WireGuard for Site-to-Site Connections

Setting up WireGuard

Learn how to create secure, high-performance site-to-site VPN tunnels with WireGuard and policy-based routing. This guide connects three sites in a full mesh (every site peers directly with the other two) and uses policy rules so that only traffic from each site's LAN is steered into the tunnels.

Scenario Overview

  • Site A (HQ) – 192.168.1.0/24
  • Site B (Branch 1) – 192.168.2.0/24
  • Site C (Branch 2) – 192.168.3.0/24

Prerequisites

  • A Linux gateway at each site with WireGuard installed, sitting in the path between that site's LAN and the Internet (it must be the LAN's gateway, or the LAN must route the other sites' prefixes to it)
  • A public IP address for each gateway (or a NAT port-forward to it)
  • Inbound UDP 51820 allowed on each gateway's firewall (WireGuard is UDP only)

Step 1: Install WireGuard

sudo apt update && sudo apt install wireguard -y
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system

Forwarding must be on for the gateway to relay packets between its LAN and wg0. Note that the sysctl applies to every interface on the box, not just wg0, so the forward chain of the gateway's firewall should restrict what crosses the tunnel (see the note at the end of Step 4).

Step 2: Generate Keys for Each Site

Run this on each site's gateway. The private key never leaves that machine; only the public key is handed to the other two sites. The umask keeps both files readable by root only:

(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

Step 3: Configure WireGuard Interfaces

Replace the placeholders in angle brackets with the keys from Step 2 and each site's public IP. AllowedIPs does two jobs in WireGuard: it selects which peer a packet for that destination is encrypted to, and it is the ingress filter for that peer (a packet decrypted from a peer whose source address is outside its AllowedIPs is silently dropped). Each peer entry therefore lists the peer's tunnel address as a /32 as well as its LAN, so that the tunnel addresses are reachable for testing, and the AllowedIPs ranges of the peers on one interface must not overlap. PersistentKeepalive keeps a NAT mapping open; it is harmless on a gateway with a public IP but only needed for a peer behind NAT.

Site A Configuration

[Interface]
PrivateKey = <site A private key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# Site B
PublicKey = <site B public key>
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
Endpoint = <site B public IP>:51820
PersistentKeepalive = 25

[Peer]
# Site C
PublicKey = <site C public key>
AllowedIPs = 10.0.0.3/32, 192.168.3.0/24
Endpoint = <site C public IP>:51820
PersistentKeepalive = 25

Site B Configuration

[Interface]
PrivateKey = <site B private key>
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
# Site A
PublicKey = <site A public key>
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = <site A public IP>:51820
PersistentKeepalive = 25

[Peer]
# Site C
PublicKey = <site C public key>
AllowedIPs = 10.0.0.3/32, 192.168.3.0/24
Endpoint = <site C public IP>:51820
PersistentKeepalive = 25

Site C Configuration

[Interface]
PrivateKey = <site C private key>
Address = 10.0.0.3/24
ListenPort = 51820

[Peer]
# Site A
PublicKey = <site A public key>
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = <site A public IP>:51820
PersistentKeepalive = 25

[Peer]
# Site B
PublicKey = <site B public key>
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
Endpoint = <site B public IP>:51820
PersistentKeepalive = 25

Step 4: Policy-Based Routing

wg-quick installs a route for every AllowedIPs prefix in the main routing table, so with the Step 3 configuration alone every packet the gateway sees for a remote LAN, including the gateway's own traffic, goes into the tunnel. Policy-based routing lets you choose which sources are steered in. Here the tunnel routes live in their own table that only packets sourced from the local LAN consult; anything else falls through to the main table as usual. One table is enough, because the rule selects by source address and the destination prefix then picks the route inside that table.

Routing Table

echo "200 sites" | sudo tee -a /etc/iproute2/rt_tables

Routing Rules

The rules and routes can only be added once wg0 exists, so put them in the [Interface] section of wg0.conf instead of typing them in before the interface is up; wg-quick then installs them on every start and removes them with the interface. Table = off stops wg-quick from also adding the prefixes to the main table. No "via" gateway is needed: wg0 is a layer-3 point-to-multipoint interface, and which peer a packet is encrypted to is decided by AllowedIPs, not by a next-hop address.

# Example for Site A (inside [Interface] of /etc/wireguard/wg0.conf)
Table = off
PostUp = ip rule add from 192.168.1.0/24 lookup sites
PostUp = ip route add 192.168.2.0/24 dev %i table sites
PostUp = ip route add 192.168.3.0/24 dev %i table sites
PostDown = ip rule del from 192.168.1.0/24 lookup sites

Routing is not filtering. Once forwarding is enabled, any packet a remote peer is allowed to send (source inside its AllowedIPs) is forwarded wherever the routing tables say, including back out wg0 towards the third site. If only LAN-to-LAN traffic is intended, add forward-chain firewall rules that permit wg0 <-> local LAN and nothing else.

Step 5: Enable WireGuard Service

The config file contains the private key, so keep it readable by root only before starting the interface:

sudo chmod 600 /etc/wireguard/wg0.conf
sudo systemctl enable --now wg-quick@wg0
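Steps 2 to 5 can be scripted so that all three sites are generated from one table and the peer entries cannot drift out of sync. The script below is an added example, not part of the original guide: it renders each site's wg0.conf (full mesh, tunnel /32 plus LAN in every AllowedIPs, Table = off with the policy rule and routes in PostUp/PostDown) and a companion nftables file that limits forwarding to wg0 <-> local LAN. The endpoint hostnames vpn-a/b/c.example.net, routing table number 200, the nftables table name wg0filter and the path /etc/wireguard/wg0.nft are assumptions; keys are passed in as parameters, so the dry run at the bottom uses placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: render wg0.conf plus an nftables
# forward filter for each of the three sites from a single site table, so the
# three configs stay consistent. Keys are parameters: dry-run with placeholders,
# then call render_config again with real `wg genkey` / `wg pubkey` output.
set -eu

# Site table: name, tunnel address, LAN prefix, public endpoint.
# The endpoint hostnames are assumptions; substitute each site's real public IP.
SITES='A 10.0.0.1 192.168.1.0/24 vpn-a.example.net
B 10.0.0.2 192.168.2.0/24 vpn-b.example.net
C 10.0.0.3 192.168.3.0/24 vpn-c.example.net'
WG_PORT=51820
PBR_TABLE=200                     # table consulted only for packets sourced from the local LAN
NFT_FILE=/etc/wireguard/wg0.nft   # assumed location of the rendered nftables ruleset

# site_field NAME COLUMN: one cell of the site table (2 = tunnel addr, 3 = LAN, 4 = endpoint)
site_field() {
  printf '%s\n' "$SITES" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# render_config SITE PRIVKEY PUB_A PUB_B PUB_C: print /etc/wireguard/wg0.conf for SITE
render_config() {
  local self=$1 privkey=$2 pub_a=$3 pub_b=$4 pub_c=$5
  local lan name pub routes='' peers=''
  lan=$(site_field "$self" 3)
  for name in A B C; do
    [ "$name" = "$self" ] && continue
    case $name in A) pub=$pub_a ;; B) pub=$pub_b ;; C) pub=$pub_c ;; esac
    # Remote LAN route goes into the PBR table only. No 'via': wg0 is a layer-3
    # point-to-multipoint interface; cryptokey routing picks the peer from AllowedIPs.
    routes="${routes}PostUp = ip route add $(site_field "$name" 3) dev %i table $PBR_TABLE
"
    # AllowedIPs is also the ingress filter: this peer may only send packets sourced
    # from its tunnel /32 or its LAN; WireGuard silently drops anything else.
    peers="${peers}
[Peer]
PublicKey = $pub
AllowedIPs = $(site_field "$name" 2)/32, $(site_field "$name" 3)
Endpoint = $(site_field "$name" 4):$WG_PORT
PersistentKeepalive = 25
"
  done
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nListenPort = %s\n' \
    "$privkey" "$(site_field "$self" 2)" "$WG_PORT"
  # Table = off: wg-quick must not copy the AllowedIPs routes into the main table.
  # The source rule consults the PBR table first and falls through to main when
  # nothing matches there, so only LAN clients are steered into the tunnels.
  printf 'Table = off\n'
  printf 'PostUp = ip rule add from %s lookup %s\n' "$lan" "$PBR_TABLE"
  printf '%s' "$routes"
  printf 'PostUp = nft delete table inet wg0filter 2>/dev/null || true; nft -f %s\n' "$NFT_FILE"
  printf 'PostDown = ip rule del from %s lookup %s\n' "$lan" "$PBR_TABLE"
  printf 'PostDown = nft delete table inet wg0filter\n'
  printf '%s' "$peers"
}

# render_nft LAN: forward filter loaded from PostUp. WireGuard already enforces the
# source side via AllowedIPs; this pins the destination side to the local LAN and
# refuses wg0 -> wg0 forwarding so a remote site cannot use this box as a transit hop.
# Other forwarding on the gateway is left alone (policy accept).
render_nft() {
  cat <<EOF
table inet wg0filter {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "wg0" oifname "wg0" drop
    iifname "wg0" ip daddr != $1 drop
    oifname "wg0" ip saddr != $1 drop
  }
}
EOF
}

# Dry run with placeholder keys. For real keys on each gateway:
#   PRIV=$(umask 077; wg genkey); PUB=$(printf '%s' "$PRIV" | wg pubkey)
main() {
  local s
  for s in A B C; do
    printf '##### site %s: /etc/wireguard/wg0.conf\n' "$s"
    render_config "$s" "PRIVATE_KEY_$s" PUBKEY_A PUBKEY_B PUBKEY_C
    printf '##### site %s: %s\n' "$s" "$NFT_FILE"
    render_nft "$(site_field "$s" 3)"
  done
}
main
```

To deploy, call render_config with that site's private key and the three public keys, write the two outputs to /etc/wireguard/wg0.conf and /etc/wireguard/wg0.nft on that gateway with mode 600, and start wg-quick@wg0 as in Step 5. The routing table is referenced by number, so no rt_tables entry is required.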

Testing the Tunnel

First confirm that each peer has completed a handshake: the "latest handshake" line per peer in sudo wg show wg0. A peer that never handshakes almost always means a mismatched key, a wrong Endpoint, or UDP 51820 blocked on the way in.

Then test the data path from a LAN host, or from the gateway with its LAN address as the source so that the packet is steered by the policy rule and accepted by the far side's AllowedIPs (a ping sourced from 10.0.0.1 or the public IP would be dropped at the other end). Assuming each gateway's LAN address is .1:

✅ Ping from Site A to Site B: ping -I 192.168.1.1 192.168.2.1

✅ Ping from Site C to Site A: ping -I 192.168.3.1 192.168.1.1
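Ping only tells you the end result. The following added example, not part of the original guide, checks tunnel health the way a monitoring script would: it parses the tab-separated output of wg show wg0 dump (one line for the interface, then one per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as epoch seconds with 0 meaning never, bytes received, bytes sent, keepalive) and reports each peer as OK, STALE or NEVER. The 180 s threshold, the shortened keys and the 203.0.113.0/24 endpoints in the constructed sample are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: check tunnel health from the
# gateway by reading `wg show wg0 dump`, which prints one tab-separated line per
# peer: public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (epoch seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
set -eu

# check_peers NOW MAX_AGE  (dump on stdin)
# Prints one status line per peer and returns 1 if any peer never completed a
# handshake or has not re-handshaked within MAX_AGE seconds. A peer that is
# exchanging traffic re-handshakes every few minutes, so 180 s is a reasonable
# threshold when PersistentKeepalive = 25 is set (assumption; tune as needed).
check_peers() {
  awk -F'\t' -v now="$1" -v max_age="$2" '
    NR == 1 { next }                         # first line describes the interface itself
    {
      pub = substr($1, 1, 8) "..."; ep = $3; allowed = $4; hs = $5
      if (hs == 0)                  { state = "NEVER"; bad++ }
      else if (now - hs > max_age)  { state = "STALE " (now - hs) "s"; bad++ }
      else                          { state = "OK " (now - hs) "s" }
      printf "%s endpoint=%s allowed=%s handshake=%s\n", pub, ep, allowed, state
    }
    END { exit (bad > 0) }'
}

# Constructed sample dump as Site A would show it 50 s after Site B handshaked,
# while Site C has never handshaked. Keys are shortened placeholders and the
# 203.0.113.0/24 documentation range stands in for the real public IPs.
SAMPLE_DUMP=$(
  printf 'privA\tpubA\t51820\toff\n'
  printf 'pubB\t(none)\t203.0.113.2:51820\t10.0.0.2/32,192.168.2.0/24\t1700000100\t1024\t2048\t25\n'
  printf 'pubC\t(none)\t203.0.113.3:51820\t10.0.0.3/32,192.168.3.0/24\t0\t0\t0\t25\n'
)
SAMPLE_NOW=1700000150

main() {
  # Dry run against the constructed sample. On a real gateway use the live dump:
  #   sudo wg show wg0 dump | check_peers "$(date +%s)" 180
  if printf '%s\n' "$SAMPLE_DUMP" | check_peers "$SAMPLE_NOW" 180; then
    echo "all peers up"
  else
    echo "at least one peer is down: check keys, Endpoint and UDP 51820 reachability" >&2
  fi
}
main
```

Once every peer reports OK, a failing ping points at routing or filtering rather than at WireGuard: ip route get 192.168.2.1 from 192.168.1.1 iif <lan interface> on the gateway shows whether the policy rule sends LAN-sourced packets out wg0, and tcpdump -ni wg0 shows whether the decrypted packets arrive at the far side.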

Conclusion

This guide shows how to establish a site-to-site VPN between three sites with WireGuard and policy-based routing. Each peer is authenticated by its static key, AllowedIPs confines what each peer may send, and the policy rules decide which local traffic enters the tunnels; pair the routing with forward-chain firewall rules to control what is allowed to cross between sites.
