---
title: "WireGuard VPN with 2 or more subnets"
description: "How to connect 2 subnets with WireGuard."
date: 2019-02-14T21:38:28+01:00
draft: false
tags:
  - wireguard
  - vpn
---
I wanted to create a WireGuard VPN with 2 subnets in different physical places, each with its own server. I couldn't find an example of how to do that, so I wrote this one.
Introduction
This HowTo is Linux specific.
I'm going to use the IP range `fd69::/48` for the VPN, `fd69:0:0:1::/64` for subnet 1 and `fd69:0:0:2::/64` for subnet 2. I'm going to call the server of subnet 1 `server1`, its first client `client1a`, the second one `client1b` and so on.

All clients in subnet 1 will connect to `server1` and all clients in subnet 2 will connect to `server2`. `server1` and `server2` will be connected. If `client1a` wants to connect to `client2a`, the route will be:

`client1a → server1 → server2 → client2a`
Preparations
Install WireGuard, create `/etc/wireguard` and generate a key pair on each participating peer. The `umask 077` makes sure the private key is created readable by root only.

{{< highlight sh >}}
mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
{{< / highlight >}}
Configure servers
The servers forward packets between their clients and the other server, so IPv6 forwarding has to be enabled on both:

{{< highlight sh >}}
echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/ip-forward.conf
sysctl -p /etc/sysctl.d/ip-forward.conf
{{< / highlight >}}

This enables forwarding on all interfaces, and nothing in this HowTo filters forwarded traffic: every peer in `fd69::/48` can reach every other peer, and anything else the server is able to route to. If a server has other IPv6 networks behind it, add ip6tables or nftables rules for the FORWARD chain.

Note: IP forwarding puts your computer into "router mode". A forwarding host ignores router advertisements, so its interfaces no longer autoconfigure via SLAAC. If you need SLAAC, add `net.ipv6.conf.DEVICE.accept_ra = 2` to `ip-forward.conf`; the value 2 means "accept router advertisements even when forwarding is enabled".
`server1:/etc/wireguard/wg0.conf`:

{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820

# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64

# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128

[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128
{{< / highlight >}}

`server2:/etc/wireguard/wg0.conf`:

{{< highlight cfg >}}
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820

# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64

# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128
{{< / highlight >}}
Configure clients
`client1a:/etc/wireguard/wg0.conf`:

{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}

`client1b:/etc/wireguard/wg0.conf`:

{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
`client2a:/etc/wireguard/wg0.conf` (note that this client talks to `server2`, so both the public key and the endpoint are `server2`'s):

{{< highlight cfg >}}
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>

[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
{{< / highlight >}}
The `AllowedIPs` setting acts as a routing table. When a peer wants to send a packet to an IP, it looks the destination up in the `AllowedIPs` of all its peers; if one of them matches, the packet is encrypted for that peer and sent through the WireGuard interface, and if several match, the most specific prefix wins. The same list also works as a filter in the other direction: after decrypting a packet from a peer, WireGuard drops it unless its source address lies inside that peer's `AllowedIPs`. This is why the clients get a `/128` on the servers: `client1a` cannot send packets that claim `client1b`'s address, and `server2` cannot inject packets with subnet 1 source addresses into `server1`. To add a third subnet, give every server a `[Peer]` section for every other server with that server's `/64` in `AllowedIPs`; the clients need no change, because their `AllowedIPs` already covers the whole `fd69::/48`.

The `PersistentKeepalive = 25` setting makes the client send an encrypted keepalive every 25 seconds, so the mapping in a NAT or stateful firewall in front of it stays open and the server can still reach the client after it has been idle. The servers don't need it: they have public endpoints and are not behind a NAT in this setup.
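The two-way role of `AllowedIPs` is easiest to see in code. The following is an added example, not part of the original post and not WireGuard's own implementation: a small Python model of WireGuard's cryptokey routing that takes the peer tables of `server1` and `client1a` from the configs above and runs constructed packets through them. The packet addresses are made-up test inputs, not captures.

```python
import ipaddress

# server1's [Peer] sections from the article, keyed by peer name.
SERVER1_PEERS = {
    "server2": ["fd69:0:0:2::/64"],
    "client1a": ["fd69:0:0:1::a/128"],
    "client1b": ["fd69:0:0:1::b/128"],
}

# client1a's single [Peer] section from the article.
CLIENT1A_PEERS = {
    "server1": ["fd69::/48"],
}


def build_table(peers):
    """Flatten {peer: [cidr, ...]} into (network, peer) entries."""
    return [(ipaddress.ip_network(cidr), peer)
            for peer, cidrs in peers.items() for cidr in cidrs]


def select_peer(table, dst):
    """Outbound lookup: return the peer whose AllowedIPs entry is the most
    specific prefix containing dst, or None if no peer claims it (WireGuard
    then drops the packet instead of sending it over wg0)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, peer in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def accept_inbound(table, peer, src):
    """Inbound check: a packet that decrypted under `peer`'s session is only
    delivered if its source address routes back to that same peer. This is
    what stops client1a from emitting packets with client1b's address."""
    return select_peer(table, src) == peer


def duplicate_allowed_ips(peers):
    """Return CIDRs listed under more than one peer, as strings. The kernel
    keeps a single owner per entry and hands it to the peer configured last,
    so the earlier peer silently loses its route; wg-quick does not warn."""
    owner = {}
    dups = set()
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if net in owner and owner[net] != peer:
                dups.add(net)
            owner[net] = peer
    return sorted(str(n) for n in dups)


SERVER1_TABLE = build_table(SERVER1_PEERS)
CLIENT1A_TABLE = build_table(CLIENT1A_PEERS)

if __name__ == "__main__":
    # Constructed packets walking the client1a -> client2a path.
    print(select_peer(CLIENT1A_TABLE, "fd69:0:0:2::a"))  # server1
    print(select_peer(SERVER1_TABLE, "fd69:0:0:2::a"))   # server2
    print(select_peer(SERVER1_TABLE, "fd69:0:0:3::1"))   # None: no peer for subnet 3
    # Spoofing attempt: client1a's session carrying client1b's address.
    print(accept_inbound(SERVER1_TABLE, "client1a", "fd69:0:0:1::b"))  # False
    # A copy-paste mistake that gives two clients the same /128.
    print(duplicate_allowed_ips({"client1a": ["fd69:0:0:1::a/128"],
                                 "client1b": ["fd69:0:0:1::a/128"]}))
```

The `duplicate_allowed_ips` check is worth running over any new config before `wg-quick up`: on a server with many clients, the typical mistake is copying a `[Peer]` section and forgetting to change the `/128`, which leaves the earlier client unreachable without any error message.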
Start VPN
Run `wg-quick up wg0` on each peer. It creates the interface, assigns the `Address` and adds a route for every peer's `AllowedIPs`, so no manual routes are needed. To check the result, run `wg show` on a server: every peer should show a recent handshake; one that never does usually has a wrong key or endpoint. Then ping `client2a` from `client1a`, which exercises the whole `client1a → server1 → server2 → client2a` path.
Further reading
The article How to easily configure WireGuard by Stavros Korokithakis helped me a great deal in understanding WireGuard.
Updates
- Updated 2019-02-16 to include IP forwarding.
- Updated 2019-02-16 with information on how to turn SLAAC back on.