Private Network Plan
| VPS | Location | Internal IP | Private Key | Public Key |
|---|---|---|---|---|
| VPS1 | DE | 192.168.1.1 | <save_this> | <save_this> |
| VPS2 | NL | 192.168.1.2 | <save_this> | <save_this> |
| VPS3 | US | 192.168.1.3 | <save_this> | <save_this> |
| VPS4 | JP | 192.168.1.4 | <save_this> | <save_this> |

I have multiple chickens around the world: Germany (DE), Netherlands (NL), Atlanta (US), Japan (JP).

Install Wireguard
I want to connect all of them in a private network using software called WireGuard. The first thing to do is install WireGuard on each VPS.

sudo apt update
sudo apt install wireguard -y

On each VPS, generate a private key and a public key and save them to the private network plan. Only the public keys go into the other hosts' configs; each private key is used only in its own VPS's wg0.conf.

# keep the key files readable by root only
umask 077
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key

| VPS | Location | Internal IP | Private Key | Public Key |
|---|---|---|---|---|
| VPS1 | DE | 192.168.1.1 | <save_this> | <save_this> |
| VPS2 | NL | 192.168.1.2 | <save_this> | <save_this> |
| VPS3 | US | 192.168.1.3 | <save_this> | <save_this> |
| VPS4 | JP | 192.168.1.4 | <save_this> | <save_this> |

To see the private key and public key values, run:

cat /etc/wireguard/private.key
cat /etc/wireguard/public.key

Configure Wireguard
Start configuring WireGuard by creating wg0.conf in /etc/wireguard:

nano /etc/wireguard/wg0.conf

Take a look at this wg0.conf template. This is wg0.conf on VPS1.
The [Interface] part is configured separately on each VPS, and you can copy-paste the [Peer] parts to VPS2, VPS3 and VPS4 (each VPS lists the other three as peers).

[Interface]
PrivateKey = <VPS1_PRIVATE_KEY>
Address = 192.168.1.1/24
ListenPort = 51820
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In /etc/wireguard/wg0.conf on VPS2, the [Interface] part uses VPS2's private key, while the [Peer] parts carry the Endpoint and PublicKey of VPS1, VPS3 and VPS4.

[Interface]
PrivateKey = <VPS2_PRIVATE_KEY>
Address = 192.168.1.2/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In /etc/wireguard/wg0.conf on VPS3, the [Interface] part uses VPS3's private key, while the [Peer] parts carry the Endpoint and PublicKey of VPS1, VPS2 and VPS4.

[Interface]
PrivateKey = <VPS3_PRIVATE_KEY>
Address = 192.168.1.3/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25

In /etc/wireguard/wg0.conf on VPS4, the [Interface] part uses VPS4's private key, while the [Peer] parts carry the Endpoint and PublicKey of VPS1, VPS2 and VPS3.

[Interface]
PrivateKey = <VPS4_PRIVATE_KEY>
Address = 192.168.1.4/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25

Enable IP Forwarding
IP forwarding is needed in WireGuard for routing network traffic between different networks. Each VPS needs IP forwarding enabled so that it can forward packets from one network interface to another.

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start, Enable and Verify
On each VPS, start WireGuard and enable it:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Ping each peer from VPS1-4:

ping 192.168.1.1
ping 192.168.1.2
ping 192.168.1.3
ping 192.168.1.4

Verify the connection with the wg command:

root@dev1:~# wg
interface: wg0
public key: XhKt0cj8i08RH6(hidden)1RlanzvPpLUbF2tEuGi42Y=
private key: (hidden)
listening port: 51820
peer: b8Z4BW7(hidden)mewbixy9BBUiFCfXT5bAOJOGegCk=
endpoint: <VPS2_PUBLIC_KEY>:51820
allowed ips: 192.168.1.2/32
latest handshake: 32 seconds ago
transfer: 771.45 KiB received, 511.61 KiB sent
persistent keepalive: every 25 seconds
peer: rxrjgABUZL5Run(hidden)3DOwYk28L0jeoNyWFc=
endpoint: <VPS4_PUBLIC_KEY>:51820
allowed ips: 192.168.1.4/32
latest handshake: 1 minute, 47 seconds ago
transfer: 1.25 MiB received, 452.12 KiB sent
persistent keepalive: every 25 seconds
peer: w8leUHPQwxt6u(hidden)2eNVqBZSledcCwzTZ+g7VU=
endpoint: <VPS3_PUBLIC_KEY>:51820
allowed ips: 192.168.1.3/32
latest handshake: 2 minutes, 2 seconds ago
transfer: 2.10 MiB received, 1.28 MiB sent
persistent keepalive: every 25 seconds
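
The same verification can be scripted against the tab-separated output of `wg show wg0 dump`, comparing each peer with the private network plan. This is an added example, not part of the original post; the keys, endpoints and timestamps are constructed placeholders, and the 180-second staleness threshold is an assumption.

```python
import time

# Peers VPS1 should have, from the private network plan.
# Keys are constructed placeholders, not real WireGuard keys.
EXPECTED = {
    "PUBKEY_VPS2=": "192.168.1.2/32",
    "PUBKEY_VPS3=": "192.168.1.3/32",
    "PUBKEY_VPS4=": "192.168.1.4/32",
}
MAX_HANDSHAKE_AGE = 180  # seconds; assumed staleness threshold


def check_mesh(dump_text, expected, now=None):
    """Return a list of problems found in `wg show wg0 dump` output."""
    now = int(time.time()) if now is None else now
    problems, seen = [], set()
    # Line 1 is the interface and contains its private key: skip it and
    # never write the raw dump to logs.
    for line in dump_text.strip().splitlines()[1:]:
        pub, _psk, _endpoint, allowed, handshake, _rx, _tx, _ka = line.split("\t")
        seen.add(pub)
        if pub not in expected:
            problems.append(f"unexpected peer {pub}")
            continue
        if allowed != expected[pub]:
            # A wider range would let this peer send as other mesh addresses.
            problems.append(f"{pub}: allowed ips {allowed}, plan says {expected[pub]}")
        age = now - int(handshake)
        if int(handshake) == 0:
            problems.append(f"{pub}: no handshake yet")
        elif age > MAX_HANDSHAKE_AGE:
            problems.append(f"{pub}: last handshake {age}s ago")
    problems += [f"missing peer {p}" for p in expected if p not in seen]
    return problems


# Constructed sample; endpoints use the 203.0.113.0/24 documentation range.
SAMPLE = "\n".join([
    "PRIVKEY_VPS1=\tPUBKEY_VPS1=\t51820\toff",
    "PUBKEY_VPS2=\t(none)\t203.0.113.2:51820\t192.168.1.2/32\t1700000000\t789964\t523888\t25",
    "PUBKEY_VPS3=\t(none)\t203.0.113.3:51820\t192.168.1.0/24\t1700000000\t2202009\t1342177\t25",
    "PUBKEY_VPS4=\t(none)\t(none)\t192.168.1.4/32\t0\t0\t0\t25",
])

if __name__ == "__main__":
    for problem in check_mesh(SAMPLE, EXPECTED, now=1700000030):
        print(problem)
```
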
Congrats, you now have full-mesh private network connectivity with WireGuard.
You can also set this up quickly by adding each VPS to a private network with Tailscale; it's free~
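
The four wg0.conf files in the Configure Wireguard section differ only in which row of the plan is the [Interface] and which rows are [Peer] entries, so they can be rendered from the plan instead of copy-pasted by hand. This is an added example, not part of the original post; the endpoint addresses and public keys are constructed placeholders, and the private key is left as a placeholder to be filled in on each VPS.

```python
import ipaddress

LISTEN_PORT = 51820
# Plan rows: name -> (internal IP, public endpoint IP, public key).
# Endpoints (documentation range) and keys are constructed placeholders.
PLAN = {
    "VPS1": ("192.168.1.1", "203.0.113.1", "PUBKEY_VPS1="),
    "VPS2": ("192.168.1.2", "203.0.113.2", "PUBKEY_VPS2="),
    "VPS3": ("192.168.1.3", "203.0.113.3", "PUBKEY_VPS3="),
    "VPS4": ("192.168.1.4", "203.0.113.4", "PUBKEY_VPS4="),
}


def render_config(host, plan, prefix_len=24):
    """Render wg0.conf for `host` with every other plan row as a [Peer]."""
    own_ip = plan[host][0]
    net = ipaddress.ip_network(f"{own_ip}/{prefix_len}", strict=False)
    ips = [ipaddress.ip_address(row[0]) for row in plan.values()]
    if len(set(ips)) != len(ips):
        raise ValueError("duplicate internal IP in plan")
    if any(ip not in net for ip in ips):
        raise ValueError(f"internal IP outside {net}")
    lines = [
        "[Interface]",
        # Placeholder stays in the output; the private key is pasted in on
        # the VPS that owns it and never passes through this script.
        f"PrivateKey = <{host}_PRIVATE_KEY>",
        f"Address = {own_ip}/{prefix_len}",
        f"ListenPort = {LISTEN_PORT}",
    ]
    for name, (peer_ip, endpoint, pubkey) in plan.items():
        if name == host:
            continue  # a host never lists itself as a peer
        lines += [
            "",
            "[Peer]",
            f"PublicKey = {pubkey}",
            f"Endpoint = {endpoint}:{LISTEN_PORT}",
            f"AllowedIPs = {peer_ip}/32",
            "PersistentKeepalive = 25",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config("VPS4", PLAN))
```
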