WireGuard Site-to-Site VPN Configuration Example¶
This recipe explains how to set up a VPN tunnel between two firewalls using WireGuard.
This example is a minimal configuration; more complicated scenarios are possible, see WireGuard for details.
Required Information¶
General Values

Item | Value
---|---
Design | Site-to-Site, one peer per tunnel
Tunnel Subnet | 10.15.210.0/24

HQ:

Item | Value
---|---
WAN IP Address | 198.51.100.15
Tunnel Address | 10.15.210.1/24
Listen Port | 51820
LAN Subnet | 10.15.0.0/24

Satellite Office:

Item | Value
---|---
WAN IP Address | 198.51.100.23
Tunnel Address | 10.15.210.2/24
Listen Port | 51820
LAN Subnet | 10.23.0.0/24
Tunnel Configuration¶
First create the WireGuard tunnel on both sites:
Navigate to VPN > WireGuard
Click Add Tunnel
Fill in the options using the information determined earlier, with variations noted for each site:
- Enabled: Checked
- HQ Settings
  - Description: Satellite Office VPN
  - Address: 10.15.210.1/24
- Satellite Office Settings
  - Description: HQ VPN
  - Address: 10.15.210.2/24
- Listen Port: 51820
- Interface Keys: Click Generate to create a new set of keys.
Copy the public key from each firewall and note which is which.
Click Save
Peer Configuration¶
The peer entry for the remote site is added while editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.
Edit the tunnel:
Navigate to VPN > WireGuard
Locate the WireGuard tunnel created earlier for this site-to-site VPN
Click the edit icon at the end of the row for the tunnel
From the tunnel editing page, add a peer:
Click Add Peer
Fill in the options using the information determined earlier:
- HQ Settings
  - Description: Satellite Office Peer
  - Endpoint: 198.51.100.23 (the WAN IP address of the Satellite Office)
  - Endpoint Port: 51820
  - Public Key: The public key from the Satellite Office firewall
  - Allowed IPs: 10.15.210.2/32, 10.23.0.0/24 (Satellite Office tunnel address and LAN)
  - Peer WireGuard Address: 10.15.210.2 (Satellite Office tunnel address)
- Satellite Office Settings
  - Description: HQ VPN Peer
  - Endpoint: 198.51.100.15 (the WAN IP address of HQ)
  - Endpoint Port: 51820
  - Public Key: The public key from the HQ firewall
  - Allowed IPs: 10.15.210.1/32, 10.15.0.0/24 (HQ tunnel address and LAN)
  - Peer WireGuard Address: 10.15.210.1 (HQ tunnel address)
Click Update
Click Save
Assign Interface¶
These steps should be done on both sites.
First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:
Navigate to System > Routing
Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group
Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic
Click Save
Click Apply Changes
Next, assign the interface so the automatic gateway can be used for policy routing (Assign a WireGuard Interface).
Navigate to Interfaces > Assignments
Select the appropriate wg<number> interface in the Available network ports list
Click Add to assign the interface as a new OPT interface (e.g. OPT1)
Navigate to the interface configuration page, Interfaces > OPTx
Check Enable
Enter an appropriate Description which will become the interface name (e.g. VPN_HQ or VPN_Satellite)
Click Save
Click Apply Changes
Firewall Rules¶
First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:
Navigate to Firewall > Rules, WAN tab
Click Add to create a new firewall rule at the top of the list so that it matches before other rules
Configure the firewall rule as follows:
- Action: Pass
- Protocol: UDP
- Source: This can typically be left at Any, but it is more secure to fill in the WAN IP address of the opposing firewall.
- Destination: WAN Address
- Destination Port Range: (other), 51820
- Description: Pass traffic to WireGuard
Click Save
Click Apply Changes
Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:
Navigate to Firewall > Rules
Click the tab for the assigned WireGuard interface (e.g. VPN_Satellite or VPN_HQ)
Click Add to add a new rule to the top of the list
Use the following settings:
- Action: Pass
- Protocol: Any
- Source: any
- Destination: any
- Description: Pass VPN traffic from WireGuard peers

Note: This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.
Click Save
Click Apply Changes
Routing¶
Since the networks for the peers were entered in the Allowed IPs field, the firewall will automatically handle setting up routes to the peer, so no additional routing work should be needed.
See also
As an alternative to static routing in this way, dynamic routing protocols can also work with WireGuard. See WireGuard Routing for more information.
The interface assignment also creates an automatic gateway which can be used for policy routing if needed.
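As an added example that is not part of this recipe or the pfSense documentation, the Python below renders the wg-quick style text equivalent to the tunnel and peer entries configured above and cross-checks the two sites (same tunnel subnet, no LAN overlap) and what the Allowed IPs route through the tunnel. The `Site` class, the placeholder keys and the sample sites are my own; the addresses are the ones used in this recipe.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Site:
    name: str
    wan_ip: str       # public address the other site enters as Endpoint
    tunnel_addr: str  # tunnel address with prefix, e.g. 10.15.210.1/24
    lan: str          # LAN subnet behind this site
    listen_port: int = 51820
    public_key: str = "<PUBLIC_KEY_PLACEHOLDER>"  # placeholder, not a real key
    def allowed_ips(self):
        """What the other site must list as Allowed IPs for this site."""
        host = ipaddress.ip_interface(self.tunnel_addr).ip
        return [f"{host}/32", self.lan]

def render_conf(local, peer):
    """wg-quick style text equivalent to the GUI tunnel plus one peer entry."""
    return "\n".join([
        "[Interface]",
        f"Address = {local.tunnel_addr}",
        f"ListenPort = {local.listen_port}",
        "PrivateKey = <PRIVATE_KEY_PLACEHOLDER>",
        "\n[Peer]",
        f"PublicKey = {peer.public_key}",
        f"Endpoint = {peer.wan_ip}:{peer.listen_port}",
        f"AllowedIPs = {', '.join(peer.allowed_ips())}",
    ])

def check_pair(a, b):
    """Return mismatches between the two sites; an empty list means consistent."""
    problems = []
    tunnel = ipaddress.ip_interface(a.tunnel_addr).network
    if ipaddress.ip_interface(b.tunnel_addr).network != tunnel:
        problems.append("tunnel addresses are not in one subnet")
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    for site, lan in ((a, lan_a), (b, lan_b)):
        if lan.overlaps(tunnel):
            problems.append(f"{site.name} LAN overlaps the tunnel subnet")
    if lan_a.overlaps(lan_b):
        problems.append("the two LAN subnets overlap")
    return problems

def routed_via_tunnel(peer, dst):
    """True when dst is inside the peer's Allowed IPs (the automatic route)."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in peer.allowed_ips())

# Sample sites constructed from the values used on this page
HQ = Site("HQ", "198.51.100.15", "10.15.210.1/24", "10.15.0.0/24")
SATELLITE = Site("Satellite", "198.51.100.23", "10.15.210.2/24", "10.23.0.0/24")
```

`render_conf(HQ, SATELLITE)` shows HQ's side and `render_conf(SATELLITE, HQ)` the Satellite Office's; a destination that `routed_via_tunnel` rejects is one the firewall has no tunnel route for, which is the usual reason a site is reachable in one direction only.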
Finish Up¶
The configuration is now complete. The two sites should have full LAN-to-LAN connectivity.