WireGuard VPN with 2 or more subnets
I wanted to create a WireGuard VPN with 2 subnets in different physical places, each with their own server. I couldn’t find an example how to do that, so I wrote this one.
Introduction
This HowTo is Linux specific.
I’m going to use the IP range fd69::/48 for the VPN, fd69:0:0:1::/64 for subnet 1 and fd69:0:0:2::/64 for subnet 2. I’m going to call the server of subnet 1 server1, its first client client1a, the second one client1b and so on.
All clients in subnet 1 will connect to server1 and all clients in subnet 2 will connect to server2. server1 and server2 will be connected. If client1a wants to connect to client2a, the route will be:
client1a → server1 → server2 → client2a
Preparations
Install WireGuard, create /etc/wireguard and generate a key-pair on each participating peer.
mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Configure servers
echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/ip-forward.conf
sysctl -p /etc/sysctl.d/ip-forward.conf
Note: IP forwarding will put your computer into "router-mode", it will no longer autoconfigure via SLAAC. If you need SLAAC, add net.ipv6.conf.DEVICE.accept_ra = 2 to ip-forward.conf.
server1:/etc/wireguard/wg0.conf
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820
# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64
# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128
[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128
server2:/etc/wireguard/wg0.conf
# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820
# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64
# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128
Configure clients
client1a:/etc/wireguard/wg0.conf
[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
client1b:/etc/wireguard/wg0.conf
[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
client2a:/etc/wireguard/wg0.conf
[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25
The AllowedIPs setting acts as a routing table. When a peer tries to send a packet to an IP, it will check AllowedIPs, and if the IP appears in the list, it will send it through the WireGuard interface to the peer whose entry matched. The same list is applied in the other direction as well: a packet received from a peer is only accepted if its source IP is within that peer's AllowedIPs, so the /128 entries on the servers both route to a client and stop that client from sending with another address.
The PersistentKeepalive setting ensures that the connection is maintained and that the peer continues to be reachable, even behind a NAT.
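To make the routing-table behaviour of AllowedIPs concrete, here is an added example (not code from the HowTo or from WireGuard itself) that parses a wg0.conf in the format used above and simulates the two decisions WireGuard takes with it: which peer an outgoing packet goes to (longest-prefix match of the destination over all peers' AllowedIPs) and whether an incoming packet is accepted (its source must lie within the sending peer's AllowedIPs). The embedded configuration is server1's from this page with constructed placeholder key strings; the function names are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: server1's wg0.conf from the HowTo, with placeholder keys.
SERVER1_CONF = """\
# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = PRIVATE_KEY_OF_server1
ListenPort = 51820
# Server of subnet 2
[Peer]
PublicKey = PUBKEY_server2
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64
# Clients of subnet 1
[Peer]
PublicKey = PUBKEY_client1a
AllowedIPs = fd69:0:0:1::a/128
[Peer]
PublicKey = PUBKEY_client1b
AllowedIPs = fd69:0:0:1::b/128
"""


@dataclass
class Peer:
    public_key: str
    allowed_ips: List[ipaddress._BaseNetwork] = field(default_factory=list)
    endpoint: Optional[str] = None


def parse_conf(text: str) -> List[Peer]:
    """Parse the INI-style wg0.conf into Peer objects; [Interface] keys are ignored."""
    peers: List[Peer] = []
    current: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Peer]":
            current = Peer(public_key="")
            peers.append(current)
            continue
        if line == "[Interface]":
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            current.public_key = value
        elif key == "Endpoint":
            current.endpoint = value
        elif key == "AllowedIPs":
            current.allowed_ips.extend(
                ipaddress.ip_network(v.strip(), strict=False) for v in value.split(","))
    return peers


def select_peer(peers: List[Peer], dst: str) -> Optional[str]:
    """Outbound: longest-prefix match of the destination over all peers' AllowedIPs.
    Returns the chosen peer's public key, or None if no peer claims the address."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Peer] = None
    best_len = -1
    for p in peers:
        for net in p.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best.public_key if best else None


def accept_inbound(peers: List[Peer], sender_key: str, src: str) -> bool:
    """Inbound: a decrypted packet from the peer with sender_key is accepted only
    if its source address lies within that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    for p in peers:
        if p.public_key == sender_key:
            return any(addr in net for net in p.allowed_ips)
    return False  # unknown peer


if __name__ == "__main__":
    peers = parse_conf(SERVER1_CONF)
    # client1a -> client2a arriving at server1 is forwarded to the server2 peer
    print(select_peer(peers, "fd69:0:0:2::a"))
    # client1a spoofing client1b's address is dropped at server1
    print(accept_inbound(peers, "PUBKEY_client1a", "fd69:0:0:1::b"))
```

Running it against server1's table shows a packet for fd69:0:0:2::a being handed to the server2 peer, a packet for fd69:0:0:1::b going straight to client1b, and a packet that client1a tries to send with client1b's source address being rejected, which is why the servers list each client as a /128 rather than the whole /64.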
Start VPN
Run wg-quick up wg0 on each peer.
Further reading
The article How to easily configure WireGuard by Stavros Korokithakis helped me a great deal in understanding WireGuard.
Updates
- Updated 2019-02-16 to include IP forwarding.
- Updated 2019-02-16 with information on how to turn SLAAC back on.