-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwireguard_site-to-site_NAT_1.3
75 lines (63 loc) · 3.58 KB
/
wireguard_site-to-site_NAT_1.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
### Tested on VyOS 1.3.0-epa1 ###
# Wireguard VPN Site-to-site behind NAT
# Dynamic routing via BGP
# Wireguard example Site-to-site VyOS-R333 behind NAT, VyOS-R222 with public IP (172.22.222.222):
# 10.1.0.0/30 && 2001:23::/64- wireguard link between VyOS-R333 and VyOS-R222
# 172.24.24.0/24 && 2001:222::/64 - LAN on VyOS-R333 (dum3 interface)
# 172.22.22.0/24 && 2001:333::/64 - LAN on VyOS-R222 (dum2 interface)
############################################
# VyOS-R222 (Public IP: 172.22.222.222)
# First. Generate keypair & copy public key:
vyos@VyOS-R333:~$ generate wireguard default-keypair
vyos@VyOS-R333:~$ show wireguard keypairs pubkey default
x1PNLX7xgqtVcRx5Iq8RQBcRIktX6ZnK1nv84Ornlls=
# Create wg interface with addresses:
set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 address '2001:23::2/64'
set interfaces wireguard wg01 description 'VPN-to-wg333'
# Create wireguard config:
set interfaces wireguard wg01 peer to-wg333 allowed-ips '172.24.24.0/24'
set interfaces wireguard wg01 peer to-wg333 allowed-ips '10.1.0.0/30'
set interfaces wireguard wg01 peer to-wg333 allowed-ips '2001:23::/64'
set interfaces wireguard wg01 peer to-wg333 allowed-ips '2001:333::/64'
set interfaces wireguard wg01 peer to-wg333 pubkey 'PfsgJyFxikSG/nl+sJYIYBl1xK0ejS1CpUFyBsxtJFM='
set interfaces wireguard wg01 port '51820'
# Set remote site static routes via wg:
set protocols static route 172.24.24.0/24 next-hop 10.1.0.1 next-hop-interface wg01
set protocols static route6 2001:333::/64 next-hop 2001:23::3 interface wg01
############################################
# VyOS-R333 (Behind NAT)
# First. Generate keypair & copy public key:
vyos@VyOS-R333:~$ generate wireguard default-keypair
vyos@VyOS-R333:~$ show wireguard keypairs pubkey default
PfsgJyFxikSG/nl+sJYIYBl1xK0ejS1CpUFyBsxtJFM=
# Create wg interface with addresses:
set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 address '2001:23::3/64'
set interfaces wireguard wg01 description 'VPN-to-wg222'
# Create wireguard config:
set interfaces wireguard wg01 peer to-wg222 allowed-ips '172.22.22.0/24'
set interfaces wireguard wg01 peer to-wg222 allowed-ips '10.1.0.0/30'
set interfaces wireguard wg01 peer to-wg222 allowed-ips '2001:23::/64'
set interfaces wireguard wg01 peer to-wg222 allowed-ips '2001:222::/64'
set interfaces wireguard wg01 peer to-wg222 address '172.22.222.222'
set interfaces wireguard wg01 peer to-wg222 port '51820'
set interfaces wireguard wg01 peer to-wg222 pubkey 'x1PNLX7xgqtVcRx5Iq8RQBcRIktX6ZnK1nv84Ornlls='
set interfaces wireguard wg01 port '51820'
# Set remote site static routes via wg:
set protocols static route 172.22.22.0/24 next-hop 10.1.0.2 next-hop-interface wg01
set protocols static route6 2001:222::/64 next-hop 2001:23::2 interface wg01
############################################
#### Dynamic routing (via BGP) ####
# VyOS-R222
set protocols bgp 65000 address-family ipv4-unicast network 172.22.22.0/24
set protocols bgp 65000 neighbor 10.1.0.1 address-family ipv4-unicast nexthop-self
set protocols bgp 65000 neighbor 10.1.0.1 remote-as '65000'
set protocols bgp 65000 address-family ipv6-unicast network 2001:222::/64
set protocols bgp 65000 neighbor 10.1.0.1 address-family ipv6-unicast
# VyOS-R333
set protocols bgp 65000 address-family ipv4-unicast network 172.24.24.0/24
set protocols bgp 65000 neighbor 10.1.0.2 address-family ipv4-unicast nexthop-self
set protocols bgp 65000 neighbor 10.1.0.2 remote-as '65000'
set protocols bgp 65000 address-family ipv6-unicast network 2001:333::/64
set protocols bgp 65000 neighbor 10.1.0.2 address-family ipv6-unicast