WireGuard Site-to-Site Example
This example demonstrates how to configure a site-to-site WireGuard tunnel between two TNSR peers (R1 and R2) with a static route for LAN-to-LAN connectivity.
This site-to-site example uses static routing, but WireGuard can also work with dynamic routing protocols such as BGP and OSPF.
See also
BGP works with WireGuard without any special steps so long as the peers are static and have Tunnel Endpoint Next Hop Entries configured.
OSPF requires special configuration steps to work with WireGuard. See WireGuard VPN with OSPF Dynamic Routing for a full walkthrough of configuring WireGuard and OSPF.
WireGuard is also capable of acting as a Remote Access VPN server for dynamic remote clients.
See also
See WireGuard VPN for Remote Access for a full walkthrough of configuring a remote access VPN using WireGuard.
Required Information
Generate Keys
Before starting, generate the necessary keys for both peers:
r1 $ wg genkey | tee r1.prv.key | wg pubkey > r1.pub.key
r1 $ cat r1.prv.key
IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
r1 $ cat r1.pub.key
K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
r2 $ wg genkey | tee r2.prv.key | wg pubkey > r2.pub.key
r2 $ cat r2.prv.key
EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=
r2 $ cat r2.pub.key
kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
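Before pasting keys into two routers it is worth confirming that each public key really is the one derived from its private key, since a pair copied from the wrong file simply never completes a handshake. The script below is an added example, not TNSR or WireGuard project code: a pure-Python X25519 derivation (RFC 7748) that reproduces what `wg pubkey` computes, validated against the RFC's published test vector, and then applied to the R1 and R2 keys printed above. Its conditional swaps are not constant-time, so it is a verification tool, not something to use for live key agreement.

```python
import base64

# Added example, not TNSR or WireGuard project code: a pure-Python X25519
# public-key derivation (RFC 7748) that does what `wg pubkey` does, so a
# WireGuard key pair can be verified offline before it is entered on both
# routers. The conditional swaps are not constant-time: use this to check
# keys, not to perform live key agreement.

P = 2**255 - 19
A24 = 121665
BASEPOINT_U = 9


def _decode_scalar(k: bytes) -> int:
    # Clamp as RFC 7748 section 5 prescribes (wg genkey already stores keys clamped).
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: int) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns scalar * u, encoded."""
    k = _decode_scalar(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_from_private(private_key_b64: str) -> str:
    """Base64 WireGuard private key -> base64 public key, like `wg pubkey`."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key decodes to exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT_U)).decode()


def key_pair_matches(private_key_b64: str, public_key_b64: str) -> bool:
    """True when public_key_b64 is the key derived from private_key_b64."""
    return public_key_from_private(private_key_b64) == public_key_b64


# RFC 7748 section 6.1 test vector (Alice's keys), base64-encoded as wg prints keys.
ALICE_PRIV = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUB = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()


def rfc7748_self_test() -> bool:
    """The ladder must reproduce the RFC's published public key before it is trusted."""
    return key_pair_matches(ALICE_PRIV, ALICE_PUB)


if __name__ == "__main__":
    print("RFC 7748 self-test passed:", rfc7748_self_test())
    # The pairs printed by `wg genkey` / `wg pubkey` on R1 and R2 above.
    for name, prv, pub in [
        ("r1", "IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=",
         "K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY="),
        ("r2", "EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=",
         "kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA="),
    ]:
        print(name, "public key matches private key:", key_pair_matches(prv, pub))
```

Run it on any workstation with Python 3; no `wg` binary is needed, which is the point when the key files live on a host without WireGuard tools.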
Settings Summary
The table Example WireGuard Configuration contains the Required Information and other configuration settings which form the WireGuard tunnel for this example.
Item | Value
---|---
R1 Address | 203.0.113.2
R1 WG Private Key | IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
R1 WG Public Key | K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
R1 Local WG Port | 51820
R1 Local Network | 10.2.0.0/24
R1 WG Interface | wg1 (10.2.111.1/30)
R2 Address | 203.0.113.25
R2 WG Private Key | EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=
R2 WG Public Key | kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
R2 Local WG Port | 51820
R2 Local Network | 10.25.0.0/24
R2 WG Interface | wg1 (10.2.111.2/30)
Example Configuration
The commands below are performed from the CLI on each TNSR instance (R1 and R2) from within config mode.
R1
First create the WireGuard instance on R1:
r1 tnsr(config)# interface wireguard 1
r1 tnsr(config-wireguard)# description WireGuard P2P - R1-R2
r1 tnsr(config-wireguard)# source-address 203.0.113.2
r1 tnsr(config-wireguard)# port 51820
r1 tnsr(config-wireguard)# private-key base64 IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=
When adding the peer entry, use values from R2:
r1 tnsr(config-wireguard)# peer 1
r1 tnsr(config-wireguard-peer)# description R2
r1 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.25
r1 tnsr(config-wireguard-peer)# port 51820
The allowed-prefix list for this peer includes the WireGuard interface address of R2 and the local network at R2:
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.2/32
r1 tnsr(config-wireguard-peer)# allowed-prefix 10.25.0.0/24
The public key in the peer is the public key of R2:
r1 tnsr(config-wireguard-peer)# public-key base64 kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
r1 tnsr(config-wireguard-peer)# exit
r1 tnsr(config-wireguard)# exit
Next configure the corresponding wg1 interface on R1:
r1 tnsr(config)# interface wg1
r1 tnsr(config-interface)# enable
r1 tnsr(config-interface)# description WireGuard P2P - R1-R2
r1 tnsr(config-interface)# ip address 10.2.111.1/30
r1 tnsr(config-interface)# exit
Add the static route to the peer on the WireGuard wg1 interface:
r1 tnsr(config)# route table default
r1 tnsr(config-route-table)# route 10.2.111.2/32
r1 tnsr(config-rttbl4-next-hop)# next-hop 0 via 0.0.0.0 wg1
r1 tnsr(config-rttbl4-next-hop)# exit
r1 tnsr(config-route-table)# exit
Note
VPP requires this entry to set up and locate the adjacency on a non-broadcast interface such as the ones WireGuard uses. For more information, see WireGuard Next Hops. If this peer will use dynamic routing protocols, consider Tunnel Endpoint Next Hop Entries instead of the route method.
Add another static route for the LAN at R2:
r1 tnsr(config)# route table default
r1 tnsr(config-route-table)# route 10.25.0.0/24
r1 tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.2.111.2
r1 tnsr(config-rttbl4-next-hop)# exit
r1 tnsr(config-route-table)# exit
R2
Moving over to R2, create the WireGuard instance there:
r2 tnsr(config)# interface wireguard 1
r2 tnsr(config-wireguard)# description WireGuard P2P - R2-R1
r2 tnsr(config-wireguard)# source-address 203.0.113.25
r2 tnsr(config-wireguard)# port 51820
r2 tnsr(config-wireguard)# private-key base64 EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=
When creating the peer entry, use values from R1:
r2 tnsr(config-wireguard)# peer 1
r2 tnsr(config-wireguard-peer)# description R1
r2 tnsr(config-wireguard-peer)# endpoint-address 203.0.113.2
r2 tnsr(config-wireguard-peer)# port 51820
r2 tnsr(config-wireguard-peer)# allowed-prefix 10.2.111.1/32
r2 tnsr(config-wireguard-peer)# allowed-prefix 10.2.0.0/24
r2 tnsr(config-wireguard-peer)# public-key base64 K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
r2 tnsr(config-wireguard-peer)# exit
r2 tnsr(config-wireguard)# exit
Now configure the R2 wg1 interface:
r2 tnsr(config)# interface wg1
r2 tnsr(config-interface)# enable
r2 tnsr(config-interface)# description WireGuard P2P - R2-R1
r2 tnsr(config-interface)# ip address 10.2.111.2/30
r2 tnsr(config-interface)# exit
Add the static route to the R1 peer on the WireGuard wg1 interface:
r2 tnsr(config)# route table default
r2 tnsr(config-route-table)# route 10.2.111.1/32
r2 tnsr(config-rttbl4-next-hop)# next-hop 0 via 0.0.0.0 wg1
r2 tnsr(config-rttbl4-next-hop)# exit
r2 tnsr(config-route-table)# exit
Finally, configure the static route to the R1 LAN:
r2 tnsr(config)# route table default
r2 tnsr(config-route-table)# route 10.2.0.0/24
r2 tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.2.111.1
r2 tnsr(config-rttbl4-next-hop)# exit
r2 tnsr(config-route-table)# exit
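The two CLI sessions above are mirror images of each other, and most site-to-site failures come from one side not mirroring the other: a peer public key pasted from the wrong router, an allowed-prefix that omits the far LAN (WireGuard's cryptokey routing then drops that LAN's packets on receipt), or a missing host route so VPP never builds the adjacency. The following script is an added example, not TNSR code and not something that talks to TNSR: it transcribes both routers' settings from this page into plain dictionaries (that layout, and the `(prefix, next-hop, interface)` route tuples, are this script's own assumption) and cross-checks every relationship the walkthrough relies on, for the allowed-prefix step and the route steps alike. It also shows what the check reports when R2's allowed-prefix list loses R1's LAN.

```python
import base64
import copy
import ipaddress

# Added example, not TNSR code: an offline consistency check of the R1/R2
# configuration above. The values are transcribed from the CLI sessions on this
# page; the dict layout and the (prefix, next-hop, interface) route tuples are
# this script's own assumption, not a TNSR format. It checks what the tunnel
# needs to carry LAN-to-LAN traffic: each peer entry holds the other router's
# public key and endpoint, allowed-prefix (cryptokey routing) covers the peer's
# tunnel address and LAN, and both static routes exist.

R1_KEYS = ("IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=",   # private
           "K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=")   # public
R2_KEYS = ("EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=",
           "kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=")


def router(name, address, keys, wg_address, lan, peer_address, peer_public_key,
           allowed_prefixes, routes, port=51820, wg_interface="wg1"):
    """One router's WireGuard settings in the shape the checks below expect."""
    return {"name": name, "source_address": address, "port": port,
            "private_key": keys[0], "public_key": keys[1],
            "wg_interface": wg_interface, "wg_address": wg_address, "lan": lan,
            "peer": {"endpoint_address": peer_address, "port": port,
                     "public_key": peer_public_key, "allowed_prefixes": allowed_prefixes},
            "routes": routes}


R1 = router("r1", "203.0.113.2", R1_KEYS, "10.2.111.1/30", "10.2.0.0/24",
            "203.0.113.25", R2_KEYS[1], ["10.2.111.2/32", "10.25.0.0/24"],
            [("10.2.111.2/32", "0.0.0.0", "wg1"), ("10.25.0.0/24", "10.2.111.2", None)])
R2 = router("r2", "203.0.113.25", R2_KEYS, "10.2.111.2/30", "10.25.0.0/24",
            "203.0.113.2", R1_KEYS[1], ["10.2.111.1/32", "10.2.0.0/24"],
            [("10.2.111.1/32", "0.0.0.0", "wg1"), ("10.2.0.0/24", "10.2.111.1", None)])


def _is_wireguard_key(b64: str) -> bool:
    """A WireGuard key is 32 bytes of base64 (44 characters with padding)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


def check_peer(local: dict, remote: dict) -> list:
    """Findings for local's view of remote; an empty list means consistent."""
    n, peer, findings = local["name"], local["peer"], []
    if not _is_wireguard_key(local["private_key"]):
        findings.append(f"{n}: private key is not a 32-byte base64 key")
    if local["private_key"] == remote["private_key"]:
        findings.append(f"{n}: shares its private key with {remote['name']}")
    if peer["public_key"] != remote["public_key"]:
        findings.append(f"{n}: peer public key is not {remote['name']}'s public key")
    if (peer["endpoint_address"], peer["port"]) != (remote["source_address"], remote["port"]):
        findings.append(f"{n}: peer endpoint does not match {remote['name']} source-address/port")
    local_wg = ipaddress.ip_interface(local["wg_address"])
    remote_wg = ipaddress.ip_interface(remote["wg_address"])
    if local_wg.network != remote_wg.network:
        findings.append(f"{n}: tunnel address {local_wg} is not in the same subnet as {remote_wg}")
    allowed = [ipaddress.ip_network(p) for p in peer["allowed_prefixes"]]
    remote_host = ipaddress.ip_network(f"{remote_wg.ip}/32")
    remote_lan = ipaddress.ip_network(remote["lan"])
    # Cryptokey routing: decrypted packets whose inner source is outside allowed-prefix are dropped.
    if not any(remote_host.subnet_of(a) for a in allowed):
        findings.append(f"{n}: allowed-prefix does not include {remote['name']} tunnel address {remote_wg.ip}")
    if not any(remote_lan.subnet_of(a) for a in allowed):
        findings.append(f"{n}: allowed-prefix does not include {remote['name']} LAN {remote_lan}")
    for a in allowed:
        if a.overlaps(ipaddress.ip_network(local["lan"])):
            findings.append(f"{n}: allowed-prefix {a} overlaps the local LAN")
    routes = {(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in local["routes"]}
    if (remote_host, "0.0.0.0", local["wg_interface"]) not in routes:
        findings.append(f"{n}: no host route for {remote_wg.ip} via {local['wg_interface']} (VPP adjacency)")
    if (remote_lan, str(remote_wg.ip), None) not in routes:
        findings.append(f"{n}: no route for {remote_lan} via {remote_wg.ip}")
    return findings


def check_site_to_site(a: dict, b: dict) -> list:
    """Both directions of the tunnel; the page's R1/R2 pair yields no findings."""
    return check_peer(a, b) + check_peer(b, a)


def drop_allowed_prefix(router_cfg: dict, prefix: str) -> dict:
    """Copy of a router with one allowed-prefix removed, to show what the check catches."""
    r = copy.deepcopy(router_cfg)
    r["peer"]["allowed_prefixes"] = [p for p in r["peer"]["allowed_prefixes"] if p != prefix]
    return r


if __name__ == "__main__":
    print("page configuration:", check_site_to_site(R1, R2) or "consistent")
    print("R2 missing R1's LAN:", check_site_to_site(R1, drop_allowed_prefix(R2, "10.2.0.0/24")))
```

To use it for a real deployment, replace the transcribed values with the output of `show interface wireguard` and `show route` from each TNSR instance; every finding names the router and the CLI item to correct.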