How to set up a WireGuard Site to Site VPN Between 2 EdgeRouters

Background

I’ve recently started college and I’m living in one of the dorms on campus. They provide 1 Ethernet jack per person per room. I have multiple wired devices, so at the very least I needed a switch, but I also wanted all the devices to be able to talk to everything back on my home network. 

The best way to do this is with a site to site VPN. This lets devices on each end of the VPN tunnel communicate with each other as if they were directly on the same network. 

My router of choice at home is an EdgeRouter Lite from Ubiquiti Networks. Originally I was going to use a Cisco Meraki MX64 firewall (get one for free here) at my dorm as my router, but the functionality is somewhat limited for my uses and I prefer the EdgeRouters, so I got a cheap EdgeRouter X off of eBay (college budget life) and went to work.

My original plan was to use OpenVPN because I’m familiar with it, but upon testing, I found the performance to be seriously lacking (topping out at about 7 Mbps). My dorm has 100/100 Mbps and home has 130/35 Mbps, so that wasn’t going to cut it.

Plan B was IPsec. Both EdgeRouters have hardware offloading for the encryption used in typical IPsec configurations, so this seemed like a good high-performance option. My next roadblock, though, was that I can’t port forward anything from my dorm, which made it difficult or impossible to establish an IPsec tunnel (it may be possible, but my Googling couldn’t find a way).

Finally, Plan C was to use WireGuard. I had made a post on Reddit with my IPsec woes and it was suggested that I try out WireGuard. WireGuard is a new type of VPN that aims to be fast, lightweight, and easy to set up (if you’re not me, apparently), all while being highly secure. The details on how to set it up on my hardware, though, were somewhat lacking, and it took quite a few hours to get it actually functional. My goal here today is to help someone else set up something similar without all the headache I went through, so without further delay, here’s how I did it.


My Setup

Here’s a quick and basic diagram of my setup, made using Creately.


My Process

1. Install vyatta-wireguard on both routers. Find the download URL for your router model and paste it on line 3 (wget is not installed on EdgeOS by default; if you prefer, install and use curl instead).

ssh <router ip>
sudo apt-get install wget
wget <download url, ex: https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20180925-1/wireguard-e100-0.0.20180925-1.deb>
sudo dpkg -i <file name, ex: wireguard-e100-0.0.20180925-1.deb>

2. Generate a private and public key on each router. Copy and paste the output into a text file for convenience. The top line of the output is the private key (printed by tee), the bottom line is the public key.

wg genkey | tee /dev/tty | wg pubkey

3. Configure the home router. I used 10.100.100.1 for the WireGuard tunnel IP so that I could set up the allowed IPs as 10.0.0.0/8. It wouldn’t allow me to use 0.0.0.0/0 like I wanted, so this works out too, since both subnets are on 10.x.x.x and 10.0.0.0/8 allows everything in that range.

configure
set interfaces wireguard wg0 address 10.100.100.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <private key from this router from before>

4. Configure the remote/dorm router. I used 10.100.100.2 for the WireGuard tunnel IP on this one.

configure
set interfaces wireguard wg0 address 10.100.100.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <private key from this router from before>

5. On each router, add the other router as a peer. Line 2 (the endpoint) is only useful on the side that can reach out to the other side, so skip it on the router that has port forwarding (here, home) and run it on the router that does not (here, the dorm); if both sides have port forwarding, run it on both. It must be run on at least one side. Line 3 keeps the connection active so it works without port forwarding and doesn’t disconnect after a short while of no traffic.

set interfaces wireguard wg0 peer <other router's public key> allowed-ips 10.0.0.0/8
set interfaces wireguard wg0 peer <other router's public key> endpoint <public IP or domain name:port>
set interfaces wireguard wg0 peer <other router's public key> persistent-keepalive 15

6. Commit and save the changes on each router (otherwise they won’t take effect and will be lost on reboot), then exit from configuration mode.

commit
save
exit

7. Go to the home router web UI, then Firewall/NAT -> Firewall Policies -> WAN_Local. Edit the ruleset configuration and add a new rule so the router accepts WireGuard packets arriving on its WAN interface:

  • Basic – Description: Allow WireGuard
  • Basic – Action: Allow
  • Basic – Protocol: UDP
  • Source – Port: 51820
  • Destination – Port: 51820
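The easy mistakes in steps 3 to 5 are putting the endpoint line on the wrong side and choosing allowed-ips that don’t cover the far LAN (which fails silently, since allowed-ips is both the route and the ingress filter for a peer). Here is an added Python helper, not from the post, that writes the EdgeOS set lines for each router from one description of both sites and refuses a configuration that cannot work; the dorm LAN prefix, the home hostname and the key placeholders are assumptions.

```python
import ipaddress

# Constructed inputs, not values from the post; replace the key placeholders with the
# output of `wg genkey | tee /dev/tty | wg pubkey` from step 2. The dorm LAN prefix and
# the home hostname are assumptions.
SITES = {
    "home": {"tunnel": "10.100.100.1/24", "lan": "10.20.31.0/24",
             "privkey": "<home private key>", "pubkey": "<home public key>",
             "endpoint": "home.example.net:51820", "reachable": True},   # port forwarded
    "dorm": {"tunnel": "10.100.100.2/24", "lan": "10.30.0.0/24",
             "privkey": "<dorm private key>", "pubkey": "<dorm public key>",
             "endpoint": None, "reachable": False},  # no port forwarding at the dorm
}
LISTEN_PORT = 51820
KEEPALIVE = 15  # seconds; keeps the dorm's NAT mapping open so home can send back

def covered(allowed_ips, target):
    """True if `target` (host or prefix) lies inside one of the allowed-ips prefixes."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed_ips)

def edgeos_commands(local_name, allowed_ips=("10.0.0.0/8",)):
    """EdgeOS `set` lines for one router (steps 3 to 5), refusing configs that cannot work."""
    local = SITES[local_name]
    peer = SITES[next(n for n in SITES if n != local_name)]
    if not (local["reachable"] or peer["reachable"]):
        raise ValueError("at least one side must be reachable (endpoint on the other side)")
    # allowed-ips is both the route and the ingress filter for this peer: it must cover the
    # peer's tunnel address and the peer's LAN, or replies are dropped without any error.
    peer_tunnel_ip = str(ipaddress.ip_interface(peer["tunnel"]).ip)
    for target in (peer_tunnel_ip, peer["lan"]):
        if not covered(allowed_ips, target):
            raise ValueError(f"allowed-ips {allowed_ips} does not cover peer's {target}")
    p = f"set interfaces wireguard wg0 peer {peer['pubkey']}"
    lines = [f"set interfaces wireguard wg0 address {local['tunnel']}",
             f"set interfaces wireguard wg0 listen-port {LISTEN_PORT}",
             "set interfaces wireguard wg0 route-allowed-ips true",
             f"set interfaces wireguard wg0 private-key {local['privkey']}"]
    lines += [f"{p} allowed-ips {a}" for a in allowed_ips]
    if peer["reachable"]:  # endpoint only where the peer can actually be reached
        lines.append(f"{p} endpoint {peer['endpoint']}")
    lines.append(f"{p} persistent-keepalive {KEEPALIVE}")
    return lines

if __name__ == "__main__":
    for site in SITES:
        print(f"# {site} router")
        print("\n".join(edgeos_commands(site)))
```

Paste each router’s lines into configure, then commit and save as in step 6.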

8. Theoretically, if everything worked, you should be able to see the connection with:

sudo wg

Home router:

interface: wg0
  public key: W6ap<home pubkey>
  private key: (hidden)
  listening port: 51820

peer: O8lz<dorm/remote pubkey>
  endpoint: 128.x.x.x:51820
  allowed ips: 10.0.0.0/8
  transfer: 453.80 MiB received, 116.24 MiB sent
  persistent keepalive: every 15 seconds

Dorm/remote router:

interface: wg0
  public key: O8lz<dorm/remote pubkey>
  private key: (hidden)
  listening port: 51820

peer: W6ap<home pubkey>
  endpoint: 69.x.x.x:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 29 seconds ago
  transfer: 120.42 MiB received, 453.46 MiB sent
  persistent keepalive: every 15 seconds
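The “latest handshake” line is the real liveness signal in that output: WireGuard re-handshakes roughly every two minutes while traffic flows, so a peer whose last handshake is much older than that is down even if the transfer counters look healthy. This added Python script, not from the post, parses the wg output and classifies each peer; the sample output and the second peer are constructed.

```python
import re

# Constructed `wg` output in the shape of step 8 (keys and addresses are placeholders).
SAMPLE = """\
interface: wg0
  public key: O8lz<dorm pubkey>
  listening port: 51820

peer: W6ap<home pubkey>
  endpoint: 198.51.100.7:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 29 seconds ago
  transfer: 120.42 MiB received, 453.46 MiB sent

peer: AAAA<stale peer pubkey>
  endpoint: 203.0.113.5:51820
  allowed ips: 10.200.0.0/16
  latest handshake: 2 hours, 3 minutes, 10 seconds ago
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
STALE_AFTER = 180  # seconds: a live tunnel re-handshakes about every 2 minutes

def handshake_age(text):
    """'2 hours, 3 minutes, 10 seconds ago' -> 7390; None if no handshake yet."""
    if not text:
        return None
    parts = re.findall(r"(\d+) (second|minute|hour|day)", text)
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_wg(output):
    """Return {peer public key: {field: value}} from `wg` output."""
    peers, current = {}, None
    for line in output.splitlines():
        if line.startswith("peer: "):
            current = peers.setdefault(line[6:].strip(), {})
        elif line.startswith("  ") and current is not None:
            key, _, val = line.strip().partition(": ")
            current[key] = val
    return peers

def peer_status(output, stale_after=STALE_AFTER):
    """Classify each peer as 'up', 'stale' or 'never' by latest handshake age."""
    status = {}
    for key, fields in parse_wg(output).items():
        age = handshake_age(fields.get("latest handshake"))
        status[key] = "never" if age is None else ("up" if age <= stale_after else "stale")
    return status
```

On the router itself, feed it the live output with `sudo wg | python3 -c "import sys; ..."` or a cron job to get an alert when the tunnel silently drops.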

9. You should also see a new wg0 interface in the dashboard, possibly with traffic going over it already.

10. Try pinging a device on the other end, from either end. If it comes back with a response, you should be all done!

hbh7@PC-at-dorm:~$ ping 10.20.31.101
PING 10.20.31.101 (10.20.31.101) 56(84) bytes of data.
64 bytes from 10.20.31.101: icmp_seq=1 ttl=62 time=16.7 ms
64 bytes from 10.20.31.101: icmp_seq=2 ttl=62 time=16.3 ms
64 bytes from 10.20.31.101: icmp_seq=3 ttl=62 time=15.9 ms
64 bytes from 10.20.31.101: icmp_seq=4 ttl=62 time=20.3 ms
^C
--- 10.20.31.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 15.960/17.343/20.318/1.746 ms

Assuming all went well, that should be it. Leave a comment below if anything is unclear, if you get stuck somewhere, or if something isn’t working right. Enjoy!


Helpful links I used

WIREGUARD ON EDGEOS FOR A FASTER HOME VPN
WireGuard VPN using an EdgeRouter X
Release: WireGuard for EdgeRouter
vyatta-wireguard
Site to Site VPN on a restricted network
