How do you connect two networks using Wireguard?

I have done a number of searches, but I can’t seem to figure out what I’m missing. Here is the setup:

Work Network (10.1.1.1/24)

  • Work RPi running pivpn using wireguard
  • Work Server running Debian Stable
  • Work Desktop running Debian Stable

Home Network (192.168.10.1/24)

  • Home RPi running PiHole as DNS server and DHCP server; also running pivpn
  • Home Desktop running Fedora 38
  • Home Laptop running Fedora 38
  • Home Server running Fedora 38

Currently, I have the Home Desktop and Laptop connecting to the Work Network using client configs provided by the Work RPi pivpn software. I also have the Home RPi able to connect to the Work Network using a client config provided by the Work RPi pivpn software.

What I would like is for none of the computers on the home network or any of the computers on work network to need vpn config files. For example:

If Home Desktop (192.168.10.60) wants to bring up a web app hosted on the Work Server (10.1.1.252) on port 8000, it would just connect through the WireGuard connection that the Home RPi has established with the Work RPi. I am using just a Netgate consumer router on the home network as the device that is connected to the cable modem. It seems like this should be possible. If I’m requesting a 10.1.1.1/24 address, it would use the Home RPi to connect to the Work RPi without the need to have a client VPN running on the Home Desktop.

How do I make that happen?

Conceptually, what you want is usually referred to as a site-to-site VPN. I cannot go into all the details of how to set it up, but I’m sure there are videos on this topic on YouTube if you search “Wireguard site-to-site VPN setup”.

The general requirements and steps for a NAT-free setup are:

  • Both sides of the VPN (home network and work network) need to have different address ranges.
  • You will need a Wireguard tunnel with two peers (the two Raspis) with an address range different from both LANs.
  • In the [Peer] section of each configuration, the AllowedIPs list should include the respective other peer’s tunnel address and the address range of the network that is behind it.
  • The routers on both networks need static routes to the respective other’s network with the local tunnel peer set as the gateway. Not all consumer routers may support this.
  • The Raspis need to have forwarding enabled (e.g., see here for Linux instructions).

Make sure you put some firewall rules in place. This would likely be easier / more comfortable if the VPN client were to run directly on the router/firewall device.

These steps apply to both IPv4 and IPv6 but with IPv4 there is a greater chance of address overlap because many consumer routers tend to use the same 192.168.0.0/24, 192.168.1.0/24 and 192.168.178.0/24 address ranges.

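As an added example that is not part of either post, here is a small Python planner for the site-to-site layout the answer describes. It checks the addressing rules first (the two LANs and the tunnel range must not overlap, which is where the IPv4 collision risk mentioned above bites), then emits the two wg-quick configs with AllowedIPs set to exactly the other peer's tunnel address plus the LAN behind it, forwarding enabled, a FORWARD policy that only passes LAN-to-LAN traffic through the tunnel, and the static route each LAN router needs. Everything not in the thread is an assumption: the transfer network 10.99.99.0/24, the Pis' LAN addresses 10.1.1.2 and 192.168.10.2, the endpoint vpn.example.org:51820, the placeholder keys, and iptables as the firewall tool. The question writes the LANs as 10.1.1.1/24 and 192.168.10.1/24; the network prefixes are 10.1.1.0/24 and 192.168.10.0/24, which is what the planner uses.

```python
"""Plan a NAT-free WireGuard site-to-site tunnel between two LANs.

Added example, not code from the thread. Tunnel range, Pi LAN addresses,
endpoint and keys are placeholders (assumptions); generate real keys with
`wg genkey | tee private.key | wg pubkey > public.key`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Site:
    name: str
    lan: str                        # LAN prefix behind this site's Raspberry Pi
    pi_lan_ip: str                  # the Pi's LAN address (next hop for the router's static route)
    tunnel_ip: str                  # the Pi's address inside the tunnel
    private_key: str                # placeholder
    public_key: str                 # placeholder
    endpoint: Optional[str] = None  # public host:port if this side accepts connections


TUNNEL = "10.99.99.0/24"  # assumed transfer network, distinct from both LANs

WORK = Site("work", "10.1.1.0/24", "10.1.1.2", "10.99.99.1",
            "<WORK_PRIVATE_KEY>", "<WORK_PUBLIC_KEY>", "vpn.example.org:51820")
HOME = Site("home", "192.168.10.0/24", "192.168.10.2", "10.99.99.2",
            "<HOME_PRIVATE_KEY>", "<HOME_PUBLIC_KEY>")  # behind consumer NAT, dials out


def check_addressing(a: Site, b: Site, tunnel: str = TUNNEL) -> List[str]:
    """Return a list of problems; an empty list means the plan routes without NAT."""
    nets = {a.name: ipaddress.ip_network(a.lan),
            b.name: ipaddress.ip_network(b.lan),
            "tunnel": ipaddress.ip_network(tunnel)}
    problems = []
    names = list(nets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                problems.append(f"{x} {nets[x]} overlaps {y} {nets[y]}")
    for site in (a, b):
        if ipaddress.ip_address(site.tunnel_ip) not in nets["tunnel"]:
            problems.append(f"{site.name} tunnel address {site.tunnel_ip} not in {tunnel}")
        if ipaddress.ip_address(site.pi_lan_ip) not in nets[site.name]:
            problems.append(f"{site.name} Pi address {site.pi_lan_ip} not in {site.lan}")
    return problems


def allowed_ips(remote: Site) -> str:
    """The other peer's tunnel /32 plus the LAN behind it, and nothing wider:
    no 0.0.0.0/0, so internet traffic is not pulled into the tunnel."""
    return f"{remote.tunnel_ip}/32, {ipaddress.ip_network(remote.lan)}"


def wg_quick_config(local: Site, remote: Site, tunnel: str = TUNNEL) -> str:
    """wg-quick config for `local`'s Pi, peering with `remote`'s Pi."""
    lan_l, lan_r = ipaddress.ip_network(local.lan), ipaddress.ip_network(remote.lan)
    prefix = ipaddress.ip_network(tunnel).prefixlen
    # Only LAN<->LAN traffic may cross the tunnel interface (%i is expanded by
    # wg-quick to the interface name). iptables is an assumption; adapt for nftables.
    fw = [
        f"iptables -A FORWARD -i %i -s {lan_r} -d {lan_l} -j ACCEPT",
        f"iptables -A FORWARD -o %i -s {lan_l} -d {lan_r} -j ACCEPT",
        "iptables -A FORWARD -i %i -j DROP",
        "iptables -A FORWARD -o %i -j DROP",
    ]
    lines = [
        "[Interface]",
        f"Address = {local.tunnel_ip}/{prefix}",
        f"PrivateKey = {local.private_key}",
        "PostUp = sysctl -w net.ipv4.ip_forward=1",  # the Pi must forward between LAN and tunnel
    ]
    if local.endpoint:
        lines.append(f"ListenPort = {local.endpoint.rsplit(':', 1)[1]}")
    lines += [f"PostUp = {r}" for r in fw]
    lines += [f"PostDown = {r.replace('-A', '-D', 1)}" for r in fw]
    lines += ["", "[Peer]",
              f"PublicKey = {remote.public_key}",
              f"AllowedIPs = {allowed_ips(remote)}"]
    if remote.endpoint:
        lines.append(f"Endpoint = {remote.endpoint}")
    if not local.endpoint:
        lines.append("PersistentKeepalive = 25")  # dialing side keeps the NAT mapping alive
    return "\n".join(lines) + "\n"


def router_static_route(local: Site, remote: Site) -> str:
    """Static route to add on `local`'s LAN router: the remote LAN via the local Pi."""
    return f"{ipaddress.ip_network(remote.lan)} via {local.pi_lan_ip}"


if __name__ == "__main__":
    problems = check_addressing(HOME, WORK)
    if problems:
        raise SystemExit("\n".join(problems))
    for local, remote in ((WORK, HOME), (HOME, WORK)):
        print(f"# /etc/wireguard/wg0.conf on the {local.name} Pi\n{wg_quick_config(local, remote)}")
        print(f"# static route on the {local.name} router: {router_static_route(local, remote)}\n")
```

The AllowedIPs line does double duty in WireGuard: it is the cryptokey routing table (which peer a packet is allowed to come from) and, under wg-quick, the set of routes installed toward the tunnel. Listing only the remote tunnel address and the remote LAN is what makes the Home Desktop's 10.1.1.252:8000 request reach the Work Server while the rest of the home traffic still leaves through the consumer router. If the router cannot hold a static route, the fallback is a per-host route on each machine pointing 10.1.1.0/24 at the Home Pi, which is exactly the per-device configuration the question was trying to avoid.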