@cbluth
Last active October 19, 2020 05:51
Wireguard Setup
# PEER 1: wg0 configuration on peer 1
[Interface]
Address = 172.16.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE
ListenPort = 51820
PrivateKey = <redacted>
# PEER 2
[Peer]
PublicKey = k2pYq8YG1J6DzxE7PdQ1EjidiZayOTbAH7o85tNtORk=
AllowedIPs = 192.168.2.0/24, 172.16.1.2/32
Endpoint = peer2.example.com:51820
PersistentKeepalive = 20
# PEER 3
[Peer]
PublicKey = Y4BSlYdgtit7+Tl+3qlgCs5W3HODGfnC/CDQ8mjbOy8=
AllowedIPs = 192.168.3.0/24, 172.16.1.3/32
Endpoint = peer3.example.com:51820
PersistentKeepalive = 20

# PEER 2: wg0 configuration on peer 2
[Interface]
Address = 172.16.1.2/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE
ListenPort = 51820
PrivateKey = <redacted>
# PEER 1
[Peer]
PublicKey = OuRuavuj4ePwbOco29e1lBy+TsM5y+PXqO8h87BapjI=
AllowedIPs = 192.168.1.0/24, 172.16.1.1/32
Endpoint = peer1.example.com:51820
PersistentKeepalive = 20
# PEER 3
[Peer]
PublicKey = Y4BSlYdgtit7+Tl+3qlgCs5W3HODGfnC/CDQ8mjbOy8=
AllowedIPs = 192.168.3.0/24, 172.16.1.3/32
Endpoint = peer3.example.com:51820
PersistentKeepalive = 20
@panda1100

panda1100 commented Oct 15, 2020

Dear @cbluth,

Sorry to bother you about your 2-year-old problem.

Did you solve this problem?
https://lists.zx2c4.com/pipermail/wireguard/2018-August/003203.html

I met the same problem recently.
And a solution I found is using a bridge network instead of the default NAT (virtual bridge) network.
https://computingforgeeks.com/how-to-create-and-configure-bridge-networking-for-kvm-in-linux/

But this way, KVM virtual machines sit on the same subnet as the KVM host...
If you've found another way to solve this problem, please let me know.
Any inputs are truly appreciated.

Best,

@cbluth
Author

cbluth commented Oct 15, 2020

@panda1100

the solution looks something like this: https://github.com/Aigent/infra-example

important bits are:

  • set MTU value as 2800 in wireguard
  • configure libvirt network as open on each host
  • put libvirt network in allowedIPs of wireguard

@panda1100

panda1100 commented Oct 16, 2020

@cbluth

I'm grateful to you for your help.
This works pretty well on my test environment too 👍
(To let KVM guests access the Internet, I added static route settings to my home router.
Every KVM host is connected to that home router.)

I didn't change MTU to 2800 (I'm using the default value), and it seems to work fine, at least for now.
I'm using 1GigE wired network for test.

Is this MTU modification for performance tuning? (ex. using MTU 9000 on a 10GigE network)
Do you have any reference for this setting???

Oh my bad, sorry to bother you again.
I googled about MTU 2800, but I couldn't find helpful information.

@cbluth
Author

cbluth commented Oct 16, 2020

@panda1100

the value 2800 is just "copied" from what zerotier uses as an MTU value.
a value larger than 1528 is required so that the libvirt network's default value of 1500 can pass through the wireguard connection.

the purpose is so that packets from the libvirt guests don't get dropped.

@panda1100

@cbluth

Thank you for the input.

Test router connects to the Internet via PPPoE. And my ISP recommends 1454 for MTU.
The overhead of WireGuard is about 80 according to this page https://lists.zx2c4.com/pipermail/wireguard/2016-July/000314.html
So I decided to use 1374 for MTU (MTU for device wg0).
and I didn't change the MTU of the libvirt network.

My test environment looks like this:
(KVM host) Site A <--PPPoE (MTU=1454)--> The Internet <--PPPoE (MTU=1454)--> Site B (KVM host)

Site A <----Wireguard(MTU=1374)----> Site B

and I got around 500Mbps on Wireguard connection. (Site A's Internet bandwidth is around 600Mbps)
I use iperf3 for measurement.
From Site A:
iperf3 -c SITE_B_IP -f m -w 64K -P 128 --omit 1 --time 10 --reverse

Thank you again for your help!

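The MTU arithmetic behind the two comments above (cbluth's "larger than 1528" so that 1500-byte guest packets are not dropped, and panda1100's 1454 minus roughly 80 giving 1374), as an added example that is not code from the gist or from WireGuard. The header sizes are WireGuard's transport-data message layout plus the outer IP and UDP headers; the MTU values are the ones quoted in the thread, and nothing here touches a live interface.

```python
"""MTU arithmetic for a WireGuard tunnel (added example, not from the gist).

Header sizes are WireGuard's transport-data layout (4-byte type/reserved,
4-byte receiver index, 8-byte counter, 16-byte Poly1305 tag) plus the outer
IP and UDP headers. The sample MTU values below are the ones quoted in the
thread; nothing here reads a live interface.
"""

IP_HEADER = {4: 20, 6: 40}   # outer IPv4 / IPv6 header without options
UDP_HEADER = 8
WG_DATA_HEADER = 4 + 4 + 8   # message type, receiver index, nonce counter
WG_AUTH_TAG = 16             # ChaCha20-Poly1305 authentication tag


def wg_overhead(outer_ip: int = 4) -> int:
    """Bytes added around one inner packet: 60 for IPv4, 80 for IPv6."""
    return IP_HEADER[outer_ip] + UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG


def max_inner_mtu(path_mtu: int, outer_ip: int = 4) -> int:
    """Largest wg0 MTU whose full-size packets cross the path unfragmented."""
    return path_mtu - wg_overhead(outer_ip)


def fits(path_mtu: int, inner_len: int, outer_ip: int = 4) -> bool:
    """True if an inner packet of inner_len bytes leaves as one outer datagram."""
    return inner_len + wg_overhead(outer_ip) <= path_mtu


def outer_fragments(path_mtu: int, inner_len: int) -> int:
    """Outer IPv4 fragments one inner packet becomes (1 means no fragmentation).

    The Linux implementation sends the outer UDP datagram without DF, so an
    oversize datagram is split by IP rather than dropped; each fragment's
    payload is a multiple of 8 bytes and fits the path MTU after its header.
    """
    payload = UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG + inner_len
    per_fragment = (path_mtu - IP_HEADER[4]) // 8 * 8
    return -(-payload // per_fragment)  # ceiling division


if __name__ == "__main__":
    # Site A <--PPPoE 1454--> Site B with wg0 MTU 1374, as in the thread.
    print("1374 over a 1454 path, IPv4 fits:", fits(1454, 1374, 4))
    print("1374 over a 1454 path, IPv6 fits:", fits(1454, 1374, 6))
    # 1500-byte guest frames through a wg0 with MTU 2800 on a 1500-byte path.
    print("1500-byte inner packet over a 1500 path fragments into:",
          outer_fragments(1500, 1500))
```

The 80-byte figure from the mailing list is the IPv6 worst case; over IPv4 the per-packet cost is 60 bytes, and a wg0 MTU above the path MTU trades dropped guest packets for outer IP fragmentation.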