Wireguard Mesh Private Network Setup
Private Network Plan
VPS | Location | Internal IP | Private Key | Public Key |
---|---|---|---|---|
VPS1 | DE | 192.168.1.1 | <save_this> | <save_this> |
VPS2 | NL | 192.168.1.2 | <save_this> | <save_this> |
VPS3 | US | 192.168.1.3 | <save_this> | <save_this> |
VPS4 | JP | 192.168.1.4 | <save_this> | <save_this> |
I have multiple chickens around the world: Germany (DE), the Netherlands (NL), Atlanta (US) and Japan (JP).
Install Wireguard
I want to connect all of them in a private network using software called WireGuard. The first step is to install WireGuard on each VPS.
sudo apt update
sudo apt install wireguard -y
On each VPS, generate a private key and its public key, and record the public key in the private network plan. The private key never leaves the VPS it was generated on, so keep the key file readable by root only.
wg genkey | sudo tee /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
sudo chmod 600 /etc/wireguard/private.key
To view the generated private key and public key later, run:
cat /etc/wireguard/private.key
cat /etc/wireguard/public.key
Configure Wireguard
Start configuring WireGuard by creating wg0.conf in /etc/wireguard:
sudo nano /etc/wireguard/wg0.conf
Take a look at this wg0.conf template; this is the wg0.conf on VPS1.
The [Interface] section is specific to each VPS, while the [Peer] sections can be copied to VPS2, VPS3 and VPS4 and adjusted so that each VPS lists the other three peers and not itself. Each peer's AllowedIPs is a single /32, so a peer can only send and receive traffic for its own internal address.
[Interface]
PrivateKey = <VPS1_PRIVATE_KEY>
Address = 192.168.1.1/24
ListenPort = 51820
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25
In VPS2's /etc/wireguard/wg0.conf, the [Interface] part holds VPS2's private key, while the [Peer] parts hold the Endpoint and Public Key of VPS1, VPS3 and VPS4.
[Interface]
PrivateKey = <VPS2_PRIVATE_KEY>
Address = 192.168.1.2/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25
In VPS3's /etc/wireguard/wg0.conf, the [Interface] part holds VPS3's private key, while the [Peer] parts hold the Endpoint and Public Key of VPS1, VPS2 and VPS4.
[Interface]
PrivateKey = <VPS3_PRIVATE_KEY>
Address = 192.168.1.3/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS4_PUBLIC_KEY>
Endpoint = <VPS4_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.4/32
PersistentKeepalive = 25
In VPS4's /etc/wireguard/wg0.conf, the [Interface] part holds VPS4's private key, while the [Peer] parts hold the Endpoint and Public Key of VPS1, VPS2 and VPS3.
[Interface]
PrivateKey = <VPS4_PRIVATE_KEY>
Address = 192.168.1.4/24
ListenPort = 51820
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
Endpoint = <VPS1_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = <VPS3_PUBLIC_KEY>
Endpoint = <VPS3_PUBLIC_IP>:51820
AllowedIPs = 192.168.1.3/32
PersistentKeepalive = 25
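Writing four nearly identical files by hand is where mistakes creep in (a peer listing itself, a swapped key). Here is an added helper, not part of the original post, that generates every node's wg0.conf from the private network plan; the names, addresses, endpoints and keys in PLAN are constructed placeholders to replace with the real plan.

```shell
#!/bin/sh
# Added example: generate one wg0.conf per VPS from the private network plan.
# Plan format (constructed placeholders, replace with the real plan):
#   NAME INTERNAL_IP PUBLIC_IP PRIVATE_KEY PUBLIC_KEY
PLAN='VPS1 192.168.1.1 203.0.113.1 VPS1_PRIVATE_KEY VPS1_PUBLIC_KEY
VPS2 192.168.1.2 203.0.113.2 VPS2_PRIVATE_KEY VPS2_PUBLIC_KEY
VPS3 192.168.1.3 203.0.113.3 VPS3_PRIVATE_KEY VPS3_PUBLIC_KEY
VPS4 192.168.1.4 203.0.113.4 VPS4_PRIVATE_KEY VPS4_PUBLIC_KEY'

# gen_conf NAME: print NAME's wg0.conf. Its own key goes into [Interface];
# every other node becomes a [Peer] whose AllowedIPs is pinned to its single
# internal address (/32), so no peer can claim another node's traffic.
gen_conf() {
  self="$1"
  # [Interface] section from the node's own row
  printf '%s\n' "$PLAN" | while read -r name ip pub priv pubkey; do
    if [ "$name" = "$self" ]; then
      printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nListenPort = 51820\n' \
        "$priv" "$ip"
    fi
  done
  # one [Peer] section for each of the other nodes (never for itself)
  printf '%s\n' "$PLAN" | while read -r name ip pub priv pubkey; do
    if [ -n "$name" ] && [ "$name" != "$self" ]; then
      printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:51820\nAllowedIPs = %s/32\nPersistentKeepalive = 25\n' \
        "$pubkey" "$pub" "$ip"
    fi
  done
}

# count_peers NAME: number of [Peer] sections in NAME's config (sanity check:
# a full mesh of N nodes must give N-1 peers on every node)
count_peers() {
  gen_conf "$1" | grep -c '^\[Peer\]'
}

# write_all: one file per VPS under ./out; copy out/VPSn.wg0.conf to
# /etc/wireguard/wg0.conf on the matching host (mode 600, it holds a private key)
write_all() {
  mkdir -p out
  for n in VPS1 VPS2 VPS3 VPS4; do
    gen_conf "$n" > "out/$n.wg0.conf"
    chmod 600 "out/$n.wg0.conf"
  done
}
```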
Enable IP Forwarding
IP forwarding is needed when WireGuard routes traffic between different networks. Enable it on each VPS so any node can forward packets from one network interface to another (plain peer-to-peer traffic between the /32 addresses above works without it).
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Start, Enable and Verify
On each VPS, enable WireGuard at boot and start it now:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
From each VPS (VPS1-4), ping every peer:
ping 192.168.1.1
ping 192.168.1.2
ping 192.168.1.3
ping 192.168.1.4
Verify the connections with the wg command:
root@dev1:~# wg
interface: wg0
public key: XhKt0cj8i08RH6(hidden)1RlanzvPpLUbF2tEuGi42Y=
private key: (hidden)
listening port: 51820
peer: b8Z4BW7(hidden)mewbixy9BBUiFCfXT5bAOJOGegCk=
endpoint: <VPS2_PUBLIC_IP>:51820
allowed ips: 192.168.1.2/32
latest handshake: 32 seconds ago
transfer: 771.45 KiB received, 511.61 KiB sent
persistent keepalive: every 25 seconds
peer: rxrjgABUZL5Run(hidden)3DOwYk28L0jeoNyWFc=
endpoint: <VPS4_PUBLIC_IP>:51820
allowed ips: 192.168.1.4/32
latest handshake: 1 minute, 47 seconds ago
transfer: 1.25 MiB received, 452.12 KiB sent
persistent keepalive: every 25 seconds
peer: w8leUHPQwxt6u(hidden)2eNVqBZSledcCwzTZ+g7VU=
endpoint: <VPS3_PUBLIC_IP>:51820
allowed ips: 192.168.1.3/32
latest handshake: 2 minutes, 2 seconds ago
transfer: 2.10 MiB received, 1.28 MiB sent
persistent keepalive: every 25 seconds
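The "latest handshake" line is the health signal worth watching after the initial check. Here is an added monitoring snippet, not part of the original post, that reads the machine-readable form of that output (wg show wg0 latest-handshakes, which needs root) and flags peers whose handshake is stale; the SAMPLE lines and NOW value are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag mesh peers whose WireGuard handshake has gone stale.
# `wg show wg0 latest-handshakes` prints one "PUBLIC_KEY<TAB>EPOCH_SECONDS" line
# per peer (0 = never handshaken). With PersistentKeepalive = 25 a reachable
# peer re-handshakes within ~3 minutes, so anything older means the tunnel is down.
# Constructed sample; in production use: SAMPLE="$(wg show wg0 latest-handshakes)"
NOW=1700000000
SAMPLE="$(printf '%s\t%s\n' \
  VPS2_PUBLIC_KEY 1699999968 \
  VPS4_PUBLIC_KEY 1699999000 \
  VPS3_PUBLIC_KEY 0)"

# stale_peers MAX_AGE: print the public key of each peer whose last handshake is
# older than MAX_AGE seconds (or that never completed one), relative to $NOW.
stale_peers() {
  max="$1"
  tab="$(printf '\t')"
  printf '%s\n' "$SAMPLE" | while IFS="$tab" read -r key ts; do
    if [ -z "$key" ]; then
      continue
    fi
    age=$((NOW - ts))
    if [ "$ts" -eq 0 ] || [ "$age" -gt "$max" ]; then
      printf '%s\n' "$key"
    fi
  done
}

# stale_count MAX_AGE: number of stale peers (non-zero is the alert condition)
stale_count() {
  stale_peers "$1" | grep -c .
}
```

Run it from cron on each VPS and alert when stale_count 180 is non-zero; a stale peer usually means a changed public IP, a blocked UDP 51820 or a host that is down.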
Congratulations, you now have full-mesh private network connectivity with WireGuard.
You can also set this up quickly by adding each VPS to a private network with Tailscale; it's free~