This is an old revision of the document!
This guide is designed to walk through the basic steps and configurations needed to:
Connect Multiple LANs together via a centralized Wireguard server.
Expose services running on the LANs to the internet via the centralized server.
Why use a centralized server for connecting LANs rather than a site to site VPN?
1. Not all routers/modems support site to site VPNs.
2. If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT. (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)
Why use a centralized VPS to expose LAN services to the internet?
1. As above, you may not have the ability to directly expose the ports on your home modem/router.
2. Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.
3. Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.
VPS1 - Wireguard Server and the server we will be using to expose services on LAN1 to the internet.
VPS2 - Another VPS - added to allow easy access and remove some public ports.
VPS3 - Another VPs - added to allow easy access and remove some public ports.
LAN1 - Home LAN
LAN2 - Work LAN
VPS1 runs Wireguard Server and uses Nginx Proxy Manager for forwarding services across Wireguard network to servers on LAN1.
LAN1 and LAN2 each have a server acting as the Wireguard gateway.
Wireguard Network:
VPS1: 10.0.0.1
LAN1: 10.0.0.2
LAN2: 10.0.0.3
VPS2: 10.0.0.10
VPS3: 10.0.0.11
LAN1:
Subnet: 192.168.100.0\24
Router: 192.168.100.1
WG PC: 192.168.100.4
Static Routes:
10.0.0.0\24 GW 192.168.100.4
192.168.150.0\24 GW 192.168.100.4
LAN2:
Subnet: 192.168.150.0\24
Router: 192.168.150.1
WG PC: 192.168.150.4
Static Routes:
10.0.0.0\24 GW 192.168.150.4
192.168.100.0\24 GW 192.168.150.4
Install Wireguard on the server and all clients.
On Linux distributions this is generally a package named wireguard, wireguard-tools, or both.
(I'm using Debian on my servers and clients, so you may need to adjust accordingly)
Generate the public and private key for the machine:
wg genkey | tee privatekey | wg pubkey > publickey
For gateways PCs and likely server if you don't already have it setup for serving services:
Edit /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Reload the config:
sysctl –system
Create /etc/wireguard/wg0.conf on each machine:
[Interface]
Address = 10.0.0.1/32
ListenPort = 51820
PrivateKey = <server private key>
# LAN1 WG PC (home)
[Peer]
PublicKey = <LAN1 WG PC Public Key>
AllowedIPs = 10.0.0.2/32, 192.168.100.0/24
# LAN2 WG PC (work)
[Peer]
PublicKey = <LAN2 WG PC Public Key>
AllowedIPs = 10.0.0.3/32, 192.168.150.0/24
# VPS2
[Peer]
PublicKey = <VPS2 Public Key>
AllowedIPs = 10.0.0.10/32
# VPS3
[Peer]
PublicKey = <VPS3 Public Key>
AllowedIPs = 10.0.0.11/32
[Interface]
Address = 10.0.0.2/32
PrivateKey = <LAN1 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.150.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.3/32
PrivateKey = <LAN2 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.10/32
PrivateKey = <VPS2 Private Key>
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25
[Interface]
Address = 10.0.0.11/32
PrivateKey = <VPS3 Private Key>
# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25
The AllowedIPs directive specifies what networks the machine will allow to enter the Wireguard interface.
For CLIENTS you want with this to be the Wireguard network (10.0.0/24), and any REMOTE networks they will interact with (So in the case of LAN1 WG PC, you add 192.168.150.0/24 to allow routing to/from LAN2).
For SERVERS you want the Wireguard IP of the client (So 10.0.0.2/32 for LAN1 WG PC) and any networks that will route THROUGH that client (So 192.168.100.0/24 for LAN1 WG PC).
The basic principle here is to allow the Wireguard network and local server to communicate with each other so traffic will actually flow and so you can forward services to the Wireguard network.
I use the Shorewall firewall on my VPS, so that's the examples I'll have here. You should be able to accomplish the same thing with the appropriate UFW or IPTABLES commands.
You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.
net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
vpn wg0 routeback
fw firewall
net ipv4
vpn ipv4
$FW net ACCEPT
$FW vpn ACCEPT
vpn all ACCEPT
net all DROP info
all all REJECT info
?SECTION NEW
# Wireguard
ACCEPT net fw udp 51820
Make sure you've restarted the firewall services if necessary, then start Wireguard:
wg-quick up wg0
You should see it bring up the interface and add routes and whatnot.
To view the status run:
wg show
On clients this should show the connection information and stats.
On the server it should have a section for each client. It will show configured clients that aren't connected as well, but with minimal information.
Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.
Once you have verified, you can configure the system to automatically start the connection on boot“
systemctl enable wg-quick@wg0
To enable proper cross LAN routing, and access to the Wireguard network from machines other than the gateway PCs, you need to add the appropriate static routes.
I'm using UniFi USG Pro's on my home and work LANs, so I just added the routes there.
You need a route for each remote network (including the Wireguard network) that the machines on your LAN will be accessing.
In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.
10.0.0.0/24 GW 192.168.100.4 192.168.150.0/24 GW 192.168.100.4
10.0.0.0/24 GW 192.168.150.4 192.168.100.0/24 GW 192.168.150.4
If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN.