Wireguard Site-2-Site VPN
# This is the main router in the cloud
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
# Router location A
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.2/32, 192.168.111.0/24
# Router location B
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.3/32, 192.168.155.0/24
# External client 1 (Laptop)
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.4/32
# External client (Laptop)
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.4/32
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60
# Router location A
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.2/32
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables --table mangle --append PREROUTING --in-interface %i --jump MARK --set-mark 0x30
PostUp = iptables --table nat --append POSTROUTING ! --out-interface %i --match mark --mark 0x30 --jump MASQUERADE
PostDown = iptables --table mangle --delete PREROUTING --in-interface %i --jump MARK --set-mark 0x30
PostDown = iptables --table nat --delete POSTROUTING ! --out-interface %i --match mark --mark 0x30 --jump MASQUERADE
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60
# Router location B
[Interface]
Address = 10.0.0.3/32
PrivateKey = <PrivateKey>
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables --table mangle --append PREROUTING --in-interface %i --jump MARK --set-mark 0x30
PostUp = iptables --table nat --append POSTROUTING ! --out-interface %i --match mark --mark 0x30 --jump MASQUERADE
PostDown = iptables --table mangle --delete PREROUTING --in-interface %i --jump MARK --set-mark 0x30
PostDown = iptables --table nat --delete POSTROUTING ! --out-interface %i --match mark --mark 0x30 --jump MASQUERADE
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60

Wireguard Site-to-Site VPN

![](Wireguard Site-2-Site VPN.drawio.svg)

Source: https://twitter.com/lindworm/status/1451878726807998467

Preconditions

We assume that all nodes run Linux. IP forwarding must be enabled on every routing node (the PreUp line with sysctl -w net.ipv4.ip_forward=1 in the router configs above takes care of that). Name each config file after the VPN, because wg-quick names the interface after the file: /etc/wireguard/<name>.conf brings up an interface called <name>, which is also what %i expands to in the PostUp and PostDown rules.

Routing

Every node needs a route to the foreign nets. Either add the route manually on each host, or tell the LAN's main router (the one holding the default route to 0.0.0.0/0) that the foreign net is reachable via the VPN router in that LAN.

Either way, the route for the foreign net points to the LAN address of the local VPN router, which then forwards the traffic through the tunnel.

  • On a Fritz!Box: Heimnetz -> Netzwerk -> Netzwerkeinstellungen -> Statische Routingtabelle (Home Network -> Network -> Network Settings -> Static Routing Table)

  • Example route for reaching net B (192.168.155.0/24) via Router location A, whose LAN address is 192.168.111.100:

    $ ip route add 192.168.155.0/24 via 192.168.111.100
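WireGuard uses AllowedIPs both as the routing table and as the per-peer ACL, so on the cloud router the prefixes of all peers must not overlap: the last peer configured with a prefix silently takes it over, and a peer without a /32 inside the tunnel subnet is unreachable by its tunnel address. The following checker is an added example, not part of the gist; it parses a config in the format above (the sample is the cloud router with placeholder keys) and reports both problems.

```python
"""Check cryptokey routing (AllowedIPs) consistency in a WireGuard hub config."""
import ipaddress

# Constructed sample: the gist's cloud-router config with placeholder keys.
HUB_CONF = """
[Interface]
Address = 10.0.0.1/24
[Peer]  # Router location A
PublicKey = <PublicKey_A>
AllowedIPs = 10.0.0.2/32, 192.168.111.0/24
[Peer]  # Router location B
PublicKey = <PublicKey_B>
AllowedIPs = 10.0.0.3/32, 192.168.155.0/24
[Peer]  # External client (Laptop)
PublicKey = <PublicKey_Laptop>
AllowedIPs = 10.0.0.4/32
"""

def parse_wg(text):
    """Return (interface, peers) as dicts with lower-cased keys; '#' comments are dropped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers

def check_allowed_ips(text):
    """Return findings (empty list = OK). WireGuard hands an AllowedIPs prefix to the
    *last* peer that claims it, so an overlap silently reroutes traffic; a peer without
    a /32 inside the tunnel subnet cannot be reached by its tunnel address."""
    interface, peers = parse_wg(text)
    tunnel = ipaddress.ip_network(interface["address"].split(",")[0].strip(), strict=False)
    findings, seen = [], []  # seen: (network, owning peer)
    for idx, peer in enumerate(peers):
        label = peer.get("publickey", f"peer#{idx}")
        nets = [ipaddress.ip_network(n.strip()) for n in peer.get("allowedips", "").split(",") if n.strip()]
        if not any(n.prefixlen == 32 and n.subnet_of(tunnel) for n in nets):
            findings.append(f"{label}: no /32 tunnel address inside {tunnel}")
        for net in nets:
            findings += [f"{label}: {net} overlaps {o} of {who}" for o, who in seen if net.overlaps(o)]
            seen.append((net, label))
    return findings
```

Run it against the real file with check_allowed_ips(open("/etc/wireguard/<name>.conf").read()); an empty list means the hub's AllowedIPs are consistent.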

Troubleshooting

  • List all iptables rules (the filter table by default, then the nat table, where the MASQUERADE rules live)

    $ iptables --list-rules
    $ iptables --list-rules --table nat
  • Flush all rules to start from a clean slate. This also removes the MARK and MASQUERADE rules that PostUp added, so bring the VPN interface down and up again afterwards to restore them.

    $ iptables --flush
    $ iptables --flush --table nat
  • Turn on iptables logging (matches are written to the kernel log; read them with dmesg or journalctl -k)

    $ iptables --append INPUT --jump LOG
    $ iptables --append OUTPUT --jump LOG
    $ iptables --append FORWARD --jump LOG
    $ iptables --append PREROUTING --table nat --jump LOG
  • Turn off iptables logging

    $ iptables --delete INPUT --jump LOG
    $ iptables --delete OUTPUT --jump LOG
    $ iptables --delete FORWARD --jump LOG
    $ iptables --delete PREROUTING --table nat --jump LOG

References

suhlig commented Jul 28, 2022

Thanks for the feedback. I'm not using this setup anymore; tailscale is far too easy ;-)
