WireGuard Site-to-Site Example

This example demonstrates how to configure a site-to-site WireGuard tunnel between two TNSR peers (R1 and R2) with a static route for LAN-to-LAN connectivity.

This site-to-site example uses static routing, but WireGuard can also work with dynamic routing protocols such as BGP and OSPF.

See also

BGP works with WireGuard without any special steps so long as the peers are static and the peers have Tunnel Endpoint Next Hop Entries configured.

OSPF requires special configuration steps to work with WireGuard. See WireGuard VPN with OSPF Dynamic Routing for a full walkthrough of configuring WireGuard and OSPF.

WireGuard is also capable of acting as a Remote Access VPN server for dynamic remote clients.

See also

See WireGuard VPN for Remote Access for a full walkthrough of configuring a remote access VPN using WireGuard.

Required Information

Generate Keys

Before starting, generate the necessary keys for both peers. Setting umask 077 first keeps the private key files from being created readable by other users:

r1 $ umask 077
r1 $ wg genkey | tee r1.prv.key | wg pubkey > r1.pub.key
r1 $ cat r1.prv.key
r1 $ cat r1.pub.key
r2 $ umask 077
r2 $ wg genkey | tee r2.prv.key | wg pubkey > r2.pub.key
r2 $ cat r2.prv.key
r2 $ cat r2.pub.key

Settings Summary

The table Example WireGuard Configuration contains the Required Information and other configuration settings which form the WireGuard tunnel for this example.

Example WireGuard Configuration



R1 Address

R1 WG Private Key


R1 WG Public Key


R1 Local WG Port


R1 Local Network

R1 WG Interface

R2 Address

R2 WG Private Key


R2 WG Public Key


R2 Local WG Port


R2 Local Network

R2 WG Interface

Example Configuration

The commands below are performed from the CLI on each TNSR instance (R1 and R2) from within config mode.


First create the WireGuard instance on R1:

r1 tnsr(config)# interface wireguard 1
r1 tnsr(config-wireguard)# description WireGuard P2P - R1-R2
r1 tnsr(config-wireguard)# source-address
r1 tnsr(config-wireguard)# port 51820
r1 tnsr(config-wireguard)# private-key base64 IPbehUo58KvYl/qmA+50bAaWeXgB+eP+8QqmDkLV9XA=

When adding the peer entry, use values from R2:

r1 tnsr(config-wireguard)# peer 1
r1 tnsr(config-wireguard-peer)# description R2
r1 tnsr(config-wireguard-peer)# endpoint-address
r1 tnsr(config-wireguard-peer)# port 51820

The allowed-prefix list for this peer includes the WireGuard interface address of R2 and the local network at R2:

r1 tnsr(config-wireguard-peer)# allowed-prefix
r1 tnsr(config-wireguard-peer)# allowed-prefix

The public key in the peer is the public key of R2:

r1 tnsr(config-wireguard-peer)# public-key base64 kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA=
r1 tnsr(config-wireguard-peer)# exit
r1 tnsr(config-wireguard)# exit

Next configure the corresponding wg1 interface on R1:

r1 tnsr(config)# interface wg1
r1 tnsr(config-interface)# enable
r1 tnsr(config-interface)# description WireGuard P2P - R1-R2
r1 tnsr(config-interface)# ip address
r1 tnsr(config-interface)# exit

Then add a tunnel next hop entry for the WireGuard Peer at R2 using the wg1 interface:

r1 tnsr(config)# tunnel next-hops wg1
r1 tnsr(config-tunnel-nh-if)# ipv4-tunnel-destination ipv4-next-hop-address
r1 tnsr(config-tunnel-nh-if)# exit


VPP requires this entry to set up and locate the adjacency on a non-broadcast interface like those used by WireGuard. See WireGuard Next Hops.

Now add the static route to the LAN at R2:

r1 tnsr(config-route-table)# route
r1 tnsr(config-rttbl4-next-hop)# next-hop 0 via
r1 tnsr(config-rttbl4-next-hop)# exit
r1 tnsr(config-route-table)# exit


Moving over to R2, create the WireGuard instance there:

r2 tnsr(config)# interface wireguard 1
r2 tnsr(config-wireguard)# description WireGuard P2P - R2-R1
r2 tnsr(config-wireguard)# source-address
r2 tnsr(config-wireguard)# port 51820
r2 tnsr(config-wireguard)# private-key base64 EIe79EjECubUeIw+6EKkXOLeOIoFgxM33ydRyr2IJWE=

When creating the peer entry, use values for R1 inside the entry:

r2 tnsr(config-wireguard)# peer 1
r2 tnsr(config-wireguard-peer)# description R1
r2 tnsr(config-wireguard-peer)# endpoint-address
r2 tnsr(config-wireguard-peer)# port 51820
r2 tnsr(config-wireguard-peer)# allowed-prefix
r2 tnsr(config-wireguard-peer)# allowed-prefix
r2 tnsr(config-wireguard-peer)# public-key base64 K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY=
r2 tnsr(config-wireguard-peer)# exit
r2 tnsr(config-wireguard)# exit

Now configure the R2 wg1 interface:

r2 tnsr(config)# interface wg1
r2 tnsr(config-interface)# enable
r2 tnsr(config-interface)# description WireGuard P2P - R2-R1
r2 tnsr(config-interface)# ip address
r2 tnsr(config-interface)# exit

Then add a tunnel next hop entry for the WireGuard Peer at R1 using the wg1 interface:

r2 tnsr(config)# tunnel next-hops wg1
r2 tnsr(config-tunnel-nh-if)# ipv4-tunnel-destination ipv4-next-hop-address
r2 tnsr(config-tunnel-nh-if)# exit

Finally, configure the static route to the R1 LAN:

r2 tnsr(config-route-table)# route
r2 tnsr(config-rttbl4-next-hop)# next-hop 0 via
r2 tnsr(config-rttbl4-next-hop)# exit
r2 tnsr(config-route-table)# exit
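
The two peer entries above must mirror each other: each carries the other router's source address, port and public key, and an allowed-prefix list covering the other side's WireGuard interface address and LAN. The following check is an added example, not TNSR code; the dictionary layout, function names and all IPv4 addresses are assumptions constructed for illustration, and only the two public keys are taken from the peer entries above.

```python
import ipaddress

# Constructed sample values. The addresses are placeholders chosen for this
# sketch; the public keys are the ones shown in the peer entries above.
SITES = {
    "R1": {"source": "198.51.100.1", "port": 51820, "wg": "172.31.255.1/30",
           "lan": "192.168.10.0/24",
           "pubkey": "K/l2cD3PCCioSnerIe7tOSAqyRQ8dB1LAoeiJqn0uiY="},
    "R2": {"source": "198.51.100.2", "port": 51820, "wg": "172.31.255.2/30",
           "lan": "192.168.20.0/24",
           "pubkey": "kIGM3jon1y43ZiCh9YryxNNfda/Qh5d1aBHSfKZbYTA="},
}

def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)

def mirrored_peer(remote):
    """Peer entry and static route a router should hold for `remote`."""
    wg_host = f"{ipaddress.ip_interface(remote['wg']).ip}/32"
    return {"endpoint": remote["source"], "port": remote["port"],
            "pubkey": remote["pubkey"], "allowed": [wg_host, remote["lan"]],
            "route": remote["lan"]}

def check_peer(peer, remote):
    """Return the ways a locally configured `peer` disagrees with `remote`."""
    wg_ip = ipaddress.ip_interface(remote["wg"]).ip
    lan = _net(remote["lan"])
    allowed = [_net(p) for p in peer["allowed"]]
    problems = []
    if peer["endpoint"] != remote["source"]:
        problems.append("endpoint-address is not the remote source-address")
    if peer["port"] != remote["port"]:
        problems.append("port is not the remote listen port")
    if peer["pubkey"] != remote["pubkey"]:
        problems.append("public-key is not the remote public key")
    if not any(wg_ip in n for n in allowed):
        problems.append("allowed-prefix omits the remote WG interface address")
    if not any(lan.subnet_of(n) for n in allowed):
        problems.append("allowed-prefix omits the remote LAN")
    # A prefix beyond the remote tunnel subnet and LAN would let this peer
    # source traffic from addresses the remote site does not own.
    expected = [_net(remote["wg"]), lan]
    for n in allowed:
        if not any(n.subnet_of(e) for e in expected):
            problems.append(f"allowed-prefix {n} is wider than the remote site")
    if _net(peer["route"]) != lan:
        problems.append("static route does not point at the remote LAN")
    return problems
```

Calling `check_peer(mirrored_peer(SITES["R2"]), SITES["R2"])` returns an empty list; an entry carrying the wrong public key or a catch-all allowed-prefix returns one message per mismatch.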