thoughtpile i write things here

WireGuard VPN with 2 or more subnets

I wanted to create a WireGuard VPN with 2 subnets in different physical places, each with their own server. I couldn’t find an example how to do that, so I wrote this one.

Introduction

This HowTo is Linux specific.

I’m going to use the IP range fd69::/48 for the VPN, fd69:0:0:1::/64 for subnet 1 and fd69:0:0:2::/64 for subnet 2. I’m going to call the server of subnet 1 server1, its first client client1a, the second one client1b and so on.

All clients in subnet 1 will connect to server1 and all clients in subnet 2 will connect to server2. server1 and server2 will be connected. If client1a wants to connect to client2a, the route will be: client1a → server1 → server2 → client2a.

Preparations

Install WireGuard, create /etc/wireguard and generate a key-pair on each participating peer.

mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Configure servers

Turn on IP forwarding:
echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/ip-forward.conf
sysctl -p /etc/sysctl.d/ip-forward.conf
Note
IP forwarding will put your computer into "router-mode", it will no longer autoconfigure via SLAAC. If you need SLAAC, add net.ipv6.conf.DEVICE.accept_ra = 2 to ip-forward.conf.
server1:/etc/wireguard/wg0.conf:
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820

# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64

# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128

[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128
server2:/etc/wireguard/wg0.conf:
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820

# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64

# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128

Configure clients

client1a:/etc/wireguard/wg0.conf:
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
client1b:/etc/wireguard/wg0.conf:
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
client2a:/etc/wireguard/wg0.conf:
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>

[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25

The AllowedIPs setting acts as a routing table. When a peer tries to send a packet to an IP, it will check AllowedIPs, and if the IP appears in the list, it will send it through the WireGuard interface.

The PersistentKeepalive setting ensures that the connection is maintained and that the peer continues to be reachable, even behind a NAT.

Start VPN

Run wg-quick up wg0 on each peer.

Further reading

The article How to easily configure WireGuard by Stavros Korokithakis helped me a great deal in understanding WireGuard.

Updates

  • Updated 2019-02-16 to include IP forwarding.

  • Updated 2019-02-16 with information on how to turn SLAAC back on.