
Secure Site-to-Site VPN with WireGuard on VyOS 1.5 for Inter-Site Connectivity
Connecting multiple office sites or datacenters securely and efficiently is a critical challenge for modern businesses. Traditional VPN solutions like IPsec or OpenVPN can be complex to configure and maintain, especially in multi-site environments. WireGuard offers a lightweight, fast alternative that's easier to set up. VyOS 1.5 fully supports WireGuard, making it an excellent choice for organizations looking to interconnect multiple datacenters or sites. In this guide, we'll show you how to set up a site-to-site WireGuard tunnel on VyOS 1.5. We'll cover routing, firewall configuration, and best practices. By the end, your sites will be securely connected over the internet with traffic routed effectively between LANs.
October 29, 2025
by Lachlan Roche
VyOS
WireGuard
VPN
Security
Prerequisites
Before starting, make sure you have the following:
- VyOS 1.5 installed on each edge router acting as a VPN endpoint
- Public IP addresses on each site/server
- Administrative access to configure firewall rules on VyOS
- Basic knowledge of routing and Linux networking concepts
Network Topology
We will assume the following network layout:
| Site | LAN Subnet | WireGuard Tunnel IP | Public IP |
|---|---|---|---|
| Site A | 10.10.1.0/24 | 10.200.1.1 | 198.51.100.1 |
| Site B | 10.10.2.0/24 | 10.200.1.2 | 203.0.113.2 |
ASCII Diagram
```
 -------------------                                     -------------------
| 10.10.1.0/24      |    10.200.1.1 <--> 10.200.1.2     | 10.10.2.0/24      |
| Site A LAN        |       WireGuard Tunnel            | Site B LAN        |
 -------------------    -------------------------        -------------------
| VyOS Router A     |---|     UDP Port 51820      |-----| VyOS Router B     |
| Public IP:        |    -------------------------      | Public IP:        |
| 198.51.100.1      |                                   | 203.0.113.2       |
 -------------------                                     -------------------
```
This diagram shows the logical connectivity: the WireGuard tunnel securely links the two site LANs, allowing traffic to route between them over the internet.
Step 1: Generate WireGuard Keys
WireGuard uses public-private key pairs for authentication. Generate keys on each VyOS endpoint:
lachlanr@ams-01:~$ generate pki wireguard key-pair
Private key: UBpynSyGezhb9pp3Bddk/g/gdl3SM+oai02HeQ5a11E=
Public key: a/oSvpcQ3BFzmtavPT+D8Rukdc7L+eYLig3zr0wnMGU=
This command outputs a private key and a public key. Save both securely. The private key remains on the local router, while the public key is shared with the remote peer.
Do not reuse the keys shown above; use the pair that the command prints when you run it on your own router.
Step 2: Configure WireGuard Interfaces
On Site A, create a WireGuard interface wg0 with the local tunnel IP and listen port:
set interfaces wireguard wg0 address '10.200.1.1/24'
set interfaces wireguard wg0 listen-port '51820'
set interfaces wireguard wg0 private-key '<Site A Private Key>'
Add Site B as a peer:
set interfaces wireguard wg0 peer office-b allowed-ips '10.10.2.0/24'
set interfaces wireguard wg0 peer office-b address '203.0.113.2'
set interfaces wireguard wg0 peer office-b port '51820'
set interfaces wireguard wg0 peer office-b public-key 'a/oSvpcQ3BFzmtavPT+D8Rukdc7L+eYLig3zr0wnMGU='
Repeat the configuration on Site B, swapping the local and remote addresses and keys.
Step 3: Configure Static Routes
Ensure traffic destined for the remote LAN is routed through the WireGuard interface.
- On Site A:
set protocols static route 10.10.2.0/24 next-hop 10.200.1.2
- On Site B:
set protocols static route 10.10.1.0/24 next-hop 10.200.1.1
ASCII Diagram: Traffic Flow
```
Site A LAN 10.10.1.0/24
   |
   |---[WireGuard wg0 10.200.1.1]---> Tunnel ---> [wg0 10.200.1.2]---|
                                                                     |
                                                      Site B LAN 10.10.2.0/24
```
This ensures that LAN-to-LAN traffic traverses the tunnel rather than the public internet directly.
Step 4: Configure Firewall Rules (Optional, based on configuration)
WireGuard requires UDP traffic to traverse your firewall. On each site:
- Allow UDP traffic on the WireGuard port from the remote site's public IP
- Permit traffic between LANs across the WireGuard interface
Example for Site A. VyOS 1.5 uses the firewall ipv4 syntax; the per-interface "firewall in name" assignment of older releases no longer exists, and because the WireGuard socket lives on the router itself, the rule belongs in the input hook rather than the forward path:
set firewall ipv4 name WAN_LOCAL rule 10 action accept
set firewall ipv4 name WAN_LOCAL rule 10 protocol udp
set firewall ipv4 name WAN_LOCAL rule 10 destination port 51820
set firewall ipv4 name WAN_LOCAL rule 10 source address 203.0.113.2
Attach the chain to packets arriving on the WAN interface and addressed to the router:
set firewall ipv4 input filter rule 10 inbound-interface name eth0
set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target WAN_LOCAL
Step 5: Verify the tunnel is up
Check the status of the WireGuard interface:
show interfaces wireguard
Test connectivity by pinging hosts on the remote LAN:
ping 10.10.2.1
If pings fail:
- Verify that public keys and tunnel IPs are correct
- Check firewall rules to ensure UDP traffic is allowed
- Ensure static routes are pointing to the WireGuard interface
You can also clamp the TCP MSS to the discovered path MTU (PMTU), so VyOS derives the correct MSS value for you instead of a fixed number:
set interfaces wireguard wg0 ip adjust-mss 'clamp-mss-to-pmtu'
Optional: adjust MTU/MSS if experiencing fragmentation:
set interfaces wireguard wg0 mtu 1420
Step 6: Security Best Practices
- Optionally enable a pre-shared key for additional security (covered in a later post)
- Restrict allowed-ips strictly to the required subnets
- Monitor the tunnel regularly to ensure connectivity and performance (tools such as tcpdump)
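To make the allowed-ips setting from Step 2 and the "restrict allowed-ips" advice above concrete, here is an added Python model of WireGuard's cryptokey routing applied to Site A's peer table from this guide. It is illustration code written for this post, not VyOS or WireGuard code; the peer name and subnets are the guide's, the function names are assumptions.

```python
import ipaddress

# Site A's peer table exactly as configured in Step 2 of this guide.
# (Constructed model for illustration; not VyOS or WireGuard code.)
SITE_A_PEERS = {
    "office-b": ["10.10.2.0/24"],
}


def _parse(peers):
    return {name: [ipaddress.ip_network(n) for n in nets]
            for name, nets in peers.items()}


def select_peer(dst, peers=SITE_A_PEERS):
    """Outbound: WireGuard encrypts a packet to the peer whose allowed-ips
    entry is the longest prefix covering the destination. If no peer matches,
    the interface drops the packet (it never leaves in the clear)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in _parse(peers).items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def inbound_accepted(src, peer, peers=SITE_A_PEERS):
    """Inbound: after decryption, a packet from a peer is kept only if its
    source address lies inside that peer's allowed-ips; otherwise it is
    dropped. This anti-spoofing check is why a strict allowed-ips matters."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _parse(peers).get(peer, []))


def tunnel_ip_reachable(peer_tunnel_ip, peers=SITE_A_PEERS):
    """A ping to the remote wg0 address only works if that address is itself
    covered by allowed-ips (for example 10.200.1.2/32), not just the LAN."""
    return select_peer(peer_tunnel_ip, peers) is not None


if __name__ == "__main__":
    print("10.10.2.1  ->", select_peer("10.10.2.1"))        # office-b
    print("10.200.1.2 ->", select_peer("10.200.1.2"))       # None
    print("src 10.10.1.5 from office-b accepted:",
          inbound_accepted("10.10.1.5", "office-b"))        # False
    too_broad = {"office-b": ["0.0.0.0/0"]}
    print("8.8.8.8 with 0.0.0.0/0 ->", select_peer("8.8.8.8", too_broad))
```

With the Step 2 configuration alone, 10.200.1.2 matches no peer, so LAN-to-LAN traffic flows but a router-to-router ping of the tunnel address fails; add 10.200.1.2/32 to the peer's allowed-ips if you want that check to work.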
Conclusion
WireGuard on VyOS 1.5 provides a lightweight, high-performance VPN solution for inter-site and inter-datacenter connectivity. Following this tutorial, your sites are now connected securely, with traffic efficiently routed between LANs.
WireGuard’s simplicity, combined with VyOS’s robust routing capabilities, ensures a secure and maintainable network architecture suitable for modern multi-site organizations.

