WireGuard
Set up a WireGuard split tunnel.
Recently I needed to bridge two private networks that both sit behind CGNAT. Since neither site can accept inbound connections, the design is a WireGuard split tunnel: both sites connect out to a cloud server with a real public IP, and only the remote sites' subnets are routed through the tunnel, while all other traffic keeps using the local uplink. Below I lay out the steps to accomplish that.
What you'll need
- Your own domain, or a domain whose DNS you control and that supports dynamic DNS (DDNS)
- One "server" machine in the cloud (e.g. DigitalOcean); make sure the instance gets a real public IP address, not one behind NAT.
- Two client machines or routers that support WireGuard.
- Basic *nix knowledge
- Basic networking knowledge
In our case 10.8.0.0/24 is the WireGuard network, and 192.168.100.0/24 (behind the first client) plus 192.168.110.0/24 and 192.168.180.0/24 (behind the second client) are the internal networks we want to route over it. Replace the values below to match your own networks.
Server setup
Assuming that you have Ubuntu installed, perform the following:
- sudo apt-get update && sudo apt-get upgrade
- sudo apt-get install wireguard
- sudo wg genkey | sudo tee /etc/wireguard/wg0_private.key
- sudo cat /etc/wireguard/wg0_private.key | sudo wg pubkey | sudo tee /etc/wireguard/wg0_public.key
- sudo vi /etc/wireguard/wg0.conf
Note that tee creates the key files world-readable: restrict them, and wg0.conf (which contains the private key), to root only with mode 0600; wg-quick warns about a world-readable config for this reason.
Add the following:
- [Interface]
- Address = 10.8.0.1/32 (the server's address inside the WireGuard network you chose; 10.8.0.0/24 here)
- SaveConfig = true (the running configuration is written back to this file when the interface goes down, so only edit the file while the interface is down, or your edits will be overwritten)
- PostUp = iptables -A FORWARD -i %i -j ACCEPT
- PostUp = iptables -A FORWARD -o %i -j ACCEPT
- PostDown = iptables -D FORWARD -i %i -j ACCEPT
- PostDown = iptables -D FORWARD -o %i -j ACCEPT
- ListenPort = 51820
- PrivateKey = "The contents of wg0_private.key"
- [Peer]
- PublicKey = first client public key (see 1st Client Setup)
- PresharedKey = first client preshared key (see 1st Client Setup)
- AllowedIPs = 192.168.100.0/24, 10.8.0.2/32
- Endpoint = public IP or FQDN of the first client. This is optional: a client behind CGNAT has no reachable address, so leave it out and the server will learn the endpoint from the client's handshake (with SaveConfig = true it is then saved into this file).
- [Peer]
- PublicKey = second client public key (see 2nd Client Setup)
- PresharedKey = second client preshared key (see 2nd Client Setup)
- AllowedIPs = 192.168.180.0/24, 192.168.110.0/24, 10.8.0.3/32
- Endpoint = public IP or FQDN of the second client (optional for the same reason as above)
Enable routing
- Edit /etc/sysctl.conf
- Set net.ipv4.ip_forward to 1 (uncomment the line if it is commented out)
- Set net.ipv6.conf.all.forwarding to 1 if you also carry IPv6 over the tunnel
- Apply the change with sysctl -p (or reboot); without forwarding the server accepts both tunnels but will not pass traffic between them
1st Client setup
Assuming that you have Ubuntu installed, perform the following:
- sudo apt-get update && sudo apt-get upgrade
- sudo apt-get install wireguard
- sudo wg genkey | sudo tee /etc/wireguard/wgcli_private.key
- sudo cat /etc/wireguard/wgcli_private.key | sudo wg pubkey | sudo tee /etc/wireguard/wgcli_public.key
- sudo wg genpsk | sudo tee /etc/wireguard/wgcli_preshared.key
- sudo vi /etc/wireguard/wgcli.conf
Restrict the key files and the config to mode 0600, as on the server. The preshared key must be copied to the server's [Peer] entry for this client; it has to be identical on both sides.
Add the following:
- [Interface]
- PrivateKey = "The contents of /etc/wireguard/wgcli_private.key"
- Address = 10.8.0.2/32
- [Peer]
- PublicKey = "The contents of the server public key that we created above (/etc/wireguard/wg0_public.key)"
- PresharedKey = "The contents of /etc/wireguard/wgcli_preshared.key"
- AllowedIPs = 192.168.180.0/24, 192.168.110.0/24, 10.8.0.0/24
- Endpoint = "Public ip of your server or FQDN":51820
- PersistentKeepalive = 15
PersistentKeepalive is what keeps the CGNAT mapping open so the server can reach this site at any time; without it the tunnel only works while the client itself is sending. Because this client forwards traffic for its LAN, enable net.ipv4.ip_forward on it as well (the same sysctl change as on the server), and make sure the LAN hosts route the remote subnets through it: either it is the site's default gateway, or the gateway gets static routes for the remote subnets pointing at this client.
2nd Client setup
If your 2nd client is also Ubuntu, repeat the steps of the 1st client setup (using wgcli2 as the file name prefix).
If it is a router, either follow the steps above on any Linux machine to produce an equivalent file and upload it to the router, or generate only the keys that way and configure the router by hand.
The wireguard config file will look like:
- [Interface]
- PrivateKey = "The contents of /etc/wireguard/wgcli2_private.key"
- Address = 10.8.0.3/32
- [Peer]
- PublicKey = "The contents of the server public key that we created above (/etc/wireguard/wg0_public.key)"
- PresharedKey = "The contents of /etc/wireguard/wgcli2_preshared.key"
- AllowedIPs = 192.168.100.0/24, 10.8.0.0/24 (the first client's LAN plus the WireGuard network; do not list this site's own 192.168.180.0/24 and 192.168.110.0/24 here, or local traffic would be sent into the tunnel)
- Endpoint = "Public ip of your server or FQDN":51820
- PersistentKeepalive = 15
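Because AllowedIPs does two different jobs (on the server it is the routing table that decides which peer receives a destination, on each client it decides which subnets enter the tunnel), mistakes in it fail silently. The following checker is an added example, not code from the original post: it parses wg-quick style .conf text for the server and both clients and verifies the invariants the setup above relies on (disjoint AllowedIPs on the server, each client routing the other site's LANs plus the tunnel network and nothing else, matching preshared keys, keepalives present). The keys are constructed placeholders and vpn.example.org is an assumed endpoint.

```python
"""Added example (not from the original post): static checks for a split-tunnel
setup like the one above. Parses wg-quick style .conf text and verifies the
routing invariants the setup relies on. All keys are constructed placeholders."""
import base64
import ipaddress
from typing import Dict, List

Conf = Dict[str, List[Dict[str, str]]]


def parse_conf(text: str) -> Conf:
    """Parse wg-quick INI text; [Peer] repeats, so configparser cannot be used."""
    conf: Conf = {"Interface": [], "Peer": []}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = {}
            conf.setdefault(line[1:-1], []).append(current)
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = current[key] + ";" + value if key in current else value  # keep repeats
    return conf


def nets(value: str) -> list:
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]


def key_ok(key: str) -> bool:
    """Public, private and preshared keys are all 32 bytes, base64 encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def check_split_tunnel(server_text: str, clients: Dict[str, str], wg_net: str = "10.8.0.0/24") -> List[str]:
    """Return the problems found; an empty list means the configs are consistent."""
    problems: List[str] = []
    server, tunnel = parse_conf(server_text), ipaddress.ip_network(wg_net)
    peers = server["Peer"]
    if not key_ok(server["Interface"][0].get("PrivateKey", "")):
        problems.append("server: PrivateKey missing or malformed")
    for i, p in enumerate(peers):
        problems += [f"server peer {i}: {f} missing or malformed" for f in ("PublicKey", "PresharedKey") if not key_ok(p.get(f, ""))]
        # WireGuard maps each AllowedIPs prefix to exactly one peer; an overlap silently steals the route.
        for j, q in enumerate(peers[i + 1:], start=i + 1):
            problems += [f"server: {a} (peer {i}) overlaps {b} (peer {j})"
                         for a in nets(p.get("AllowedIPs", "")) for b in nets(q.get("AllowedIPs", "")) if a.overlaps(b)]
    for name, text in clients.items():
        c = parse_conf(text)
        addr, peer = ipaddress.ip_interface(c["Interface"][0]["Address"]).ip, c["Peer"][0]
        allowed = nets(peer.get("AllowedIPs", ""))
        mine = [p for p in peers if any(addr in n for n in nets(p.get("AllowedIPs", "")))]  # server entry for this client
        if len(mine) != 1:
            problems.append(f"{name}: {addr} is routed by {len(mine)} server peers, expected exactly 1")
            continue
        own_lans = [n for n in nets(mine[0]["AllowedIPs"]) if n.prefixlen != 32]
        remote_lans = [n for p in peers if p is not mine[0] for n in nets(p["AllowedIPs"]) if n.prefixlen != 32]
        if peer.get("PresharedKey") != mine[0].get("PresharedKey"):
            problems.append(f"{name}: PresharedKey does not match the server's entry for this peer")
        if any(n.prefixlen == 0 for n in allowed):
            problems.append(f"{name}: AllowedIPs has a default route, which makes this a full tunnel")
        if not any(tunnel.subnet_of(n) for n in allowed):
            problems.append(f"{name}: tunnel network {tunnel} is not in AllowedIPs")
        problems += [f"{name}: remote LAN {lan} is not in AllowedIPs, so it is not routed" for lan in remote_lans if not any(lan.subnet_of(n) for n in allowed)]
        problems += [f"{name}: own LAN {lan} is in AllowedIPs and would be pulled into the tunnel" for lan in own_lans if any(lan.overlaps(n) for n in allowed)]
        if "PersistentKeepalive" not in peer:
            problems.append(f"{name}: no PersistentKeepalive, so the CGNAT mapping will expire")
    return problems


# Constructed placeholder keys (base64 of 32 repeated bytes): K[1]/K[6] server private/public, K[2]/K[4] client public, K[3]/K[5] PSKs.
K = {n: base64.b64encode(bytes([n]) * 32).decode() for n in range(7)}

SERVER = f"""[Interface]
Address = 10.8.0.1/32
ListenPort = 51820
PrivateKey = {K[1]}
[Peer]
PublicKey = {K[2]}
PresharedKey = {K[3]}
AllowedIPs = 192.168.100.0/24, 10.8.0.2/32
[Peer]
PublicKey = {K[4]}
PresharedKey = {K[5]}
AllowedIPs = 192.168.180.0/24, 192.168.110.0/24, 10.8.0.3/32
"""


def client_conf(priv: str, addr: str, psk: str, allowed: str, keepalive: bool = True) -> str:
    """Render a client config shaped like the ones above (vpn.example.org is a placeholder)."""
    lines = ["[Interface]", f"PrivateKey = {priv}", f"Address = {addr}", "[Peer]", f"PublicKey = {K[6]}",
             f"PresharedKey = {psk}", f"AllowedIPs = {allowed}", "Endpoint = vpn.example.org:51820"]
    return "\n".join(lines + (["PersistentKeepalive = 15"] if keepalive else [])) + "\n"


CLIENT1 = client_conf(K[2], "10.8.0.2/32", K[3], "192.168.180.0/24, 192.168.110.0/24, 10.8.0.0/24")
CLIENT2 = client_conf(K[4], "10.8.0.3/32", K[5], "192.168.100.0/24, 10.8.0.0/24")
# Client 2 with AllowedIPs copied from client 1 and no keepalive: own LANs pulled into the tunnel, 192.168.100.0/24 unreachable.
CLIENT2_WRONG = client_conf(K[4], "10.8.0.3/32", K[5], "192.168.180.0/24, 192.168.110.0/24, 10.8.0.0/24", False)

if __name__ == "__main__":
    print(check_split_tunnel(SERVER, {"site1": CLIENT1, "site2": CLIENT2_WRONG}))
```

To check real files, pass the contents of /etc/wireguard/wg0.conf and the two client configs to check_split_tunnel instead of the constructed strings. Once it reports nothing, bring the interfaces up (for example with systemctl enable --now wg-quick@wg0 on the server and the matching unit on each client) and confirm with wg show that every peer shows a recent handshake and a learned endpoint.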
Enjoy
- Configurations are provided AS-IS.
- You take full responsibility for problems caused when you modify your systems.
- If you face any issues I'll be happy to help.
- Contact me via Matrix or Mastodon (see footer).