Wireguard Site-2-Site VPN

cloud_router.conf

# This is the main router in the cloud 
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
PostUp = iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i %i -o %i -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i %i -o %i -m conntrack --ctstate NEW -j ACCEPT

# Router location A
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.2/32, 192.168.111.0/24

# Router location B
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.3/32, 192.168.155.0/24

# External client 1 (Laptop)
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.4/32

external_client_1.conf

# External client (Laptop)
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.4/32

[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60

router_location_A.conf

# Router location A
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.2/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i eth0 -j ACCEPT; iptables -A FORWARD -o eth0 -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i eth0 -j ACCEPT; iptables -D FORWARD -o eth0 -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60

router_location_B.conf

# Router location B
[Interface]
Address = 10.0.0.3/32
PrivateKey = <PrivateKey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i eth0 -j ACCEPT; iptables -A FORWARD -o eth0 -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i eth0 -j ACCEPT; iptables -D FORWARD -o eth0 -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentkeepAlive = 60

Wireguard Site-2-Site VPN.md

Source Tweet for network description: https://twitter.com/lindworm/status/1451878726807998467

Preconditions

We assume here, that all nodes are running Linux.

IP Forwarding must be enabled on all routing nodes:

sudo sysctl -w net.ipv4.ip_forward=1

Routing

Every node needs to know the route to the foreign nets. We can either add them manually or let our main router (the one that points to 0.0.0.0) know that the corresponding net is behind a VPN router.

So we need to point the route to the foreign net to the local address of the upstream VPN router.

• On Fritz!Box: Heimnetz -> Netzwerk -> Netzwerkeinstellungen -> Statische Routingtabelle
• Route example for reaching net B via router_location_A with local IP 192.168.111.100: ip route add 192.168.155.0/24 via 192.168.111.100

More Info

The files below should be named after the name of the VPN. Wireguard will name the VPN interface after the file.