Difference between revisions of "Wireguard Peer To Peer Configuration example"

From Teltonika Networks Wiki
m
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
 
+
WireGuard is a simple, fast, lean, and modern VPN that utilizes secure and trusted cryptography. This example covers Peer-to-Peer configuration and LAN-to-LAN connectivity using WireGuard VPN.<br><br>
Introduction to a Peer-to-Peer WireGuard configuration example, this also covers LAN-TO-LAN connectivity aspect as well. WireGuard is simple, fast, lean, and modern VPN that utilizes secure and trusted cryptography.
+
'''Note:''' If you do not see WireGuard in '''Services → VPN'''. Go to '''System → Package Manager → Packages''' page and install it from there.
 
 
This page will show you an example on how to configure a basic tunnel between WireGuard interface and its peers.
 
<u><b>Note:</b> WireGuard is additional software that can be installed from the <b>System → Package Manager</b> page.</u>
 
  
 
==Prerequisites==
 
==Prerequisites==
For this example you need:
+
For this example, you will need:
<li>Three RUTOS devices</li>
+
*Three RUTOS devices with different LAN networks
<li>An end device to configure devices (PC, Laptop, Tablet or Smartphone) </li>
+
*One RUTOS device will need to have a '''Public IP''' address
<li>One end device must have <b>Public IP</b> address</li>
+
*An end device with the ability to install, set up WireGuard client, and configure RUTOS devices
 
+
*'''WebUI''' switched into '''Advanced''' mode
==WireGuard Instances==
 
To create Instance enter its name and click the <b>Add</b> button.
 
Then click the <b>Edit</b>[[File:Networking_rutx_manual_edit_button_v1.png]] button to configure it.
 
[[File: Wireguard_Add.png]]
 
 
 
 
 
==Server Configuration==
 
===Peer to Peer Setup===
 
 
 
The following part of example applies to both devices.
 
Before editing any fields click [[File:Networking_rutx_manual_generate_button_v1.png]] button to generate Public and Private keys.
 
After that you need to Enable this instance and in the <b>Listen Port</b> field enter your desired port. WireGuard by default uses <b>51820</b> port which will be used in this example.
 
Lastly you need to enter IP Address for instance. We will set the SERVER will have 10.0.0.1 and Clients will have 10.0.0.2 IP addresses and increasing.
 
<b>Note:</b> enter IP address <b>and</b> its mask e.g. <b>10.0.0.1/24</b>
 
<b>Note:</b> You will need to copy the Public and Private Keys for Peer instances between server and Clients
 
<li>Please ensure that you save the Public key for later use</li>
 
<li>Enter the IP address of the WireGuard Interface on the server (e.g. 10.0.0.1/24) </li>
 
[[File:WireGuard_Server.png]]
 
 
 
  
Please ensure that on the Server side, that you allow the Firewall to accept traffic going through the Server router for Peer-to-Peer traffic to flow
+
==WireGuard instance creation==
This can be located in <b>Network -> Firewall -> General settings</b>
+
To create a WireGuard interface follow these steps:
A zone for WireGuard to WireGuard can be created as below to ensure traffic is not restricted from the server
+
*Connect to WebUI
 +
*Go to '''Services → VPN → Wireguard'''
 +
*Enter the interface’s name and press Add
 +
[[File:Add_wireguard_instance.png|border|class=tlt-border]]
  
[[File:WireGuard_Firewall_Rules.png]]
+
== WireGuard instance general configuration==
 +
In this example, each interface’s general settings will be similar for all RUTOS devices. The difference will be in the assigned IP address. To set up the general configuration, follow these steps:
 +
*When you have pressed [[File:Networking_rutx_manual_edit_button_v1.png]] go to the '''General Setup''' section
 +
*'''Enable''' the interface
 +
*Press [[File:Networking_rutx_manual_generate_button_v1.png]]
 +
*Take note of the device’s public key
 +
*Set an IP address. For the '''server''' set '''10.0.0.1/24'''. For the '''clients''' set the IP to '''10.0.0.2/24 and higher'''. For example, client #1 – IP 10.0.0.2/24, client #2 – IP 10.0.0.3/24, and so on
 +
Below is an example of the server’s WireGuard interface:<br>
 +
[[File:WG server interface.png|border|class=tlt-border]]
  
 
==Peers Configuration==
 
==Peers Configuration==
===Peer to Peer Setup===
+
Next, we will add WireGuard peers. Go to each device's WireGuard interface and go to the Peers section (below the interface’s general/advanced settings).
In the <b>General Setup</b> section you need to enter <b>Public Key</b> and Allowed IPs from the Remote instance you want to connect to.
+
===Client 1 configuration===
In this example a peer from Client1 needs to connect to RUTX11, which means <b>SERVER</b> will enter Public Key and Allowed IPs from Client1.
+
To create client #1 to server/peer configuration, follow these steps:
You will need the Public Keys of the Client VPN users that you setup, so it is recommended to create the Instances to Generate the Keys for use of Peer instances
+
*Enter the instance’s '''name''' (for example, server) and press '''Add'''
 
+
*As '''Public Key''' set the server’s public key. To find it go to the server’s WireGuard interface settings. There you will find the public key
===Peers Configuration Client 1===
+
*As '''Endpoint host''' set the server’s public IP
Client 1 is setup with the following details, WireGuard Interface IP is set as 10.0.0.2 with a LAN range of 192.168.5.0/24
+
*In the '''Allowed IPs''' add IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network
You will need to create a new WireGuard instance and Peer connection, please ensure you copy the public Key that was generated via the creation of the instance, as this will be used on the Server side for the VPN.
+
*Additionally, you can write the peer’s description
<li>Copy the Public Key and save it in a text file for later use, as it will be used on the Server Peer configuration</li>
+
*Enable '''Route allowed IPs'''
<li>Enter the IP address of the WireGuard interface e.g. 10.0.0.2/24</li>
+
*Press [[File:Save apply button.png]]
<li>Now we will Create a Peer connection</li>
+
The configuration could look like this:<br>
<li>Point 1 is the Server’s Public Key that was acquired when creating the instance on the Server/Main router side</li>
+
[[File:Wireguard client1 to server peer v2.png|border|class=tlt-border]]
<li>Allowed IPs are the IP ranges you want to have access to over the VPN (the remote side) </li>
 
<li>Please ensure you enable “Route allowed IPs” </li>
 
<li>Under “Advanced Settings” please ensure you enter the Server side Public IP address</li>
 
<li>Save and Apply the settings</li>
 
 
 
[[File:WireGuard_Client1.png]]
 
 
 
[[File:WireGuard_Client1_IP_list.png]]
 
 
 
[[File:WireGuard_Client1_HostEnd.png]]
 
===Peers Configuration Client 2===
 
Client 2 is setup with the following details, WireGuard Interface IP is set as 10.0.0.3 with a LAN range of 192.168.10.0/24
 
You will need to create a new WireGuard instance and Peer connection, please ensure you copy the public Key that was generated via the creation of the instance, as this will be used on the Server side for the VPN.
 
<li>Copy the Public Key and save it in a text file for later use, as it will be used on the Server Peer configuration</li>
 
<li>Enter the IP address of the WireGuard interface e.g. 10.0.0.3/24</li>
 
<li>Now we will Create a Peer connection</li>
 
<li>Point 1 is the Server’s Public Key that was acquired when creating the instance on the Server/Main router side</li>
 
<li>Allowed IPs are the IP ranges you want to have access to over the VPN (the remote side) </li>
 
<li>Please ensure you enable “Route allowed IPs” </li>
 
<li>Under “Advanced Settings” please ensure you enter the Server side Public IP address</li>
 
<li>Save and Apply the settings</li>
 
 
 
[[File:WireGuard_Client2.png]]
 
 
 
[[File:WireGuard_Client2_IP_list.png]]
 
 
 
[[File:WireGuard_Client2_HostEnd.png]]
 
===Peers Configuration Client 3===
 
Please ensure you download WireGuard for your PC (Windows Client)
 
Installation: https://www.wireguard.com/install/
 
Once you have created a new Tunnel, you will need to add the below lines of code to finish the VPN setup,
 
<li>Address = 10.0.0.4/24</li>
 
<li>DNS = 8.8.8.8</li>
 
<li> [Peer] </li>
 
<li>PublicKey = Which will be the Server’s Public Key</li>
 
<li>AllowedIPs = IP ranges you want access to (Remote side) </li>
 
<li>EndPoint = Server’s IP (our instance was 192.168.1.1 as it was part of the LAN) </li>
 
 
 
[[File:WireGuard_PC_Client.png]]
 
 
 
==Peers Configuration Server==
 
====Server to Peer Setup====
 
In the <b>General Setup</b> section you need to enter <b>Public Key</b> and <b>Allowed IPs</b> from the Remote instance you want to connect to.
 
We will be creating 3 instances, these will be the remote Peers we created above and will make use of their Public Keys to create them, such as below
 
  
[[File:WireGuard_Server_Clients.png]]
+
===Client 2 configuration===
===Server To Client 1===
+
To create client #2 to server/peer configuration, follow these steps:
Create your 1<sup>st</sup> client peer under the server
+
*Enter the instance’s '''name''' (for example, server) and press '''Add'''
<li>Enter the Public Key you created for Client 1</li>
+
*As '''Public Key''' set the server’s public key. To find it go to the server’s WireGuard interface settings. There you will find the public key
<li>Enter in the IP address you want to access on Client 1 side(LAN side and WireGuard Interface IP) </li>
+
*As '''Endpoint host''' set the server’s public IP
<li>Ensure you have enabled “Route allowed IPs” </li>
+
*In the '''Allowed IPs''' add IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network
 +
*Additionally, you can write the peer’s description
 +
*Enable '''Route allowed IPs'''
 +
*Press [[File:Save apply button.png]]
 +
The configuration could look like this:<br>
 +
[[File:Wireguard client2 to server peer v2.png|border|class=tlt-border]]
  
 +
===Client 3 configuration===
 +
Firstly, ensure that you have downloaded and installed WireGuard client (https://www.wireguard.com/install/) for your PC. To create client #3 to server/peer configuration, follow these steps:
 +
*Launch the WireGuard software
 +
*At the bottom of the left corner select '''Add Tunnel → Add empty tunnel…'''
 +
*In the configuration window add these settings:
 +
Address = 10.0.0.4/32
 +
DNS = 8.8.8.8
 +
 +
[Peer]
 +
PublicKey = Server’s public key
 +
AllowedIPs = IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network.
 +
Endpoint = Server’s IP with WireGuard port. In this example, client 3 is inside the server’s LAN network.
  
[[File:WireGuard_Server_Client1.png]]
+
The configuration could look like this:<br>
 +
[Interface]
 +
PrivateKey = wireguard-private-key
 +
Address = 10.0.0.4/24
 +
DNS = 8.8.8.8
 +
 +
[Peer]
 +
PublicKey = 2JIBoK+Bxe7MJzX9zV+lFjqHxLTvehLp3piEROaNJjw=
 +
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, 192.168.6.1/24
 +
Endpoint = 192.168.9.1:51820
  
===Server To Client 2===
+
'''Note:''' do not forget to press Activate to connect client #3 (WireGuard client software) to the server.
Create your 2<sup>nd</sup> client peer under the server
 
<li>Enter the Public Key you created for Client 2</li>
 
<li>Enter in the IP address you want to access on Client 2 side(LAN side and WireGuard Interface IP) </li>
 
<li>Ensure you have enabled “Route allowed IPs” </li>
 
  
[[File:WireGuard_Server_Client2.png]]
+
===Server configuration===
===Server To Client 3 (PC)===
+
====Peer 1 configuration====
Create your 3<sup>rd</sup> client peer under the server
+
Follow the steps below to configure settings for client #1:
<li>Enter the Public Key you created for Client 2</li>
+
*Enter the peer’s '''name''' (for example, client1) and press '''Add'''
<li>Enter in the IP address you want to access on Client 3 side(LAN side and WireGuard Interface IP) </li>
+
*Set the peer's '''Public Key'''. To find it go to the client’s WireGuard interface general settings. There you will find the public key
<li>Ensure you have enabled “Route allowed IPs” </li>
+
*In the '''Allowed IPs''' add IP addresses and networks you can want to access. In this example, we will add client #1 WireGuard interface’s IP and its LAN network address
 +
*Enable '''Route allowed IPs'''
 +
*Press [[File:Save apply button.png]]
 +
The configuration could look like this:<br>
 +
[[File:Wireguard server to client peer v1.png|border|class=tlt-border]]
  
[[File:WireGuard_Server_Client3.png]] 
+
====Peer 2 configuration====
==Testing the Setup==
+
For client #2 the steps are the same. Remember that the public key will be different and the allowed IPs list will slightly differ compared to client 1 peer configuration.
===Testing===
 
Once you have setup the WireGuard Server and Peer settings, you can test by making use of the below
 
Once you have created your Peers and Host, via the CLI you will be able to see the new WireGuard interfaces and ping across the new VPN, below is an example
 
Show peers and uptime of WireGuard instances with use of “wg” command in the CLI
 
  
[[File:WireGuard_Test_interface_Server.png]]
+
====Peer 3 configuration====
 +
Since client #3 is a PC running WireGuard inside the server’s LAN the configuration will slightly differ compared to other clients. Follow these steps:
 +
*Enter the peer’s '''name''' (for example, client3) and press '''Add'''
 +
*Set the peer's '''Public Key'''. To find it go to the WireGuard software inside the PC. In the '''Interface section below''' the '''Status''' indicator, you will find the public key
 +
*Set the '''Endpoint host''' to the server’s public IP
 +
*In the '''Allowed IPs''' parameter add IP addresses and networks you can want to access. In this example, we will only add the client's WireGuard interface’s IP. We will not add its LAN network because client 3 is already inside the server’s LAN
 +
*Enable '''Route allowed IPs'''
 +
*Press [[File:Save apply button.png]]
  
Ping LAN to LAN
+
The final results could look like this:<br>
 +
[[File:Wireguard server to client all peers v2.png|border|class=tlt-border]]
  
[[File:WireGuard_Server_Test.png]]
+
==Additional Server configuration==
 +
After completing the previous steps, now we will need to configure the server’s firewall to allow Peer-to-Peer communication. Follow these steps, to do that:
 +
*Connect to the server’s WebUI
 +
*Go to '''Network → Firewall → General settings'''
 +
*Press '''Add''' to create a new zone
 +
*Set '''input, output''', and '''forward''' to Accept
 +
*Set '''Covered networks''' to the server’s WireGuard interface
 +
*Set '''Allow forward to destination zones''' and '''Allow forward from source zones''' to WireGuard
 +
The configuration could look like this:<br>
 +
[[File:Firewall_for_wireguard.png|border|class=tlt-border]]
  
Ping PC Client to Client 1
+
==Testing the configuration==
 +
Once you have finished the configuration, you can test it by checking if all the peers performed a handshake and if they can reach each other in the VPN network.
 +
===Checking for WireGuard handshakes===
 +
Connect to the server’s CLI and type
 +
wg show
 +
You will see the interface's and its peers' information. In the peer information section look for the latest handshake (a line below allowed IPs). If you can see “latest handshake” it means the peer made a connection to the server.
 +
This is an example of how the command’s output could look like:<br>
 +
[[File:WG show output v1.png|border|class=tlt-border]]
  
[[File:Client_to_Client_Test.png]]
+
===Checking the connectivity between the peers===
 +
Access client’s #3 (PC running WireGuard software) CLI. Then try to ping the client’s #1 and client’s #2 LAN networks. The test will be successful if you will see the same amount of transmitted and received packets.
 +
This is an example of how successful pings could look like:
 +
Pinging 192.168.1.1 with 32 bytes of data:
 +
Reply from 192.168.1.1: bytes=32 time=119ms TTL=63
 +
Reply from 192.168.1.1: bytes=32 time=127ms TTL=63
 +
 +
Ping statistics for 192.168.1.1:
 +
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 +
Approximate round trip times in milli-seconds:
 +
    Minimum = 119ms, Maximum = 127ms, Average = 123ms
 +
 +
Pinging 192.168.6.1 with 32 bytes of data:
 +
Reply from 192.168.6.1: bytes=32 time=78ms TTL=63
 +
Reply from 192.168.6.1: bytes=32 time=226ms TTL=63
 +
 +
Ping statistics for 192.168.6.1:
 +
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 +
Approximate round trip times in milli-seconds:
 +
    Minimum = 78ms, Maximum = 226ms, Average = 152ms

Revision as of 14:59, 6 November 2023

Main Page > General Information > Configuration Examples > VPN > Wireguard Peer To Peer Configuration example

Introduction

WireGuard is a simple, fast, lean, and modern VPN that utilizes secure and trusted cryptography. This example covers Peer-to-Peer configuration and LAN-to-LAN connectivity using WireGuard VPN.

Note: If you do not see WireGuard in Services → VPN. Go to System → Package Manager → Packages page and install it from there.

Prerequisites

For this example, you will need:

  • Three RUTOS devices with different LAN networks
  • One RUTOS device will need to have a Public IP address
  • An end device with the ability to install, set up WireGuard client, and configure RUTOS devices
  • WebUI switched into Advanced mode

WireGuard instance creation

To create a WireGuard interface follow these steps:

  • Connect to WebUI
  • Go to Services → VPN → Wireguard
  • Enter the interface’s name and press Add

Add wireguard instance.png

WireGuard instance general configuration

In this example, each interface’s general settings will be similar for all RUTOS devices. The difference will be in the assigned IP address. To set up the general configuration, follow these steps:

  • When you have pressed Networking rutx manual edit button v1.png go to the General Setup section
  • Enable the interface
  • Press Networking rutx manual generate button v1.png
  • Take note of the device’s public key
  • Set an IP address. For the server set 10.0.0.1/24. For the clients set the IP to 10.0.0.2/24 and higher. For example, client #1 – IP 10.0.0.2/24, client #2 – IP 10.0.0.3/24, and so on

Below is an example of the server’s WireGuard interface:
File:WG server interface.png

Peers Configuration

Next, we will add WireGuard peers. Go to each device's WireGuard interface and go to the Peers section (below the interface’s general/advanced settings).

Client 1 configuration

To create client #1 to server/peer configuration, follow these steps:

  • Enter the instance’s name (for example, server) and press Add
  • As Public Key set the server’s public key. To find it go to the server’s WireGuard interface settings. There you will find the public key
  • As Endpoint host set the server’s public IP
  • In the Allowed IPs add IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network
  • Additionally, you can write the peer’s description
  • Enable Route allowed IPs
  • Press Save apply button.png

The configuration could look like this:
Wireguard client1 to server peer v2.png

Client 2 configuration

To create client #2 to server/peer configuration, follow these steps:

  • Enter the instance’s name (for example, server) and press Add
  • As Public Key set the server’s public key. To find it go to the server’s WireGuard interface settings. There you will find the public key
  • As Endpoint host set the server’s public IP
  • In the Allowed IPs add IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network
  • Additionally, you can write the peer’s description
  • Enable Route allowed IPs
  • Press Save apply button.png

The configuration could look like this:
Wireguard client2 to server peer v2.png

Client 3 configuration

Firstly, ensure that you have downloaded and installed WireGuard client (https://www.wireguard.com/install/) for your PC. To create client #3 to server/peer configuration, follow these steps:

  • Launch the WireGuard software
  • At the bottom of the left corner select Add Tunnel → Add empty tunnel…
  • In the configuration window add these settings:
Address = 10.0.0.4/32
DNS = 8.8.8.8

[Peer]
PublicKey = Server’s public key
AllowedIPs = IP addresses and networks you can want to access. In this example, we will add the VPN network and each peer’s LAN network.
Endpoint = Server’s IP with WireGuard port. In this example, client 3 is inside the server’s LAN network.

The configuration could look like this:

[Interface]
PrivateKey = wireguard-private-key
Address = 10.0.0.4/24
DNS = 8.8.8.8

[Peer]
PublicKey = 2JIBoK+Bxe7MJzX9zV+lFjqHxLTvehLp3piEROaNJjw=
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, 192.168.6.1/24
Endpoint = 192.168.9.1:51820

Note: do not forget to press Activate to connect client #3 (WireGuard client software) to the server.

Server configuration

Peer 1 configuration

Follow the steps below to configure settings for client #1:

  • Enter the peer’s name (for example, client1) and press Add
  • Set the peer's Public Key. To find it go to the client’s WireGuard interface general settings. There you will find the public key
  • In the Allowed IPs add IP addresses and networks you can want to access. In this example, we will add client #1 WireGuard interface’s IP and its LAN network address
  • Enable Route allowed IPs
  • Press Save apply button.png

The configuration could look like this:
Wireguard server to client peer v1.png

Peer 2 configuration

For client #2 the steps are the same. Remember that the public key will be different and the allowed IPs list will slightly differ compared to client 1 peer configuration.

Peer 3 configuration

Since client #3 is a PC running WireGuard inside the server’s LAN the configuration will slightly differ compared to other clients. Follow these steps:

  • Enter the peer’s name (for example, client3) and press Add
  • Set the peer's Public Key. To find it go to the WireGuard software inside the PC. In the Interface section below the Status indicator, you will find the public key
  • Set the Endpoint host to the server’s public IP
  • In the Allowed IPs parameter add IP addresses and networks you can want to access. In this example, we will only add the client's WireGuard interface’s IP. We will not add its LAN network because client 3 is already inside the server’s LAN
  • Enable Route allowed IPs
  • Press Save apply button.png

The final results could look like this:
Wireguard server to client all peers v2.png

Additional Server configuration

After completing the previous steps, now we will need to configure the server’s firewall to allow Peer-to-Peer communication. Follow these steps, to do that:

  • Connect to the server’s WebUI
  • Go to Network → Firewall → General settings
  • Press Add to create a new zone
  • Set input, output, and forward to Accept
  • Set Covered networks to the server’s WireGuard interface
  • Set Allow forward to destination zones and Allow forward from source zones to WireGuard

The configuration could look like this:
Firewall for wireguard.png

Testing the configuration

Once you have finished the configuration, you can test it by checking if all the peers performed a handshake and if they can reach each other in the VPN network.

Checking for WireGuard handshakes

Connect to the server’s CLI and type 

wg show

You will see the interface's and its peers' information. In the peer information section look for the latest handshake (a line below allowed IPs). If you can see “latest handshake” it means the peer made a connection to the server. This is an example of how the command’s output could look like:
File:WG show output v1.png

Checking the connectivity between the peers

Access client’s #3 (PC running WireGuard software) CLI. Then try to ping the client’s #1 and client’s #2 LAN networks. The test will be successful if you will see the same amount of transmitted and received packets. This is an example of how successful pings could look like: 

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=119ms TTL=63
Reply from 192.168.1.1: bytes=32 time=127ms TTL=63

Ping statistics for 192.168.1.1:
   Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 119ms, Maximum = 127ms, Average = 123ms

Pinging 192.168.6.1 with 32 bytes of data:
Reply from 192.168.6.1: bytes=32 time=78ms TTL=63
Reply from 192.168.6.1: bytes=32 time=226ms TTL=63

Ping statistics for 192.168.6.1:
   Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 78ms, Maximum = 226ms, Average = 152ms
Retrieved from "https://wiki.teltonika-networks.com/index.php?title=Wireguard_Peer_To_Peer_Configuration_example&oldid=115867"