point to which we can establish a public connection and access resources from either of the sites.
On S1 , perform the below.
Download the install script
wget https://raw.githubusercontent.com/l-n-s/wireguard-install/master/wireguard-install.sh -O wireguard-install.sh
Run the script
bash wireguard-install.sh
Wireguard and all required packages will be installed automatically and the script also generates a client configuration file at /root/client-wg0.conf.
Run the script bash wireguard-install.sh again to generate client config files for S2,S3 and S4.
Now edit all of the config files and replace 0.0.0.0/0 in AllowedIP parameter to the private subnet of S1 which will be 10.9.0.1. This is done to prevent forwarding all traffic to wireguard interface wg0 and instead route only private traffic through the tunnel.
Once done, you can verify if S2,S3 and S4 are added as peers by running wg. The output will show private IPs of all peers for which you have generated the config files.
On S2,S3 and S4, do the below(ofcourse individually).
sudo add-apt-repository ppa:wireguard/wireguard -y && sudo apt update && sudo apt install wireguard -y
Download the config files generated in S1 via FTP or SFTP.
Place the files in /etc/wireguard/ and rename to wg0.conf. wg0 is the name of virtual interface created by Wireguard. Hence Wireguard expects the config file to be the same name as the interface.
Once you have placed the config files in /etc/wireguard , you are now ready to creat the tunnel by running
wg-quick up wg0
The command should get completed and return you to the shell. If not, there is something wrong with the firewall or the config file.
Assuming you have followed the above and started the interface on all sites, you should now be able to ping all sites from one another. S1 should be able to communicate with S2,S3 and S4, similarly S2,S3 and S4 should be able to communicate amoung each other.
Wow, you have now setup multi-site VPN tunnel using Wireguard and you can safely now block all incoming and outgoing connections to S2,S3 and S4 if you wanted to establish private tunnel across sites and use S1 as the main site to communicate with others.
Remember to allow the port used by Wireguard in your firewall which can be found in the config files.