WireGuard

Set up a WireGuard split tunnel.

Recently, I needed to bridge two private networks that both sit behind CGNAT. I decided to use a WireGuard split tunnel configuration. Below I'll lay down the steps to accomplish that.

What you'll need

  1. Your own domain, or a domain whose DNS you can manage and that supports DDNS
  2. One "server" machine in the cloud (e.g. DigitalOcean); make sure the instance gets a real public IP.
  3. Two client machines / routers that support WireGuard.
  4. Basic *nix knowledge

Server setup

Assuming that you have Ubuntu installed, perform the following:
  • sudo apt-get update && sudo apt-get upgrade
  • sudo apt-get install wireguard
  • sudo wg genkey | sudo tee /etc/wireguard/wg0_private.key
  • sudo cat /etc/wireguard/wg0_private.key | sudo wg pubkey | sudo tee /etc/wireguard/wg0_public.key
  • sudo vi /etc/wireguard/wg0.conf
  • Add the following (10.8.0.1/24 is used here; pick any other network you choose, it will be your WireGuard private network):

    [Interface]
    Address = 10.8.0.1/24
    SaveConfig = true
    PostUp = iptables -A FORWARD -i %i -j ACCEPT
    PostUp = iptables -A FORWARD -o %i -j ACCEPT
    PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT
    PostDown = iptables -D FORWARD -o %i -j ACCEPT
    PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
    ListenPort = 51820
    PrivateKey = <the contents of wg0_private.key>

  The FORWARD rules only matter once the kernel actually forwards packets (net.ipv4.ip_forward=1 via sysctl), and each client still needs a [Peer] entry on the server carrying its public key, its preshared key, and its tunnel address plus the LAN behind it in AllowedIPs. With SaveConfig = true, peers added at runtime with wg set are written back into wg0.conf when the interface is brought down.

Client setup

Assuming that you have Ubuntu installed, perform the following:
  • sudo apt-get update && sudo apt-get upgrade
  • sudo apt-get install wireguard
  • sudo wg genkey | sudo tee /etc/wireguard/wgcli_private.key
  • sudo cat /etc/wireguard/wgcli_private.key | sudo wg pubkey | sudo tee /etc/wireguard/wgcli_public.key
  • sudo wg genpsk | sudo tee /etc/wireguard/wgcli_preshared.key
  • sudo vi /etc/wireguard/wgcli.conf
  • Add the following:

    [Interface]
    PrivateKey = <the contents of /etc/wireguard/wgcli_private.key>
    Address = 10.8.0.2/32

    [Peer]
    PublicKey = <the contents of /etc/wireguard/wg0_public.key>
    PresharedKey = <the contents of /etc/wireguard/wgcli_preshared.key>
    AllowedIPs = 10.8.0.0/24, 192.168.180.0/24, 192.168.110.0/24
    Endpoint = <public IP or FQDN of your server>:51820
    PersistentKeepalive = 15

  AllowedIPs is what makes this a split tunnel: only the WireGuard network and the two private LANs are routed through the tunnel, and everything else keeps using the client's normal default route. The preshared key is generated on the client, so the same value has to be copied into the server's [Peer] entry for this client, and PersistentKeepalive keeps the CGNAT mapping open so the server can reach the client between packets.
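As an added example (not part of the original post), a small Python checker for a client config like the one above: it parses the wg-quick file, confirms the AllowedIPs list is a split tunnel (no 0.0.0.0/0), that the interface Address falls inside a routed prefix, that PersistentKeepalive is set for a peer behind CGNAT, and derives the AllowedIPs that the server's [Peer] entry for this client needs. The sample config is constructed, and the assumption that 192.168.180.0/24 is the LAN behind this particular client is mine; the post does not say which LAN sits behind which client.

```python
"""Sanity-check a wg-quick client config for split-tunnel routing (added example)."""
import ipaddress
import re
# Constructed sample mirroring the client config in this post; the keys are placeholders.
CLIENT_CONF = """[Interface]
PrivateKey = <contents of wgcli_private.key>
Address = 10.8.0.2/32
[Peer]
PublicKey = <contents of wg0_public.key>
PresharedKey = <contents of wgcli_preshared.key>
AllowedIPs = 10.8.0.0/24, 192.168.180.0/24, 192.168.110.0/24
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 15
"""

def parse_wg_conf(text: str) -> list:
    """Parse INI-style wg-quick text into one dict per [Section]; '#' comments are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if match := re.fullmatch(r"\[(\w+)\]", line):
            sections.append({"_section": match.group(1)})
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][key] = value
    return sections

def check_split_tunnel(text: str) -> dict:
    """Return the prefixes routed into the tunnel plus findings that would break a split tunnel."""
    secs = parse_wg_conf(text)
    iface = next(s for s in secs if s["_section"] == "Interface")
    addr = ipaddress.ip_interface(iface["Address"])
    routed, findings = [], []
    for peer in (s for s in secs if s["_section"] == "Peer"):
        nets = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
        routed.extend(nets)
        if any(n.prefixlen == 0 for n in nets):  # 0.0.0.0/0 or ::/0 means a full tunnel
            findings.append("AllowedIPs contains a default route: full tunnel, not split")
        if "Endpoint" in peer and "PersistentKeepalive" not in peer:
            findings.append("no PersistentKeepalive: CGNAT mapping will expire between packets")
    if not any(addr.ip in n for n in routed):
        findings.append("Address not covered by any AllowedIPs: other tunnel peers unreachable")
    return {"routed": [str(n) for n in routed], "findings": findings}

def server_peer_allowed_ips(client_conf: str, lan_behind_client: str) -> str:
    """AllowedIPs the server's [Peer] entry for this client needs: its /32 plus the LAN behind it (assumed)."""
    iface = next(s for s in parse_wg_conf(client_conf) if s["_section"] == "Interface")
    tunnel_ip = ipaddress.ip_interface(iface["Address"]).ip
    return f"{tunnel_ip}/32, {ipaddress.ip_network(lan_behind_client)}"
```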