Using WireGuard for Site-to-Site VPN

Captions
Welcome back, Linux enthusiasts. Today we have an exciting topic to dive into: interconnecting three networks using the powerful WireGuard VPN. In this video we'll explore the ins and outs of this innovative technology and show you how to seamlessly bridge multiple networks for enhanced security and connectivity. Whether you are an IT professional, a networking enthusiast or simply curious about the worth of VPNs, this video is for you. WireGuard VPN, known for its simplicity, speed and security, has gained immense popularity in recent years. Its streamlined design and state-of-the-art encryption protocols make it a game changer in the world of virtual private networks. My name is Philip, let's get started.

Let's imagine we have three nodes spread across different locations. For simplicity they are all connected to the 192.168.12.0/24 network that we call the public network. On top of that, each node has a 10.x private network attached that's not directly connected to the internet: node 1 has the 10.1 private network, node 2 has 10.2 and node 3 has the 10.3 network connected. We'll set up a VPN network from the 172.16 range: node 1 will have the .1 IP, node 2 will have the .2 IP and node 3 will have the .3 IP, all coming from the same /24. We'll be building three VPN tunnels: one between node 1 and node 2, a second between node 1 and node 3, and a third between node 3 and node 2.

This type of topology is called a mesh. It means that every node is interconnected with every other node using point-to-point links. What we want to achieve is network reachability between the VMs sitting in the 10.x private networks behind our nodes. We want the traffic between our private networks to be tunneled with WireGuard VPNs over a public network. Let me show you how fast and easy it is to spin up the configuration.

I will be doing some tasks on three servers at the same time. Let's start with updating our package list with apt update and installing WireGuard with apt install wireguard. WireGuard tries to mimic SSH, so for every server you need to create public and private keys. For that to happen, let's go to the WireGuard configuration directory and set umask 077, so our newly created keys will have read/write permissions only for the owner. Then let's generate the keys with the following one-liner: the wg genkey command creates the private key and prints it to the standard output; we'll pipe it to the tee command, which will store the private key to a file and print it to the screen; the wg pubkey command accepts the private key and prints the corresponding public key, which we'll redirect to a file. OK, keys are there. Similar to SSH, the idea in WireGuard is to share the public key with the other party, so that the other party can use the key to authenticate and encrypt data. Please mind that, unlike other VPN technologies, WireGuard is not responsible for the distribution of keys; like in SSH, you need to exchange your public keys out of band.

The next step is to create the configuration for our WireGuard network interface. In the method that we'll be using, the file name will be the interface name; in our case the interface that we'll be creating is wg0. The first section defines the interface. Address indicates the IP of our wg0 network interface; we'll use a /24 from the 172.16 range, node 1 will end with .1, node 2 with .2. The next configuration parameter is the listen port; it indicates the UDP port that our server will listen on. Please mind that WireGuard encapsulates IP packets over UDP. The last parameter is the private key; let's load it from the key that we have just created. OK, our interface section is ready.

Now let's define our peers. Peers are servers that we will have a connection to. The first thing we need to provide is the public key of the remote server; we'll add it shortly. Next is a comma-separated list of IPs or ranges from which incoming traffic for this peer is allowed and to which outgoing traffic is directed. We are on node 1 and we define the node 2 peer; in the AllowedIPs section I'm providing the VPN IP of node 2. If node 2 sends us a packet, it will be decrypted and authenticated, and checked whether the source IP is in the allowed list; if not, then the packet will be dropped. It also works the other way around: if I want to send traffic to node 2, it will be encrypted with node 2's public key. This fundamental concept of WireGuard operation is called cryptokey routing; it tightly couples a peer's identity with the allowed IPs of the peer. Let's add the node 3 peer to the configuration and update its allowed IP list.

Now it's time to fill in the blanks. Let's grab the node 2 public key and put it in the public key field in the configuration. Let's do the same for node 3: I'll grab the node 3 public key and put it in the public key field of the node 3 peer. Here's how our node 1 configuration looks: an interface section that holds the configuration for the wg0 interface, our local VPN address, server UDP listen port and private key; then we have our neighbors, the public key of our first neighbor along with its VPN address, then our second neighbor and its VPN address.

Let's move to node 2. I'll open the wg0 interface configuration file. Let's fix our VPN address; the private key is OK. Let's go to the peer section; our first peer is node 1, so let's grab node 1's public key and paste it here. Let's also update the AllowedIPs by putting in the node 1 VPN address. Our second peer is node 3, so let's grab the node 3 public key and paste it here. Just to double check: node 2, its address and private key; node 2's neighbors are node 1 and node 3. Lastly, let's move to node 3 and perform the same steps. I'm updating the address with .3. Our first neighbor is node 1, so let's put its IP address and grab node 1's public key. Our second neighbor is node 2, so let's put its address and grab its public key. Let's just double check: we have node 3 in the interface section and two peers, node 1 and node 2.

So far we've defined our VPN IPs and allowed IP lists, and exchanged keys. To establish the connection we need to add an endpoint field to our peers. Endpoint is an optional field that tells WireGuard to which IP address and port to send the packets for a particular peer. It has a very interesting feature: the endpoint will be automatically updated to the most recent source IP and port of correctly authenticated packets. This allows the nodes to roam; we don't need a static IP address. If you are interested in a demo of such a setup, please let me know down in the comments section. In our example we'll use the 192.168.12 network as our public network. Let's add the endpoint IP and port of node 2 and node 3, so that node 1 knows where to send packets. Let's move to node 2 and add the IP and port of node 1 and node 3. Finally, let's repeat the same exercise on node 3 by adding the IP and port of node 1 and node 2.

Theoretically we could add only half of the endpoints and not provide the other half, but then the nodes with the endpoints defined would have to be the ones that initiate the connection. Not providing an endpoint on one side is a common practice for clients behind a NAT that don't have access to the router or firewall to pass traffic; such a client initiates a connection and keeps it open, so the server knows where to send the data back. Our scenario assumes all IPs are accessible both ways.

Finally, let's start our VPN with the wg-quick script. It will create and configure the wg0 interface, assign an IP address and shrink the MTU to accommodate the WireGuard envelope. Let's check if the interface is there. I'll try to ping the node 2 VPN IP from node 1: works. Let me try pinging node 3 from node 1: also works. Please mind that those three nodes are interconnected in a mesh; each node is connected to the other two nodes. It's not a hub and spoke topology, but we are going through different tunnels. Let's enable the WireGuard service so that the VPN is active upon system startup.

Our nodes have an eth0 interface, which is the public interface, and a wg0 interface that is our VPN interface, but there's yet another interface, eth2, that points towards our private network. Each node has its own non-overlapping 10.x /24 network. We'd like those networks to be able to exchange traffic over a secure VPN tunnel. Let's go to our VMs on the client network. Each VM has a default gateway that points towards its respective node. Let's try to ping a VM from a different private network. Obviously it will not work: the traffic will reach the default gateway, in our case node 1, and there it will be dropped. The first thing we need to do is enable packet forwarding by opening the sysctl config and uncommenting forwarding for IPv4. Next, let's load the configuration with sysctl -p. I'm rerunning the ping test; it still fails. Let's go to our nodes and check the routing table. As you can see, node 1 knows nothing about the 10.2 network on node 2 nor the 10.3 network on node 3.

Let's go to our WireGuard configuration on node 1 and add the 10.2 network in the peer section for node 2; it will make WireGuard accept traffic coming from the 10.2 network from node 2. Let's add the 10.3 network that belongs to node 3 to our peer section for node 3. I'm repeating the same steps on node 2 by adding the 10.1 network that belongs to node 1 in the peer section for node 1, and adding the 10.3 network that belongs to node 3 to the peer section for node 3. Lastly, on node 3, let's add the 10.1 network to the peer section for node 1 and the 10.2 network to the peer section for node 2. Now let's stop and start our VPN to reread the configuration. On node 1 the wg-quick script has added routes to the 10.2 and 10.3 networks via the wg0 interface. Once WireGuard gets the traffic, it will know where to route it based on the AllowedIPs entries. Let's double check if all nodes have the respective routing table rules to the 10.x networks added. All looks good. Now the final test: I'm re-running the ping from the cl1 VM sitting behind node 1 to the cl2 VM sitting behind node 2. Works. Now a quick speed test with iperf. All works great.

One thing to mention is that the client machines do not have internet access. For that to work we need to enable NAT on the servers. Let's do that quickly by creating an nftables configuration file. I'm creating my NAT IPv4 table with my chain inside; the chain type will be nat and it will register on the postrouting hook. We'll ask the firewall to perform masquerade for packets going out via eth0, that is our public interface. Let's load the configuration with nft -f and check if the configuration has been loaded, and test internet access on the client. Works.
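The three-node mesh configuration the video assembles by hand, as an added example (not the channel's own code): a small Python generator that renders wg0.conf for each node with the cryptokey routing entries described above (the peer's VPN /32 plus the 10.x LAN behind it), and a check that no two peers claim overlapping AllowedIPs, which WireGuard would silently resolve in favour of one peer. The concrete addresses, the listen port 51820 and the placeholder keys are assumptions; the video only gives the 172.16, 10.x and 192.168.12 prefixes.

```python
import ipaddress

# Constructed lab values (assumed: the video gives only the 172.16, 10.x and 192.168.12 prefixes)
NODES = {
    "node1": {"vpn": "172.16.0.1", "public": "192.168.12.1", "lan": "10.1.0.0/24"},
    "node2": {"vpn": "172.16.0.2", "public": "192.168.12.2", "lan": "10.2.0.0/24"},
    "node3": {"vpn": "172.16.0.3", "public": "192.168.12.3", "lan": "10.3.0.0/24"},
}
# Placeholder keys; real ones come from: wg genkey | tee privatekey | wg pubkey > publickey
KEYS = {n: {"private": f"<{n}-private-key>", "public": f"<{n}-public-key>"} for n in NODES}
PORT = 51820  # assumed listen port, same on every node


def allowed_ips(peer, nodes=NODES):
    """Cryptokey routing entry for a peer: its /32 VPN address plus the 10.x LAN behind it."""
    return [f"{nodes[peer]['vpn']}/32", nodes[peer]["lan"]]


def render_config(name, nodes=NODES, keys=KEYS, port=PORT):
    """Render /etc/wireguard/wg0.conf for `name`: one [Peer] per other node (full mesh)."""
    lines = [
        "[Interface]",
        f"Address = {nodes[name]['vpn']}/24",
        f"ListenPort = {port}",
        f"PrivateKey = {keys[name]['private']}",
    ]
    for peer in nodes:
        if peer == name:
            continue  # never list ourselves as a peer
        lines += [
            "",
            f"# peer: {peer}",
            "[Peer]",
            f"PublicKey = {keys[peer]['public']}",
            f"AllowedIPs = {', '.join(allowed_ips(peer, nodes))}",
            f"Endpoint = {nodes[peer]['public']}:{port}",
        ]
    return "\n".join(lines) + "\n"


def overlapping_allowed_ips(name, nodes=NODES):
    """Return (peer_a, peer_b, net_a, net_b) for AllowedIPs that overlap across peers; WireGuard
    gives each allowed prefix to exactly one peer, so an overlap steals routing from the other."""
    entries = [(p, ipaddress.ip_network(a))
               for p in nodes if p != name for a in allowed_ips(p, nodes)]
    clashes = []
    for i, (pa, na) in enumerate(entries):
        for pb, nb in entries[i + 1:]:
            if pa != pb and na.overlaps(nb):
                clashes.append((pa, pb, str(na), str(nb)))
    return clashes
```

Write `render_config("node1")` to /etc/wireguard/wg0.conf on node 1 (and likewise for the others) and the result matches the file the video ends up with after the 10.x networks are added to each peer.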
Info
Channel: LinuxCloudHacks
Views: 11,498
Keywords: wireguard, wireguard vpn, vpn, site to site vpn, wireguard setup, wireguard site to site vpn, linux, wireguard vpn server, wireguard vpn setup, mesh, wireguard mesh, wireguard mesh setup, wireguard vpn tunnel, site to site, remote access, site-to-site vpn, wireguard vpn setup ubuntu, connecting 3 networks, connecting 3 sites, site2site vpn, wireguard site2site, how to
Id: BZvDSFwOjh4
Length: 14min 10sec (850 seconds)
Published: Mon Jun 12 2023