Setting Up a Site-to-Site VPN with WireGuard
Learn how to set up a site-to-site VPN using WireGuard between multiple servers.
Here is a configuration setup for a site-to-site VPN using WireGuard between three servers (`vm1.pilab.hu`, `vm2.pilab.hu`, and `vm3.pilab.hu`). Each server will act as a peer in the VPN network, allowing them to communicate securely with each other.

Assumptions:
- Each server has WireGuard installed.
- Each server has a unique IP in the VPN subnet (e.g., `10.0.0.1`, `10.0.0.2`, `10.0.0.3`).
- The WireGuard network is `10.0.0.0/24`.
- Each server has a publicly accessible IP address or can resolve the hostname to its public IP.
- The VPN interface is named `wg0`.
Configuration
1. Generate Keys
On each server, generate a private and public key pair (the `umask 077` makes the `privatekey` file readable only by its owner, instead of the world-readable default):

```bash
umask 077 && wg genkey | tee privatekey | wg pubkey > publickey
```
Save the output for the respective servers:
- Server1 (`vm1.pilab.hu`)
  - Private Key: `<vm1-private-key>`
  - Public Key: `<vm1-public-key>`
- Server2 (`vm2.pilab.hu`)
  - Private Key: `<vm2-private-key>`
  - Public Key: `<vm2-public-key>`
- Server3 (`vm3.pilab.hu`)
  - Private Key: `<vm3-private-key>`
  - Public Key: `<vm3-public-key>`
2. Configuration Files
Server1 (`vm1.pilab.hu`)

```ini
[Interface]
PrivateKey = <vm1-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <vm2-public-key>
AllowedIPs = 10.0.0.2/32
Endpoint = vm2.pilab.hu:51820

[Peer]
PublicKey = <vm3-public-key>
AllowedIPs = 10.0.0.3/32
Endpoint = vm3.pilab.hu:51820
```
Server2 (`vm2.pilab.hu`)

```ini
[Interface]
PrivateKey = <vm2-private-key>
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
PublicKey = <vm1-public-key>
AllowedIPs = 10.0.0.1/32
Endpoint = vm1.pilab.hu:51820

[Peer]
PublicKey = <vm3-public-key>
AllowedIPs = 10.0.0.3/32
Endpoint = vm3.pilab.hu:51820
```
Server3 (`vm3.pilab.hu`)

```ini
[Interface]
PrivateKey = <vm3-private-key>
Address = 10.0.0.3/24
ListenPort = 51820

[Peer]
PublicKey = <vm1-public-key>
AllowedIPs = 10.0.0.1/32
Endpoint = vm1.pilab.hu:51820

[Peer]
PublicKey = <vm2-public-key>
AllowedIPs = 10.0.0.2/32
Endpoint = vm2.pilab.hu:51820
```
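In these files `AllowedIPs` does double duty: it is the route for traffic towards that peer and WireGuard's cryptokey routing rule, i.e. the only source addresses a packet decrypted under that peer's key is allowed to carry. A value that is wider than the peer's own address (for example `0.0.0.0/0` on a peer that should only own `10.0.0.3/32`) therefore lets that peer send traffic as any address. The following Python script is an added example, not part of the original post: it parses a `wg0.conf` (a constructed copy of the Server1 file above, with placeholder keys) and flags any peer whose `AllowedIPs` leaves the VPN subnet or overlaps another peer; the function names are ours.

```python
import ipaddress

# Constructed sample mirroring the Server1 config above (placeholder keys).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <vm1-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <vm2-public-key>
AllowedIPs = 10.0.0.2/32
Endpoint = vm2.pilab.hu:51820

[Peer]
PublicKey = <vm3-public-key>
AllowedIPs = 10.0.0.3/32
Endpoint = vm3.pilab.hu:51820
"""

def parse_wg_conf(text):
    """Return (interface, peers). wg0.conf repeats [Peer] sections, which a
    plain configparser would merge, so the lines are walked by hand."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = interface if line == "[Interface]" else {}
            if line == "[Peer]":
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return interface, peers

def check_allowed_ips(interface, peers):
    """Findings for peers whose AllowedIPs leave the VPN subnet or overlap."""
    findings, seen = [], []
    subnet = ipaddress.ip_interface(interface["Address"]).network
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            if not cidr.strip():
                continue
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not net.subnet_of(subnet):
                findings.append(f"{peer['PublicKey']}: {net} is outside {subnet}")
            if any(net.overlaps(s) for s in seen):
                findings.append(f"{peer['PublicKey']}: {net} overlaps another peer")
            seen.append(net)  # remember for the overlap check of later peers
    return findings
```

Run it against each server's `/etc/wireguard/wg0.conf`; an empty result means every peer is pinned to exactly its own `/32`, as in the three configs above.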
3. Enable and Start WireGuard
Save the configuration to `/etc/wireguard/wg0.conf` on each server. Then start and enable the WireGuard service:

```bash
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
```
4. Configure Firewall Rules
Ensure the WireGuard port (`51820`) is open on each server. For example, with ufw:

```bash
sudo ufw allow 51820/udp
```
5. Test the Connection
Check the connection status with:

```sh
sudo wg show
```

Ping between servers over the VPN subnet (e.g., `ping 10.0.0.2` from `vm1.pilab.hu`).

Notes
- Replace `<vm*-private-key>` and `<vm*-public-key>` with the actual key values.
- Adjust `ListenPort` if `51820` conflicts with another service.
- If servers are behind NAT, ensure port forwarding is configured for `51820/udp`.
Created: Nov 21, 2024
Last updated: Nov 24, 2024
Author: Paal Gyula