WireGuard Site-To-Site

About

This is a configuration example of a WireGuard tunnel in a Site-To-Site scenario. In this setup, two separate networks are securely connected over an untrusted network using WireGuard VPN. The configuration demonstrates how to establish a fast, secure, and efficient communication channel between the sites.

Introduction

WireGuard provides a modern and simple approach to Site-To-Site VPN connectivity. Unlike traditional VPN solutions, WireGuard uses cryptokey routing: a peer is identified by its public key, and the allowed IP addresses bound to that key decide both which traffic is encrypted to the peer and which decrypted traffic is accepted from it. This creates a secure overlay network with minimal configuration complexity.

                            .--.-.
                           ( (    )__
                          (_,  \ ) ,_)  Internet/Public Network
                            '-'--`--'
                             |    |
          .------------------'    '--------------------.
          |                                            |
          |Public IP:                                  |Public IP:
          |172.16.1.1:51820                            |172.16.1.2:51820
          |Tunnel IP:                                  |Tunnel IP:
          |10.0.0.1                                    |10.0.0.2
      .---+----.                                   .---+----.
      |  Alice |        WireGuard Tunnel           |  Bob   |
      |  GW-1  |===================================|  GW-2  |
      |  wg1   |                                   |  wg1   |
      '---+----'                                   '---+----'
          |.1   (Site A)             (Site B)          |.1
          |     192.168.1.0/24       192.168.2.0/24    |
---+------+---+-------------        ---+----------+----+----
   |          |                        |          |
   |.11       |.5                      |.11       |.5
 .-+--.     .-+--.                   .-+--.     .-+--.
 | H1 |     | H2 |                   | H3 |     | H4 |
 '----'     '----'                   '----'     '----'

Figure 1: Site-To-Site tunnel using WireGuard.

In Figure 1, Alice and Bob each configure a WireGuard interface (wg1) with their own private/public key pair. They exchange public keys over a trusted channel and configure each other as peers. The tunnel IP addresses (10.0.0.1 and 10.0.0.2) are used for direct communication between the gateways, while the allowed IPs bound to each peer route the site networks (192.168.1.0/24 and 192.168.2.0/24) through the tunnel and define which source addresses are accepted from that peer.

Prerequisites

Before configuring the tunnel, each site needs:

  1. A public IP address or hostname (172.16.1.1 for Alice, 172.16.1.2 for Bob)
  2. UDP port 51820 accessible through any firewalls
  3. Generated WireGuard key pairs (private and public keys)

Key Generation

Generate the key pairs and the preshared key on a trusted host using the wg command-line tool. Set a restrictive umask first so the files holding the secrets are not world-readable:

$> umask 077
$> wg genkey | tee privatekey | wg pubkey > publickey
$> wg genpsk > presharedkey
Private, Alice: OCGibrbxiumJsgHpQLb+oEl/KctdfkNVnV+sdn+ty3s=
Public, Alice: IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU=
Private, Bob: EG8gc5SWzHqwwdmUWQm9xFb4tGd+1Uwm1Po9RjvHRko=
Public, Bob: wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY=
Preshared key: kHvZAEfyOj4B5Qs/z/hUwHMurmJeE1UQtXedKDEeDno=

Note: The keys shown above are examples and are now public; never use them. Always generate your own unique keys, one pair per gateway, and only ever transfer the public key (and, if used, the preshared key) to the other site.
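The key pair is the whole identity of a gateway, so it is worth being able to confirm, before configuring anything, that a private key really belongs to the public key handed to the other site. The following is an added example, not part of the original HowTo or of any vendor CLI: it reimplements X25519 from RFC 7748 in pure Python so the check runs offline without the wg binary. It is written for clarity, not constant time, and is meant for checking keys on an administrator's workstation, never for use inside a protocol implementation. The RFC 7748 section 6.1 vectors serve as its self-test; the HowTo's own example keys are only fed through the checker.

```python
"""Derive and sanity-check WireGuard keys (X25519, RFC 7748) in pure Python.

Added example: not code from the HowTo or from the WireGuard project. Not
constant-time; use it only to check keys offline, never inside a protocol.
"""
import base64

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4, Montgomery ladder constant
BASE_POINT_U = 9       # generator u-coordinate used by X25519


def b64(raw: bytes) -> str:
    """WireGuard key encoding: 32 raw bytes as 44 base64 characters."""
    return base64.b64encode(raw).decode()


def decode_key(key_b64: str) -> bytes:
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return raw


def clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear bits 0-2 and 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def is_clamped(k: bytes) -> bool:
    """True if the clamping bits are already set, as `wg genkey` output always is."""
    return len(k) == 32 and k[0] & 7 == 0 and k[31] & 128 == 0 and k[31] & 64 == 64


def decode_u(point: bytes) -> int:
    """u-coordinate decoding: little-endian, top bit of the last byte ignored."""
    b = bytearray(point)
    b[31] &= 127
    return int.from_bytes(b, "little")


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder (RFC 7748 section 5): u-coordinate of scalar * point(u)."""
    x1 = u % P
    x2, z2 = 1, 0
    x3, z3 = x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P     # x2 / z2 via Fermat inverse


def pubkey_from_private(private_b64: str) -> str:
    """Public key = X25519(private, 9), which is what `wg pubkey` computes."""
    scalar = clamp(decode_key(private_b64))
    return b64(x25519(scalar, BASE_POINT_U).to_bytes(32, "little"))


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Static-static DH the handshake performs: both sides obtain the same 32 bytes."""
    scalar = clamp(decode_key(private_b64))
    return x25519(scalar, decode_u(decode_key(peer_public_b64))).to_bytes(32, "little")


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    return pubkey_from_private(private_b64) == public_b64


# RFC 7748 section 6.1 test vectors (hex in the RFC, base64 here).
RFC_ALICE_PRIV = b64(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"))
RFC_ALICE_PUB = b64(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"))
RFC_BOB_PRIV = b64(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"))
RFC_BOB_PUB = b64(bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"))
RFC_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Example keys from the HowTo above, used only as input to the checker.
HOWTO_ALICE_PRIV = "OCGibrbxiumJsgHpQLb+oEl/KctdfkNVnV+sdn+ty3s="
HOWTO_ALICE_PUB = "IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU="

if __name__ == "__main__":
    assert pubkey_from_private(RFC_ALICE_PRIV) == RFC_ALICE_PUB
    assert shared_secret(RFC_ALICE_PRIV, RFC_BOB_PUB) == shared_secret(RFC_BOB_PRIV, RFC_ALICE_PUB) == RFC_SHARED
    print("HowTo private key carries wg genkey clamping:", is_clamped(decode_key(HOWTO_ALICE_PRIV)))
    print("HowTo Alice key pair consistent:", keypair_matches(HOWTO_ALICE_PRIV, HOWTO_ALICE_PUB))
```

Run it with the private key from a gateway's configuration and the public key the other site has on file; a False from keypair_matches is the "No Handshake" case in the Troubleshooting section before any packet has been sent.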

Alice Setup (Site A)

Configure Alice’s WireGuard tunnel instance:

alice:/#> config
alice:/config/#> tunnel
alice:/config/tunnel/#> wireguard 1
alice:/config/tunnel/wireguard-1/#> description "Site-A-to-Site-B"
alice:/config/tunnel/wireguard-1/#> private-key OCGibrbxiumJsgHpQLb+oEl/KctdfkNVnV+sdn+ty3s=
alice:/config/tunnel/wireguard-1/#> listen-port 51820

alice:/config/tunnel/wireguard-1/#> peer 1
alice:/config/tunnel/wireguard-1/peer-1/#> public-key wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY=
alice:/config/tunnel/wireguard-1/peer-1/#> endpoint 172.16.1.2
alice:/config/tunnel/wireguard-1/peer-1/#> listen-port 51820
alice:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 10.0.0.2/32
alice:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 192.168.2.0/24
alice:/config/tunnel/wireguard-1/peer-1/#> persistent-keepalive 25
alice:/config/tunnel/wireguard-1/peer-1/#> end
alice:/config/tunnel/wireguard-1/#> end
alice:/config/tunnel/#> end

Set the tunnel IP on Alice’s WireGuard interface, then leave to activate the configuration:

alice:/config/#> iface wg1
alice:/config/iface-wg1/#> inet static 10.0.0.1/24
alice:/config/iface-wg1/inet-static-10.0.0.1/#> leave

Bob Setup (Site B)

Configure Bob’s WireGuard tunnel instance:

bob:/#> config
bob:/config/#> tunnel
bob:/config/tunnel/#> wireguard 1
bob:/config/tunnel/wireguard-1/#> description "Site-B-to-Site-A"
bob:/config/tunnel/wireguard-1/#> private-key EG8gc5SWzHqwwdmUWQm9xFb4tGd+1Uwm1Po9RjvHRko=
bob:/config/tunnel/wireguard-1/#> listen-port 51820

bob:/config/tunnel/wireguard-1/#> peer 1
bob:/config/tunnel/wireguard-1/peer-1/#> public-key IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU=
bob:/config/tunnel/wireguard-1/peer-1/#> endpoint 172.16.1.1
bob:/config/tunnel/wireguard-1/peer-1/#> listen-port 51820
bob:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 10.0.0.1/32
bob:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 192.168.1.0/24
bob:/config/tunnel/wireguard-1/peer-1/#> persistent-keepalive 25
bob:/config/tunnel/wireguard-1/peer-1/#> end
bob:/config/tunnel/wireguard-1/#> end
bob:/config/tunnel/#> end

Set the tunnel IP on Bob’s WireGuard interface, then leave to activate the configuration:

bob:/config/#> iface wg1
bob:/config/iface-wg1/#> inet static 10.0.0.2/24
bob:/config/iface-wg1/inet-static-10.0.0.2/#> leave

Configuration Explanation

Private Key: The gateway’s long-term Curve25519 private key. It is the gateway’s identity: the public key derived from it is what the remote site trusts, and the handshake only completes for the holder of the matching private key. It never leaves the device and is never sent on the wire.

Listen Port: The UDP port the gateway receives WireGuard packets on, 51820 by default. Must be reachable from the remote endpoint through any firewalls on the path.

Address: The IP address assigned to the wg1 interface with inet static. It is only used for gateway-to-gateway traffic such as the ping test below; WireGuard itself identifies peers by key, not by this address.

Peer Public Key: The public key of the remote gateway. It both identifies and authenticates the peer, so it must be obtained over a trusted channel. A wrong key results in a silently failing handshake, not an error message.

Endpoint: The remote gateway’s public IP address and port. Strictly, only the side that initiates needs it, since WireGuard learns a peer’s address from its last authenticated packet (roaming). In a Site-To-Site setup both gateways have fixed addresses, so configure it on both; either side can then bring the tunnel up.

Allowed IPs: The cryptokey routing table for this peer. It works in both directions:

  • 10.0.0.X/32: the remote gateway’s tunnel IP
  • 192.168.X.0/24: the remote site’s network

Outgoing packets whose destination matches one of these prefixes are encrypted to this peer; incoming packets decrypted from this peer are accepted only if their source address lies within the same prefixes, and are dropped otherwise. Allowed IPs are therefore an anti-spoofing filter as well as a route.

Persistent Keepalive: Sends an encrypted keepalive every 25 seconds so NAT bindings and stateful-firewall entries along the path do not time out. Essential when a peer sits behind NAT or a stateful firewall; with both gateways on public addresses it is optional, but it keeps the handshake fresh, which makes monitoring easier.

Verification

Check the tunnel status on Alice:

alice:/#> show tunnel wireguard

 WireGuard Tunnels 
Iface  Public Key                                     Listen Port   
wg1    IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU=   51820         

 WireGuard Peers 
Iface  Public Key                                     Endpoint                
wg1    wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY=   172.16.1.2:51820 

View detailed information for a specific interface:

alice:/#> show tunnel wireguard wg1
Iface      : wg1
Public key : IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU=
Listen port: 51820

Peer                : wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY=
Endpoint            : 172.16.1.2:51820
Latest handshake    : 72 seconds
Persistent keepalive: 25 seconds
Rx bytes            : 1372
Tx bytes            : 1460

 Allowed IPs 
CIDR                
10.0.0.2/32         
192.168.2.0/24

Key indicators of a healthy tunnel:

  • Latest Handshake: Should be recent. A busy tunnel (keepalives count as traffic) re-handshakes every 120 seconds, and a session is abandoned 180 seconds after its handshake, so an age beyond about three minutes means the tunnel is down
  • Rx/Tx bytes: Both counters should increase over time when hosts communicate; Tx growing while Rx stays flat points at the remote side dropping what it receives, typically an allowed-ip mismatch
  • Endpoint: Should show the remote peer’s address and port
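Those indicators are easy to check by eye once, but a site-to-site tunnel should be watched continuously. The following added example (not a vendor tool and not part of the original HowTo) parses the per-peer block of the show tunnel wireguard wg1 output above and turns the indicators into findings, using WireGuard’s own protocol timers as thresholds: a session is rekeyed after 120 seconds while traffic flows and is no longer usable 180 seconds after its handshake. The sample text it runs on is constructed in the format of the output shown above.

```python
"""Health check for the `show tunnel wireguard <iface>` output shown above.

Added example, not a vendor tool or part of the HowTo. Thresholds are the
WireGuard protocol constants REKEY_AFTER_TIME and REJECT_AFTER_TIME.
"""
import re
from typing import Dict, List, Optional

REKEY_AFTER_TIME = 120    # seconds: a busy tunnel re-handshakes at least this often
REJECT_AFTER_TIME = 180   # seconds: after this a session's keys are no longer used

# Constructed sample in the format of the HowTo's `show tunnel wireguard wg1`.
SAMPLE_OUTPUT = """\
Iface      : wg1
Public key : IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU=
Listen port: 51820

Peer                : wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY=
Endpoint            : 172.16.1.2:51820
Latest handshake    : 72 seconds
Persistent keepalive: 25 seconds
Rx bytes            : 1372
Tx bytes            : 1460
"""

_UNIT = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age(value: str) -> Optional[int]:
    """'72 seconds' -> 72, '2 minutes, 5 seconds' -> 125, '(none)' -> None."""
    if not value or value.strip().lower() in ("(none)", "none", "never"):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)\s*(second|minute|hour|day)s?", value):
        total += int(num) * _UNIT[unit]
    return total


def parse_peers(text: str) -> List[Dict[str, str]]:
    """One dict per 'Peer' block; labels lower-cased with spaces as underscores."""
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        # Label up to the first colon, value after it ("Endpoint : a.b.c.d:port" keeps its port).
        m = re.match(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
        if not m:
            continue
        label, value = m.group(1).strip().lower(), m.group(2).strip()
        if label == "peer":
            current = {"public_key": value}
            peers.append(current)
        elif current is not None:          # interface-level lines before any Peer are skipped
            current[label.replace(" ", "_")] = value
    return peers


def assess(peer: Dict[str, str]) -> List[str]:
    """Findings for one peer; an empty list means the tunnel looks healthy."""
    findings: List[str] = []
    age = handshake_age(peer.get("latest_handshake", ""))
    if age is None:
        findings.append("no handshake yet: check keys, endpoint and UDP reachability")
    elif age > REJECT_AFTER_TIME:
        findings.append(f"handshake {age}s old exceeds {REJECT_AFTER_TIME}s: session keys expired, peer is down")
    elif age > REKEY_AFTER_TIME:
        findings.append(f"handshake {age}s old: no rekey within {REKEY_AFTER_TIME}s, tunnel is going idle")
    if peer.get("persistent_keepalive", "off").lower().startswith("off"):
        findings.append("persistent keepalive off: NAT/firewall state may expire between packets")
    if int(peer.get("rx_bytes", "0")) == 0:
        findings.append("no bytes received: remote side never sent anything (check its allowed-ips)")
    if not peer.get("endpoint"):
        findings.append("no endpoint known: peer has never been reached")
    return findings


def check(text: str) -> Dict[str, List[str]]:
    """Map each peer public key in the output to its findings."""
    return {p["public_key"]: assess(p) for p in parse_peers(text)}


if __name__ == "__main__":
    for key, findings in check(SAMPLE_OUTPUT).items():
        print(key[:12] + "...", "healthy" if not findings else "; ".join(findings))
```

Feed it the captured output of the show command from a cron job or a monitoring agent and alert on any non-empty findings list; the first finding in the stale case is exactly the "No Handshake" situation handled in the Troubleshooting section.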

Testing Connectivity

Test connectivity between the sites:

alice:/#> ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=3.92 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.817 ms
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss

Test access to Site B’s network:

alice:/#> ping 192.168.2.5
PING 192.168.2.5 (192.168.2.5) 56(84) bytes of data.
64 bytes from 192.168.2.5: icmp_seq=1 ttl=63 time=2.15 ms
64 bytes from 192.168.2.5: icmp_seq=2 ttl=63 time=0.783 ms
--- 192.168.2.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss

Troubleshooting

No Handshake

If the latest handshake shows “(none)” or is very old:

  1. Verify that each peer has the other side’s public key configured exactly (a mismatch fails silently: WireGuard never answers a handshake from a key it does not know)
  2. Check that the endpoint addresses and ports are correct and reachable
  3. Ensure UDP port 51820 is not blocked by firewalls on either gateway or along the path
  4. Verify that each private key is configured on its own gateway and matches the public key given to the other side
  5. If keys and reachability check out, make sure the initiating gateway’s clock has not jumped backwards since the last successful handshake: the responder rejects handshake initiations whose timestamp is older than the last one it accepted from that peer

Traffic Not Flowing

If handshake succeeds but traffic doesn’t flow:

  1. Verify the allowed-ip configuration on both sides. Each side must list the remote tunnel IP and the remote site network:
       • Alice should allow 10.0.0.2/32 and 192.168.2.0/24
       • Bob should allow 10.0.0.1/32 and 192.168.1.0/24
     A missing entry on the receiving side is the classic symptom: the gateways can ping each other, but packets from the LAN hosts are decrypted and then dropped because their source address is not allowed for that peer
  2. Check routing tables on both gateways: the remote network must be routed via wg1, and the LAN hosts must use their gateway as the route to the remote site
  3. Verify that IP forwarding is enabled on both gateways
  4. Check firewall rules, on the gateways and on the LAN hosts, for the site-to-site traffic
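The two uses of allowed IPs described in Configuration Explanation (route on the way out, source filter on the way in) and the misconfiguration above are easiest to understand by walking a packet through both gateways. The following added example, not code from the HowTo or from WireGuard, models cryptokey routing for the Alice/Bob tunnel with the public keys and prefixes from this page. Peer and interface names such as "alice/wg1" and the build() helper are this example's own. It shows that with Bob’s 192.168.1.0/24 entry missing, the gateway ping still succeeds while H2 to H4 traffic is dropped at Bob, and that a peer cannot inject packets with source addresses outside its allowed IPs.

```python
"""Model of WireGuard cryptokey routing for the Alice/Bob tunnel above.

Added example, not code from the HowTo or from WireGuard. It reproduces the two
decisions an interface makes from its allowed-ip table:

  egress  - which peer encrypts a packet to a destination (longest-prefix match
            over every peer's allowed-ips; no match means the packet is dropped)
  ingress - whether a decrypted packet is accepted: its inner *source* address
            must lie inside the sending peer's allowed-ips, otherwise it is dropped
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ALICE_PUB = "IWhTmzGIFNQOb9kGBVnuKaVQzamEhnyJkcPesrsGewU="   # from the HowTo
BOB_PUB = "wq0ouxXud1N0X3rYUEOTY2uWwmFA6YpFLo/PKPud9jY="     # from the HowTo


@dataclass
class Peer:
    name: str
    public_key: str
    allowed_ips: List[IPv4Network]


@dataclass
class WgInterface:
    name: str
    public_key: str
    peers: List[Peer]

    def egress_peer(self, dst: str) -> Optional[Peer]:
        """Longest-prefix match across all peers; None means 'no peer has allowed IP'."""
        addr = ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def peer_for_key(self, public_key: str) -> Optional[Peer]:
        """The sender is identified by the key the packet was encrypted under."""
        return next((p for p in self.peers if p.public_key == public_key), None)

    def ingress_accepts(self, peer: Peer, inner_src: str) -> bool:
        """A decrypted packet survives only if its source belongs to that peer."""
        addr = ip_address(inner_src)
        return any(addr in net for net in peer.allowed_ips)


def deliver(sender: WgInterface, receiver: WgInterface, src: str, dst: str) -> str:
    """Trace one packet from `sender` to `receiver` and report where it ends up."""
    out = sender.egress_peer(dst)
    if out is None:
        return f"dropped at {sender.name}: no peer has allowed-ip for {dst}"
    entry = receiver.peer_for_key(sender.public_key)
    if entry is None:
        return f"dropped at {receiver.name}: unknown peer key (no handshake possible)"
    if not receiver.ingress_accepts(entry, src):
        return f"dropped at {receiver.name}: inner source {src} not in allowed-ips of peer {entry.name}"
    return f"delivered to {receiver.name}: {src} -> {dst} via peer {out.name}"


def nets(*cidrs: str) -> List[IPv4Network]:
    return [ip_network(c) for c in cidrs]


def build(bob_allows_site_a: bool = True):
    """The HowTo's configuration; bob_allows_site_a=False is the broken variant."""
    alice = WgInterface("alice/wg1", ALICE_PUB,
                        [Peer("bob", BOB_PUB, nets("10.0.0.2/32", "192.168.2.0/24"))])
    bob_allowed = ["10.0.0.1/32"] + (["192.168.1.0/24"] if bob_allows_site_a else [])
    bob = WgInterface("bob/wg1", BOB_PUB, [Peer("alice", ALICE_PUB, nets(*bob_allowed))])
    return alice, bob


if __name__ == "__main__":
    alice, bob = build()
    print(deliver(alice, bob, "10.0.0.1", "10.0.0.2"))          # gateway ping: delivered
    print(deliver(alice, bob, "192.168.1.5", "192.168.2.5"))    # H2 -> H4: delivered
    print(deliver(bob, alice, "192.168.1.7", "192.168.1.11"))   # Bob spoofing Site A: dropped at alice
    print(deliver(alice, bob, "192.168.1.5", "10.3.0.1"))       # unknown destination: dropped at alice

    alice, bob = build(bob_allows_site_a=False)
    print(deliver(alice, bob, "10.0.0.1", "10.0.0.2"))          # still delivered: the misleading symptom
    print(deliver(alice, bob, "192.168.1.5", "192.168.2.5"))    # dropped at bob: inner source not allowed
```

The last two lines are the situation in step 1 above: the handshake and the gateway ping work, so the fault is invisible in show tunnel wireguard, yet every packet from a Site A host dies on Bob’s ingress check.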

Connection Drops

If the connection drops frequently:

  1. Ensure persistent-keepalive is configured (25 seconds recommended)
  2. Check for network stability issues
  3. Verify that no aggressive firewall timeouts are interfering

Advanced Configuration

Using Preshared Keys for Additional Security

Add a preshared key for post-quantum resistance. The preshared key is mixed into the handshake’s key derivation in addition to the Curve25519 exchange, so an attacker who records the traffic today and breaks Curve25519 later (for example with a quantum computer) still cannot recover the session keys without it:

alice:/config/tunnel/wireguard-1/peer-1/#> preshared-key kHvZAEfyOj4B5Qs/z/hUwHMurmJeE1UQtXedKDEeDno=

Both peers must configure the identical preshared key on the peer entry that points at the other side (here peer 1 on both Alice and Bob). Distribute it out of band, never across the untrusted network before the tunnel is up, and rotate it when rotating the key pairs.

Multiple Site Networks

To allow access to multiple networks at Site B, add more allowed-ip entries on Alice’s peer entry for Bob:

alice:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 10.2.0.0/24
alice:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 10.3.0.0/24
alice:/config/tunnel/wireguard-1/peer-1/#> allowed-ip 10.4.0.0/24

Bob’s peer entry for Alice needs no change for this as long as the traffic from Site A still originates in 192.168.1.0/24 or from 10.0.0.1: the return path is decided by the source network, which Bob already allows. Bob does need to have these networks attached or routed, and any additional Site A networks must be added to Bob’s allowed-ip list in the same way. A given prefix can belong to only one peer on an interface; where prefixes of different length overlap, the most specific one wins.

Security Considerations

  1. Key Protection: Never expose private keys. Each private key exists only on its own gateway; the other side only ever needs the public key. Treat configuration backups that contain a private key as secrets.
  2. Firewall Rules: Limit access to UDP port 51820 to the peer’s public IP address if possible. Also filter the decrypted traffic on wg1: WireGuard authenticates the remote gateway, not the hosts behind it, so a compromised host at Site B reaches Site A unless the gateway firewall restricts it.
  3. Regular Monitoring: Check handshake times regularly to ensure connectivity and to notice a peer that has gone silent.
  4. Key Rotation: Consider rotating keys periodically. WireGuard has no built-in rotation: generate a new pair, install the new public key on the remote peer and the new private key locally, and expect a short outage while both sides switch.
  5. Allowed IPs: Use specific network ranges rather than 0.0.0.0/0 so that only the intended networks are routed through, and accepted from, each peer.

Summary

This HowTo demonstrated:

  • Generating WireGuard keys for both sites
  • Configuring WireGuard interfaces with tunnel IPs
  • Setting up peers with public keys and endpoints
  • Configuring allowed IPs for site-to-site routing
  • Enabling persistent keepalive for NAT traversal
  • Verifying tunnel status and testing connectivity

For more details on WireGuard configuration options, see the WireGuard Guide.