Thursday, February 2, 2023

Wireguard Site To Site VPN

Remote Access Roadwarrior Example

With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the address and port statements.

In the following example, the IPs for the remote clients are defined in the peers. This allows the peers to interact with one another.

wireguard wg0
    peer iPhone
    port 2224

The following is the config for the iPhone peer above. It's important to note that the AllowedIPs wildcard setting directs all IPv4 and IPv6 traffic through the connection.

PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
Address = , 2001:DB8:470:22::20/64
DNS = ,
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
AllowedIPs = , ::/0
Endpoint =
= 25

However, split-tunneling can be achieved by specifying the remote subnets. This ensures that only traffic destined for the remote site is sent over the tunnel. All other traffic is unaffected.

PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
Address = , 2001:DB8:470:22::30/64
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
AllowedIPs = , 2001:DB8:470:22::/64
Endpoint =
= 25
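The difference between the two client configs above comes down to AllowedIPs, which WireGuard uses both as an inbound source filter and as its outbound routing table (cryptokey routing). The following Python script is an added example, not code from the original tutorial: it parses a wg-quick style config and answers which peer a packet for a given destination would be sent to. The keys, hostnames and addresses in the two embedded configs are constructed placeholders, and the script goes slightly beyond the page by showing a split-tunnel config with two peers.

```python
"""Cryptokey routing worked example (added here; not the tutorial's code).

An outgoing packet goes to the peer whose AllowedIPs contains the longest
matching prefix for the destination; a packet with no matching prefix is
dropped. That is why "0.0.0.0/0, ::/0" gives a full tunnel and a list of
remote subnets gives a split tunnel.
"""
import ipaddress
import re


def parse_wg_config(text):
    """Parse a wg-quick style file into {'Interface': {...}, 'Peers': [{...}, ...]}.
    Repeated keys in one section (e.g. several AllowedIPs lines) are joined with commas."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1).lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{header.group(1)}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = f"{current[key]}, {value}" if key in current else value
    return {"Interface": interface, "Peers": peers}


def allowed_networks(peer):
    """A peer's AllowedIPs as ip_network objects (empty list when it has none)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def is_full_tunnel(config):
    """True when some peer claims a default route (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0
               for peer in config["Peers"] for net in allowed_networks(peer))


def select_peer(config, destination):
    """Longest-prefix match over every peer's AllowedIPs.
    Returns the PublicKey of the peer that would receive the packet, or None
    when no entry covers the destination (WireGuard then drops the packet)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for peer in config["Peers"]:
        for net in allowed_networks(peer):
            if net.version == dst.version and dst in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, peer["PublicKey"])
    return best[1] if best else None


# Constructed sample configs: keys, hostnames and addresses are placeholders.
FULL_TUNNEL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.20/24, 2001:db8:470:22::20/64
DNS = 10.200.0.1

[Peer]
PublicKey = SITE_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn-a.example.com:51820
PersistentKeepalive = 25
"""

SPLIT_TUNNEL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.30/24, 2001:db8:470:22::30/64

[Peer]
PublicKey = SITE_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.200.0.0/24, 2001:db8:470:22::/64
Endpoint = vpn-a.example.com:51820

[Peer]
PublicKey = SITE_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.50.0/24
Endpoint = vpn-b.example.com:51820
"""

if __name__ == "__main__":
    for label, text in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        cfg = parse_wg_config(text)
        print(f"{label} tunnel: {is_full_tunnel(cfg)}")
        for dst in ("8.8.8.8", "10.200.0.1", "192.168.50.7", "2001:db8:470:22::1"):
            print(f"  {dst:>20} -> {select_peer(cfg, dst)}")
```

With the full-tunnel config every destination maps to the site peer; with the split-tunnel config a public address such as 8.8.8.8 maps to no peer at all, which is exactly the "all other traffic is unaffected" behaviour: the host's normal routing table never hands those packets to wg0.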

Delete a keypair; this can be either the default key or any other named key-pair.

Ip And Routing Configuration

Lastly, IP and routing information must be configured to allow traffic to be sent over the tunnel.


/ip/address add address= interface=wireguard1
/ip/route add dst-address= gateway=wireguard1

/ip/address add address= interface=wireguard1
/ip/route add dst-address= gateway=wireguard1

Extra: Securing Your Internet

One of the benefits of this setup is that you no longer need to expose your Internet-facing server's SSH port publicly. You can use the VPN to access it instead.

  • Set up your computer as a WireGuard client using the same method that you used to set up your home LAN server as a client. Or, just use your home LAN server as a bastion host, so you must be SSH'd into it to SSH into your Internet-facing server.
  • Set up ufw on your Internet-facing server using these commands:
    # turn on ufw
    ufw enable
    # allow inbound access to WireGuard's port
    ufw allow 51820/udp
    # allow VPN IPs to access SSH on port 22
    ufw allow from  to any port 22 proto tcp
    # remove default SSH allow rules
    ufw delete allow SSH
    ufw delete allow 22/tcp
  • Now you should only be able to access SSH on your Internet-facing server via the VPN IP address,


    Configuring Local Wg0 Interface

    Now that we have the key pairs of each host, we can proceed to configure the wg0 interfaces. In the /etc/wireguard/ directory, we create a wg0.conf file on each host with the info of the local WireGuard interface wg0.

    Host-A wg0.conf file:

    # Host-A
    PrivateKey = <Host-A-Private-key>
    Address =

    Host-B wg0.conf file:

    # Host-B
    PrivateKey = <Host-B-Private-key>
    Address =

    Configuring The Interface Section


    We need to define the VPN IP address this node will use and the port that it will listen on for connections from peers. Begin by adding ListenPort and SaveConfig lines so that your file looks like this:

    PrivateKey = generated_private_key
    ListenPort = 5555
    SaveConfig = true

    This sets the port that WireGuard will listen on. This can be any free, bindable port, but in this guide we will set up our VPN on port 5555 for both servers. Set the ListenPort on each host to the port you've selected.

    We also set SaveConfig to true. This will tell the wg-quick service to automatically save its active configuration to this file at shutdown.

    Note: When SaveConfig is enabled, the wg-quick service will overwrite the contents of the /etc/wireguard/wg0.conf file whenever the service shuts down. If you need to modify the WireGuard configuration, either shut down the wg-quick service prior to editing the /etc/wireguard/wg0.conf file or make the changes to the running service using the wg command. Any changes made to the configuration file while the service is running will be overwritten when wg-quick stores its active configuration.

    Next, add a unique Address definition to each server so that the wg-quick service can set the network information when it brings up the WireGuard interface. We will use the subnet as the address space for our VPN. For each computer, you will need to pick a unique address within this range and specify the address and subnet using CIDR notation.
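The settings just described (a unique Address per node inside one VPN subnet, a ListenPort, and peer entries whose AllowedIPs cover the other side's address) are easy to get inconsistent once there are more than two hosts. The following Python checker is an added example and not part of the tutorial: hosts are plain dicts with constructed names, keys and addresses, and the checks encode the rules stated above plus WireGuard's rule that a given prefix can belong to only one peer on an interface.

```python
"""Consistency check for a set of WireGuard hosts (added example, not the
tutorial's code). Names, keys and addresses below are constructed placeholders."""
import ipaddress


def validate_topology(hosts):
    """Return a list of human-readable problems; an empty list means the hosts'
    Address, ListenPort and peer definitions are mutually consistent."""
    problems = []
    hosts_by_key = {}
    owner_of_address = {}
    subnets = set()

    for host in hosts:
        iface = ipaddress.ip_interface(host["address"])
        subnets.add(iface.network)
        if iface.ip in owner_of_address:  # every node needs a unique VPN address
            problems.append(f"{host['name']}: address {iface.ip} already used by "
                            f"{owner_of_address[iface.ip]}")
        owner_of_address[iface.ip] = host["name"]
        if not 1 <= host["listen_port"] <= 65535:
            problems.append(f"{host['name']}: ListenPort {host['listen_port']} is not a valid port")
        if host["public_key"] in hosts_by_key:
            problems.append(f"{host['name']}: public key also used by "
                            f"{hosts_by_key[host['public_key']]['name']}")
        hosts_by_key[host["public_key"]] = host

    if len(subnets) > 1:  # all Address lines should sit in the same VPN subnet
        problems.append("hosts disagree on the VPN subnet: "
                        + ", ".join(sorted(str(s) for s in subnets)))

    for host in hosts:
        claimed = {}  # prefix -> peer name, to catch one prefix listed for two peers
        for peer in host["peers"]:
            target = hosts_by_key.get(peer["public_key"])
            if target is None:
                problems.append(f"{host['name']}: peer key {peer['public_key']} belongs to no known host")
                continue
            target_ip = ipaddress.ip_interface(target["address"]).ip
            nets = [ipaddress.ip_network(n, strict=False) for n in peer["allowed_ips"]]
            if not any(target_ip in n for n in nets):
                problems.append(f"{host['name']}: AllowedIPs for {target['name']} do not cover "
                                f"{target_ip}, so packets from that peer are dropped")
            for net in nets:
                if net in claimed:
                    problems.append(f"{host['name']}: {net} is listed for both {claimed[net]} "
                                    f"and {target['name']}; WireGuard routes a prefix to one peer only")
                claimed[net] = target["name"]
    return problems


# Constructed sample topologies (placeholder keys and addresses).
GOOD = [
    {"name": "host-a", "address": "10.0.0.1/24", "listen_port": 5555, "public_key": "KEY_A",
     "peers": [{"public_key": "KEY_B", "allowed_ips": ["10.0.0.2/32", "192.168.2.0/24"]}]},
    {"name": "host-b", "address": "10.0.0.2/24", "listen_port": 5555, "public_key": "KEY_B",
     "peers": [{"public_key": "KEY_A", "allowed_ips": ["10.0.0.1/32", "192.168.1.0/24"]}]},
]
BAD = [
    {"name": "host-a", "address": "10.0.0.1/24", "listen_port": 5555, "public_key": "KEY_A",
     "peers": [{"public_key": "KEY_B", "allowed_ips": ["10.0.0.3/32"]}]},   # wrong /32 for host-b
    {"name": "host-b", "address": "10.0.0.2/24", "listen_port": 70000, "public_key": "KEY_B",
     "peers": [{"public_key": "KEY_A", "allowed_ips": ["10.0.0.1/32", "192.168.1.0/24"]},
               {"public_key": "KEY_C", "allowed_ips": ["192.168.1.0/24"]}]},  # prefix claimed twice
    {"name": "host-c", "address": "10.0.0.2/24", "listen_port": 5555, "public_key": "KEY_C",
     "peers": []},                                                           # reuses host-b's address
]

if __name__ == "__main__":
    for label, topology in (("good", GOOD), ("bad", BAD)):
        print(f"{label}: {validate_topology(topology) or 'consistent'}")
```

The "do not cover" finding is the one that bites most often in practice: the tunnel handshakes fine, but every packet from that peer is silently discarded because its source address is outside the AllowedIPs you gave it.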


    Setting Up The Tunnels

    There are a lot of ways to bring up a WireGuard tunnel. I prefer starting it as a service, and enabling it if I want the tunnel to always be up. Following this approach, the commands to run on each host are:


    Now if you force the tunnel with a ping request, the tunnel will initiate a handshake and start working. Execute a wg command to see relevant information about the wireguard VPN tunnels.

    Note that some static routes for the encryption domain are added to the route table. So traffic generated from the Host-A LAN will be masqueraded (NATed) behind the wg0 IP address of Host-A. If you want, you can remove the static route and add another one with the wg0 IP address of Host-B as the next hop, or just install FRR and run a dynamic routing protocol on top of WireGuard!

    Starting Wireguard And Enabling It At Boot

    With the configuration in place, we are ready to start the server. WireGuard has a convenient wrapper called wg-quick that can be used to start new interfaces without needing to go into the setup details. You can use it to start your configuration using the following command.

    wg-quick up wg0

    You should see output like the following upon successfully starting the interface.

    ip link add wg0 type wireguard
    wg setconf wg0 /dev/fd/63
    ip -4 address add  dev wg0
    ip link set mtu 1420 up dev wg0
    iptables -A FORWARD -i wg0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Your WireGuard server is then running. You can check your configuration with the following command.

    wg show
    interface: wg0
      public key: pcDxSxSZp5x87cNoRJaHdAOzxrxDfDUn7pGmrY/AmzI=
      private key:
      listening port: 51820
    peer: gCQKfJL8Xff2MNmvceVQ0nQAmLsSM0tXClhvVNzSil4=
      allowed ips:

    To enable WireGuard to start automatically at system boot, also enable the systemd service.

    In case you get an error starting the server such as the example below.

    RTNETLINK answers: Operation not supported
    Unable to access interface: Protocol not supported

    Make sure your server software is fully up-to-date.

    sudo apt-get update && sudo apt-get upgrade -y

    Then check that the WireGuard kernel module is loaded with the command below. If successful, you should not see any output.

    sudo modprobe wireguard

    If you get an error saying the module is missing, restart your WireGuard server and try again.

    sudo reboot


    Application Deployment With Ansible

    With the infrastructure in place, now we can use Ansible to install and configure the applications.

    $ ansible-playbook playbook-wireguard.yml
    ...
    PLAY RECAP *************************************
    aws-ubuntu-priv-web : ok=12 changed=10 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
    aws-ubuntu-pub-wg   : ok=40 changed=27 unreachable=0 failed=0 skipped=6  rescued=0 ignored=0
    gcp-ubuntu-priv-web : ok=12 changed=10 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
    gcp-ubuntu-pub-wg   : ok=40 changed=27 unreachable=0 failed=0 skipped=6  rescued=0 ignored=0
    localhost           : ok=1  changed=1  unreachable=0 failed=0 skipped=0  rescued=0 ignored=0

    When complete, you will have WireGuard endpoints on both sides, and the VPN site-to-site tunnel will be established. Per the diagram below, you can see that each /etc/wireguard/wg0.conf has the other listed as its peer.

    Adding The Missing Peer Information On The Command Line


    On the first server, enter the peering information manually using the following format. The second server's public key can be found in the output of sudo wg on the second server:

  • sudo wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips
  • You can confirm that the information is now in the active configuration by typing sudo wg again on the first server:

  • sudo wg
  •   private key:
        listening port: 5555
      peer: public_key_of_second_server
        endpoint: public_IP_of_second_server:5555
        allowed ips:

    Our point-to-point connection should now be available. Try pinging the VPN address of the second server from the first:

  • ping -c 3 10.0.0.2
  • Output on first server
    PING  56 bytes of data.
    64 bytes from  icmp_seq=1 ttl=64 time=0.635 ms
    64 bytes from  icmp_seq=2 ttl=64 time=0.615 ms
    64 bytes from  icmp_seq=3 ttl=64 time=0.841 ms
    ---  ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1998ms
    rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 ms

    If everything is working correctly, you can save the configuration on the first server back to the /etc/wireguard/wg0.conf file by restarting the service:


    If you want to start the tunnel at boot, you can enable the service on each machine by typing:


    The VPN tunnel should now be automatically started whenever the machine boots.


    Building Out The Wireguard Tunnel

    Step 1: In the Main Office Router we'll create the WireGuard Interface. All you have to do is give it a name. It will auto-generate the Public and Private Keys on its own. Each side of the tunnel will have different public and private keys. I used UDP port 51820 because the WireGuard Project used that particular port in their documentation. I also experimented with the MikroTik default of 13231 and other ports and, of course, it worked just fine.

    Step 2: Repeat Step 1 for Satellite Office Gateway.

    Step 3 & 4: Set the Peers on each side. The Allowed Address field needs to contain all subnets that you will need to reach on the far side. At the time of this writing, there is a bug in Winbox with the Endpoint Port. To set the Endpoint Port, you must configure it in the CLI on both sides as shown. Don't forget that if you make changes here, it may remove the Endpoint port, which you can only confirm/fix from the CLI.

    Step 7 & 8: Add a static route to each side, just as you would with any other tunnel.

    Step 9: Verify Connectivity. On the tunnel interface, you should see TX and RX packets. Notice, if you disable and re-enable the tunnel, just how quickly the tunnel forms and can start passing packets again. Once you have bi-directional traffic flowing, use Host A & B to send data back and forth.

    Notes about performance


    Deploy A New Cloud Server

    Deploying a new server on UpCloud is an easy and straightforward process. To get started, log into your UpCloud Control Panel and select to Deploy a server under the Servers section.

    The deployment page shows a number of options for customizing a new cloud server.

  • Choose the server location from the available data centres
  • Pick a configuration, the $5 per month plan is a good starting point
  • Select Ubuntu 18.04 for the operating system
  • Add any SSH keys you want to use
  • Give your server a hostname and description
  • Deploy!

    You can find more detailed instructions on server deployment at the UpCloud newcomers tutorials.


    Extra: Alternative Wireguard Distributions

    The official WireGuard distribution comes as a kernel module. While the official implementation is best, there are also some alternatives that run in userspace, if you're unwilling or unable to install a kernel module:

    • wireguard-go – This is WireGuard's official userspace implementation, written in Go. Recommended.
    • wireguard-rs – Another userspace implementation, also by the WireGuard authors, written in Rust. WIP, not recommended for production.

    Best VPNs That Support Wireguard


    Many VPN users are showing a preference for VPNs that run using WireGuard.

    It makes sense; this protocol has several benefits! My best VPN for WireGuard is NordVPN.

    NordVPN combines with WireGuard to provide watertight security and speeds required for an uninterrupted VPN experience.

    In this guide, I'll connect you to an entire list of the best WireGuard VPNs and discuss what you can expect from each service.

    Continue reading for a detailed overview of my top WireGuard VPN picks.


    Provision Infrastructure Using Terraform

    Start the build using the following commands.

    # make ssh auth key for VMs that will be built
    make create-keypair
    # validate that AWS credentials and GCP credentials exist
    make serviceaccount-prereq

    Build the AWS infrastructure WARNING: AWS will bill you for this usage!

    $ cd aws-infra
    $ terraform init
    $ terraform apply -auto-approve
    ...
    Apply complete! Resources: 19 added, 0 changed, 0 destroyed.
    Outputs:
    aws-ubuntu-priv-web-private_ip = ""
    aws-ubuntu-pub-wg_private_ip = ""
    aws-ubuntu-pub-wg_public_ip = ""
    # go back to main directory
    $ cd ..

    Build the GCP infrastructure WARNING: GCP will bill you for this usage!

    $ cd gcp-infra
    $ terraform init
    $ terraform apply -auto-approve
    ...
    Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
    Outputs:
    gcp-ubuntu-priv-web-private_ip = ""
    gcp-ubuntu-pub-wg_private_ip = ""
    gcp-ubuntu-pub-wg_public_ip = ""
    # go back to main directory
    $ cd ..

    Now that the infrastructure has been built, parse the specific IP addresses and populate the Ansible inventory and group variables.

    make get-ansible-ready

    Where Does Wireguard Beat Openvpn Ipsec And L2tp

                 | WireGuard | OpenVPN | IPsec IKEv2
    Overview     | Very fast with little overhead and state-of-the-art cryptography | Popular and open source, but not based on standards: it uses custom security protocols over SSL/TLS | Standard protocol for secure communication, developed by Cisco and Microsoft
    Cryptography | Uses the Curve25519, ChaCha20, Poly1305 and BLAKE2 primitives | Uses the OpenSSL library and TLS | Uses algorithms such as AES, Camellia, Blowfish and 3DES
    Security     | No known major security vulnerabilities; its smaller code base also makes audits easy for everyone | No known major security vulnerabilities, but care is needed when implementing it and secure encryption algorithms must be chosen | No known major security vulnerabilities; however, a leaked NSA presentation indicates it can be compromised
    Speed        | Very high speed with low overhead | Can match IPsec if used over UDP instead of TCP | Faster than OpenVPN but does not match WireGuard
    Ports        | Can be configured on any UDP port | Can be configured on any port, TCP or UDP | UDP 500 for the initial key exchange, UDP 4500 for NAT traversal, and IP protocol 50 (ESP) for the IPsec-encrypted data


    Opnsense Wireguard VPN Site

    The open-source firewall OPNsense supports several technologies for setting up VPN connections. In addition to IPsec and OpenVPN, OPNsense version 19.7 offers the possibility to set up a VPN with WireGuard. In this article we show the configuration of the WireGuard VPN service to connect two OPNsense firewalls in a site-to-site VPN.

    Testing The VPN Tunnel


    With all the steps done on all of your Peers we can test the tunnel connectivity. I have no firewalls in place, therefore I just used simple ping from both sites.

    As you can see in the picture, both sites respond to the ping test! This confirms that we have successfully connected the remote and local sites. However, we are not done yet! Remember, we wanted to access my LAN network from the remote site, so let's try that now:

    This doesn't work out of the box, and we'll get to why in the next section.


    Vyprvpn Owns And Manages All Its Wireguard Servers

    VyprVPN's website doesn't explain how it implements WireGuard.

    So, I used the Live Chat feature to fish for details.

    My support agent, Yas, was quick to help.

    According to VyprVPN support, the provider offers NAT Firewall, an extra layer of security that prevents your activity from being scanned for information.

    The difference between a NAT and a double NAT system is that the former uses a single router to do its bidding, while double NAT directs traffic through two routed networks.

    The double NAT system is better for security, but this extra tunnel can slow your speeds, which may be why PIA, CyberGhost, and VyprVPN outdid NordVPN in the speed department.

    My speed test result for VyprVPN:

    NAT Firewalls also assign each user a unique private IP address, with the idea of masking your whereabouts.

    The downfall of this supportive WireGuard implementation is your uniquely assigned IP address can still be tracked by the VPN provider or any third party they share this information with.

    So, while no logs are stored, and your real IP address and online activity remain encrypted, there's still a speck of trackability.

    This concern can, however, be counteracted by VyprVPN's Swiss jurisdiction. Switzerland scores 96/100 on Freedom House, making it one of the most privacy-friendly locations in the world.

    Chances are, the request for any of your information will be denied.

    Customize > Connections > Manage VyprVPN > Enable NAT Firewall

    NordVPN, Surfshark, and CyberGhost own some servers.

    Opening The Firewall And Starting The VPN

    First, open up the WireGuard port in the firewall on each server:

  • sudo ufw allow 5555
  • Now, start the wg-quick service using the wg0 interface file we defined:


    This will bring up the wg0 network interface on the machine. We can confirm this by typing:

  • ip addr show wg0
  • Output on first server
    6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
        link/none
        inet  scope global wg0
           valid_lft forever preferred_lft forever

    We can use the wg tool to view information about the active configuration of the VPN:

  • sudo wg
  • On the server without a peer definition, the display will look something like this:

    Output on first server
      public key: public_key_of_this_server
      private key:
      listening port: 5555

    On the server with a peer configuration already defined, the output will also contain that information:

    Output on second server
      private key:
      listening port: 5555
    peer: public_key_of_first_server
      endpoint: public_IP_of_first_server:5555
      allowed ips:

    To complete the connection, we now need to add the second server's peering information to the first server using the wg command.


    Endpoint With Changing Ip

    After resolving a server’s domain, WireGuard will not check for changes in DNS again.

    If the WireGuard server is frequently changing its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client is going to lose its connection until its endpoint is updated via something like wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT".

    Also be aware that if the endpoint is ever going to change its address, just updating DNS will not be enough, so periodically running reresolve-dns might make sense on any DNS-based setup.

    Luckily, wireguard-tools provides an example script, /usr/share/wireguard-tools/examples/reresolve-dns/, that parses WireGuard configuration files and automatically resets the endpoint address.

    One needs to run the /usr/share/wireguard-tools/examples/reresolve-dns/ /etc/wireguard/wg.conf periodically to recover from an endpoint that has changed its IP.

    One way of doing so is by updating all WireGuard endpoints once every thirty seconds via a systemd timer:

    [Unit]
    Description=Periodically reresolve DNS of all WireGuard endpoints

    [Timer]
    OnCalendar=*:*:0/

    [Unit]
    Description=Reresolve DNS of all WireGuard endpoints
    Wants=network-online.target
    After=network-online.target

    [Service]
    Type=oneshot
    ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard-tools/examples/reresolve-dns/ "$i"; done'
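The handshake and endpoint fields of `wg show`, which the verification steps earlier on this page rely on, are also what an endpoint re-resolver has to read. The following Python script is an added example and not the wireguard-tools script itself: it parses constructed `wg show` output, flags peers whose last handshake is stale, and computes the `wg set ... endpoint` commands needed after a DNS change. The 135-second "recent handshake" threshold is an assumption modelled on the example script's behaviour, the 180-second staleness threshold for the connectivity check is likewise assumed, and DNS lookups are a dict so the script runs offline.

```python
"""Added example (not the wireguard-tools script): handshake freshness and
endpoint re-resolution from `wg show` output. Sample output, keys and
hostnames are constructed; DNS is a dict so this runs offline."""
import re

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """'2 hours, 5 minutes, 12 seconds ago' -> 7512."""
    return sum(int(n) * _UNIT_SECONDS[unit]
               for n, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text))


def parse_wg_show(output):
    """Parse the human-readable `wg show` output into a list of peer dicts."""
    peers, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip(),
                       "endpoint": None, "allowed_ips": [], "latest_handshake": None}
            peers.append(current)
        elif current is not None and ":" in line:  # lines before the first peer describe the interface
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "endpoint":
                current["endpoint"] = value
            elif key == "allowed ips":
                current["allowed_ips"] = [n.strip() for n in value.split(",")]
            elif key == "latest handshake":
                current["latest_handshake"] = handshake_age_seconds(value)
    return peers


def stale_peers(peers, max_age=180):
    """Peers whose last handshake is older than max_age seconds or never happened.
    Handshakes recur every couple of minutes while traffic flows, so anything
    older usually means the tunnel is down (assumed threshold)."""
    return [p["public_key"] for p in peers
            if p["latest_handshake"] is None or p["latest_handshake"] > max_age]


def plan_endpoint_updates(interface, configured_endpoints, peers, resolve, stale_after=135):
    """Return the `wg set <iface> peer <key> endpoint <ip:port>` commands (as argv
    lists) that point each stale peer at what its Endpoint hostname resolves to now.
    configured_endpoints maps public key -> 'host:port' from the config file;
    resolve(host) returns an IP string or None. A peer with a recent handshake is
    left alone even if DNS moved, since its live endpoint evidently still works."""
    commands = []
    for peer in peers:
        configured = configured_endpoints.get(peer["public_key"])
        if configured is None:
            continue  # no Endpoint in the file: that peer connects to us
        host, port = configured.rsplit(":", 1)
        ip = resolve(host)
        if ip is None:
            continue  # DNS failure: keep the last known endpoint
        wanted = f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"
        fresh = peer["latest_handshake"] is not None and peer["latest_handshake"] <= stale_after
        if peer["endpoint"] != wanted and not fresh:
            commands.append(["wg", "set", interface, "peer", peer["public_key"], "endpoint", wanted])
    return commands


# Constructed sample: peer B's DNS name now points somewhere else than its live endpoint.
WG_SHOW_SAMPLE = """\
interface: wg0
  public key: IFACE_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820

peer: PEER_A_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.0.113.5:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 3 seconds ago
  transfer: 1.20 KiB received, 3.41 KiB sent
  persistent keepalive: every 25 seconds

peer: PEER_B_PUBLIC_KEY_PLACEHOLDER
  endpoint: 198.51.100.77:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 2 hours, 5 minutes, 12 seconds ago
  transfer: 5.00 KiB received, 7.12 KiB sent
"""
CONFIGURED = {"PEER_A_PUBLIC_KEY_PLACEHOLDER": "vpn-a.example.com:51820",
              "PEER_B_PUBLIC_KEY_PLACEHOLDER": "vpn-b.example.com:51820"}
FAKE_DNS = {"vpn-a.example.com": "203.0.113.5", "vpn-b.example.com": "198.51.100.9"}

if __name__ == "__main__":
    found = parse_wg_show(WG_SHOW_SAMPLE)
    print("stale peers:", stale_peers(found))
    for argv in plan_endpoint_updates("wg0", CONFIGURED, found, FAKE_DNS.get):
        print(" ".join(argv))
```

Run against real output by feeding it `subprocess.check_output(["wg", "show", "wg0"], text=True)` and a resolver built on `socket.getaddrinfo`; the planned argv lists are then what you would hand to `subprocess.run` from the timer-driven service above.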

    Wireguard Pros And Cons


    WireGuard is an incredibly sleek protocol. Where OpenVPN requires roughly 400,000 lines of code, WireGuard has under 4000. That makes it more lightweight and easier for VPNs to implement, reduces the risk of flaws or vulnerabilities, and makes the code easier to audit.

    WireGuard also uses the very latest super-fast cryptographic primitives.

    This combination of simplicity and high-speed encryption methods allows for excellent performance and reliability. Where the complexities of OpenVPN or IPSec sometimes lead to slowed connections, WireGuard can actually boost your speeds.

    It also allows you to connect or reconnect to your VPN almost instantaneously, with fewer disconnections.

    This is especially useful if you use your VPN on your smartphone or other mobile devices. With WireGuard, you experience no downtime from your VPN even when switching between networks.

    But this new technology isn’t perfect. For starters, WireGuard admits that it’s not entirely finished. It’s still undergoing testing and has yet to be independently audited.

    Next, the way WireGuard assigns you an IP address could contradict the strict no-logs policies employed by most VPNs.

    Unlike OpenVPN or other tunneling protocols, WireGuard can’t dynamically assign IP addresses. Instead, it assigns you a static IP address.

