🔑CyberSecurity | Configuring an overlay WireGuard
WireGuard makes it quick to build an overlay network in a basic hub-and-spoke configuration. This post sets up a basic three-node hub-and-spoke overlay:
Alpha - Server
Bravo - Client
Charlie - Hub
Install the WireGuard software on the server, client and hub. The Windows software can be downloaded from here, and the Linux software is available via apt. On Debian buster you need to install wireguard from backports.
You need to enable IP forwarding on both Linux and Windows. On Windows go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. If not already there, create a new REG_DWORD value named IPEnableRouter. Set IPEnableRouter to 1 and reboot.
On Linux, create the file /etc/sysctl.d/10-custom-kernel-bbr.conf with the following contents and reboot.
net.ipv4.ip_forward = 1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
You can check that forwarding is enabled by running sudo sysctl net.ipv4.ip_forward and verifying that it reports 1.
Next, create the keys on the hub, which is a Debian Linux deployment.
$ wg genkey > endpoint-a.key
$ wg pubkey < endpoint-a.key > endpoint-a.pub
$ wg genkey > endpoint-b.key
$ wg pubkey < endpoint-b.key > endpoint-b.pub
$ wg genkey > endpoint-c.key
$ wg pubkey < endpoint-c.key > endpoint-c.pub
There are now private and public keys you can use in the configuration files.
Configuration for hub Charlie:
# /etc/wireguard/wg0.conf
# local settings for Charlie
[Interface]
PrivateKey = Charlie private key
Address = 100.64.0.254/32
ListenPort = 51820
# remote settings for Alpha
[Peer]
PublicKey = Alpha public key
AllowedIPs = 100.64.0.1/32,192.168.1.0/24
# remote settings for Bravo
[Peer]
PublicKey = Bravo public key
AllowedIPs = 100.64.0.2/32,192.168.4.0/24
Configuration for server Alpha which has a local subnet of 192.168.1.0/24:
# /etc/wireguard/wg0.conf
# local settings for Alpha
[Interface]
PrivateKey = Alpha private key
Address = 100.64.0.1/32
# remote settings for Charlie
[Peer]
PublicKey = Charlie public key
Endpoint = Charlie:51820
AllowedIPs = 100.64.0.0/24,192.168.4.0/24
Configuration for client Bravo which has a local subnet of 192.168.4.0/24:
# /etc/wireguard/wg0.conf
# local settings for Bravo
[Interface]
PrivateKey = Bravo private key
Address = 100.64.0.2/32
# remote settings for Charlie
[Peer]
PublicKey = Charlie public key
Endpoint = Charlie:51820
AllowedIPs = 100.64.0.0/24,192.168.1.0/24
Enable and start the service on each node, and that's it.
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
Note: when the server runs on OpenWRT, the prefix length on the server's Address needs to be /24 and not /32.
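The AllowedIPs lines above are WireGuard's routing table, and a mismatch between the hub and a spoke fails silently (packets are simply dropped). The following Python is an added example, not code from the original post: it parses wg-quick style configs and checks the cryptokey-routing invariants a hub-and-spoke overlay depends on. The embedded configs are constructed copies of the three above with the key material left out.

```python
import ipaddress
from itertools import combinations, product
# Constructed sample configs mirroring the three nodes above; keys are left out because only routing is checked.
HUB = """[Interface]
Address = 100.64.0.254/32
ListenPort = 51820
[Peer]
AllowedIPs = 100.64.0.1/32,192.168.1.0/24
[Peer]
AllowedIPs = 100.64.0.2/32,192.168.4.0/24
"""
ALPHA = "[Interface]\nAddress = 100.64.0.1/32\n[Peer]\nEndpoint = Charlie:51820\nAllowedIPs = 100.64.0.0/24,192.168.4.0/24\n"
BRAVO = "[Interface]\nAddress = 100.64.0.2/32\n[Peer]\nEndpoint = Charlie:51820\nAllowedIPs = 100.64.0.0/24,192.168.1.0/24\n"

def parse_wg(text):
    """Split a wg-quick config into (interface, [peer, ...]) dicts; repeated [Peer] sections are kept."""
    sections = [{}]
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line == "[Peer]":
            sections.append({})
        elif line and line != "[Interface]":
            key, _, value = line.partition("=")
            sections[-1][key.strip().lower()] = value.strip()
    return sections[0], sections[1:]

def allowed(peer):  # the peer's AllowedIPs as ip_network objects
    return [ipaddress.ip_network(n.strip()) for n in peer.get("allowedips", "").split(",") if n.strip()]

def check_hub_and_spoke(hub_text, spoke_texts):
    """Return a list of cryptokey-routing problems; an empty list means hub and spokes agree."""
    hub_if, hub_peers = parse_wg(hub_text)
    hub_ip = ipaddress.ip_interface(hub_if["address"]).ip
    # 1. Each prefix routes to one peer, so two spokes claiming overlapping ranges on the hub is a misconfiguration.
    findings = [f"hub: {na} and {nb} overlap across two peers" for a, b in combinations(hub_peers, 2)
                for na, nb in product(allowed(a), allowed(b)) if na.version == nb.version and na.overlaps(nb)]
    for sp_if, sp_peers in map(parse_wg, spoke_texts):
        sp_ip = ipaddress.ip_interface(sp_if["address"]).ip
        # 2. The hub drops a spoke's packets unless that [Peer]'s AllowedIPs covers the spoke's overlay address.
        mine = [p for p in hub_peers if any(sp_ip in n for n in allowed(p))]
        # 3. The spoke needs a [Peer] with an Endpoint whose AllowedIPs covers the hub's overlay address.
        via = [p for p in sp_peers if "endpoint" in p and any(hub_ip in n for n in allowed(p))]
        if not mine or not via:
            findings.append(f"spoke {sp_ip}: no matching AllowedIPs on the {'hub' if not mine else 'spoke'} side")
            continue
        # 4. Everything the hub routes to the other spokes must be sent to the hub by this spoke.
        for other in (p for p in hub_peers if p is not mine[0]):
            for net in allowed(other):
                if not any(net.version == r.version and net.subnet_of(r) for r in allowed(via[0])):
                    findings.append(f"spoke {sp_ip}: AllowedIPs towards the hub does not cover {net}")
    return findings
```

Run it against the real files before bringing the tunnels up; with the three configs above it returns an empty list, and each change to an Address or AllowedIPs line on one side shows up as a finding naming the side that no longer matches.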
* Ronald works connecting Internet inhabiting things at Fusion Broadband.
Written by Ronald Bartels, Driving SD-WAN Adoption in South Africa