Skip to content

Instantly share code, notes, and snippets.

@deg0nz

deg0nz/Wireguard Site-2-Site VPN.md

Last active December 14, 2022 14:47
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save deg0nz/1be986eac7f64753063c0f7d2933c3c5 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save deg0nz/1be986eac7f64753063c0f7d2933c3c5 to your computer and use it in GitHub Desktop.
Download ZIP
Wireguard Site-2-Site VPN
Raw
cloud_router.conf
# This is the main router in the cloud
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
PostUp = iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i %i -o %i -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i %i -o %i -m conntrack --ctstate NEW -j ACCEPT
# Router location A
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.2/32, 192.168.111.0/24
# Router location B
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.3/32, 192.168.155.0/24
# External client 1 (Laptop)
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.0.0.4/32
Raw
external_client_1.conf
# External client (Laptop)
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.4/32
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60
Raw
router_location_A.conf
# Router location A
[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.2/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i eth0 -j ACCEPT; iptables -A FORWARD -o eth0 -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i eth0 -j ACCEPT; iptables -D FORWARD -o eth0 -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.155.0/24
Endpoint = cloud-router.example.com:51820
PersistentKeepalive = 60
Raw
router_location_B.conf
# Router location B
[Interface]
Address = 10.0.0.3/32
PrivateKey = <PrivateKey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i eth0 -j ACCEPT; iptables -A FORWARD -o eth0 -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i eth0 -j ACCEPT; iptables -D FORWARD -o eth0 -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[Peer]
PublicKey = <PublicKey_Cloud_Router>
AllowedIPs = 10.0.0.0/24, 192.168.111.0/24
Endpoint = cloud-router.example.com:51820
PersistentkeepAlive = 60
Raw
Wireguard Site-2-Site VPN.md

Source Tweet for network description: https://twitter.com/lindworm/status/1451878726807998467

Preconditions

We assume here, that all nodes are running Linux.

IP Forwarding must be enabled on all routing nodes:

sudo sysctl -w net.ipv4.ip_forward=1

Routing

Every node needs to know the route to the foreign nets. We can either add them manually or let our main router (the one that points to 0.0.0.0) know that the corresponding net is behind a VPN router.

So we need to point the route to the foreign net to the local address of the upstream VPN router.

  • On Fritz!Box: Heimnetz -> Netzwerk -> Netzwerkeinstellungen -> Statische Routingtabelle
  • Route example for reaching net B via router_location_A with local IP 192.168.111.100: ip route add 192.168.155.0/24 via 192.168.111.100

More Info

The files below should be named after the name of the VPN. Wireguard will name the VPN interface after the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment