Setting Up WireGuard

Using WireGuard for Site to Site Connection

In today’s interconnected world, businesses and organizations often need secure communication between multiple sites in different regions. WireGuard, a modern and efficient VPN solution, provides a lightweight and high-performance way to establish site-to-site tunnels with policy-based routing. In this blog post, we’ll walk through setting up a WireGuard tunnel to connect three remote sites while implementing policy-based routing to control traffic flow between them.

## **Scenario Overview**

We have three sites located in different regions:

- **Site A** (HQ) – 192.168.1.0/24
- **Site B** (Branch 1) – 192.168.2.0/24
- **Site C** (Branch 2) – 192.168.3.0/24

Each site has its own WireGuard server, and we will configure peer connections to enable site-to-site communication with specific routing policies.

## **Prerequisites**

- A Linux server or router at each site with WireGuard installed.
- Public IP addresses for each site.
- Firewall rules allowing UDP traffic on WireGuard's designated port (default: 51820).

## **Step 1: Install WireGuard**

On each site’s Linux machine, install WireGuard:

```bash
sudo apt update && sudo apt install wireguard -y
```

Enable IP forwarding:

```bash
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

## **Step 2: Generate Keys for Each Site**

Each site needs a private and public key:

```bash
umask 077   # so the private key file is not world-readable
wg genkey | tee privatekey | wg pubkey > publickey
```

## **Step 3: Configure WireGuard Interfaces**

### **Site A Configuration**

Create the WireGuard config file for Site A:

```ini
[Interface]
# Site A's own private key from Step 2
PrivateKey =
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# Site B: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.2.0/24
Endpoint = :51820
PersistentKeepalive = 25

[Peer]
# Site C: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.3.0/24
Endpoint = :51820
PersistentKeepalive = 25
```

### **Site B Configuration**

```ini
[Interface]
# Site B's own private key from Step 2
PrivateKey =
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
# Site A: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.1.0/24
Endpoint = :51820
PersistentKeepalive = 25

[Peer]
# Site C: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.3.0/24
Endpoint = :51820
PersistentKeepalive = 25
```

### **Site C Configuration**

```ini
[Interface]
# Site C's own private key from Step 2
PrivateKey =
Address = 10.0.0.3/24
ListenPort = 51820

[Peer]
# Site A: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.1.0/24
Endpoint = :51820
PersistentKeepalive = 25

[Peer]
# Site B: its public key, and its public IP as the endpoint
PublicKey =
AllowedIPs = 192.168.2.0/24
Endpoint = :51820
PersistentKeepalive = 25
```
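In WireGuard, `AllowedIPs` is both the outbound route table and the inbound source filter for each peer, so an overlap or gap in the three configs above is a security problem, not just a connectivity one. The lint below is an added example (not code from the original post): it builds the post's three configs from the site plan (key and endpoint values are placeholders), parses the `[Peer]` sections, and flags overlapping prefixes and LANs that no peer carries.

```python
# Added consistency lint for the three-site mesh above (example code, not from the
# original post). Site names, LANs and tunnel IPs are the post's; keys are placeholders.
import ipaddress

SITES = {"A": ("10.0.0.1", "192.168.1.0/24"), "B": ("10.0.0.2", "192.168.2.0/24"),
         "C": ("10.0.0.3", "192.168.3.0/24")}          # site -> (tunnel IP, LAN)

def site_conf(site):
    """Build the post's wg0.conf text for one site: one [Peer] per other site."""
    out = [f"[Interface]\nPrivateKey = <{site}-private-key>  # placeholder\n"
           f"Address = {SITES[site][0]}/24\nListenPort = 51820"]
    for other, (_, lan) in SITES.items():
        if other != site:
            out.append(f"[Peer]\nPublicKey = <{other}-public-key>\nAllowedIPs = {lan}\n"
                       f"Endpoint = <{other}-public-ip>:51820\nPersistentKeepalive = 25")
    return "\n".join(out)

def parse_peers(text):
    """Return the [Peer] sections of wg-quick style INI text as dicts."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # wg drops '#' comments
        if line.startswith("["):                       # section header
            cur = {} if line == "[Peer]" else None     # [Interface] is not needed here
            peers += [cur] if cur is not None else []
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return peers

def lint_site(site, text):
    """Findings for one site's config against the mesh plan in SITES."""
    nets = [ipaddress.ip_network(a.strip())
            for p in parse_peers(text) for a in p["AllowedIPs"].split(",")]
    findings = []
    for i, a in enumerate(nets):          # overlapping AllowedIPs: the kernel silently
        for b in nets[i + 1:]:            # hands the prefix to the last peer configured
            if a.overlaps(b):
                findings.append(f"{site}: AllowedIPs {a} and {b} overlap")
    for other, (_, lan) in SITES.items():  # every other LAN must be carried by some peer
        if other != site and not any(ipaddress.ip_network(lan).subnet_of(n) for n in nets):
            findings.append(f"{site}: no peer carries {other}'s LAN {lan}")
    return findings

if __name__ == "__main__":
    confs = {s: site_conf(s) for s in SITES}
    print([f for s, t in confs.items() for f in lint_site(s, t)])   # [] for the post's mesh
    # Tampered Site C: the peer for B gets 0.0.0.0/0, shadowing Site A's prefix and
    # letting Site B inject packets with any source address into Site C's network.
    print(lint_site("C", confs["C"].replace("AllowedIPs = 192.168.2.0/24", "AllowedIPs = 0.0.0.0/0")))
```

The post's configs pass clean; note that they list only the remote LANs, so the 10.0.0.x tunnel addresses themselves are not reachable through the tunnel unless each peer's tunnel IP is added as a /32 to its `AllowedIPs`.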

## **Step 4: Policy-Based Routing**

To control how traffic flows between sites, we will create custom routing tables and rules.

### **Create Routing Tables**

Add new routing tables in `/etc/iproute2/rt_tables`:

```bash
echo "200 siteB" | sudo tee -a /etc/iproute2/rt_tables
echo "201 siteC" | sudo tee -a /etc/iproute2/rt_tables
# Site B and Site C also reference a "siteA" table below, so it must exist too (ID 202 chosen here)
echo "202 siteA" | sudo tee -a /etc/iproute2/rt_tables
```

### **Apply Routing Rules**

For Site A:

```bash
# run as root (or prefix each command with sudo)
ip rule add from 192.168.1.0/24 table siteB
ip route add 192.168.2.0/24 via 10.0.0.2 dev wg0 table siteB

ip rule add from 192.168.1.0/24 table siteC
ip route add 192.168.3.0/24 via 10.0.0.3 dev wg0 table siteC
```

For Site B:

```bash
ip rule add from 192.168.2.0/24 table siteA
ip route add 192.168.1.0/24 via 10.0.0.1 dev wg0 table siteA

ip rule add from 192.168.2.0/24 table siteC
ip route add 192.168.3.0/24 via 10.0.0.3 dev wg0 table siteC
```

For Site C:

```bash
ip rule add from 192.168.3.0/24 table siteA
ip route add 192.168.1.0/24 via 10.0.0.1 dev wg0 table siteA

ip rule add from 192.168.3.0/24 table siteB
ip route add 192.168.2.0/24 via 10.0.0.2 dev wg0 table siteB
```

## **Step 5: Enable WireGuard Service**

Enable and start WireGuard at each site:

```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```

## **Testing the Tunnel**

To verify connectivity, try pinging from Site A to Site B:

```bash
ping 192.168.2.1
```

Or from Site C to Site A:

```bash
ping 192.168.1.1
```

If everything is configured correctly, the pings should succeed.

## **Conclusion**

With WireGuard and policy-based routing, we have successfully created a secure and efficient site-to-site VPN tunnel connecting three different regions. This setup ensures that traffic is properly routed between the sites based on predefined policies, optimizing network performance and security.

If you found this guide useful or have any questions, feel free to leave a comment below!