---
title: "WireGuard VPN with 2 or more subnets"
description: "How to connect 2 subnets with WireGuard."
date: 2019-02-14T21:38:28+01:00
draft: false
tags:
- wireguard
- vpn
---

I wanted to create a https://en.wikipedia.org/wiki/WireGuard[WireGuard] VPN with 2 subnets in different physical places, each with their own server. I couldn't find an example of how to do that, so I wrote this one.

== Introduction

This HowTo is Linux specific.

I'm going to use the IP range `fd69::/48` for the VPN, `fd69:0:0:1::/64` for subnet 1 and `fd69:0:0:2::/64` for subnet 2.

I'm going to call the server of subnet 1 `server1`, its first client `client1a`, the second one `client1b` and so on.

All clients in subnet 1 will connect to `server1` and all clients in subnet 2 will connect to `server2`. `server1` and `server2` will be connected. If `client1a` wants to connect to `client2a`, the route will be: `client1a → server1 → server2 → client2a`.

== Preparations

https://www.wireguard.com/install/[Install WireGuard], create `/etc/wireguard` and generate a key-pair on each participating peer.

----
{{< highlight sh >}}
mkdir /etc/wireguard
cd /etc/wireguard
# umask 077 makes the key files readable by their owner only
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
{{< / highlight >}}
----

== Configure servers

.Turn on IP forwarding:
----
{{< highlight sh >}}
echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/ip-forward.conf
sysctl -p /etc/sysctl.d/ip-forward.conf
{{< / highlight >}}
----

[NOTE]
http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/[IP forwarding will put your computer into "router-mode"]: it will no longer autoconfigure via https://en.wikipedia.org/wiki/SLAAC[SLAAC].
If you need SLAAC, add this to `ip-forward.conf` (replace `DEVICE` with the name of the interface that should keep accepting router advertisements):

----
{{< highlight cfg >}}
net.ipv6.conf.DEVICE.accept_ra = 2
{{< / highlight >}}
----

In the configs below, `PrivateKey` is the content of the peer's own `privatekey` file and each `PublicKey` is the content of the respective remote peer's `publickey` file.

.`server1:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey =
ListenPort = 51820

# Server of subnet 2
[Peer]
PublicKey =
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64

# Clients of subnet 1
[Peer]
PublicKey =
AllowedIPs = fd69:0:0:1::a/128

[Peer]
PublicKey =
AllowedIPs = fd69:0:0:1::b/128
{{< / highlight >}}
----

.`server2:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey =
ListenPort = 51820

# Server of subnet 1
[Peer]
PublicKey =
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64

# Clients of subnet 2
[Peer]
PublicKey =
AllowedIPs = fd69:0:0:2::a/128
{{< / highlight >}}
----

== Configure clients

.`client1a:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey =

[Peer]
PublicKey =
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----

.`client1b:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey =

[Peer]
PublicKey =
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----

.`client2a:/etc/wireguard/wg0.conf`:
----
{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey =

[Peer]
PublicKey =
# Clients of subnet 2 connect to server2
Endpoint = server2:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
----

The `AllowedIPs` setting acts as a routing table. When a peer tries to send a packet to an IP, it checks `AllowedIPs`, and if the IP falls within one of the listed ranges, it sends the packet through the WireGuard interface, encrypted for the peer that lists that range. The `PersistentKeepalive` setting ensures that the connection is maintained and that the peer continues to be reachable, even behind NAT.

== Start VPN

Run `wg-quick up wg0` on each peer.
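To make the "`AllowedIPs` acts as a routing table" rule from the client section concrete, here is an added Python example; it is not from the original article and not WireGuard's own code. It parses a wg-quick style config modelled on the `server1` config above (constructed inline, with placeholder strings standing in for the keys) and resolves destination addresses to the peer WireGuard would send them to. WireGuard chooses the `AllowedIPs` entry with the longest matching prefix and drops a packet whose destination matches no entry; the example goes slightly beyond the article by adding a catch-all `fd69::/48` entry so the longest-prefix rule can be seen.

```python
"""Model WireGuard's cryptokey routing ("AllowedIPs as a routing table").

Added example, not from the original article: a wg-quick config (constructed
inline, mirroring server1's config) is parsed, and destination addresses are
resolved to the peer that WireGuard would encrypt the packet for.
"""
import ipaddress

# Constructed sample: server1's config from the article, with placeholder
# strings (not real keys) in the key fields.
SERVER1_CONF = """\
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <server1-private-key>
ListenPort = 51820

# Server of subnet 2
[Peer]
PublicKey = <server2-public-key>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64

# Clients of subnet 1
[Peer]
PublicKey = <client1a-public-key>
AllowedIPs = fd69:0:0:1::a/128

[Peer]
PublicKey = <client1b-public-key>
AllowedIPs = fd69:0:0:1::b/128
"""


def parse_wg_conf(text):
    """Parse a wg-quick config into (interface dict, list of peer dicts).

    A hand-written parser is used because [Peer] repeats, which the
    standard configparser module rejects.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def build_routes(peers):
    """Return [(network, public_key)] for every AllowedIPs entry of every peer."""
    routes = []
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                routes.append((ipaddress.ip_network(cidr), peer["PublicKey"]))
    return routes


def route(routes, destination):
    """Pick the peer for a destination by longest-prefix match.

    Returns the peer's public key, or None when no entry matches, which is
    the case in which WireGuard drops the packet instead of sending it.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for network, pubkey in routes:
        if dst.version == network.version and dst in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, pubkey)
    return best[1] if best else None


if __name__ == "__main__":
    _, peers = parse_wg_conf(SERVER1_CONF)
    routes = build_routes(peers)
    for dst in ("fd69:0:0:1::a", "fd69:0:0:2::a", "fd69:0:0:1::c"):
        print(dst, "->", route(routes, dst))
```

The same table is applied to inbound traffic: WireGuard discards a decrypted packet whose source address is not within the sending peer's `AllowedIPs`. Listing each client on the server as a `/128` rather than the whole `/64` therefore also stops one client from sending traffic with another client's address.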
== Further reading

The article https://www.stavros.io/posts/how-to-configure-wireguard/[How to easily configure WireGuard] by Stavros Korokithakis helped me a great deal in understanding WireGuard.

== Updates

* Updated 2019-02-16 to include IP forwarding.
* Updated 2019-02-16 with information on how to turn SLAAC back on.