@lrvl
Forked from albertcard/Wireguard Site2Site.md
Created June 26, 2020 10:31
##########################
## Create Site2Site VPN ##
##########################
-Create Ubuntu 20.04 Cloud Server (WAN) -- I use Rackspace Cloud Servers
-Create Ubuntu 20.04 Internal Server (LAN)
---Replace the following where necessary---
<WAN_PUBLIC_IP>
<WAN_PRIVATE_KEY>
<WAN_PUBLIC_KEY>
<LAN_PRIVATE_KEY>
<LAN_PUBLIC_KEY>
<LAN_SUBNET>
<LAN_DNS_SERVER1>, <LAN_DNS_SERVER2>, <LAN_DNS_SERVER3> (the DNS line in the WAN config)
Also, make sure the interface names in the 'PostUp' and 'PostDown' rules (the '-o' argument) match each of your servers. My WAN had 'eth0'. My LAN had 'ens3'.
##########################
1) Install latest Kernel 5.6 (with Wireguard modules built-in) on WAN and LAN hosts and reboot
# apt install linux-headers-5.6.0-1011-oem linux-image-5.6.0-1011-oem linux-modules-5.6.0-1011-oem linux-tools-5.6.0-1011-oem fdutils
# reboot
2) Install wireguard on both WAN and LAN hosts
root@wan:~# apt install wireguard resolvconf ## installed resolvconf so I can use the WireGuard DNS config to resolve domains using my LAN DNS server
root@lan:~# apt install wireguard
3) Generate a private key and public key for WAN
root@wan:~# wg genkey
<WAN_PRIVATE_KEY>
root@wan:~# echo "<WAN_PRIVATE_KEY>" | wg pubkey
<WAN_PUBLIC_KEY>
4) Generate a private key and public key for LAN
root@lan:~# wg genkey
<LAN_PRIVATE_KEY>
root@lan:~# echo "<LAN_PRIVATE_KEY>" | wg pubkey
<LAN_PUBLIC_KEY>
5) Create the config on WAN (make sure you use the LAN public key under [Peer])
root@wan:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ListenPort = 51820
PrivateKey = <WAN_PRIVATE_KEY>
DNS = <LAN_DNS_SERVER1>,<LAN_DNS_SERVER2>,<LAN_DNS_SERVER3>
[Peer]
PublicKey = <LAN_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32, <LAN_SUBNET>
PersistentKeepalive = 25
6) Create the config on LAN (make sure you use the WAN public key under [Peer])
root@lan:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.3/32
PrivateKey = <LAN_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; iptables -A INPUT -s <LAN_SUBNET> -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; iptables -D INPUT -s <LAN_SUBNET> -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
[Peer]
PublicKey = <WAN_PUBLIC_KEY>
Endpoint = <WAN_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.1/24
PersistentKeepalive = 25
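Before bringing the tunnel up it is worth cross-checking the two files against each other: WireGuard's cryptokey routing only sends packets to (and accepts packets from) the peer whose AllowedIPs cover the address in question, so the WAN side's Address must fall inside the LAN peer's AllowedIPs and vice versa, and a PostUp rule without a matching PostDown rule leaves FORWARD/NAT rules behind after `wg-quick down`. The Python script below is an added example, not part of the gist: it parses the two configs from steps 5 and 6 with the placeholders filled in by constructed values (dummy key strings, 192.168.50.0/24 standing in for <LAN_SUBNET>, 203.0.113.10 for <WAN_PUBLIC_IP>, IPv4 rules only) and reports the mismatches it finds.

```python
"""Static cross-check of a WireGuard site-to-site config pair (added example)."""
import ipaddress
import re

# Constructed sample configs: the guide's WAN and LAN wg0.conf with placeholders
# replaced by made-up values. Keys are dummy strings, not real WireGuard keys.
WAN_CONF = """\
[Interface]
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D INPUT -s 10.8.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ListenPort = 51820
PrivateKey = WAN_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = LAN_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24
PersistentKeepalive = 25
"""

LAN_CONF = """\
[Interface]
Address = 10.8.0.3/32
PrivateKey = LAN_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey = WAN_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.1/24
PersistentKeepalive = 25
"""

# Deliberately broken LAN config: AllowedIPs copied from its own Address (a common
# slip) and a PostDown that forgets to remove the NAT rule.
BROKEN_LAN_CONF = LAN_CONF.replace(
    "AllowedIPs = 10.8.0.1/24", "AllowedIPs = 10.8.0.3/32"
).replace("; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE", "")


def parse_wg_conf(text):
    """Parse a wg-quick config into (interface_dict, [peer_dict, ...]).

    Keys are lower-cased; values stay as strings; '#' comment lines are skipped.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            name = section.group(1).lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section.group(1)}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def allowed_networks(peer):
    """'10.8.0.3/32, 192.168.50.0/24' -> list of networks (host bits tolerated)."""
    raw = peer.get("allowedips", "")
    return [ipaddress.ip_network(v.strip(), strict=False) for v in raw.split(",") if v.strip()]


def address_routed_by_peer(peer, address_value):
    """True if the other side's interface Address lies inside this peer's AllowedIPs."""
    ip = ipaddress.ip_interface(address_value.split(",")[0].strip()).ip
    return any(ip in net for net in allowed_networks(peer))


def postup_postdown_findings(interface):
    """Every '-A' rule in PostUp needs the same rule with '-D' in PostDown."""
    up = [r.strip() for r in interface.get("postup", "").split(";") if r.strip()]
    down = {r.strip() for r in interface.get("postdown", "").split(";") if r.strip()}
    return [f"PostUp rule has no PostDown counterpart: {rule}"
            for rule in up if " -A " in rule and rule.replace(" -A ", " -D ", 1) not in down]


def check_pair(wan_text, lan_text):
    """Cross-check both ends of the tunnel; an empty list means consistent."""
    wan_if, wan_peers = parse_wg_conf(wan_text)
    lan_if, lan_peers = parse_wg_conf(lan_text)
    if len(wan_peers) != 1 or len(lan_peers) != 1:
        return ["expected exactly one [Peer] on each side for a site-to-site pair"]
    wan_peer, lan_peer = wan_peers[0], lan_peers[0]
    findings = []
    # Cryptokey routing: each tunnel address must be covered by the other side's AllowedIPs.
    if not address_routed_by_peer(wan_peer, lan_if["address"]):
        findings.append(f"WAN [Peer] AllowedIPs do not cover the LAN tunnel address {lan_if['address']}")
    if not address_routed_by_peer(lan_peer, wan_if["address"]):
        findings.append(f"LAN [Peer] AllowedIPs do not cover the WAN tunnel address {wan_if['address']}")
    # At least one side must know where to send the first handshake.
    if "endpoint" not in wan_peer and "endpoint" not in lan_peer:
        findings.append("neither side has an Endpoint; no handshake can be initiated")
    # The side without a fixed Endpoint is reached only via the NAT mapping the LAN side keeps open.
    if "endpoint" not in wan_peer and "persistentkeepalive" not in lan_peer:
        findings.append("LAN [Peer] lacks PersistentKeepalive; WAN->LAN traffic stalls once the NAT mapping expires")
    findings += ["WAN: " + f for f in postup_postdown_findings(wan_if)]
    findings += ["LAN: " + f for f in postup_postdown_findings(lan_if)]
    return findings


if __name__ == "__main__":
    for label, lan in (("guide configs", LAN_CONF), ("broken LAN config", BROKEN_LAN_CONF)):
        print(label + ":", check_pair(WAN_CONF, lan) or "consistent")
```

The checker deliberately reads AllowedIPs with `strict=False`, because `10.8.0.1/24` in the LAN config is how wg-quick writes it and the kernel treats it as `10.8.0.0/24`; the point of the check is the cryptokey-routing relation, not CIDR hygiene.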
7) Add to sysctl on both WAN and LAN
# cat << EOF >> /etc/sysctl.conf
# Enable packet forwarding for IPv4 (required on both hosts for the tunnel to route traffic)
net.ipv4.ip_forward=1
# Kernel tuning for WireGuard
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem=10240 87380 12582912
net.ipv4.tcp_wmem=10240 87380 12582912
net.core.netdev_max_backlog=5000
net.ipv4.tcp_no_metrics_save=0
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
# sysctl -p
8) Up the service on WAN
root@wan:~# wg-quick up wg0
root@wan:~# wg show
root@wan:~# systemctl enable wg-quick@wg0
9) Up the service on LAN
root@lan:~# wg-quick up wg0
root@lan:~# wg show
root@lan:~# systemctl enable wg-quick@wg0
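Once both ends are up, `wg show` is where you confirm the tunnel actually handshaked rather than merely came up. The script below is an added example, not from the gist: it parses the machine-readable `wg show wg0 dump` form and flags peers that never handshaked or whose last handshake is older than a threshold. The 180 s limit is this example's assumption (WireGuard initiates a fresh handshake once a session key is about two minutes old, provided traffic is flowing, which the guide's 25 s PersistentKeepalive guarantees), and the sample dump lines are constructed with placeholder keys and addresses. Note that the first line of `dump` output carries the interface's private key, so the parser discards it instead of passing it on to whatever logs the result.

```python
"""Health check over `wg show <iface> dump` output (added example, not from the gist)."""
import sys
import time


def parse_dump(text):
    """Parse `wg show <iface> dump` into (interface_dict, [peer_dict, ...]).

    Line 1 (tab-separated): private-key, public-key, listen-port, fwmark.
    Each further line: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake (unix seconds, 0 = never), transfer-rx, transfer-tx,
    persistent-keepalive. The private key is dropped on purpose.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty dump output")
    head = lines[0].split("\t")
    if len(head) != 4:
        raise ValueError(f"unexpected interface line: {lines[0]!r}")
    interface = {"public_key": head[1], "listen_port": int(head[2]), "fwmark": head[3]}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return interface, peers


def peer_state(peer, now, max_age):
    """'never' (no handshake at all), 'stale' (older than max_age) or 'ok'."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "ok" if now - peer["latest_handshake"] <= max_age else "stale"


def tunnel_findings(dump_text, now=None, max_age=180):
    """Return a list of problems; empty means every peer has a recent handshake.

    max_age is an assumption of this example: with keepalives flowing, a handshake
    older than about three minutes means the peer is no longer reachable.
    """
    now = time.time() if now is None else now
    _, peers = parse_dump(dump_text)
    findings = []
    if not peers:
        findings.append("interface has no peers configured")
    for peer in peers:
        label = peer["public_key"][:10]
        state = peer_state(peer, now, max_age)
        if state == "never":
            findings.append(f"peer {label}: no handshake yet; check the Endpoint, that the UDP "
                            "port is reachable, and that each side holds the other's public key")
        elif state == "stale":
            age = int(now - peer["latest_handshake"])
            findings.append(f"peer {label}: stale handshake, {age}s old (limit {max_age}s)")
    return findings


def sample_dump(handshake_ts):
    """Constructed `wg show wg0 dump` output as the WAN host would print it with one LAN
    peer; keys, endpoint and subnet are placeholders, not real values."""
    return (
        "WAN_PRIVATE_KEY_PLACEHOLDER\tWAN_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n"
        "LAN_PUBLIC_KEY_PLACEHOLDER\t(none)\t198.51.100.7:41194\t"
        f"10.8.0.3/32,192.168.50.0/24\t{handshake_ts}\t4096\t8192\t25\n"
    )


if __name__ == "__main__":
    # On the host:  wg show wg0 dump | python3 wg_health.py   (exit 1 on any finding)
    text = sys.stdin.read() if not sys.stdin.isatty() else sample_dump(int(time.time()) - 30)
    problems = tunnel_findings(text)
    for problem in problems:
        print("WARN", problem)
    sys.exit(1 if problems else 0)
```

Run it from cron or a monitoring agent on the WAN host; a non-zero exit is the signal that the LAN site has dropped off, which is usually noticed much later otherwise because `wg-quick@wg0` itself stays "active" regardless of whether any peer is reachable.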