Design Considerations¶
One of the main considerations when choosing a WireGuard implementation layout is whether to use one tunnel with many peers, or one tunnel per peer.
Routing to WireGuard Peers¶
WireGuard uses what it calls “Cryptokey Routing” to map traffic inside WireGuard to a specific peer which is then encrypted using the public key for that peer. In practice, this means that when multiple peers are defined on a WireGuard instance each peer instance must define the set of networks reachable through that peer. This can make managing networks and routes cumbersome when using a single instance with many peers for site-to-site connectivity.
When there is only one peer on a wireguard interface, it can instead assume that
the one peer is the correct destination for all traffic which crosses the
interface (e.g. Allowed Prefixes set to 0.0.0.0/0
or ::/0
). And in
that case, a routing protocol such as BGP or OSPF can manage the operating
system routing to the neighbor instead of static routes.
Due to the way WireGuard uses peer-to-peer non-broadcast interfaces in VPP,
WireGuard requires a special entry for each peer to locate neighbors on the VPN.
This can be either a special /32
prefix route or a tunnel next hop
configuration containing the peer address(es) to the appropriate WireGuard
interfaces and peer external addresses to find their adjacency. See
WireGuard Next Hops for details.
Design Style¶
Every WireGuard tunnel is a peer to peer connection, but there are different ways WireGuard can behave depending on whether or not a peer endpoint is known or defined on both sides:
- Site-to-Site:
Peer endpoint IP address and port filled in on both sides
Both peers can initiate traffic first
- Remote Access “Server”:
Remote peer knows the endpoint configuration
Local side does not contain endpoint configuration for the peer
Only remote peer can initiate traffic
- Remote Access “Client”:
Endpoint address and port filled in locally
Remote side does not contain endpoint configuration
Can initiate traffic to the peer
In each case, at least one peer must have a known endpoint address and port. Peers with unknown/dynamic addresses can roam to new addresses and/or ports. WireGuard will track and update their new location using the peer’s key data on the incoming packets.