WireGuard (WG) aims to provide a VPN that is both simple and highly effective,
and to be a genuinely good alternative to existing technologies such as IPsec or OpenVPN.
WG is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
I tried WG in a complex high-availability datacenter setup and replaced a couple of existing OpenVPN connections with WireGuard.
The result was performant and simple at once.
Setup
We have two sites, one with a static ISP address (Zeta) and the other with a dynamic one (Gamma). The goal is to connect both sites over WG.
Installation
Debian:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
OpenSUSE:
zypper addrepo -f obs://network:vpn:wireguard wireguard
zypper ref
zypper install wireguard-kmp-default wireguard-tools
Currently WG is not in the mainline kernel and there are no official distribution packages available, so you can either build your own version or trust third-party sources that offer pre-built packages and install from there. The WG project promises official kernel support in the near future, but for now this is how it is.
Configuration
On Zeta site:
wg genkey > wgprivate_zeta.key
chmod 700 wgprivate_zeta.key
wg pubkey < wgprivate_zeta.key
On Gamma site:
wg genkey > wgprivate_gamma.key
chmod 700 wgprivate_gamma.key
wg pubkey < wgprivate_gamma.key
On Zeta site (the static side must listen on a fixed port, here 56922, which Gamma uses as its endpoint below):
ip link add dev wg0 type wireguard
ip address add 10.0.0.3 dev wg0
wg set wg0 listen-port 56922 private-key ./wgprivate_zeta.key
ip link set wg0 up
wg set wg0 peer g5k9FzKAmhzwt2HLZ2+1rbGGyvqtHPbG6RK1vkn1KgU= allowed-ips 0.0.0.0/0 persistent-keepalive 25
On Gamma site:
ip link add dev wg0 type wireguard
ip address add 10.0.0.4 dev wg0
wg set wg0 private-key ./wgprivate_gamma.key
ip link set wg0 up
wg set wg0 peer v2m8GnJAmhzjq2HUZ2+1dyWUyvqtHPbG6RK1vkn1KgU= allowed-ips 0.0.0.0/0 persistent-keepalive 25 endpoint 89.1.240.150:56922
Routing
You also have to set the required route on the Gamma site to reach the Zeta site:
ip route replace 10.0.0.3 dev wg0
Do the same on the Zeta site with Gamma's address (10.0.0.4) so it can reach Gamma.
The allowed-ips value can be restricted to specific hosts or networks; 0.0.0.0/0 as used above lets the peer send any source address through the tunnel.
Run wg show to display the current status of your WG interfaces and peer connections.
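As an added example (not from the original post): a small POSIX shell script that renders a wg-quick style configuration file for one end of this Zeta/Gamma tunnel, checking the key format and the allowed-ips value before they reach wg. The tunnel addresses and port 56922 are the post's; the demo keys are random placeholders, so the script runs without wireguard-tools installed.

```shell
#!/bin/sh
# Added example (not from the original post): render a wg-quick
# style configuration for one end of the Zeta/Gamma tunnel.
set -eu

# A WireGuard key is 32 raw bytes, so its base64 form is exactly
# 44 characters ending in '='; reject anything else before wg sees it.
valid_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
}

# Accept a.b.c.d or a.b.c.d/n with n in 0..32 (IPv4 only, as in the post).
# 0.0.0.0/0 is legal but lets the peer source any address, so prefer /32.
valid_allowed_ip() {
    case $1 in
        */*) net=${1%/*}; plen=${1#*/} ;;
        *)   net=$1; plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    echo "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# render_config OWN_ADDR LISTEN_PORT PRIVATE_KEY PEER_PUBKEY ALLOWED_IPS [ENDPOINT]
# LISTEN_PORT "-" leaves the port random (acceptable only on the dynamic site).
render_config() {
    own=$1 port=$2 priv=$3 pub=$4 allowed=$5 endpoint=${6:-}
    valid_wg_key "$priv" && valid_wg_key "$pub" || return 1
    valid_allowed_ip "$allowed" || return 1
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\n' "$own" "$priv"
    [ "$port" = "-" ] || printf 'ListenPort = %s\n' "$port"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$allowed"
    printf 'PersistentKeepalive = 25\n'
    [ -z "$endpoint" ] || printf 'Endpoint = %s\n' "$endpoint"
}

# Demo keys: random bytes stand in for wg genkey / wg pubkey output so the
# script runs without wireguard-tools; use the real tools for a live tunnel.
DEMO_PRIV=$(head -c 32 /dev/urandom | base64)
DEMO_PEER_PUB=$(head -c 32 /dev/urandom | base64)
# Zeta: static site, fixed listen port, peer limited to Gamma's tunnel address.
render_config 10.0.0.3/32 56922 "$DEMO_PRIV" "$DEMO_PEER_PUB" 10.0.0.4/32
```

Redirect the output to /etc/wireguard/wg0.conf and bring it up with wg-quick, or keep using the plain ip/wg commands above; the validation is the part worth reusing.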
Conclusion
WG is a pretty solid alternative to OpenVPN, simple to use and, as described in this post, easy to configure.
Network performance was also slightly better than through OpenVPN, measured over a dozen transfers of a 90 MB binary file.
Measured transfer times:
OpenVPN   | 1:23 (one minute and 23 seconds)
WireGuard | 1:15 (one minute and 15 seconds)