tastytea
/
blog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
blog/content/posts/wireguard-vpn-with-2-or-mor...

169 lines
4.1 KiB
Plaintext
Raw Normal View History

initial commit
2019-02-15 01:31:21 +01:00
---
title: "WireGuard VPN with 2 or more subnets"
description: "How to connect 2 subnets with WireGuard."
date: 2019-02-14T21:38:28+01:00
draft: false
tags:
- wireguard
- vpn
Switched comment system to comtodon.
2019-11-03 07:42:56 +01:00
comtodon: 9fqBQKGZa6qMf98wIC
initial commit
2019-02-15 01:31:21 +01:00
---
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
:source-highlighter: pygments
initial commit
2019-02-15 01:31:21 +01:00
I wanted to create a https://en.wikipedia.org/wiki/WireGuard[WireGuard] VPN with
2 subnets in different physical places, each with their own server. I couldn't
I think it'll work now. :-)
2019-02-15 02:34:09 +01:00
find an example how to do that, so I wrote this one.
initial commit
2019-02-15 01:31:21 +01:00
== Introduction
Added information on how to turn SLAAC back on.
2019-02-16 03:25:30 +01:00
This HowTo is Linux specific.
initial commit
2019-02-15 01:31:21 +01:00
I'm going to use the IP range `fd69::/48` for the VPN, `fd69:0:0:1::/64` for
subnet 1 and `fd69:0:0:2::/64` for subnet 2. I'm going to call the server of
subnet 1 `server1`, its first client `client1a`, the second one `client1b` and
so on.
All clients in subnet 1 will connect to `server1` and all clients in subnet 2
will connect to `server2`. `server1` and `server2` will be connected. If
`client1a` wants to connect to `client2a`, the route will be:
`client1a → server1 → server2 → client2a`.
== Preparations
https://www.wireguard.com/install/[Install WireGuard], create `/etc/wireguard`
and generate a key-pair on each participating peer.
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,shell]
initial commit
2019-02-15 01:31:21 +01:00
----
mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
----
== Configure servers
Added IP forwarding section to VPN-article
2019-02-16 01:11:14 +01:00
.Turn on IP forwarding:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,shell]
Added IP forwarding section to VPN-article
2019-02-16 01:11:14 +01:00
----
echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/ip-forward.conf
sysctl -p /etc/sysctl.d/ip-forward.conf
----
Added information on how to turn SLAAC back on.
2019-02-16 03:25:30 +01:00
[NOTE]
http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/[IP forwarding will put your computer into "router-mode"],
it will no longer autoconfigure via https://en.wikipedia.org/wiki/SLAAC[SLAAC].
Changed appearance of note in wireguard-article.
2019-03-08 22:21:15 +01:00
If you need SLAAC, add `net.ipv6.conf.DEVICE.accept_ra = 2` to `ip-forward.conf`.
Added information on how to turn SLAAC back on.
2019-02-16 03:25:30 +01:00
initial commit
2019-02-15 01:31:21 +01:00
.`server1:/etc/wireguard/wg0.conf`:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,cfg]
initial commit
2019-02-15 01:31:21 +01:00
----
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820
# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64
# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128
[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128
----
.`server2:/etc/wireguard/wg0.conf`:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,cfg]
initial commit
2019-02-15 01:31:21 +01:00
----
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820
# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64
# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128
----
== Configure clients
.`client1a:/etc/wireguard/wg0.conf`:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,cfg]
initial commit
2019-02-15 01:31:21 +01:00
----
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
----
.`client1b:/etc/wireguard/wg0.conf`:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,cfg]
initial commit
2019-02-15 01:31:21 +01:00
----
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
----
.`client2a:/etc/wireguard/wg0.conf`:
Switch highlighting to pygments.
2019-12-04 21:48:56 +01:00
[source,cfg]
initial commit
2019-02-15 01:31:21 +01:00
----
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
----
The `AllowedIPs` setting acts as a routing table. When a peer tries to send a
packet to an IP, it will check `AllowedIPs`, and if the IP appears in the list,
it will send it through the WireGuard interface.
The `PersistentKeepalive` setting ensures that the connection is maintained and
that the peer continues to be reachable, even behind a NAT.
== Start VPN
test
2019-02-15 01:56:10 +01:00
Run `wg-quick up wg0` on each peer.
initial commit
2019-02-15 01:31:21 +01:00
== Further reading
The article https://www.stavros.io/posts/how-to-configure-wireguard/[How to easily configure WireGuard]
by Stavros Korokithakis helped me a great deal in understanding WireGuard.
Added IP forwarding section to VPN-article
2019-02-16 01:11:14 +01:00
== Updates
Added information on how to turn SLAAC back on.
2019-02-16 03:25:30 +01:00
* Updated 2019-02-16 to include IP forwarding.
* Updated 2019-02-16 with information on how to turn SLAAC back on.