WireGuard Site-to-Site VPN Setup
This DIY guide walks through a WireGuard site-to-site VPN: a practical setup path, validation steps, and the details needed to build it safely.
Introduction
If you manage multiple office locations or data centers, securely connecting these networks is crucial. A site-to-site VPN allows you to link two or more separate networks over the internet as if they were part of the same local network. This setup enables seamless communication between devices across sites without exposing sensitive traffic to the public internet.
WireGuard is a modern VPN protocol that simplifies this process with a lightweight, high-performance design. Unlike IPsec or OpenVPN, WireGuard uses a fixed set of modern cryptographic primitives with no cipher negotiation, and it has been part of the mainline Linux kernel since version 5.6, offering fast and secure connections with very little configuration.
This guide walks you through setting up a WireGuard site-to-site VPN between two Linux gateways. You’ll learn what components are involved, how to configure the VPN step-by-step, validate your setup, and harden it against common pitfalls.
What You Are Building
In a WireGuard site-to-site VPN, each site has a gateway device (usually a Linux server or router) running WireGuard. These gateways establish an encrypted tunnel over the internet, allowing traffic from one local network to reach the other securely.
For example, suppose you have:
- Site A with local network 10.10.1.0/24
- Site B with local network 10.10.2.0/24
Each site’s WireGuard gateway will have:
- A public IP address reachable over the internet
- A WireGuard interface with a private IP in a dedicated VPN subnet (e.g., 10.10.10.1/24 and 10.10.10.2/24)
Traffic destined for the remote LAN is routed to the local gateway, encrypted there, carried across the tunnel, and decrypted by the remote gateway. The encryption covers the internet hop between the two gateways; the hop between a host and its own gateway on each LAN is in the clear, as usual.
This setup is ideal for:
- Organizations with multiple offices needing secure inter-site communication
- Remote data centers requiring private connectivity
- Home labs or small businesses wanting to link networks securely without complex IPsec setups
Prerequisites
Before starting, ensure you have:
- Two Linux-based gateway machines (Ubuntu, Debian, Fedora, etc.); at least one needs a public IP the other can reach, and a gateway behind NAT can still bring the tunnel up as long as it sets PersistentKeepalive (see step 3)
- Root or sudo access on both gateways
- Basic networking knowledge (IP addressing, routing)
- UDP port 51820 open on firewalls for WireGuard traffic (default port)
- WireGuard installed on both machines (wireguard-tools package)
You will also need to decide on:
- VPN subnet for WireGuard interfaces (e.g., 10.10.10.0/24)
- LAN subnets at each site (e.g., 10.10.1.0/24 and 10.10.2.0/24)
Step-by-Step Setup
1. Install WireGuard
On both gateways, install the WireGuard tools (Debian/Ubuntu shown; on Fedora the package is wireguard-tools and is installed with dnf):
sudo apt update
sudo apt install wireguard
2. Generate Key Pairs
Each gateway needs a private and public key pair for authentication.
wg genkey | tee privatekey | wg pubkey > publickey
Run this under a restrictive umask (077) so the privatekey file is readable only by root, and keep the private key on the host that generated it; only the public key is ever copied to the other site.
3. Configure WireGuard Interfaces
Create /etc/wireguard/wg0.conf on each gateway.
Site A (10.10.10.1/24) example:
[Interface]
Address = 10.10.10.1/24
PrivateKey = <Site A private key>
ListenPort = 51820
[Peer]
PublicKey = <Site B public key>
AllowedIPs = 10.10.10.2/32, 10.10.2.0/24
Endpoint = <Site B public IP>:51820
PersistentKeepalive = 25
Site B (10.10.10.2/24) example:
[Interface]
Address = 10.10.10.2/24
PrivateKey = <Site B private key>
ListenPort = 51820
[Peer]
PublicKey = <Site A public key>
AllowedIPs = 10.10.10.1/32, 10.10.1.0/24
Endpoint = <Site A public IP>:51820
PersistentKeepalive = 25
The first AllowedIPs entry is the remote gateway’s own tunnel address. WireGuard only sends to a peer, and only accepts from it, the prefixes listed in AllowedIPs, so without that /32 the tunnel-IP pings in the validation section are silently dropped even though LAN-to-LAN traffic works.
4. Enable IP Forwarding
On both gateways, enable packet forwarding so traffic can route between LAN and VPN:
sudo sysctl -w net.ipv4.ip_forward=1
Make it persistent by adding the following line to /etc/sysctl.conf (or to a file under /etc/sysctl.d/):
net.ipv4.ip_forward=1
5. Configure Routing
Add routes on each gateway to send traffic destined for the remote LAN over the WireGuard interface.
Example on Site A:
sudo ip route add 10.10.2.0/24 dev wg0
And on Site B:
sudo ip route add 10.10.1.0/24 dev wg0
6. Start WireGuard
Bring up the WireGuard interface:
sudo wg-quick up wg0
Enable on boot:
sudo systemctl enable wg-quick@wg0
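The six steps above produce one configuration file per gateway. The following added example (not code from the original guide) renders that file from its parameters, lists the remote tunnel address as well as the remote LAN in AllowedIPs, and adds PostUp/PostDown firewall rules that accept UDP 51820 only from the known peer and forward only LAN-to-LAN traffic. The interface names wg0 and eth0, the 203.0.113.0/24 documentation addresses standing in for real public IPs, and a default FORWARD policy of DROP are assumptions, not something the guide states.

```sh
#!/bin/sh
# Added example, not code from the original guide: render a complete wg0.conf
# for one site-to-site gateway. Assumptions (not in the guide): wg0 is the
# tunnel interface, eth0 is the LAN-facing interface, the FORWARD chain's
# default policy is DROP, and 203.0.113.x stands in for the real public IPs.
set -eu

# render_wg_conf LOCAL_TUN_ADDR PRIVATE_KEY LOCAL_LAN PEER_PUBKEY PEER_ENDPOINT PEER_TUN_IP PEER_LAN
# Prints the config on stdout; the caller redirects it into /etc/wireguard/wg0.conf.
render_wg_conf() {
  local_tun="$1"; privkey="$2"; local_lan="$3"
  peer_pub="$4"; peer_ep="$5"; peer_tun="$6"; peer_lan="$7"
  peer_host="${peer_ep%:*}"   # drop ":port" so the INPUT rule matches the peer address only
  cat <<EOF
[Interface]
Address = ${local_tun}
PrivateKey = ${privkey}
ListenPort = 51820
# Accept WireGuard handshakes only from the known peer, and forward only
# LAN-to-LAN traffic between eth0 and wg0; anything else reaching wg0 is
# dropped by the (assumed) default DROP policy of the FORWARD chain.
PostUp = iptables -I INPUT -p udp --dport 51820 -s ${peer_host} -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -s ${peer_lan} -d ${local_lan} -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -s ${local_lan} -d ${peer_lan} -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 51820 -s ${peer_host} -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -s ${peer_lan} -d ${local_lan} -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -s ${local_lan} -d ${peer_lan} -j ACCEPT

[Peer]
PublicKey = ${peer_pub}
# Cryptokey routing: only these destinations are sent to this peer, and only
# packets from these sources are accepted from it. The remote tunnel /32 must
# be listed, or a ping to the remote tunnel IP is silently dropped.
AllowedIPs = ${peer_tun}/32, ${peer_lan}
Endpoint = ${peer_ep}
PersistentKeepalive = 25
EOF
}

# Site A's config with placeholder keys (constructed values; replace them with
# the output of "wg genkey" / "wg pubkey" from step 2).
render_wg_conf 10.10.10.1/24 SITE_A_PRIVATE_KEY 10.10.1.0/24 \
  SITE_B_PUBLIC_KEY 203.0.113.2:51820 10.10.10.2 10.10.2.0/24
```

On a real gateway, run it as root under umask 077 and redirect the output to /etc/wireguard/wg0.conf so the file (which holds the private key) is created with mode 600; Site B is rendered the same way with the arguments mirrored. Remember that the LAN hosts (or the LAN's router) still need a route for the remote subnet via the gateway's LAN address; the config file cannot do that for you.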
Configuration Details
WireGuard’s configuration revolves around a few key concepts:
- Interface: Defines the local WireGuard endpoint, including its private key, IP address, and listening port.
- Peer: Represents the remote WireGuard endpoint, identified by its public key and allowed IP ranges.
- AllowedIPs: Specifies which destination IPs are routed through the tunnel to that peer, and which source IPs are accepted from it (WireGuard’s cryptokey routing); a packet from the peer whose source is outside this list is dropped. Prefixes must not overlap between peers.
- Endpoint: The remote peer’s public IP and UDP port. Only the side that initiates needs it; a gateway with a static address can omit the Endpoint of a NATed peer and learns it from that peer’s first authenticated packet, and it is updated automatically when the peer roams.
- PersistentKeepalive: Sends an empty authenticated packet every N seconds to keep NAT and stateful-firewall mappings alive; set it on the side behind NAT (25 seconds is the usual value).
WireGuard uses Curve25519 for key exchange, ChaCha20-Poly1305 for encryption, and BLAKE2s for hashing, ensuring modern, secure cryptography.
The VPN operates over UDP, which is connectionless but fast. WireGuard does not retransmit lost packets: like any datagram tunnel it leaves loss recovery and ordering to the protocols carried inside it (TCP, for example). What it does handle itself is replay protection, via a sliding window over per-packet counters, and roaming, by updating a peer’s endpoint whenever an authenticated packet arrives from a new address.
Validation and Testing
After starting WireGuard on both gateways, verify the tunnel:
1. Check interface status:
sudo wg show
Look for a latest handshake line under each peer and for transfer counters that grow. WireGuard handshakes lazily, only when it has a packet to send, so if no handshake appears yet, generate some traffic (the pings below) and run wg show again; with PersistentKeepalive set, the keepalive itself triggers the handshake within the keepalive interval.
2. Ping remote VPN IP:
From Site A:
ping 10.10.10.2
From Site B:
ping 10.10.10.1
3. Ping remote LAN IP:
From a device on Site A’s LAN, ping a device on Site B’s LAN (e.g., ping 10.10.2.10).
4. Check routing and firewall rules:
Ensure no firewall drops UDP 51820 on either gateway (INPUT chain) or blocks forwarding between the LAN interface and wg0 (FORWARD chain), and that LAN hosts actually route the remote subnet via the gateway. A tunnel that handshakes but passes no LAN traffic almost always has a forwarding rule or a missing LAN-side route to blame.
Common Mistakes
- Incorrect or swapped keys: the PublicKey in each gateway’s [Peer] section must be the public key derived from the other gateway’s private key (wg pubkey < privatekey), not its own.
- Firewall blocking UDP 51820: Open this port on both gateways.
- Forgetting IP forwarding: Without it, traffic won’t route between LAN and VPN.
- Mismatched AllowedIPs: AllowedIPs must cover the remote LAN subnet, not just the VPN IP.
- No PersistentKeepalive behind NAT: set PersistentKeepalive = 25 on the NATed side to keep the mapping open.
Hardening Tips
- Restrict inbound UDP 51820 on each gateway to the other site’s public IP, and restrict forwarding between wg0 and the LAN interface to the two LAN subnets. WireGuard itself never replies to unauthenticated packets, but the firewall still limits what an attacker can probe and what a compromised remote site can reach.
- Rotate the static key pairs on a schedule and update both configurations together. Session keys are already rotated by the protocol every couple of minutes, so rotation here is about limiting how long a stolen private key stays useful.
- Add a PresharedKey to each [Peer] (generated with wg genpsk and copied to both sides); it adds a symmetric secret to the handshake on top of the Curve25519 exchange.
- Monitor wg show output (handshake age, transfer counters) and kernel logs for anomalies such as handshakes that stop or an Endpoint that changes unexpectedly.
- Back up /etc/wireguard/wg0.conf securely; it contains the private key, so keep it root-only (mode 600) and treat the backup the same way.
- Use systemd (wg-quick@wg0) or another init system so the tunnel comes up on boot.
- On Linux 5.6 and later WireGuard runs as a kernel module, which is the fastest option; the userspace wireguard-go implementation is only needed on platforms without the module.
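The validation section says to look for handshake timestamps in wg show, and the monitoring tip above says to watch them for anomalies. The added example below (not code from the original guide) does both over the machine-readable output of wg show wg0 dump, whose tab-separated columns are documented in wg(8): it reports every peer whose latest handshake is missing or older than a threshold. The sample dump, the fake key names, and the 203.0.113.x addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original guide: flag peers whose latest
# handshake is missing or older than a threshold, using the tab-separated
# output of "wg show wg0 dump" (format per wg(8)). Line 1 describes the
# interface; each following line is one peer with the fields public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (unix seconds,
# 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
set -eu

# stale_peers DUMP NOW MAX_AGE_SECONDS
# Prints "<pubkey><TAB><age>" for each peer whose handshake is older than
# MAX_AGE_SECONDS, or "<pubkey><TAB>never" for a peer that has never completed one.
stale_peers() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1        { next }                               # interface line, not a peer
    $5 == 0        { printf "%s\tnever\n", $1; next }     # no handshake since the interface came up
    now - $5 > max { printf "%s\t%d\n", $1, now - $5 }    # handshake too old
  '
}

# Constructed sample of "wg show wg0 dump" (fake keys, not captured from a
# real gateway): one healthy peer, one whose handshake is 1120 s old, and
# one that never completed a handshake.
sample_dump() {
  printf 'LOCAL_PRIVATE_KEY\tLOCAL_PUBLIC_KEY\t51820\toff\n'
  printf 'PEER_OK\t(none)\t203.0.113.2:51820\t10.10.10.2/32,10.10.2.0/24\t1700000100\t4096\t8192\t25\n'
  printf 'PEER_STALE\t(none)\t203.0.113.3:51820\t10.10.10.3/32,10.10.3.0/24\t1699999000\t0\t0\t25\n'
  printf 'PEER_NEVER\t(none)\t(none)\t10.10.10.4/32\t0\t0\t0\t25\n'
}

# WireGuard re-handshakes about every two minutes while traffic or keepalives
# flow, so three minutes without one means the tunnel is down or blocked.
stale_peers "$(sample_dump)" 1700000120 180
```

On a gateway, run it as root against live data with stale_peers "$(wg show wg0 dump)" "$(date +%s)" 180 from cron or a monitoring agent and alert on any output line; a peer that shows up as never right after boot is normal until traffic or the keepalive triggers the first handshake, but one that stays that way points at a firewall, endpoint or key problem.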
Conclusion
Setting up a WireGuard site-to-site VPN connects two networks securely and efficiently. With its modern cryptography and simple configuration, WireGuard offers a lightweight alternative to traditional VPNs like IPsec. By following this guide, you can build a robust encrypted tunnel between your sites, enabling seamless communication and enhancing your network security.
For deeper understanding of WireGuard’s cryptography and protocol, see wireguard-cryptography. For troubleshooting common issues like DNS leaks or slow speeds, check fix-vpn-dns-leak and slow-vpn-speed-fix. To understand alternative VPN protocols, explore ikev2-ipsec-explained and mesh-vpn-explained. For foundational encryption concepts, see aes-vs-chacha20.
