Wireguard site-to-site setup?

Hi, at the moment I have a site-to-site configuration with multiple clients using OpenVPN.

For each client I have a vtunX interface with a private IP and some settings for ipv6 using openvpn-option (since it’s not in the scripts).

I’m basically announcing my own /24 and then routing a /29 and a /56 (IPv6) per tunnel.

How would I do this using Wireguard? wg0, wg1, wg2, etc.? Any suggestions?

Hi @sebastianm,

what do you mean with ‘announcing my own /24…’? Via bgp or another dynamic routing protocol?
You can terminate all tunnels on a single interface, or you can spread it through multiple ones. A wg interface can handle multiple endpoints.

Yes, I have a VM at Vultr and a /24 prefix which I’m announcing via BGP.

How can I configure a network such as /30 or /31 between my router and the peer though?

With OpenVPN I can just use “ifconfig” (mapped to VyOS shell) & “ifconfig-ipv6”.

Several options, either you define a policy via wg allowed-ips, or you set allowed-ips to, ::/0 and set an interface route if you want to use multiple interfaces.

wg01 has 3 peers.
peer1 allowed-ips:
peer2 allowed-ips
peer2 allowed-ips:

the interface route would be then interface wg01. Allowed IPs is basically your policy of the destination IPs.

If you want to use 1 interface per peer, then allowed IPs is either a list of destination IPs, or, the your route would be interface wg01, interface wg01 and so on.

Thanks, I’ll try that. The issue I’m having right now is that apparently the wireguard module isn’t included in the latest rolling ISO. I’m getting the “modprobe: FATAL: Module wireguard not found” error.

Yes, we are already aware of that issue. The wireguard modules is actually installed, but the kernel version installed in the iso is a different one.

I can confirm that DHCPv6 & WireGuard works fine in “vyos-1.2.0-rolling+201810290337-amd64.iso”.

@hagbard one of the wireguard interfaces “dissapears” from the config after boot. “wg” shows it’s active (wg0+wg1) & they are both in /config/config.boot but “show” command shows only wg1.

wireguard wg0 {
        peer mgmt-vpn {
            endpoint server1:51820
            persistent-keepalive 15
            pubkey nopenopenope
    wireguard wg1 {
        peer data-vpn {
            endpoint server2:51820
            persistent-keepalive 15
            pubkey nopenopenope

okay so apparently if there are multiple wg interfaces only the last one is shown by the “show” command.

Hi @sebastianm the show command is working fine, however I found a bug with setting the ip for a second interface, it set’s everything but it looks like the config parser calls the commands in a loop and therefore it is not marked as applied. I’m gonna open a bug for it and have a look. Meanwhile, you can terminate multple peers on a single wg interface.

Interface IP Address S/L Description

eth0 u/u
eth1 - u/u
lo u/u
wg0 u/u wg0
wg1 u/u wg1


Ok I’ve reverted back to using OpenVPN instead of WireGuard for my tunnels because I had various issues with MTU (I think).

Running speedtest-cli on VMs that were on the subnet going through WireGuard was flaky, sometimes it would be stuck on “Retrieving speedtest.net configuration…” and sometimes it would work (fine or w/ 0mbps download speed & proper upload).

After reverting back to OpenVPN it now works fine though I’ve left the wg0 interface for my management network (ESXi web interface, SNMP & such) which itself is configured in a star topology.

I’m not sure if I’ll have issues with the management WireGuard VPN. If I do, I’ll report back.

You can set a different mtu, but I doubt that it will be an issue if you don’t filter icmp. in my tests, it was outperforming openvpn.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.