This is an old revision of the document!
This guide is designed to walk through the basic steps and configurations needed to:
Connect Multiple LANs together via a centralized Wireguard server.
Expose services running on the LANs to the internet via the centralized server.
Why use a centralized server for connecting LANs rather than a site to site VPN?
1. Not all routers/modems support site to site VPNs.
2. If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT. (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)
Why use a centralized VPS to expose LAN services to the internet?
1. As above, you may not have the ability to directly expose the ports on your home modem/router.
2. Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.
3. Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.
VPS1 - Wireguard Server and the server we will be using to expose services on LAN1 to the internet.
VPS2 - Another VPS - added to allow easy access and remove some public ports.
VPS3 - Another VPs - added to allow easy access and remove some public ports.
LAN1 - Home LAN
LAN2 - Work LAN
VPS1 runs Wireguard Server and uses Nginx Proxy Manager for forwarding services across Wireguard network to servers on LAN1.
LAN1 and LAN2 each have a server acting as the Wireguard gateway.
Wireguard Network:
VPS1: 10.0.0.1
LAN1: 10.0.0.2
LAN2: 10.0.0.3
VPS2: 10.0.0.10
VPS3: 10.0.0.11
LAN1:
Subnet: 192.168.100.0\24
Router: 192.168.100.1
WG PC: 192.168.100.4
Static Routes:
10.0.0.0\24 GW 192.168.100.4
192.168.150.0\24 GW 192.168.100.4
LAN2:
Subnet: 192.168.150.0\24
Router: 192.168.150.1
WG PC: 192.168.150.4
Static Routes:
10.0.0.0\24 GW 192.168.150.4
192.168.100.0\24 GW 192.168.150.4
Install Wireguard on the server and all clients.
On Linux distributions this is generally a package named wireguard, wireguard-tools, or both.
(I'm using Debian on my servers and clients, so you may need to adjust accordingly)
Generate the public and private key for the machine:
wg genkey | tee privatekey | wg pubkey > publickey
For gateways PCs and likely server if you don't already have it setup for serving services:
Edit /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Reload the config:
sysctl –system
Create /etc/wireguard/wg0.conf on each machine:
[Interface]
Address = 10.0.0.1/32
ListenPort = 51820
PrivateKey = <server private key>
# LAN1 WG PC (home)
[Peer]
PublicKey = <LAN1 WG PC Public Key>
AllowedIPs = 10.0.0.2/32, 192.168.100.0/24
# LAN2 WG PC (work)
[Peer]
PublicKey = <LAN2 WG PC Public Key>
AllowedIPs = 10.0.0.3/32, 192.168.150.0/24
# VPS2
[Peer]
PublicKey = <VPS2 Public Key>
AllowedIPs = 10.0.0.10/32
# VPS3
[Peer]
PublicKey = <VPS3 Public Key>
AllowedIPs = 10.0.0.11/32
[Interface]
Address = 10.0.0.2/32
PrivateKey = <LAN1 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.150.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.3/32
PrivateKey = <LAN2 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.10/32
PrivateKey = <VPS2 Private Key>
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.11/32
PrivateKey = <VPS3 Private Key>
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25
The AllowedIPs directive specifies what networks the machine will allow to enter the Wireguard interface.
For CLIENTS you want with this to be the Wireguard network (10.0.0/24), and any REMOTE networks they will interact with (So in the case of LAN1 WG PC, you add 192.168.150.0/24 to allow routing to/from LAN2).
For SERVERS you want the Wireguard IP of the client (So 10.0.0.2/32 for LAN1 WG PC) and any networks that will route THROUGH that client (So 192.168.100.0/24 for LAN1 WG PC).
The basic principle here is to allow the Wireguard network and local server to communicate with each other so traffic will actually flow and so you can forward services to the Wireguard network.
I use the Shorewall firewall on my VPS, so that's the examples I'll have here. You should be able to accomplish the same thing with the appropriate UFW or IPTABLES commands.
net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
vpn wg0 routeback
fw firewall
net ipv4
vpn ipv4
$FW net ACCEPT
$FW vpn ACCEPT
vpn all ACCEPT
net all DROP info
all all REJECT info
?SECTION NEW
# Wireguard
ACCEPT net fw udp 51820