Wednesday, May 14, 2025

WireGuard VPN on FreeBSD

I use site-to-site VPNs between a datacenter and two remote locations, and I had some strange performance issues with the OpenVPN site-to-site link to one particular remote location, while the same OpenVPN configuration worked perfectly fine at the other remote location. It was probably related to some UDP quirk of that particular ISP. The monthly cost of that residential link is $20, so opening a support ticket with the ISP and doing deep troubleshooting was unrealistic. Instead, I tried WireGuard VPN and it worked like a charm.
 
That was the reason I switched from OpenVPN to WireGuard VPN, and here is the configuration of a WireGuard VPN server with two VPN clients.

I have a FreeBSD-based VPN box in each location, and below is the diagram with the WireGuard interface (wg0) at each site. The WireGuard box in the datacenter acts as the WireGuard server (172.16.100.254/24) and the boxes in the remote locations are WireGuard clients (172.16.100.1/24 and 172.16.100.2/24). Strictly speaking WireGuard has no server/client roles, only peers; "server" here just means the peer with a fixed public IP and a ListenPort that the other two peers connect to.
 
WireGuard site-to-site VPN Topology

Installation and configuration of WireGuard Server

Install WireGuard
pkg install wireguard-tools
 
Enable WireGuard in /etc/rc.conf (the wireguard rc script comes with the wireguard-tools package; if_wg is the in-kernel WireGuard driver)
sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="wg0"
sysrc kld_list+="if_wg" # load the WireGuard kernel module at boot
 
Reboot the server (the reboot loads the kernel module; wg0 itself only comes up at boot once the wg0.conf below exists, or immediately with service wireguard start)
reboot
 
Generate Private and Public Key
wg genkey | tee /usr/local/etc/wireguard/server_private.key | wg pubkey > /usr/local/etc/wireguard/server_public.key
 
Make the private key readable only by root (better still, run umask 077 in the shell before generating it, so tee never creates the file world-readable in the first place)
chmod 600 /usr/local/etc/wireguard/server_private.key

Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf. It contains the private key, so give it mode 600 as well. Replace SERVER_PRIVATE_KEY with the contents of server_private.key and CLIENT1_PUBLIC_KEY / CLIENT2_PUBLIC_KEY with the public keys generated on the clients below.

[Interface]
Address = 172.16.100.254/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = /sbin/ifconfig wg0 up
PostDown = /sbin/ifconfig wg0 down

# Client 1
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 172.16.100.1/32

# Client 2
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 172.16.100.2/32

Keep in mind that AllowedIPs is both the route and the cryptokey access list: a packet arriving from a peer is dropped unless its source address falls within that peer's AllowedIPs, and outbound packets are only sent to the peer whose AllowedIPs cover the destination. With the /32 entries above the tunnel carries traffic between the wg0 addresses only. To route a remote site's LAN across it, add that LAN's subnet to the peer's AllowedIPs here (and the datacenter subnets to the client side), and enable forwarding on the boxes with sysrc gateway_enable="YES".

Installation and configuration of WireGuard Client 1

Install WireGuard
pkg install wireguard-tools
 
Enable WireGuard in /etc/rc.conf
sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="wg0"

Reboot the server
reboot
 
Generate Private and Public Key 
wg genkey | tee /usr/local/etc/wireguard/client_private.key | wg pubkey > /usr/local/etc/wireguard/client_public.key
 
Make the private key readable only by root (or run umask 077 before generating it)
chmod 600 /usr/local/etc/wireguard/client_private.key

Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf (mode 600, it holds the private key). Replace CLIENT_PRIVATE_KEY with the key generated above, and SERVER_PUBLIC_KEY / SERVER_PUBLIC_IP with the server's public key and public address. PersistentKeepalive = 25 keeps the NAT mapping at the residential ISP open so the server can still reach the client when the link is idle.

[Interface]
Address = 172.16.100.1/24
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 172.16.100.254/32 
PersistentKeepalive = 25

Installation and configuration of WireGuard Client 2

The installation steps are the same as for client 1, but with different keys and IP addresses in the configuration file.
 
Generate Private and Public Key 
wg genkey | tee /usr/local/etc/wireguard/client_private.key | wg pubkey > /usr/local/etc/wireguard/client_public.key
 
Make the private key readable only by root (or run umask 077 before generating it)
chmod 600 /usr/local/etc/wireguard/client_private.key

Create the configuration file for the wg0 interface at /usr/local/etc/wireguard/wg0.conf (mode 600), with the same placeholders as for client 1

[Interface]
Address = 172.16.100.2/24
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 172.16.100.254/32 
PersistentKeepalive = 25
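The whole procedure above (key generation for the server and both clients, then the server's wg0.conf with one [Peer] per client and each client's wg0.conf pointing back at the server) as one script. This is an added example, not code from the post: it reimplements what wg genkey and wg pubkey do (a clamped random X25519 scalar and its public point per RFC 7748, base64-encoded) so that it runs where wireguard-tools is not installed; on the FreeBSD boxes themselves you would keep using the wg commands shown above. The endpoint name SERVER_PUBLIC_IP, the output directory and the 192.168.2.0/24 LAN behind client 2 are assumptions for the demonstration. It goes beyond the post in two ways: it creates the files with mode 0600 from the start instead of chmod afterwards, and it lets a client's LAN subnet be added to that peer's AllowedIPs on the server, which is what turns the tunnel into a real site-to-site link.

```python
import base64
import os
from typing import Dict, Sequence, Tuple

# Curve25519 parameters (RFC 7748).
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """decodeScalar25519: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes = BASE_POINT) -> bytes:
    """X25519(k, u) via the RFC 7748 Montgomery ladder. Plain Python, not
    constant-time: fine for one-off key generation, not for a live handshake."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """What `wg genkey` does: 32 random bytes, clamped, base64-encoded."""
    return base64.b64encode(_clamp(os.urandom(32)).to_bytes(32, "little")).decode()


def pubkey(private_b64: str) -> str:
    """What `wg pubkey` does: X25519 of the private scalar with the base point."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


def render_configs(server_addr: str, server_endpoint: str, port: int,
                   clients: Sequence[Tuple[str, str, Sequence[str]]]) -> Dict[str, str]:
    """Return {filename: config text} for the server and every client.
    clients = (name, tunnel IP, LAN subnets behind that client); the LAN subnets
    go into that peer's AllowedIPs on the server, which is both route and ACL."""
    server_ip, prefix = server_addr.split("/")
    server_priv = genkey()
    server_pub = pubkey(server_priv)
    server = ["[Interface]", f"Address = {server_addr}", f"ListenPort = {port}",
              f"PrivateKey = {server_priv}", ""]
    out: Dict[str, str] = {}
    for name, ip, lans in clients:
        priv = genkey()
        allowed = ", ".join([f"{ip}/32", *lans])
        server += [f"# {name}", "[Peer]", f"PublicKey = {pubkey(priv)}",
                   f"AllowedIPs = {allowed}", ""]
        out[f"{name}-wg0.conf"] = "\n".join([
            "[Interface]", f"Address = {ip}/{prefix}", f"PrivateKey = {priv}", "",
            "[Peer]", f"PublicKey = {server_pub}",
            f"Endpoint = {server_endpoint}:{port}",
            f"AllowedIPs = {server_ip}/32",   # tunnel address of the server only
            "PersistentKeepalive = 25",       # keeps the NAT mapping at the ISP open
            ""])
    out["server-wg0.conf"] = "\n".join(server)
    return out


def write_private(path: str, text: str) -> None:
    """Create the file with mode 0600 from the start: no window where the
    private key sits world-readable under the default umask before a chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    # Constructed topology matching the post: one server, two remote sites.
    confs = render_configs("172.16.100.254/24", "SERVER_PUBLIC_IP", 51820, [
        ("client1", "172.16.100.1", []),
        ("client2", "172.16.100.2", ["192.168.2.0/24"]),   # assumed LAN behind client 2
    ])
    outdir = os.path.join(os.getcwd(), "wg-out")          # assumed output directory
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    for fname, text in confs.items():
        write_private(os.path.join(outdir, fname), text)
    print(confs["server-wg0.conf"])
```

Each generated file is a drop-in /usr/local/etc/wireguard/wg0.conf for the box it is named after; copy it into place with scp or a config-management tool, never paste the private keys through a chat or ticket system. The x25519 routine is only there to make the script self-contained and is checkable against the RFC 7748 test vectors; it makes no attempt at constant-time arithmetic, so do not reuse it for anything that handles a secret on a network-reachable path.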
