a guest
Jan 18th, 2019

# WireGuard Site-to-Site

*Accessing a subnet that is behind a WireGuard client using a site-to-site setup*

#### Problem Summary

We want to access a local subnet remotely, but it is behind a NAT firewall and we can't set up port forwarding. Outgoing connections work, but all incoming connections are dropped by the ISP's routing policy.

#### Solution Summary

We'll create a site-to-site connection with **WireGuard** that lets a remote device (a smartphone, in this example) reach the local subnet by going through a cloud server in the middle. The machine on the local subnet only ever makes an *outgoing* connection to the cloud server, so nothing has to be opened inbound at the NAT.
  12.  
## Working Example

First let's define our three hosts. They all have **WireGuard** installed.

```A``` the Linux machine on the *local subnet*, **behind the NAT/firewall**
```B``` the Linux cloud server (*VPS, like an Amazon EC2 instance*), reachable from the internet on UDP port 51820
```C``` a third **WireGuard** client; a smartphone in this example
  20.  
#### Host 'A'

Host A's ```/etc/wireguard/wg0-client.conf``` (with wg-quick the file name sets the interface name, so the interface is ```wg0-client```):

```conf
[Interface]
Address = 10.200.200.5/24
PrivateKey = <HOST 'A' PRIVATE-KEY>
ListenPort = 27836 # optional; will be randomly assigned otherwise
DNS = 1.1.1.1 # or your own DNS server if you're running one

[Peer]
PublicKey = <PUBLIC KEY OF HOST 'B'>
Endpoint = host-b-fqdn.tld:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25 # to keep connections alive across NAT
```

Note that ```AllowedIPs = 0.0.0.0/0, ::/0``` makes wg-quick send *all* of Host A's traffic through Host B, not only the tunnel traffic. If you only want the site-to-site link, narrow it to ```10.200.200.0/24```; return traffic to Host C (```10.200.200.3```) is still covered. Host A (and Host B) must also be allowed to forward packets at all, so make sure ```net.ipv4.ip_forward = 1``` is set with ```sysctl``` on both, otherwise the rules below have nothing to act on.

Here's what we need to add to Host A's ```iptables``` rules, *expressed as the commands you would use to ADD them* (they could equally go in ```PostUp```/```PostDown``` lines, as on Host B):

```
# iptables -A FORWARD -i wg0-client -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

The first rule lets packets arriving from the tunnel be forwarded onto the LAN; the second masquerades them behind Host A's LAN address (```eth0``` here; use your actual LAN interface), so LAN hosts answer Host A and need no route back to 10.200.200.0/24. If your ```FORWARD``` chain's default policy is DROP, you also need to allow the established return traffic from ```eth0``` back to ```wg0-client```.
  46.  
#### Host 'B'

Host B's ```/etc/wireguard/wg0.conf```:

```conf
[Interface]
Address = 10.200.200.1/24
PrivateKey = <HOST 'B' PRIVATE KEY>
ListenPort = 51820

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

# This is the peer that is on the private subnet that we want to access.
#
# Notice the AllowedIPs... without this part, WireGuard will drop the
# packets destined for the HOST 'A' subnet. AllowedIPs is acting like
# a routing table and ACL here.
[Peer]
PublicKey = <HOST 'A' PUBLIC KEY>
AllowedIPs = 10.200.200.5/32, 100.10.202.0/24

# The smartphone
[Peer]
PublicKey = <HOST 'C' PUBLIC KEY>
AllowedIPs = 10.200.200.3/32

# An additional peer...
[Peer]
PublicKey = <Additional peer pubkey>
AllowedIPs = 10.200.200.4/32
```

```%i``` expands to the interface name (```wg0```), and ```ens3``` is the VPS's public interface; adjust it to yours. wg-quick also installs a kernel route for every peer's AllowedIPs, so Host B routes ```100.10.202.0/24``` into the tunnel without any extra ```ip route``` command. Keep the AllowedIPs of different peers disjoint: a prefix can belong to only one peer, and a peer configured later that lists the same prefix silently takes it over.
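To make the comment about AllowedIPs concrete, here is an added example (not code from the original paste) that models WireGuard's cryptokey routing for the Host B config above: it parses the ```[Peer]``` sections, does the longest-prefix match on the destination that decides which peer a packet is encrypted to, applies the matching source check on decrypted packets, and reports when two peers claim the same prefix. The config text, the ```<rogue peer pubkey>``` peer and the addresses tried are constructed for the example; the keys are the page's placeholders, not real keys.

```python
import ipaddress

A_KEY = "<HOST 'A' PUBLIC KEY>"
C_KEY = "<HOST 'C' PUBLIC KEY>"
ROGUE_KEY = "<rogue peer pubkey>"  # hypothetical extra peer, not on the page

# Constructed copy of Host B's wg0.conf from this page (placeholder keys).
HOST_B_CONF = """
[Interface]
Address = 10.200.200.1/24
PrivateKey = <HOST 'B' PRIVATE KEY>
ListenPort = 51820

[Peer]
PublicKey = <HOST 'A' PUBLIC KEY>
AllowedIPs = 10.200.200.5/32, 100.10.202.0/24

[Peer]
PublicKey = <HOST 'C' PUBLIC KEY>
AllowedIPs = 10.200.200.3/32

[Peer]
PublicKey = <Additional peer pubkey>
AllowedIPs = 10.200.200.4/32
"""

# Constructed misconfiguration: a later peer that re-claims Host A's LAN.
ROGUE_PEER = f"\n[Peer]\nPublicKey = {ROGUE_KEY}\nAllowedIPs = 100.10.202.0/24\n"


def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...] for each [Peer] section."""
    peers, section, current = [], None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; base64 keys never contain '#'
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                current = {"key": None, "allowed": []}
                peers.append(current)
            continue
        if section != "peer":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "publickey":
            current["key"] = value
        elif key == "allowedips":
            current["allowed"] += [ipaddress.ip_network(p.strip(), strict=False)
                                   for p in value.split(",")]
    return [(p["key"], p["allowed"]) for p in peers]


def build_table(peers):
    """Map each AllowedIPs prefix to exactly one peer key, as the kernel does.
    A later peer listing the same prefix takes it over; such takeovers are
    returned as (prefix, previous_owner, new_owner) instead of being ignored."""
    table, takeovers = {}, []
    for key, nets in peers:
        for net in nets:
            if net in table:
                takeovers.append((net, table[net], key))
            table[net] = key
    return table, takeovers


def route(table, dst):
    """Egress: longest-prefix match on the destination. None means no peer
    claims dst, so WireGuard drops the packet (the fate of 100.10.202.x if the
    /24 is left off Host A's AllowedIPs)."""
    addr, best = ipaddress.ip_address(dst), None
    for net, key in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return best[1] if best else None


def ingress_allowed(table, src, key):
    """Ingress ACL: a decrypted packet from peer `key` is accepted only if its
    source address lies inside that peer's own AllowedIPs (anti-spoofing)."""
    return route(table, src) == key


def demo():
    """Evaluate the page's config, a copy missing the LAN prefix, and the
    rogue-peer copy; return the results so they can be checked."""
    table, takeovers = build_table(parse_peers(HOST_B_CONF))
    no_lan, _ = build_table(parse_peers(HOST_B_CONF.replace(", 100.10.202.0/24", "")))
    rogue, rogue_takeovers = build_table(parse_peers(HOST_B_CONF + ROGUE_PEER))
    return {
        "ping_target_peer": route(table, "100.10.202.1"),     # -> Host A's key
        "phone_peer": route(table, "10.200.200.3"),           # -> Host C's key
        "unclaimed": route(table, "10.200.200.9"),            # -> None (dropped)
        "without_lan_prefix": route(no_lan, "100.10.202.1"),  # -> None (dropped)
        "spoof_from_phone": ingress_allowed(table, "100.10.202.1", C_KEY),  # False
        "reply_from_a": ingress_allowed(table, "100.10.202.1", A_KEY),      # True
        "takeovers": takeovers,                               # [] for the page's config
        "rogue_owner": route(rogue, "100.10.202.1"),          # -> rogue key
        "rogue_takeovers": rogue_takeovers,                   # one entry
    }
```

With the page's config the ping target ```100.10.202.1``` resolves to Host A's peer, the same address with the /24 removed resolves to no peer at all, and a packet carrying that source address but arriving from the smartphone's peer fails the ingress check. Appending a later peer that also lists ```100.10.202.0/24``` moves the prefix to that peer, which is why every peer's AllowedIPs on Host B must be kept disjoint.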
  81.  
#### Host 'C'

Host C's configuration file:

```conf
[Interface]
PrivateKey = <HOST 'C' PRIVATE KEY>
Address = 10.200.200.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = <HOST 'B' PUBLIC KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = host-b-fqdn.tld:51820
PersistentKeepalive = 25
```
  99.  
**You're finished.**

Make sure **WireGuard** is running on both hosts A and B. Then, on the smartphone (host C), after connecting to host B with **WireGuard**, you should be able to ping ```100.10.202.1```. Host B forwards the packet to Host A because ```100.10.202.0/24``` is in Host A's AllowedIPs, Host A masquerades it onto the LAN, and the reply comes back the same way.