Introduction
This tutorial shows how to connect clients to a site through a WireGuard gateway ("gate"). This is useful when the site is behind a NAT, or behind a firewall that blocks incoming connections: both the clients and the site router only ever make outbound connections to the gate.
- networks
  - 10.1.0.0/24 — for point-to-point connections from clients to gate
    - 10.1.0.1/32 gate
    - 10.1.0.2/32 client A
    - 10.1.0.3/32 client B
  - 10.1.1.0/32 — for the point-to-point connection from gate to site router
    - 10.1.1.1/32 gate
    - 10.1.1.2/32 site router
  - 10.2.0.0/24 — for the site network that should be accessed
- all machines run Ubuntu 22.04 minimal with WireGuard installed
Generate all your keys
- on client A
root@clientA:/etc/wireguard# wg genkey | (umask 0077; tee clientA.key) | wg pubkey > clientA.pub   # private key is written 0600, public key derived in the same pipeline
root@clientA:/etc/wireguard# (umask 0077; wg genpsk > gate-clientA.psk)   # the PSK is a secret too: same 0600 treatment
- on client B
root@clientB:/etc/wireguard# wg genkey | (umask 0077; tee clientB.key) | wg pubkey > clientB.pub   # private key is written 0600, public key derived in the same pipeline
root@clientB:/etc/wireguard# (umask 0077; wg genpsk > gate-clientB.psk)   # the PSK is a secret too: same 0600 treatment
- on gate
root@gate:/etc/wireguard# wg genkey | (umask 0077; tee gate.key) | wg pubkey > gate.pub   # one pipeline: private key written 0600, public key derived from it
- on site router
root@site:/etc/wireguard# wg genkey | (umask 0077; tee site.key) | wg pubkey > site.pub   # private key is written 0600, public key derived in the same pipeline
root@site:/etc/wireguard# (umask 0077; wg genpsk > gate-site.psk)   # the PSK is a secret too: same 0600 treatment
Distribute keys
- on client A
root@clientA:/etc/wireguard# printf '%s\n' 'GATE_PUB_KEY' > gate.pub   # paste the content of gate.pub from the gate; public, no special permissions needed
- on client B
root@clientB:/etc/wireguard# printf '%s\n' 'GATE_PUB_KEY' > gate.pub   # paste the content of gate.pub from the gate; public, no special permissions needed
- on gate
root@gate:/etc/wireguard# echo 'CLIENTA_PUB_KEY' > clientA.pub
root@gate:/etc/wireguard# echo 'GATE_CLIENTA_PSK' > gate-clientA.psk
root@gate:/etc/wireguard# echo 'CLIENTB_PUB_KEY' > clientB.pub
root@gate:/etc/wireguard# echo 'GATE_CLIENTB_PSK' > gate-clientB.psk
root@gate:/etc/wireguard# echo 'SITE_PUB_KEY' > site.pub
root@gate:/etc/wireguard# echo 'GATE_SITE_PSK' > gate-site.psk
- on site router
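root@site:/etc/wireguard# echo 'GATE_PUB_KEY' > gate.pub   # on the site router (prompt corrected): paste the content of gate.pub from the gate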
Write configs
- on client A
root@clientA:/etc/wireguard# export GATE_EXT_IP='GATE_EXT_IP'   # public address of the gate, expanded into the Endpoint line below
root@clientA:/etc/wireguard# umask 0077; cat > wg0.conf <<EOF
[Interface]
Address = 10.1.0.2
PrivateKey = $(< clientA.key)
[Peer]
PublicKey = $(< gate.pub)
PresharedKey = $(< gate-clientA.psk)
Endpoint = ${GATE_EXT_IP}:51820
AllowedIPs = 10.1.0.1/32, 10.1.1.1/32, 10.1.1.2/32, 10.2.0.0/24
PersistentKeepalive = 25
EOF
- on client B
root@clientB:/etc/wireguard# GATE_EXT_IP='GATE_EXT_IP'   # public address of the gate, expanded into the Endpoint line below
root@clientB:/etc/wireguard# umask 0077; cat > wg0.conf <<EOF
[Interface]
Address = 10.1.0.3
PrivateKey = $(< clientB.key)
[Peer]
PublicKey = $(< gate.pub)
PresharedKey = $(< gate-clientB.psk)
Endpoint = ${GATE_EXT_IP}:51820
AllowedIPs = 10.1.0.1/32, 10.1.1.1/32, 10.1.1.2/32, 10.2.0.0/24
PersistentKeepalive = 25
EOF
- on gate
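root@gate:/etc/wireguard# umask 0077; cat <<EOF > wg0.conf   # wg0: the client-facing side; one [Peer] per client, each limited to its own /32
[Interface]
Address = 10.1.0.1
ListenPort = 51820
PrivateKey = $(cat gate.key)
[Peer] # Client A
PublicKey = $(cat clientA.pub)
PresharedKey = $(cat gate-clientA.psk)
AllowedIPs = 10.1.0.2/32
[Peer] # Client B
PublicKey = $(cat clientB.pub)
PresharedKey = $(cat gate-clientB.psk)
AllowedIPs = 10.1.0.3/32
EOF
root@gate:/etc/wireguard# umask 0077; cat <<EOF > wg1.conf   # wg1: the site-facing side; the site LAN is routed through this peer
[Interface]
Address = 10.1.1.1
ListenPort = 51821
PrivateKey = $(cat gate.key)
[Peer] # site router
PublicKey = $(cat site.pub)
PresharedKey = $(cat gate-site.psk)
AllowedIPs = 10.1.1.2/32, 10.2.0.0/24
EOF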
- on site router
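root@site:/etc/wireguard# export GATE_EXT_IP='GATE_EXT_IP'   # public address of the gate, expanded into the Endpoint line below
root@site:/etc/wireguard# umask 0077; cat <<EOF > wg1.conf   # on the site router (prompt corrected); only the gate's wg1 address is reachable through this tunnel
[Interface]
Address = 10.1.1.2
PrivateKey = $(cat site.key)
[Peer]
PublicKey = $(cat gate.pub)
PresharedKey = $(cat gate-site.psk)
Endpoint = $GATE_EXT_IP:51821
AllowedIPs = 10.1.1.1/32
PersistentKeepalive = 25
EOF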
Start tunnels
- on gate
root@gate:/etc/wireguard# iptables -F
root@gate:/etc/wireguard# wg-quick up wg0
root@gate:/etc/wireguard# wg-quick up wg1
- on client A
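root@clientA:/etc/wireguard# wg-quick up wg0   # the tool is wg-quick (typo fixed)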
- on client B
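root@clientB:/etc/wireguard# wg-quick up wg0   # the tool is wg-quick (typo fixed)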
- on site router
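root@site:/etc/wireguard# wg-quick up wg1   # the tool is wg-quick (typo fixed)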
Configure routing
- on gate
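root@gate:~# sed -i 's/^.*net.ipv4.ip_forward=.*$/net.ipv4.ip_forward=1/g' /etc/sysctl.conf   # makes the setting persistent; it is not read until reboot
root@gate:~# sysctl -w net.ipv4.ip_forward=1   # apply it now, otherwise nothing is forwarded until the next reboot
root@gate:~# iptables -A FORWARD -i wg0 -o wg1 -j ACCEPT   # clients -> site; these ACCEPT rules only restrict anything once the FORWARD policy is DROP
root@gate:~# iptables -A FORWARD -i wg1 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # site -> clients only as replies
root@gate:~# iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE   # the site only ever sees 10.1.1.1, which is why its AllowedIPs is that single /32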
- on site router
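root@site:~# export IF_INT='IF_INT'   # name of the interface on the 10.2.0.0/24 site network
root@site:~# sed -i 's/^.*net.ipv4.ip_forward=.*$/net.ipv4.ip_forward=1/g' /etc/sysctl.conf   # makes the setting persistent; it is not read until reboot
root@site:~# sysctl -w net.ipv4.ip_forward=1   # apply it now, otherwise nothing is forwarded until the next reboot
root@site:~# iptables -A FORWARD -i wg1 -o "$IF_INT" -j ACCEPT   # tunnel -> site LAN; only restrictive once the FORWARD policy is DROP
root@site:~# iptables -A FORWARD -i "$IF_INT" -o wg1 -m state --state ESTABLISHED,RELATED -j ACCEPT   # site LAN -> tunnel only as replies
root@site:~# iptables -t nat -A POSTROUTING -o "$IF_INT" -j MASQUERADE   # LAN hosts see the router's address, so they need no route back to 10.1.x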
Make routing persistent
- install
iptables-persistent
- on gate and site
root@gate:~# mkdir -vp /etc/iptables && iptables-save > /etc/iptables/rules.v4   # same on the site router; snapshot of the current rules, the path iptables-persistent restores from
- add as cronjob with
crontab -e
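@reboot iptables-restore < /etc/iptables/rules.v4   # iptables itself does not read a rules file; iptables-restore does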