How to configure WireGuard VPN as gateway on Rocky Linux / CentOS 8

How to configure WireGuard VPN as gateway on Rocky Linux / CentOS 8

Example case

Consider the network setup below.

Peer 1 (server) is the central point (server) of the setup, accepting connections from the other peers and also tunnelling traffic from some of them. It has its interface configuration and knows the public keys and IPs of all other peers. Additionally, it knows the local networks for Peer 3, which is a bit special. Peer 2 and 3 can see each other (and the whole VPN IP address space) – reflected by the /24 netmask, while Peer 4 cannot (receives a single-host /32 netmask instead). Tunnelled peers also use the server (peer 1) as DNS resolver to avoid leaking out access information.

[Interface]
Address = 10.0.0.1/24 
ListenPort = 12345
PrivateKey = SERVER_PRIVATE_KEY 
# PublicKey = SERVER_PUBLIC_KEY 
PreUp = iptables -I INPUT -p udp --dport 12345 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 12345 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

# regular PC
[Peer]
PublicKey = PEER1_PUBLIC_KEY
PresharedKey = PEER1_PRESHARED_KEY
AllowedIPs = 10.0.0.2/24

# remote office gateway/router - interconnected resources
[Peer]
PublicKey = PEER2_PUBLIC_KEY
PresharedKey = PEER2_PRESHARED_KEY
AllowedIPs = 10.0.0.3/24, 192.168.200.0/24

# portable device
[Peer]
PublicKey = PEER3_PUBLIC_KEY
PresharedKey = PEER3_PRESHARED_KEY
AllowedIPs = 10.0.0.4/32

Peer 2 is a generic computer (located anywhere), accesses the internet directly (is not tunneled) but also requires access to the server’s internal network resources – its AllowedIPs configuration reflects this.

[Interface]
Address = 10.0.0.2/24
PrivateKey = PEER2_PRIVATE_KEY

[Peer]
Endpoint = 1.2.3.4:12345
PublicKey = PEER2_PUBLIC_KEY
PresharedKey = PEER2_PRESHARED_KEY
AllowedIPs = 10.0.0.0/24, 172.16.0.0/16

Peer 3 is a gateway/router for a remote office. It has access to the server’s own internal network (and shares this with its own internal network).
Additionally, the server (Peer 1) has access to the peer’s own internal network (the AllowedIPs line in the server’s configuration reflects this).
Also, all network traffic from this whole local network is tunneled through the WireGuard VPN. While its public IP address is known, that is irrelevant as no other peers initiate connections to this peer directly.

[Interface]
Address = 10.0.0.3/24
PrivateKey = PEER3_PRIVATE_KEY
DNS = 10.0.0.1, 1.2.3.4

[Peer]
Endpoint = 1.2.3.4:12345
PublicKey = PEER3_PUBLIC_KEY
PresharedKey = PEER3_PRESHARED_KEY
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

Peer 4 is a portable device which doesn’t have access to any of the internal resources but needs to have all its traffic tunneled through the VPN.

[Interface]
Address = 10.0.0.4/24
PrivateKey = PEER4_PRIVATE_KEY
DNS = 10.0.0.1, 1.2.3.4

[Peer]
Endpoint = 1.2.3.4:12345
PublicKey = PEER4_PUBLIC_KEY
PresharedKey = PEER4_PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0

 

Leave a Reply