WireGuard Site-to-Site VPN Configuration Example¶

This recipe explains how to setup a VPN tunnel between two firewalls using WireGuard.

This example is a minimal configuration, more complicated scenarios are possible, see WireGuard for details.

../_images/diagrams-wireguard-site-to-site.png

WireGuard Example Site-to-Site Network¶

Required Information¶

General Values

Item	Value
Design	Site-to-Site, one peer per tunnel
Tunnel Subnet	`10.6.210.0/31`

HQ:

Item	Value
WAN IP Address	`198.51.100.15`
Tunnel Address	`10.6.210.0/31`
Listen Port	`51820`
LAN Subnet	`10.15.0.0/24`

Satellite Office:

Item	Value
WAN IP Address	`198.51.100.23`
Tunnel Address	`10.6.210.1/31`
Listen Port	`51820`
LAN Subnet	`10.23.0.0/24`

WireGuard Configuration¶

Navigate to VPN > WireGuard > Settings
Fill in the following options:

Enable

Checked

Interface Group Membership

Only Unassigned Tunnels
Click Save

Tip

When allowing inbound connections from arbitrary remote networks, use rules only on assigned WireGuard interface tabs only to ensure proper return routing.

Note

Rules on assigned WireGuard interface tabs get reply-to which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without that, return traffic will follow the default gateway.

Tunnel Configuration¶

First create the WireGuard tunnel on both sites:

Navigate to VPN > WireGuard > Tunnels
Click Add Tunnel
Fill in the options using the information determined earlier, with variations noted for each site:

Enabled

Checked

HQ Settings

Description

Satellite Office VPN

Satellite Office Settings

Description

HQ VPN

Listen Port

51820

Interface Keys

Click Generate to create a new set of keys.
Copy the public key from each firewall and note which is which
Click Save

Peer Configuration¶

The peer entry for the server can be added when editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.

Edit the tunnel:

Navigate to VPN > WireGuard > Tunnels
Locate the WireGuard tunnel for this VPN
Click at the end of the row for the tunnel

From the tunnel editing page, add a peer:

Click Add Peer
Fill in the options using the information determined earlier, with variations noted for each site:

HQ Settings

Description

Satellite Office Peer

Endpoint

198.51.100.23 (the WAN IP address of the Satellite Office)

Endpoint Port

51820

Public Key

The public key from the Satellite Office firewall

Allowed IPs

10.6.210.0/31 and 10.23.0.0/24 (Tunnel network and Satellite Office LAN)

Satellite Office Settings

Description

HQ VPN Peer

Endpoint

198.51.100.15 (the WAN IP address of HQ)

Endpoint Port

51820

Public Key

The public key from the HQ firewall

Allowed IPs

10.6.210.0/31 and 10.15.0.0/24 (Tunnel network and HQ LAN)
Click Save Peer

Assign Interface¶

These steps should be done on both sites.

First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:

Navigate to System > Routing
Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group
Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic
Click Save
Click Apply Changes

Next, assign the interface (Assign a WireGuard Interface):

Navigate to Interfaces > Assignments
Select the appropriate tun_wg<number> interface in the Available network ports list
Click Add to assign the interface as a new OPT interface (e.g. OPT1)
Navigate to the Interface configuration page, Interfaces > OPTx
Check Enable
Enter an appropriate Description which will become the interface name (e.g. VPN_HQ or VPN_SATELLITE)
Fill in the options for the HQ endpoint using the information determined earlier:
IPv4 Configuration Type

Static IPV4

IPv4 Address

10.6.210.0/31

IPv4 Upstream Gateway
- Click Add a new gateway
- Fill in the options:
  
  Gateway Name
  
  WG_VPN_SAT_V4
  
  Gateway IPv4
  
  10.6.210.1
- Click Add
Fill in the options for the Satellite Office endpoint using the information determined earlier:
IPv4 Configuration Type

Static IPV4

IPv4 Address

10.6.210.1/31

IPv4 Upstream Gateway
- Click Add a new gateway
- Fill in the options:
  
  Gateway Name
  
  WG_VPN_HQ_V4
  
  Gateway IPv4
  
  10.6.210.0
- Click Add
Click Save
Click Apply Changes

Firewall Rules¶

First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:

Navigate to Firewall > Rules, WAN tab
Click Add to create a new firewall rule at the top of the list so that it matches before other rules
Configure the firewall rule as follows:

Action

Pass

Protocol

UDP

Source

This can typically be left at Any, but it is more secure to fill in the IP address of the opposing firewall.

Destination

WAN Address

Destination Port Range

(other), 51820

Description

Pass traffic to WireGuard
Click Save
Click Apply Changes

Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:

Navigate to Firewall > Rules
Click the tab for the assigned WireGuard interface (e.g. VPN_SATELLITE or VPN_HQ)
Click Add to add a new rule to the top of the list
Use the following settings:

Action

Pass

Protocol

Any

Source

any

Destination

any

Description

Pass VPN traffic from WireGuard peers

Note

This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.
Click Save
Click Apply Changes

Routing¶

Specific networks can be routed across the VPN by adding a static route for the network(s) under System > Routing on the Static Routes tab.

These steps should be done on both sites.

Navigate to System > Routing > Static Routes
Click Add
Fill in the options using the information determined earlier, with variations noted for each site:

HQ Settings

Destinaton Network

10.23.0.0/24 (e.g. Satellite office LAN segment)

Gateway

WG_VPN_SAT_V4

Satellite Office Settings

Destinaton Network

10.15.0.0/24 (e.g. HQ LAN segment)

Gateway

WG_VPN_HQ_V4
Click Save
Click Apply Changes

Finish Up¶

The configuration is now complete! The two sites should now have full LAN-to-LAN connectivity.