I use site-to-site VPNs between a datacenter and two remote locations. Recently, I had some strange performance issues with the OpenVPN site-to-site link to one particular remote location, while the same OpenVPN configuration worked perfectly fine at the other remote location. It was probably related to some UDP magic of that particular ISP. The monthly cost of that residential link is $20, so it was unrealistic to open a support ticket with the ISP and do deep troubleshooting. Instead, I tried WireGuard VPN and it worked like a charm.
That was the reason I switched from OpenVPN to WireGuard, and here is the configuration of a WireGuard server with two VPN clients in the topology called Hub and Spoke. The hub is a server, and multiple clients can connect to it.
I have a FreeBSD-based VPN box in each location, and below is the diagram with the WireGuard interfaces (wg0) at each site. WireGuard in the data center is obviously the WireGuard server (172.16.100.254/24), and in the remote locations I have WireGuard clients (172.16.100.1/24 and 172.16.100.2/24).
[Diagram: WireGuard site-to-site VPN Hub and Spoke Topology]
Installation and configuration of WireGuard Server
In this section, we will install and configure WireGuard Server.
Install WireGuard
pkg install wireguard-tools
Enable WireGuard in /etc/rc.conf
sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="wg0"
Reboot server
reboot
Generate Private and Public Key
wg genkey | tee /usr/local/etc/wireguard/server_private.key | wg pubkey > /usr/local/etc/wireguard/server_public.key
Make the private key readable only by root
chmod 600 /usr/local/etc/wireguard/server_private.key
Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf
[Interface]
Address = 172.16.100.254/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = /sbin/ifconfig wg0 up
PostDown = /sbin/ifconfig wg0 down
# Client 1
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 172.16.100.1/32
# Client 2
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 172.16.100.2/32
That's it for the WireGuard server.
Installation and configuration of WireGuard Client 1
In this section, we will install and configure the first WireGuard client.
Install WireGuard
pkg install wireguard-tools
Enable WireGuard in /etc/rc.conf
sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="wg0"
Generate Private and Public Key
wg genkey | tee /usr/local/etc/wireguard/client_private.key | wg pubkey > /usr/local/etc/wireguard/client_public.key
Make the private key readable only by root
chmod 600 /usr/local/etc/wireguard/client_private.key
Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf
[Interface]
Address = 172.16.100.1/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 172.16.100.254/32
PersistentKeepalive = 25
That's it for WireGuard Client #1.
Installation and configuration of WireGuard Client 2
In this section, we will install and configure the second WireGuard client. We will follow the same installation steps as for the first client, but with different keys and IP addresses in the configuration file.
Generate Private and Public Key
wg genkey | tee /usr/local/etc/wireguard/client_private.key | wg pubkey > /usr/local/etc/wireguard/client_public.key
Make the private key readable only by root
chmod 600 /usr/local/etc/wireguard/client_private.key
Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf
[Interface]
Address = 172.16.100.2/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 172.16.100.254/32
PersistentKeepalive = 25
That's it for WireGuard Client #2.
Conclusion
In this blog post, we demonstrated the Hub and Spoke topology where two WireGuard clients (Client #1 and Client #2) communicate with a single WireGuard server (the hub). In this particular configuration, communication between the clients is not allowed, which is the intended design for some scenarios.
If you have a scenario where you need communication between all WireGuard clients and the WireGuard server in such a Hub and Spoke topology, you can achieve it with the same configuration, but the AllowedIPs option must be set to AllowedIPs = 172.16.100.0/24 in all WireGuard configurations (/usr/local/etc/wireguard/wg0.conf).
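As an added example (not part of the original post), here is a small Python check for the hub's wg0.conf as laid out above. It parses the file, flags a PrivateKey placeholder left in place, flags AllowedIPs outside the hub subnet, flags AllowedIPs that overlap between peers (WireGuard's cryptokey routing gives each allowed IP to exactly one peer, so an overlapping entry is silently moved to the peer configured last), and confirms that every spoke address is covered by some peer entry. The sample config and spoke addresses are constructed from the post's values.

```python
import ipaddress
# Constructed sample hub wg0.conf mirroring the post; the placeholder key is kept on purpose.
HUB_CONF = """[Interface]
Address = 172.16.100.254/24
PrivateKey = SERVER_PRIVATE_KEY
[Peer]  # Client 1
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 172.16.100.1/32
[Peer]  # Client 2
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 172.16.100.2/32
"""

def parse_wg_conf(text):
    """Split a wg-quick config into an [Interface] dict and a list of [Peer] dicts."""
    interface, peers, section = {}, [], None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        else:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return interface, peers

def check_hub(text, spoke_addresses):
    """Return findings for a hub config; spoke_addresses are the spokes' Address values."""
    iface, peers = parse_wg_conf(text)
    findings = []
    if iface.get("PrivateKey", "").isupper():  # heuristic: SERVER_PRIVATE_KEY left in place
        findings.append("Interface: PrivateKey placeholder not replaced")
    hub_net = ipaddress.ip_interface(iface["Address"]).network
    routes = []  # (peer number, network) pairs already claimed by earlier peers
    for n, peer in enumerate(peers, 1):
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not net.subnet_of(hub_net):
                findings.append(f"Peer {n}: {net} is outside the hub subnet {hub_net}")
            # Cryptokey routing: one allowed IP, one peer; the last-configured peer wins an overlap.
            for m, other in routes:
                if net.overlaps(other):
                    findings.append(f"Peer {n}: {net} overlaps Peer {m}'s {other}")
            routes.append((n, net))
    for addr in spoke_addresses:  # every spoke must be routed through some peer entry
        host = ipaddress.ip_interface(addr).ip
        if not any(host in net for _, net in routes):
            findings.append(f"Spoke {host}: no hub peer lists it in AllowedIPs")
    return findings
```

Running check_hub on the post's server config with both spoke addresses reports only the unreplaced key placeholder; widening both peers' AllowedIPs to 172.16.100.0/24 makes the overlap finding appear.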
Hope you found this information helpful. In case of any question or comment, do not hesitate to leave a comment.