WireGuard Site-to-Site VPN Configuration Example

This recipe explains how to setup a VPN tunnel between two firewalls using WireGuard.

This example is a minimal configuration, more complicated scenarios are possible, see WireGuard for details.

../_images/diagrams-wireguard-site-to-site.png

WireGuard Example Site-to-Site Network

Required Information

General Values

Item

Value

Design

Site-to-Site, one peer per tunnel

Tunnel Subnet

10.6.210.0/31

HQ:

Item

Value

WAN IP Address

198.51.100.15

Tunnel Address

10.6.210.0/31

Listen Port

51820

LAN Subnet

10.15.0.0/24

Satellite Office:

Item

Value

WAN IP Address

198.51.100.23

Tunnel Address

10.6.210.1/31

Listen Port

51820

LAN Subnet

10.23.0.0/24

WireGuard Configuration

  • Navigate to VPN > WireGuard > Settings

  • Fill in the following options:

    Enable:

    Checked

    Interface Group Membership:

    Only Unassigned Tunnels

  • Click Save

Tip

When allowing inbound connections from arbitrary remote networks, use rules only on assigned WireGuard interface tabs only to ensure proper return routing.

Note

Rules on assigned WireGuard interface tabs get reply-to which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without that, return traffic will follow the default gateway.

Tunnel Configuration

First create the WireGuard tunnel on both sites:

  • Navigate to VPN > WireGuard > Tunnels

  • Click fa-plus Add Tunnel

  • Fill in the options using the information determined earlier, with variations noted for each site:

    Enabled:

    Checked

    HQ Settings:
    Description:

    Satellite Office VPN

    Satellite Office Settings:
    Description:

    HQ VPN

    Listen Port:

    51820

    Interface Keys:

    Click Generate to create a new set of keys.

  • Copy the public key from each firewall and note which is which

  • Click Save

Peer Configuration

The peer entry for the server can be added when editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.

Edit the tunnel:

  • Navigate to VPN > WireGuard > Tunnels

  • Locate the WireGuard tunnel for this VPN

  • Click fa-pencil at the end of the row for the tunnel

From the tunnel editing page, add a peer:

  • Click fa-plus Add Peer

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings:
    Description:

    Satellite Office Peer

    Dynamnic Endpoint:

    Unchecked

    Endpoint:

    198.51.100.23 (the WAN IP address of the Satellite Office)

    Endpoint Port:

    51820

    Public Key:

    The public key from the Satellite Office firewall

    Allowed IPs:

    10.6.210.0/31 and 10.23.0.0/24 (Tunnel network and Satellite Office LAN)

    Satellite Office Settings:
    Description:

    HQ VPN Peer

    Dynamnic Endpoint:

    Unchecked

    Endpoint:

    198.51.100.15 (the WAN IP address of HQ)

    Endpoint Port:

    51820

    Public Key:

    The public key from the HQ firewall

    Allowed IPs:

    10.6.210.0/31 and 10.15.0.0/24 (Tunnel network and HQ LAN)

  • Click Save Peer

Assign Interface

These steps should be done on both sites.

First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:

  • Navigate to System > Routing

  • Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group

  • Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic

  • Click Save

  • Click Apply Changes

Next, assign the interface (Assign a WireGuard Interface):

  • Navigate to Interfaces > Assignments

  • Select the appropriate tun_wg<number> interface in the Available network ports list

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. VPN_HQ or VPN_SATELLITE)

  • Configure an appropriate MTU value for the WireGuard interface (e.g. 1420 for IPv4+IPv6 or 1440 for IPv4 only).

    For details on calculating the correct MTU, see in Assign a WireGuard Interface.

  • Fill in the options for the HQ endpoint using the information determined earlier:

    IPv4 Configuration Type:

    Static IPV4

    IPv4 Address:

    10.6.210.0/31

    IPv4 Upstream Gateway:

    • Click Add a new gateway

    • Fill in the options:

      Gateway Name:

      WG_VPN_SAT_V4

      Gateway IPv4:

      10.6.210.1

    • Click fa-plus Add

  • Fill in the options for the Satellite Office endpoint using the information determined earlier:

    IPv4 Configuration Type:

    Static IPV4

    IPv4 Address:

    10.6.210.1/31

    IPv4 Upstream Gateway:

    • Click Add a new gateway

    • Fill in the options:

      Gateway Name:

      WG_VPN_HQ_V4

      Gateway IPv4:

      10.6.210.0

    • Click fa-plus Add

  • Click Save

  • Click Apply Changes

Firewall Rules

First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:

  • Navigate to Firewall > Rules, WAN tab

  • Click fa-turn-up Add to create a new firewall rule at the top of the list so that it matches before other rules

  • Configure the firewall rule as follows:

    Action:

    Pass

    Protocol:

    UDP

    Source:

    This can typically be left at Any, but it is more secure to fill in the IP address of the opposing firewall.

    Destination:

    WAN Address

    Destination Port Range:

    (other), 51820

    Description:

    Pass traffic to WireGuard

  • Click Save

  • Click Apply Changes

Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:

  • Navigate to Firewall > Rules

  • Click the tab for the assigned WireGuard interface (e.g. VPN_SATELLITE or VPN_HQ)

  • Click fa-turn-up Add to add a new rule to the top of the list

  • Use the following settings:

    Action:

    Pass

    Protocol:

    Any

    Source:

    any

    Destination:

    any

    Description:

    Pass VPN traffic from WireGuard peers

    Note

    This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.

  • Click Save

  • Click Apply Changes

Routing

Specific networks can be routed across the VPN by adding a static route for the network(s) under System > Routing on the Static Routes tab.

These steps should be done on both sites.

  • Navigate to System > Routing > Static Routes

  • Click Add

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings:
    Destinaton Network:

    10.23.0.0/24 (e.g. Satellite office LAN segment)

    Gateway:

    WG_VPN_SAT_V4

    Satellite Office Settings:
    Destinaton Network:

    10.15.0.0/24 (e.g. HQ LAN segment)

    Gateway:

    WG_VPN_HQ_V4

  • Click Save

  • Click Apply Changes

See also

As an alternative to static routing in this way, dynamic routing protocols can also work with WireGuard. See WireGuard Routing for more information.

Tip

These gateways can also be used for policy routing if needed.

Finish Up

The configuration is now complete! The two sites should now have full LAN-to-LAN connectivity.

See also