tastytea/blog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
7acf0b6ba3
blog/content/posts/wireguard-vpn-with-2-or-more-subnets.adoc

154 lines
3.6 KiB
Plaintext
Raw Normal View History

initial commit
2019-02-15 01:31:21 +01:00
---
title: "WireGuard VPN with 2 or more subnets"
description: "How to connect 2 subnets with WireGuard."
date: 2019-02-14T21:38:28+01:00
Added lastmod
2019-02-15 01:36:23 +01:00
lastmod: 2019-02-15T01:36:00+01:00
initial commit
2019-02-15 01:31:21 +01:00
draft: false
tags:
- wireguard
- vpn
---
I wanted to create a https://en.wikipedia.org/wiki/WireGuard[WireGuard] VPN with
2 subnets in different physical places, each with their own server. I couldn't
test
2019-02-15 01:38:40 +01:00
find an example how to do that, so I wrote this one.
initial commit
2019-02-15 01:31:21 +01:00
== Introduction
I'm going to use the IP range `fd69::/48` for the VPN, `fd69:0:0:1::/64` for
subnet 1 and `fd69:0:0:2::/64` for subnet 2. I'm going to call the server of
subnet 1 `server1`, its first client `client1a`, the second one `client1b` and
so on.
All clients in subnet 1 will connect to `server1` and all clients in subnet 2
will connect to `server2`. `server1` and `server2` will be connected. If
`client1a` wants to connect to `client2a`, the route will be:
`client1a → server1 → server2 → client2a`.
== Preparations
https://www.wireguard.com/install/[Install WireGuard], create `/etc/wireguard`
and generate a key-pair on each participating peer.
----
{{< highlight sh >}}
mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
{{< / highlight >}}
----
== Configure servers
.`server1:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820
# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64
# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128
[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128
{{< / highlight >}}
----
.`server2:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820
# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64
# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128
{{< / highlight >}}
----
== Configure clients
.`client1a:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----
.`client1b:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----
.`client2a:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----
The `AllowedIPs` setting acts as a routing table. When a peer tries to send a
packet to an IP, it will check `AllowedIPs`, and if the IP appears in the list,
it will send it through the WireGuard interface.
The `PersistentKeepalive` setting ensures that the connection is maintained and
that the peer continues to be reachable, even behind a NAT.
== Start VPN
Run `wg-quick up wg0` on each peer.
== Further reading
The article https://www.stavros.io/posts/how-to-configure-wireguard/[How to easily configure WireGuard]
by Stavros Korokithakis helped me a great deal in understanding WireGuard.
Reference in New Issue Copy Permalink