
Transparent site-to-site Routing with Wireguard

Sometimes someone needs to link a few networks together that sit behind CGNAT. And sometimes I make the terrible mistake of saying that something is definitely possible. This article is mostly intended for myself, to document what I did.

Client Device

The setup had to support external devices such as smartphones and laptops. These were simply added as normal WireGuard clients.

Site Bridge

Every site gets a device that acts as a WireGuard client and routes the VPN traffic for every device in that network. For this setup I used a few spare Raspberry Pi 3/4 boards. The subnets of the other sites are then added as static routes on each site's router, pointing at that site's "bridge", so the bridge can carry the traffic over WireGuard.

  • Set PersistentKeepalive = 10 in the WireGuard config
  • Set net.ipv4.ip_forward=1 in /etc/sysctl.conf
  • Create the script /usr/bin/route_config.sh:

```bash
#!/bin/bash
# Allow forwarded traffic into and out of the tunnel interface
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
# NAT traffic leaving over the tunnel and over the site's LAN interface
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o REPLACE_WITH_YOUR_IF_NAME -j MASQUERADE
```
  • Make the script executable:

```bash
sudo chmod +x /usr/bin/route_config.sh
```
  • Create the service /etc/systemd/system/route_config.service:

```ini
[Unit]
Description=Enable wireguard network forwarding

Wants=network.target
After=syslog.target network-online.target

[Service]
# The script runs once at boot and exits; it is not restarted
Type=simple
ExecStart=/usr/bin/route_config.sh
Restart=no
KillMode=process

[Install]
WantedBy=multi-user.target
```
  • Enable the service so it runs at boot:

```bash
sudo systemctl enable route_config
```

Reboot for good measure
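The following is an added example and not the post's own route_config.sh: it sets up the same forwarding and NAT on a site bridge, but scopes the FORWARD rules to the subnets the bridge actually serves instead of accepting everything that arrives on wg0, and checks each rule with `iptables -C` before appending it so that re-running the script or restarting the service does not stack duplicate rules. The interface names and subnets are assumed values for illustration; set LAN_IF, SITE_SUBNET and REMOTE_SUBNETS for your site.

```shell
#!/bin/sh
# Added example, not the original post's route_config.sh: the same forwarding
# and NAT setup, but (1) scoped to the subnets this bridge serves instead of
# accepting everything that arrives on wg0, and (2) idempotent, so a service
# restart does not stack duplicate rules. Interface names and subnets are
# assumed values for illustration.
WG_IF="${WG_IF:-wg0}"
LAN_IF="${LAN_IF:-eth0}"                        # the post's REPLACE_WITH_YOUR_IF_NAME
SITE_SUBNET="${SITE_SUBNET:-192.168.10.0/24}"   # LAN this bridge is responsible for
REMOTE_SUBNETS="${REMOTE_SUBNETS:-10.8.0.0/24 192.168.20.0/24 192.168.30.0/24}"  # WireGuard range + other sites
IPTABLES="${IPTABLES:-iptables}"                # overridable for dry runs and tests

# Print the rules this bridge needs, one per line as "<table> <chain> <args>".
fw_rules() {
    # Return traffic of flows that were already allowed
    echo "filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for remote in $REMOTE_SUBNETS; do
        # Only the known remote ranges may reach this LAN, and only this LAN may
        # send into the tunnel; everything else falls through to the FORWARD policy.
        echo "filter FORWARD -i $WG_IF -o $LAN_IF -s $remote -d $SITE_SUBNET -j ACCEPT"
        echo "filter FORWARD -i $LAN_IF -o $WG_IF -s $SITE_SUBNET -d $remote -j ACCEPT"
    done
    # Same two MASQUERADE legs as the post, the tunnel leg limited to our LAN
    echo "nat POSTROUTING -s $SITE_SUBNET -o $WG_IF -j MASQUERADE"
    echo "nat POSTROUTING -o $LAN_IF -j MASQUERADE"
}

# Append a rule only if iptables -C (check) reports it is not present yet.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# Apply every rule from fw_rules through ensure_rule.
apply_rules() {
    fw_rules | while read -r table chain args; do
        # shellcheck disable=SC2086  # args is split into iptables arguments on purpose
        ensure_rule "$table" "$chain" $args
    done
}

# Drop anything not explicitly allowed above instead of relying on the default policy.
set_forward_policy() {
    "$IPTABLES" -P FORWARD DROP
}

# Stand-alone use: ./route_config.sh --apply (as root, with LAN_IF/SITE_SUBNET set)
if [ "${1:-}" = "--apply" ]; then
    set_forward_policy
    apply_rules
fi
```

Because every rule goes through `ensure_rule`, the script can replace the post's version in the same systemd unit without any change to the unit file; a dry run is possible by setting `IPTABLES=echo`.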

Central Router

The central router can be any machine with a static public IP; for this I used a cheap VPS from ovhcloud. Install WireGuard as usual and add clients as needed. Don't forget to set PersistentKeepalive to a useful value. On the router, every site bridge's peer entry should have AllowedIPs set to the bridge's WireGuard-internal IP plus the local range it is responsible for; that is what makes the router send traffic for that range down the right tunnel.
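As an added example (not the post's configuration), the script below builds the router's [Peer] entries and each bridge's AllowedIPs from a single site table, and refuses the setup when two sites' subnets overlap, because WireGuard can route a given destination range to only one peer. The hub endpoint, keys, tunnel addresses and LAN subnets are placeholders and constructed sample data.

```shell
#!/bin/sh
# Added example, not the post's configuration: derives the router's [Peer]
# entries and each bridge's AllowedIPs from one site table, and refuses
# overlapping subnets, since a destination range can be routed to only one
# peer. Endpoint, keys and addresses are placeholders (constructed data).
HUB_ENDPOINT="${HUB_ENDPOINT:-hub.example.org:51820}"
HUB_PUBKEY="${HUB_PUBKEY:-HUB_PUBKEY_PLACEHOLDER}"
WG_NET="${WG_NET:-10.8.0.0/24}"    # WireGuard-internal range handed out to peers
KEEPALIVE=10                       # PersistentKeepalive, as in the post

# Site table: "name tunnel_ip lan_subnet pubkey", one site per line.
SITES="
siteA 10.8.0.2 192.168.10.0/24 PUBKEY_A_PLACEHOLDER
siteB 10.8.0.3 192.168.20.0/24 PUBKEY_B_PLACEHOLDER
"

# Dotted quad -> integer
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "first last" address of a CIDR as integers
cidr_range() {
    ip=${1%/*}; bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    base=$(( $(ip2int "$ip") & (4294967295 - (size - 1)) ))
    echo "$base $(( base + size - 1 ))"
}

# Returns 0 when the two CIDRs share at least one address
cidrs_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Check the WireGuard range and every site LAN pairwise; returns 1 on a collision.
check_sites() {
    pairs="hub:$WG_NET $(echo "$SITES" | awk 'NF { printf "%s:%s ", $1, $3 }')"
    for x in $pairs; do
        for y in $pairs; do
            if [ "${x%%:*}" != "${y%%:*}" ] && cidrs_overlap "${x#*:}" "${y#*:}"; then
                echo "overlap: $x and $y" >&2
                return 1
            fi
        done
    done
    return 0
}

# Router side: one [Peer] per bridge. AllowedIPs carries the bridge's tunnel
# address plus the LAN it serves, so the router sends that LAN's traffic down
# that tunnel (WireGuard's cryptokey routing).
hub_peers() {
    echo "$SITES" | awk -v ka="$KEEPALIVE" 'NF {
        printf "[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32, %s\nPersistentKeepalive = %d\n\n", $1, $4, $2, $3, ka
    }'
}

# Bridge side: its only peer (the router) is allowed the tunnel range plus
# every other site's LAN, so those destinations are routed into wg0.
site_allowed_ips() {
    me="$1"; out="$WG_NET"
    for p in $(echo "$SITES" | awk 'NF { printf "%s:%s ", $1, $3 }'); do
        [ "${p%%:*}" = "$me" ] || out="$out, ${p#*:}"
    done
    echo "$out"
}

# Full [Peer] section for a bridge's wg0.conf
site_peer() {
    printf "[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = %d\n" \
        "$HUB_PUBKEY" "$HUB_ENDPOINT" "$(site_allowed_ips "$1")" "$KEEPALIVE"
}

# Stand-alone use: ./wg_sites.sh --print
if [ "${1:-}" = "--print" ]; then
    check_sites && hub_peers && site_peer siteA
fi
```

The overlap check is the part worth keeping even if you write the configs by hand: a site whose LAN range is already covered by another peer's AllowedIPs is silently unreachable, and the static routes on the site routers give no hint why.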

This post is licensed under CC BY 4.0 by the author.