Site-to-Site VPN (Reverse)

Configuration

  • Site A (server)
```ini
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 65531

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.1.0/24,172.16.157.0/24
```

Address is the IP address assigned to the server's WireGuard interface.

Peer refers to the client that connects to the server.

AllowedIPs is the list of subnets the peer exposes to the server. For each entry, wg-quick creates a route on the server (unless Table = off is set under Interface). AllowedIPs also acts as the cryptokey routing filter: traffic to those subnets is sent to this peer, and packets arriving from the peer with a source address outside them are dropped. With this configuration, Site A can ping devices on Site B's subnets: 192.168.1.0/24 and 172.16.157.0/24.

```bash
$ wg-quick up ./wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.1.0/24 dev wg0
[#] ip -4 route add 172.16.157.0/24 dev wg0
```

WARNING

If the server already has routes for the specified subnets, the WireGuard routes will take precedence.
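To see which routes wg-quick will add and which existing routes they overlap before bringing the tunnel up, this added example (not part of the original page) parses the Site A configuration above and compares its AllowedIPs subnets against a routing table; both the config text and the route list are constructed sample data embedded inline.

```python
import ipaddress

# Constructed sample: the Site A server configuration shown on this page.
SITE_A_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 65531
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.1.0/24,172.16.157.0/24
"""
# Constructed sample of the server's existing table, as `ip -4 route` would print it.
EXISTING_ROUTES = [
    "default via 203.0.113.1 dev eth0",
    "203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10",
    "172.16.0.0/16 via 203.0.113.254 dev eth0",
]

def parse_wg_conf(text):
    """Split a wg-quick config into the [Interface] dict and one dict per [Peer]."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")   # base64 keys may end in '=', so split once
        current[key.strip()] = value.strip()
    return interface, peers

def planned_routes(interface, peers):
    """Subnets wg-quick would add routes for: every AllowedIPs entry, unless Table = off."""
    if interface.get("Table", "").lower() == "off":
        return []
    return [ipaddress.ip_network(e.strip(), strict=False)
            for peer in peers for e in peer.get("AllowedIPs", "").split(",") if e.strip()]

def route_conflicts(planned, existing_routes):
    """Pair each planned subnet with every existing route it overlaps (longest prefix wins)."""
    conflicts = []
    for net in planned:
        for route in existing_routes:
            dst = route.split()[0]
            if dst != "default" and net.overlaps(ipaddress.ip_network(dst, strict=False)):
                conflicts.append((str(net), route))
    return conflicts
```

Run `route_conflicts(planned_routes(*parse_wg_conf(SITE_A_CONF)), EXISTING_ROUTES)` against the real output of `ip -4 route` to list every subnet whose traffic will start flowing into the tunnel once the interface is up.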

  • Site B (client)
```ini
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 10.0.0.1/32
Endpoint = REMOTE_IP_ADDRESS:65531
PersistentKeepalive = 25
```

AllowedIPs is set to the server's tunnel address only, since the server should not expose any subnet to the client.

IP Forwarding and NAT

For Site A to reach Site B's subnets, the Site B host must have IP forwarding enabled and must be able to route traffic from the WireGuard interface to the interface (or interfaces) connected to those subnets.

To enable IP Forwarding:

```bash
# Takes effect immediately but does not survive a reboot; set net.ipv4.ip_forward=1
# via sysctl (e.g. in /etc/sysctl.conf or /etc/sysctl.d/) to make it persistent.
echo 1 > /proc/sys/net/ipv4/ip_forward
```

To route traffic from the WireGuard interface to the specified subnets, NAT forwarding (masquerading) can be enabled. Masquerading rewrites the source address of forwarded packets to the Site B host's own address, so devices on Site B's subnets reply to the host without needing a route back to 10.0.0.0/24.

Add:

```bash
iptables -t nat -A POSTROUTING -j MASQUERADE
```

Delete:

```bash
iptables -t nat -D POSTROUTING -j MASQUERADE
```

Note that without an `-o` or `-s` match this rule masquerades every forwarded packet leaving the host; restricting it to the outgoing interface (`-o eth0`) and to the tunnel subnet (`-s 10.0.0.0/24`) keeps the NAT scoped to the VPN traffic.

The same rules can be added and removed automatically by placing them in the WireGuard configuration file under Interface, where eth0 is the interface facing the target subnets:

```ini
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```