Wireguard VPN site to site

Hi
I have tried to follow this site-to-site setup:
https://docs.vyos.io/en/crux/vpn/wireguard.html
But I am a little bit confused about where the different IPs belong.


Can anyone tell me (draw a topology) and assign the IPs from the picture above (where do they belong if I want to use the example to connect 2 routers over the internet)?

Should wg01 be on the same network?

This is my personal topology:

Thanks in advance for helping.

BR
OFH
Denmark

Hey,

for your server side:

the ip of the wireguard interface
wg01 address 10.1.100.1/24.

the allowed ips in the tunnel, please change this if you want route other ips over the tunnel
in your case maybe 10.1.30.0/24 and 10.1.40.0/24
wg01 peer client1 allowed-ips 10.1.100.0/24

the tunnel endpoint of the remote peer,
wg01 peer client1 endpoint 10.1.20.2:PORT

the pubkey of the remote peer
wg01 peer client1 pubkey XXXXX

the listen port for WireGuard on the server
wg01 port PORT

Hi

Thanks for the reply

One question

You wrote:

the allowed ips in the tunnel, please change this if you want route other ips over the tunnel
in your case maybe 10.1.30.0/24 and 10.1.40.0/24
wg01 peer client1 allowed-ips 10.1.100.0/24

How do I add the two networks (30/40)?

Is it the same setup for the remote site? :slight_smile:

BR

put them both in there

My “server” at the datacenter:

set interfaces wireguard wg101 address '10.200.200.1/30'
set interfaces wireguard wg101 description 'site2_VPN_VM'
set interfaces wireguard wg101 ip ospf authentication md5 key-id 1 md5-key 'xxxxxxxxxxxxxxxxx'
set interfaces wireguard wg101 ip ospf dead-interval '40'
set interfaces wireguard wg101 ip ospf hello-interval '10'
set interfaces wireguard wg101 ip ospf network 'point-to-point'
set interfaces wireguard wg101 ip ospf priority '100'
set interfaces wireguard wg101 ip ospf retransmit-interval '5'
set interfaces wireguard wg101 ip ospf transmit-delay '1'
set interfaces wireguard wg101 mtu '1420'
set interfaces wireguard wg101 peer site2-vpn allowed-ips '10.200.200.0/30'
set interfaces wireguard wg101 peer site2-vpn allowed-ips '10.100.128.0/27'
set interfaces wireguard wg101 peer site2-vpn allowed-ips '224.0.0.0/8'
set interfaces wireguard wg101 peer site2-vpn persistent-keepalive '15'
set interfaces wireguard wg101 peer site2-vpn pubkey 'randomStrinGOfCharaCTErs123456'
set interfaces wireguard wg101 port '50101'

Site2:

set interfaces wireguard wg101 address '10.200.200.2/30'
set interfaces wireguard wg101 ip ospf authentication md5 key-id 1 md5-key 'xxxxxxxxx'
set interfaces wireguard wg101 ip ospf dead-interval '40'
set interfaces wireguard wg101 ip ospf hello-interval '10'
set interfaces wireguard wg101 ip ospf network 'point-to-point'
set interfaces wireguard wg101 ip ospf priority '1'
set interfaces wireguard wg101 ip ospf retransmit-interval '5'
set interfaces wireguard wg101 ip ospf transmit-delay '1'
set interfaces wireguard wg101 mtu '1420'
set interfaces wireguard wg101 peer datacenter allowed-ips '0.0.0.0/0'
set interfaces wireguard wg101 peer datacenter endpoint 'PUBLICIPADDRESS'
set interfaces wireguard wg101 peer datacenter pubkey 'somerandomstringofcharacterssasdflkjg'
set protocols static interface-route 10.200.200.0/24 next-hop-interface wg101

This setup is passing OSPF across, so if you don’t need that, obviously leave that piece off, but the rest is super simple.

We use this configuration for several site-to-site configurations. Each site gets a new interface: 101, 102, 103, 104, etc.

Thanks again for the reply.
I look forward to trying this.
BR
Ofh

Anything special about this?

BR OFH

It’s the default MTU for wireguard

Thanks for info.
So WireGuard won't work if it is not set to 1420?
BR
OFH

That’s not what I said.

It is the DEFAULT for WireGuard. Play around with different MTU if you want.

Ok, Thanks for helping.
BR
OFH

Why is this only set up on “Site2” (set protocols static interface-route)?
BR

It’s on my “server” as well, I just didn’t include it here. I actually have lots of site-to-site tunnels and only pulled one of them for an example.

Ok, thanks again.
BR
Ofh

Hi (again) :slightly_smiling_face:
What if I involve NAT (SNAT with masquerade)? Clients on both sites need access to the internet.
Does the NAT rule execute before the static route?
BR
OFH

You’re thinking way too hard on this.

Just try it.

Ok :wink:
I will give it a try.
Good weekend.
BR

@pirateghost @rob
I have now tried to set up a server and a remote site,
but I still can't ping a PC on the LAN (remote site) from the LAN on the server side.

Here are my configurations for both sides:
Server.txt (2.3 KB)
Remote site.txt (2.3 KB)

What could be wrong?
Any good commands to verify the tunnel?

BR
OFH

Can you ping from server 10.1.20.2?

Also, try to dump traffic on the wg01 interface. Do you see ICMP requests?

The first step: generate keys, on both nodes.

generate wireguard keypair

Take a close look at the keys and how they are located in the configuration on the routers.

vyos@left:~$ show wireguard pubkey 
b4612Vv/jeL2DRT/YHFrFi+QxhBaKifIRj7ksg8PQS0=
vyos@left:~$ 

vyos@right:~$ show wireguard pubkey 
unLicwlFoH2K1tgWJiep7H9YNW8pZmQ4UByJTDna4lY=
vyos@right:~$ 

Config from the “left” node.

set interfaces ethernet eth0 address '10.1.10.2/24'
set interfaces wireguard wg1 address '10.1.100.1/30'
set interfaces wireguard wg1 description 'Client'
set interfaces wireguard wg1 peer PEER01 allowed-ips '10.1.100.0/24'
set interfaces wireguard wg1 peer PEER01 endpoint '10.1.20.2:12345'
set interfaces wireguard wg1 peer PEER01 pubkey 'unLicwlFoH2K1tgWJiep7H9YNW8pZmQ4UByJTDna4lY='
set interfaces wireguard wg1 port '12345'
set protocols static route 0.0.0.0/0 next-hop 10.1.10.1
set system host-name 'left'

Configuration from the “right” node.

set interfaces ethernet eth0 address '10.1.20.2/24'
set interfaces wireguard wg1 address '10.1.100.2/30'
set interfaces wireguard wg1 description 'Server-SERVER-10.1.10.2'
set interfaces wireguard wg1 peer SERVER allowed-ips '10.1.100.0/24'
set interfaces wireguard wg1 peer SERVER endpoint '10.1.10.2:12345'
set interfaces wireguard wg1 peer SERVER pubkey 'b4612Vv/jeL2DRT/YHFrFi+QxhBaKifIRj7ksg8PQS0='
set interfaces wireguard wg1 port '12345'
set protocols static interface-route 10.1.100.0/24 next-hop-interface wg1
set protocols static route 0.0.0.0/0 next-hop 10.1.20.1
set system host-name 'right'

Ping from “left” node and dump from “right” node

vyos@left:~$ ping 10.1.100.2 count 2
PING 10.1.100.2 (10.1.100.2) 56(84) bytes of data.
64 bytes from 10.1.100.2: icmp_seq=1 ttl=64 time=7.79 ms
64 bytes from 10.1.100.2: icmp_seq=2 ttl=64 time=2.06 ms

--- 10.1.100.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 2.065/4.932/7.799/2.867 ms
vyos@left:~$ 

vyos@right:~$ sudo tcpdump -ntvi wg1
tcpdump: listening on wg1, link-type RAW (Raw IP), capture size 262144 bytes
IP (tos 0x0, ttl 64, id 28118, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.100.1 > 10.1.100.2: ICMP echo request, id 4919, seq 1, length 64
IP (tos 0x0, ttl 64, id 43878, offset 0, flags [none], proto ICMP (1), length 84)
    10.1.100.2 > 10.1.100.1: ICMP echo reply, id 4919, seq 1, length 64
IP (tos 0x0, ttl 64, id 28184, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.100.1 > 10.1.100.2: ICMP echo request, id 4919, seq 2, length 64
IP (tos 0x0, ttl 64, id 44022, offset 0, flags [none], proto ICMP (1), length 84)
    10.1.100.2 > 10.1.100.1: ICMP echo reply, id 4919, seq 2, length 64
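
A sanity check for the pairing shown in this answer, added here as an example (it is not code from the thread or from VyOS): it parses both routers' "set interfaces" lines and reports the mismatches that most often leave a tunnel silently dead, namely a pubkey that is not the other router's, an endpoint that does not point at the other router's address and listen port, and allowed-ips that do not cover the peer's tunnel address. The sample input is the left/right configuration and the show wireguard pubkey output quoted above; any two configs pasted in as strings work the same way.

```python
import ipaddress

# Sample input: the "left"/"right" configs and 'show wireguard pubkey' output quoted in this thread.
LEFT_PUBKEY = "b4612Vv/jeL2DRT/YHFrFi+QxhBaKifIRj7ksg8PQS0="
RIGHT_PUBKEY = "unLicwlFoH2K1tgWJiep7H9YNW8pZmQ4UByJTDna4lY="
LEFT_CFG = """set interfaces ethernet eth0 address '10.1.10.2/24'
set interfaces wireguard wg1 address '10.1.100.1/30'
set interfaces wireguard wg1 peer PEER01 allowed-ips '10.1.100.0/24'
set interfaces wireguard wg1 peer PEER01 endpoint '10.1.20.2:12345'
set interfaces wireguard wg1 peer PEER01 pubkey 'unLicwlFoH2K1tgWJiep7H9YNW8pZmQ4UByJTDna4lY='
set interfaces wireguard wg1 port '12345'"""
RIGHT_CFG = """set interfaces ethernet eth0 address '10.1.20.2/24'
set interfaces wireguard wg1 address '10.1.100.2/30'
set interfaces wireguard wg1 peer SERVER allowed-ips '10.1.100.0/24'
set interfaces wireguard wg1 peer SERVER endpoint '10.1.10.2:12345'
set interfaces wireguard wg1 peer SERVER pubkey 'b4612Vv/jeL2DRT/YHFrFi+QxhBaKifIRj7ksg8PQS0='
set interfaces wireguard wg1 port '12345'"""


def parse(cfg):
    """Pull the peering-relevant fields out of VyOS 'set interfaces ...' lines."""
    node = {"eth": [], "allowed": [], "endpoint": None, "pubkey": None, "wg": None, "port": None}
    for line in cfg.strip().splitlines():
        t = line.replace("'", "").split()[2:]  # drop 'set interfaces' and VyOS's quotes
        if t[0] == "ethernet" and t[2] == "address":
            node["eth"].append(ipaddress.ip_interface(t[3]).ip)
        elif t[0] == "wireguard" and t[2] == "address":
            node["wg"] = ipaddress.ip_interface(t[3])
        elif t[0] == "wireguard" and t[2] == "port":
            node["port"] = t[3]
        elif t[0] == "wireguard" and t[2] == "peer":
            if t[4] == "allowed-ips": node["allowed"].append(ipaddress.ip_network(t[5]))
            elif t[4] == "endpoint": node["endpoint"] = t[5].rsplit(":", 1)  # [host, port]
            elif t[4] == "pubkey": node["pubkey"] = t[5]
    return node


def check_pair(a, a_pub, b, b_pub):
    """Return the mismatches between two routers that are supposed to peer with each other."""
    problems = []
    for me, other, other_pub in ((a, b, b_pub), (b, a, a_pub)):
        tag = f"{me['wg'].ip}:"
        if me["pubkey"] != other_pub:
            problems.append(f"{tag} peer pubkey is not the other router's own public key")
        if me["endpoint"] and (ipaddress.ip_address(me["endpoint"][0]) not in other["eth"]
                               or me["endpoint"][1] != other["port"]):
            problems.append(f"{tag} endpoint does not match the other router's address and listen port")
        # allowed-ips is also WireGuard's inbound filter: packets from a source outside it are dropped.
        if not any(other["wg"].ip in n for n in me["allowed"]):
            problems.append(f"{tag} allowed-ips does not cover peer tunnel address {other['wg'].ip}")
    return problems
```

An empty result means the two configs agree on keys, endpoints and allowed-ips; anything else is a concrete line to fix before reaching for tcpdump.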

Thanks for the reply.
You don't have “static interface-route” on the left site. Why?

BR
Ofh

Because it is directly connected to the interface wgX route /30, and in some cases it is not required.