WireGuard Site-to-Site Example

This example demonstrates how to configure a site-to-site WireGuard tunnel between two TNSR peers (R1 and R2) with a static route for LAN-to-LAN connectivity.

This site-to-site example uses static routing, but WireGuard can also work with dynamic routing protocols such as BGP and OSPF.

See also

BGP works with WireGuard without any special steps, so long as the peers are static and have Tunnel Endpoint Next Hop Entries configured.

OSPF requires special configuration steps to work with WireGuard. See WireGuard VPN with OSPF Dynamic Routing for a full walkthrough of configuring WireGuard and OSPF.

WireGuard can also act as a Remote Access VPN server for dynamic remote clients.

See also

See WireGuard VPN for Remote Access for a full walkthrough of configuring a remote access VPN using WireGuard.

Required Information

Generate Keys

Before starting, generate the necessary keys for both peers:

r1 $ wg genkey | tee r1.prv.key | wg pubkey > r1.pub.key
r1 $ cat r1.prv.key
IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
r1 $ cat r1.pub.key
K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
r2 $ wg genkey | tee r2.prv.key | wg pubkey > r2.pub.key
r2 $ cat r2.prv.key
EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=
r2 $ cat r2.pub.key
kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=

Settings Summary

The table Example WireGuard Configuration lists the Required Information along with the other settings that form the WireGuard tunnel in this example.

Example WireGuard Configuration

Item                 Value
-------------------  --------------------------------------------
R1 Address           203.0.113.2
R1 WG Private Key    IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
R1 WG Public Key     K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
R1 Local WG Port     51820
R1 Local Network     10.2.0.0/24
R1 WG Interface      10.2.111.1/30
R2 Address           203.0.113.25
R2 WG Private Key    EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=
R2 WG Public Key     kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
R2 Local WG Port     51820
R2 Local Network     10.25.0.0/24
R2 WG Interface      10.2.111.2/30

Example Configuration

The commands below are performed from the CLI on each TNSR instance (R1 and R2) from within config mode.

R1

First create the WireGuard instance on R1:

r1 tnsr(config)# interface wireguard 1
r1 tnsr(config-wireguard)# description WireGuard P2P - R1-R2
r1 tnsr(config-wireguard)# source-address 203.0.113.2
r1 tnsr(config-wireguard)# port 51820
r1 tnsr(config-wireguard)# private-key base64 IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=

When adding the peer entry, use values from R2:

r1 tnsr(config-wireguard)# peer 1
r1 tnsr(config-wireguard-peer)# description R2
r1 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.25
r1 tnsr(config-wireguard-peer)# port 51820

The allowed-prefix list for this peer includes the WireGuard interface address of R2 and the local network at R2:

r1 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.2/32
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.25.0.0/24

The public key in the peer is the public key of R2:

r1 tnsr(config-wireguard-peer)# public-key base64 kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
r1 tnsr(config-wireguard-peer)# exit
r1 tnsr(config-wireguard)# exit

Next configure the corresponding wg1 interface on R1:

r1 tnsr(config)# interface wg1
r1 tnsr(config-interface)# enable
r1 tnsr(config-interface)# description WireGuard P2P - R1-R2
r1 tnsr(config-interface)# ip address 10.2.111.1/30
r1 tnsr(config-interface)# exit

Enter the default IPv4 route table and add the static route to the peer on the WireGuard wg1 interface:

r1 tnsr(config)# route table ipv4-VRF:0
r1 tnsr(config-route-table)# route 10.2.111.2/32
r1 tnsr(config-rttbl4-next-hop)# next-hop 0 via 0.0.0.0 wg1
r1 tnsr(config-rttbl4-next-hop)# exit
r1 tnsr(config-route-table)# exit

Note

VPP requires this entry to set up and locate the adjacency on a non-broadcast interface like those used by WireGuard. For more information, see WireGuard Next Hops. If this peer will use dynamic routing protocols, consider Tunnel Endpoint Next Hop Entries instead of the route method.

Add another static route for the LAN at R2, using the R2 WireGuard interface address as the next hop:

r1 tnsr(config)# route table ipv4-VRF:0
r1 tnsr(config-route-table)# route 10.25.0.0/24
r1 tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.2.111.2
r1 tnsr(config-rttbl4-next-hop)# exit
r1 tnsr(config-route-table)# exit

R2

Moving over to R2, create the WireGuard instance there:

r2 tnsr(config)# interface wireguard 1
r2 tnsr(config-wireguard)# description WireGuard P2P - R2-R1
r2 tnsr(config-wireguard)# source-address 203.0.113.25
r2 tnsr(config-wireguard)# port 51820
r2 tnsr(config-wireguard)# private-key base64 EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=

When creating the peer entry, use values from R1:

r2 tnsr(config-wireguard)# peer 1
r2 tnsr(config-wireguard-peer)# description R1
r2 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.2
r2 tnsr(config-wireguard-peer)# port 51820
r2 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.1/32
r2 tnsr(config-wireguard-peer)# allowed-prefix 10.2.0.0/24
r2 tnsr(config-wireguard-peer)# public-key base64 K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
r2 tnsr(config-wireguard-peer)# exit
r2 tnsr(config-wireguard)# exit

Now configure the R2 wg1 interface:

r2 tnsr(config)# interface wg1
r2 tnsr(config-interface)# enable
r2 tnsr(config-interface)# description WireGuard P2P - R2-R1
r2 tnsr(config-interface)# ip address 10.2.111.2/30
r2 tnsr(config-interface)# exit

Enter the default IPv4 route table and add the static route to the R1 peer on the WireGuard wg1 interface:

r2 tnsr(config)# route table ipv4-VRF:0
r2 tnsr(config-route-table)# route 10.2.111.1/32
r2 tnsr(config-rttbl4-next-hop)# next-hop 0 via 0.0.0.0 wg1
r2 tnsr(config-rttbl4-next-hop)# exit
r2 tnsr(config-route-table)# exit

Finally, configure the static route to the R1 LAN, using the R1 WireGuard interface address as the next hop:

r2 tnsr(config)# route table ipv4-VRF:0
r2 tnsr(config-route-table)# route 10.2.0.0/24
r2 tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.2.111.1
r2 tnsr(config-rttbl4-next-hop)# exit
r2 tnsr(config-route-table)# exit
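The R1 and R2 procedures above are mirror images of each other, and the most common site-to-site failure is an asymmetry between them: a peer entry carrying the wrong public key, or an allowed-prefix list that omits the remote LAN so WireGuard's cryptokey routing silently drops the traffic. The following added example (not TNSR code and not part of this page's configuration) models both routers from the settings table, checks that the two sides agree before anything is typed in, shows how cryptokey routing selects a peer for a destination, and generates the config-mode commands for each side. The key lengths, the shared /30, and the LAN overlap checks are assumptions about what a sane design looks like; the generated commands follow the steps shown on this page, including the default IPv4 route table ipv4-VRF:0.

```python
import base64
import binascii
import ipaddress

# Settings copied from the example table on this page (R1 and R2).
R1 = {
    "name": "R1", "address": "203.0.113.2", "port": 51820,
    "private_key": "IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=",
    "public_key": "K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=",
    "lan": "10.2.0.0/24", "wg_interface": "10.2.111.1/30",
}
R2 = {
    "name": "R2", "address": "203.0.113.25", "port": 51820,
    "private_key": "EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=",
    "public_key": "kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=",
    "lan": "10.25.0.0/24", "wg_interface": "10.2.111.2/30",
}


def is_wg_key(value):
    """A WireGuard key is 32 bytes of base64; anything else is rejected."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def peer_allowed_prefixes(remote):
    """Allowed-prefix list the local peer entry needs for `remote`: the remote
    tunnel address as a host route plus the remote LAN. Destinations missing
    from this list are dropped by cryptokey routing, not routed elsewhere."""
    wg_ip = ipaddress.ip_interface(remote["wg_interface"]).ip
    return [f"{wg_ip}/32", remote["lan"]]


def check_pair(local, remote):
    """Return design problems for local's view of remote (empty == consistent).
    The checks are this example's assumptions about a sane two-site design."""
    problems = []
    for field in ("private_key", "public_key"):
        if not is_wg_key(local[field]):
            problems.append(f"{local['name']}: {field} is not a 32-byte key")
    if local["public_key"] == remote["public_key"]:
        problems.append("both peers present the same public key")
    l_if = ipaddress.ip_interface(local["wg_interface"])
    r_if = ipaddress.ip_interface(remote["wg_interface"])
    if l_if.network != r_if.network:
        problems.append(f"tunnel addresses {l_if} and {r_if} are not in one subnet")
    elif l_if.ip == r_if.ip:
        problems.append(f"both peers use tunnel address {l_if.ip}")
    l_lan = ipaddress.ip_network(local["lan"])
    r_lan = ipaddress.ip_network(remote["lan"])
    if l_lan.overlaps(r_lan):
        problems.append(f"LANs {l_lan} and {r_lan} overlap")
    if l_lan.overlaps(l_if.network) or r_lan.overlaps(l_if.network):
        problems.append(f"tunnel subnet {l_if.network} overlaps a LAN")
    return problems


def select_peer(dst, peers):
    """Cryptokey routing lookup: the peer whose allowed-prefix list holds the
    longest match for dst, or None (packet dropped) when no peer matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def render_tnsr(local, remote, instance=1):
    """Generate the config-mode commands for one router, following the steps
    on this page (instance number and route table name are the page's)."""
    wg_ip = ipaddress.ip_interface(remote["wg_interface"]).ip
    lines = [
        f"interface wireguard {instance}",
        f"description WireGuard P2P - {local['name']}-{remote['name']}",
        f"source-address {local['address']}", f"port {local['port']}",
        f"private-key base64 {local['private_key']}", "peer 1",
        f"description {remote['name']}", f"endpoint-address {remote['address']}",
        f"port {remote['port']}",
    ]
    lines += [f"allowed-prefix {p}" for p in peer_allowed_prefixes(remote)]
    lines += [
        f"public-key base64 {remote['public_key']}", "exit", "exit",
        f"interface wg{instance}", "enable",
        f"ip address {local['wg_interface']}", "exit",
        "route table ipv4-VRF:0",
        f"route {wg_ip}/32", f"next-hop 0 via 0.0.0.0 wg{instance}", "exit",
        f"route {remote['lan']}", f"next-hop 0 via {wg_ip}", "exit", "exit",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for local, remote in ((R1, R2), (R2, R1)):
        print(f"# {local['name']} problems: {check_pair(local, remote) or 'none'}")
        print(render_tnsr(local, remote))
```

Run it once with the table values to confirm both directions report no problems, then change one side (for example, move R2's tunnel address into a different /30) to see the asymmetry reported before it turns into a tunnel that handshakes but passes no LAN traffic.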