User Tools

Site Tools


guides:wireguard_multilan_tunnels

This is an old revision of the document!


Connecting Multiple LANs with a Central Wireguard Server and Exposing Services Publicly

This guide is designed to walk through the basic steps and configurations needed to:
Connect Multiple LANs together via a centralized Wireguard server.
Expose services running on the LANs to the internet via the centralized server.

Why use a centralized server for connecting LANs rather than a site to site VPN?
1. Not all routers/modems support site to site VPNs.
2. If your router is behind an ISP modem/router that does not support bridge mode, site to site will likely not work due to double NAT. (This is my initial reason for setting this up - my ISP updated the modems and broke bridge mode and is taking a long time to figure out what's actually wrong.)

Why use a centralized VPS to expose LAN services to the internet?
1. As above, you may not have the ability to directly expose the ports on your home modem/router.
2. Even if you can directly expose the ports, this adds a layer of security by not needing to publish the public IP of your LAN.
3. Your ISP may block ports on their side so even if you can expose on your modem/router, you can't use them anyway.

Basic Overview of Sample Setup

VPS1 - Wireguard Server and the server we will be using to expose services on LAN1 to the internet.
VPS2 - Another VPS - added to allow easy access and remove some public ports.
VPS3 - Another VPs - added to allow easy access and remove some public ports.
LAN1 - Home LAN
LAN2 - Work LAN

VPS1 runs Wireguard Server and uses Nginx Proxy Manager for forwarding services across Wireguard network to servers on LAN1.
LAN1 and LAN2 each have a server acting as the Wireguard gateway.

Wireguard Network:
VPS1: 10.0.0.1
LAN1: 10.0.0.2
LAN2: 10.0.0.3
VPS2: 10.0.0.10
VPS3: 10.0.0.11

LAN1:
Subnet: 192.168.100.0\24
Router: 192.168.100.1
WG PC: 192.168.100.4

Static Routes:
10.0.0.0\24 GW 192.168.100.4
192.168.150.0\24 GW 192.168.100.4

LAN2:
Subnet: 192.168.150.0\24
Router: 192.168.150.1
WG PC: 192.168.150.4

Static Routes:
10.0.0.0\24 GW 192.168.150.4
192.168.100.0\24 GW 192.168.150.4

Wireguard Setup

Install Wireguard

Install Wireguard on the server and all clients.
On Linux distributions this is generally a package named wireguard, wireguard-tools, or both.
(I'm using Debian on my servers and clients, so you may need to adjust accordingly)

Generate Key Pair

Generate the public and private key for the machine:
wg genkey | tee privatekey | wg pubkey > publickey

Enable IP Forwarding

For gateways PCs and likely server if you don't already have it setup for serving services:
Edit /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1

Reload the config:
sysctl –system

Create Config Files

Create /etc/wireguard/wg0.conf on each machine:

VPS1 (Server)

[Interface]
Address = 10.0.0.1/32
ListenPort = 51820
PrivateKey = <server private key>

# LAN1 WG PC (home)
[Peer]
PublicKey = <LAN1 WG PC Public Key>
AllowedIPs = 10.0.0.2/32, 192.168.100.0/24

# LAN2 WG PC (work)
[Peer]
PublicKey = <LAN2 WG PC Public Key>
AllowedIPs = 10.0.0.3/32, 192.168.150.0/24

# VPS2
[Peer]
PublicKey = <VPS2 Public Key>
AllowedIPs = 10.0.0.10/32

# VPS3
[Peer]
PublicKey = <VPS3 Public Key>
AllowedIPs = 10.0.0.11/32

LAN1 WG PC

[Interface]
Address = 10.0.0.2/32
PrivateKey = <LAN1 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE

# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.150.0/24
PersistentKeepalive = 25

LAN2 WG PC

[Interface]
Address = 10.0.0.3/32
PrivateKey = <LAN2 WG PC Private Key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <LAN interface, i.e. eth0> -j MASQUERADE

# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
PersistentKeepalive = 25

VPS2

[Interface]
Address = 10.0.0.10/32
PrivateKey = <VPS2 Private Key>

# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25

VPS3

[Interface]
Address = 10.0.0.11/32
PrivateKey = <VPS3 Private Key>

# Server
[Peer]
PublicKey = <VPS1 Public Key>
Endpoint = <VPS1 Public IP>:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24, 192.168.150.0/24
PersistentKeepalive = 25

A Note on AllowedIPs

The AllowedIPs directive specifies what networks the machine will allow to enter the Wireguard interface.
For CLIENTS you want with this to be the Wireguard network (10.0.0/24), and any REMOTE networks they will interact with (So in the case of LAN1 WG PC, you add 192.168.150.0/24 to allow routing to/from LAN2).
For SERVERS you want the Wireguard IP of the client (So 10.0.0.2/32 for LAN1 WG PC) and any networks that will route THROUGH that client (So 192.168.100.0/24 for LAN1 WG PC).

Configure VPS Firewalls

The basic principle here is to allow the Wireguard network and local server to communicate with each other so traffic will actually flow and so you can forward services to the Wireguard network.
I use the Shorewall firewall on my VPS, so that's the examples I'll have here. You should be able to accomplish the same thing with the appropriate UFW or IPTABLES commands.
You should only need to do this on the VPSs, unless you run local firewalls on the LAN WG PCs as well.

/etc/shorewall/interfaces

net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
vpn wg0 routeback

/etc/shorewall/zones

fw firewall
net ipv4
vpn ipv4

/etc/shorewall/policy

$FW net ACCEPT
$FW vpn ACCEPT
vpn all ACCEPT
net all DROP info
all all REJECT info

/etc/shorewall/rules (Only needed on VPS1 - Server)

?SECTION NEW
# Wireguard
ACCEPT net fw udp 51820

Test the Setup

Make sure you've restarted the firewall services if necessary, then start Wireguard:
wg-quick up wg0

You should see it bring up the interface and add routes and whatnot.
To view the status run:
wg show
On clients this should show the connection information and stats.
On the server it should have a section for each client. It will show configured clients that aren't connected as well, but with minimal information.

Make sure you can ping the Wireguard IPs back and forth from clients to server and clients to other clients.
Once you have verified, you can configure the system to automatically start the connection on boot“
systemctl enable wg-quick@wg0

Enable Cross LAN Routing

To enable proper cross LAN routing, and access to the Wireguard network from machines other than the gateway PCs, you need to add the appropriate static routes.
I'm using UniFi USG Pro's on my home and work LANs, so I just added the routes there.
You need a route for each remote network (including the Wireguard network) that the machines on your LAN will be accessing.
In our case, LAN1 needs access to Wireguard Network and LAN2, and LAN2 needs access to Wireguard network and LAN1.

LAN1 Routes

10.0.0.0/24 GW 192.168.100.4 192.168.150.0/24 GW 192.168.100.4

LAN2 Routes

10.0.0.0/24 GW 192.168.150.4 192.168.100.0/24 GW 192.168.150.4

If everything is correct, machines on each LAN should be able to access all machines on the Wireguard network as well as all machines on the other LAN.

Exposing External Services

guides/wireguard_multilan_tunnels.1734038058.txt.gz · Last modified: 2024/12/12 16:14 by techiem2