In this article, I will talk about accessing the internal network (LAN) of first home from the second and vice versa as if they were connected to each other (even if they are continents apart in the real physical world). We are going to assume that you have Ubiquiti edgerouters on both sides. The general principle will still apply if you can use Wireguard with other routers/gateways.
Site to Site VPN
This weekend I spent a bit of time connecting my home in which I live to the one in which my parents live. This was simply to help them out in a few things which they would not be able to do so otherwise. At the end of this exercise, I could ping/ssh/connect to any machine on their network and they could do the same to mine. So what did I need for this?
- Both networks to be in non-colliding network segments
- A static public IP address on each router (mine and theirs)
- Home gateway routers that can run Wireguard (e.g. Ubiquiti Edgerouters)
- Admin access to the two routers
- Some comfort with working on the command line
The basic idea is as follows:
- Create a
wireguard interface on each router
- Assign an IP address to each router's wireguard interface (should be on the same subnet)
- Ask each interface to listen on a port (it's always UDP)
- Create a public and private key for each interface (on each router)
- For each router add the other one as a "peer" with the public key of the other router
- Set the allowed IP values (to create the correct entry in the router's routing table)
- Choose one router as the "client" and connect to the other router
- Configure each router's firewall to allow packets on the listening port
You can follow the instructions at the Wireguard installation page to install the wireguard software on your routers. In the notes below, commands for the first router will be in this colour. Commands for the second router will be in this colour. If the commands are to be carried out in both routers, they shall be this colour.
If you have an edgerouter, ssh into the router.
First we create the public and private keys. We do the following on each router.
wg genkey > wg0-private.key
wg pubkey < wg0-private.key > wg0-public.key
Note down the public keys. They will be used quite soon below.
Next we setup the interface on the first (my) router
set interfaces wireguard wg0 address 10.100.100.1/24
set interfaces wireguard wg0 description "site to site vpn interface"
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 private-key /config/auth/wg0-private.key
set interfaces wireguard wg0 route-allowed-ips true
The setup for the second (parent's) router is the same except that the address will change. I chose 10.100.100.2/24
Next we add the first router as a peer to the second and the second router
as a peer to the first. Let's first do it for the first router. The first
router uses the network 192.168.0.1 to 192.168.0.255 i.e. 192.168.0.0/24
for the LAN. The second router must use a non-colliding network as
mentioned before. In case it does not, you have admin access, go change
it. For my parents, the router uses the network 192.168.1.1 to
192.168.1.255 i.e. 192.168.1.0/24 for their LAN
set interfaces wireguard wg0 peer public-key-of-second-router
set interfaces wireguard wg0 peer public-key-of-second-router description "parent's home router"
set interfaces wireguard wg0 peer public-key-of-second-router description allowed-ips 10.100.100.2/32, 192.168.1.0/24
set interfaces wireguard wg0 peer public-key-of-second-router description persistent-keepalive 30
For my parents (the second router), I configure it as follows
set interfaces wireguard wg0 peer public-key-of-first-router
set interfaces wireguard wg0 peer public-key-of-first-router description "parent's home router"
set interfaces wireguard wg0 peer public-key-of-first-router description allowed-ips 10.100.100.1/32, 192.168.0.0/24
set interfaces wireguard wg0 peer public-key-of-first-router description persistent-keepalive 30
The next next thing is make one of the routers as a "client" to the other
router. I choose the first router (the one with wg0 as 10.100.100.1) as
the client to the second router. I do it as follows.
set interfaces wireguard wg0 peer public-key-of-second-router endpoint public-static.ipadress-of.second-router:51820
The final thing is to configure the firewall on each router to allow
incoming packets on port 51820.
set firewall name WAN_LOCAL rule 21 action accept
set firewall name WAN_LOCAL rule 21 action description "accept packets for wg0 - site to site VPN"
set firewall name WAN_LOCAL rule 21 action destination port 51820
set firewall name WAN_LOCAL rule 21 action log disable
set firewall name WAN_LOCAL rule 21 action protocol udp
You can check and then commit the changes using the following commands.
show interfaces wireguard wg0
show firewall name WAN_LOCAL
At this point, after a few seconds, the VPN tunnel should be up and running
automatically. You can check by going to the first router and trying to
ping the second router and it's network.
Repeat the exercise on the second router.
You should also be able to ping the other computers or devices on the network viz. printers.
How does this work?
The two wireguard interfaces on each router create a tunnel (a virtual point to point link) to each other using the information provided. In our case, the wireguard software on the first router uses the endpoint information along with the public key of the second router to connect to it.
Additionally, each router uses the allowed-ips parameter set in the peer section to automatically create routing table entries on the router. For example, in the first router, two entries are created. The first entry says that for 10.100.100.2, the default interface is wg0. The second entry says that for 192.168.1.0/24, the default interface is wg0.
When a person in the first network operating a terminal at IP address 192.168.0.5 pings 192.168.1.1, the destination IP address being a foreign one, gets automatically forwarded to the first network's router. The router looks at the destination address (192.168.1.1), determines that it should go out on wg0 and hands it to the wireguard software. Wireguard ensures that it gets sent to 10.100.100.2 (since this is a point to point tunnel link from wg0 of the first router). The packet emerges from the tunnel at the second router. At the second router (10.100.100.2), the router receives that ping packet, opens it and notices that its come from the 192.168.0.0/24 network from the peer associated with that network. So it accepts it and forwards it to the 192.168.1.1 interface on the router. The router replies to the ping. Now this reply is destined to 192.168.0.5. The router realizes that this packet is not meant for its own LAN and looks up its forwarding table. It finds that packets for 192.168.0.0/24 network must go out on wg0 interface. The wireguard software takes this reply packet and sends it across the tunnel to 10.100.100.1 i.e. the first router. The first router now opens the packet, sees that its meant for 192.168.0.5 and sends it along to that machine who then sees the ping reply on his/her terminal.
We have ignored here how the wireguard software works. Suffice to say, it involves encrypting the packet and encapsulating it. The full details are quite technical but unnecessary for this article. The first reference link will take you there in case you are interested. Hope this helps you help out your parents when you cannot be around.