Sometimes someone needs to link a few networks together, that were behind a CGNAT. And sometimes I make the terrible mistake of saying that something is definitely possible. This article is mostly intended for myself to document what I did.
Client Device
The setup had to have support for external devices like Smartphones and Laptops. These were just added as normal wireguard clients.
Site Bridge
Every Site gets a device that acts as a wireguard client and routes the vpn traffic for any device in the network. For this setup I used a few spare Raspberry PI 3/4. The subnets of the other sites were then added as static routes to the site’s router, so that the specific “bridge” could route traffic over wireguard.
- Set
PersistentKeepalive = 10in the Wireguard config - Set
net.ipv4.ip_forward=1in/etc/sysctl.conf - Create script in
/usr/bin/route_config.sh:
1
2
3
4
5
#!/bin/bash
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o REPLACE_WITH_YOUR_IF_NAME -j MASQUERADE
- Make script executable
1
sudo chmod +x /usr/bin/route_config.sh
- Create service in
/etc/systemd/system/route_config.service:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[Unit]
Description=Enable wireguard network forwarding
Wants=network.target
After=syslog.target network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/route_config.sh
Restart=no
KillMode=process
[Install]
WantedBy=multi-user.target
- Start the Service
1
sudo systemctl enable route_config
Reboot for good measure
Central Router
The central router can be any computer with a static public IP. For this I used a cheap VPS by ovhcloud. Install wireguard as usual and add clients as needed. Don’t forget to set PersistentKeepalive to a useful value. Every Site-Bridge should have allowed IPs set to a Wireguard-Network internal IP and the local range it is responsible for.