Create a site-to-site WireGuard VPN between a cloud host (WAN) and an on-premises host (LAN), both Ubuntu 22.04

  • Create an Ubuntu 22.04 cloud server with a public IP (WAN) -- any provider (DigitalOcean, Linode, ...) works.
  • Create an Ubuntu 22.04 server inside the private network (LAN). It initiates the tunnel outbound to the WAN host, so it needs no inbound port opened.
---Replace the following placeholders wherever they appear---
<WAN_PUBLIC_IP>        public IPv4 address of the cloud host
<WAN_PRIVATE_KEY>      stays on the WAN host only (its wg0.conf); never copy it anywhere else
<WAN_PUBLIC_KEY>       goes into the LAN host's [Peer] section
<LAN_PRIVATE_KEY>      stays on the LAN host only (its wg0.conf); never copy it anywhere else
<LAN_PUBLIC_KEY>       goes into the WAN host's [Peer] section
<LAN_SUBNET>           the on-premises network in CIDR form (e.g. 192.168.1.0/24); AllowedIPs requires CIDR
<LAN_DNS_SERVER1..3>   resolvers inside <LAN_SUBNET> that the WAN host should use (used in the WAN config's DNS= line)

Also, adjust the interface name in the 'PostUp' and 'PostDown' rules for each host: it is the uplink interface on the WAN host (eth0 here) and the LAN-facing interface on the LAN host (ens3 here). `ip -br link` or `ip route show default` shows the right name.

##########################

  1. Update packages on WAN and LAN hosts and reboot
# sudo apt update; sudo apt upgrade -y
# sudo update-grub2; sudo update-initramfs -u -k all
# reboot
  1. Install WireGuard on both the WAN and LAN hosts
root@wan:~# apt install wireguard resolvconf ## installed resolvconf so i can use wireguard DNS config to resolve domains using my LAN DNS Server
root@lan:~# apt install wireguard
  1. Generate a private key and public key for WAN
  root@wan:~# wg genkey
  <WAN_PRIVATE_KEY>
  root@wan:~# echo "<WAN_PRIVATE_KEY>" | wg pubkey
  <WAN_PUBLIC_KEY>
  1. Generate a private key and public key for LAN
root@lan:~# wg genkey
<LAN_PRIVATE_KEY>
root@lan:~# echo "<LAN_PRIVATE_KEY>" | wg pubkey
<LAN_PUBLIC_KEY>
  1. Create the config on WAN (the WAN host's own private key goes under [Interface]; the LAN host's public key goes under [Peer])
root@wan:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ListenPort = 51820
PrivateKey = <WAN_PRIVATE_KEY>
DNS = <LAN_DNS_SERVER1>,<LAN_DNS_SERVER2>,<LAN_DNS_SERVER3>

[Peer]
PublicKey = <LAN_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32, <LAN_SUBNET>
PersistentKeepalive = 25
  1. Create the config on LAN (the LAN host's own private key goes under [Interface]; the WAN host's public key goes under [Peer])
root@lan:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.3/32
PrivateKey = <LAN_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; iptables -A INPUT -s <LAN_SUBNET> -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; iptables -D INPUT -s <LAN_SUBNET> -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

[Peer]
PublicKey = <WAN_PUBLIC_KEY>
Endpoint = <WAN_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.1/24
PersistentKeepalive = 25
  1. Enable IP forwarding (plus optional tuning) with sysctl on both WAN and LAN
# cat << EOF >> /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

#kernel tuning for wireguard
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_no_metrics_save = 0
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF

# sysctl -p
  1. Bring up the tunnel on WAN and enable it at boot
root@wan:~# wg-quick up wg0
root@wan:~# wg show
root@wan:~# systemctl enable wg-quick@wg0
  1. Bring up the tunnel on LAN, enable it at boot, then verify the handshake
root@lan:~# wg-quick up wg0
root@lan:~# wg show
root@lan:~# systemctl enable wg-quick@wg0