This is pure gold I can't believe this is free :D
Glad you've liked it!
This video is phenomenal and exactly what I was looking for. Thank you for putting so much work into it
Glad you liked it! I'm also planning to do a more advanced WireGuard video with BGP (Bird2).
Following your instructions I finally managed to set VPN connection between two linux servers. Keep up the good work!
Great to hear! If you have any questions or ideas feel free to reach out!
Wow! Just what I was looking for!
I really like the way you explain all the steps.
You make it so much simpler and easier to understand than all the Web pages and guides I've found online.
Thank you!
Thanks! Glad you liked it. Let me know if you have any questions or if you'd like to me cover any VPN topic.
Just discovered ur channel and already watched half of ur videos !! Keep it coming dude
Welcome aboard! Glad you like the videos!
Really well explained, with clear examples and a lot of thought behind it! This video was really awesome. Hoping a comment helps spread the love :)
Thanks! Glad you like it. Stay tuned for more interesting content!
Great video and explanation, subscribed 🤝
Welcome aboard!
Thank you so much for the video, It helped to solve my wireguard VPN problem.
Great to hear! Thanks!
The best explanation ever!
Glad you liked it!
Awesome! :) Thank you. I will try to do the same but with Docker :)
Have fun! If any issues please let me know.
@LinuxCloudHacks :) Thank you. Everything works as expected, even the "bugs" (ping not responding) :)
So well done!
Thanks!
thanks a lot for great video, was very helpful
this scenario can work for point to multipoint vpn instead of site-to-site
I mean hub-and-spoke scenario instead of full mesh
Glad it helped!
@LinuxCloudHacks yes, it was very, very helpful.
would you please tell me this scenario works as a hub-and-spoke topology?
Hi. Please check my video on hub and spoke ruclips.net/video/_CbFG_4BInk/видео.htmlsi=U550GwDCt8zSfMZ9
If you want to interconnect two or more sites in a hub and spoke it's better to have separate WG tunnels (as it's much easier to route the traffic).
@LinuxCloudHacks thanks a lot, let me check your video first and get back to you
@LinuxCloudHacks separate WG tunnel means the current video?
Great video! Subscribed
Awesome, thank you!
Thank you very much
You are welcome! I'm preparing a WireGuard tutorial for a hub-and-spoke topology with dynamic routing via OSPF. It will be released soon. Stay tuned!
great video!! one question, why interface address is 172.16.1.x/24 while to allow this interface we use 172.16.1.x/32 in allowed ips? can't we use /32 for interface address
Thanks! To your question: you still need an entry in the routing table that will send traffic via the wg0 interface. In other words, standard routing rules apply. If you look at the routing table you have an entry:
172.16.0.0/24 dev wg0 scope link
Basically it tells you that the 172.16.0.0/24 network is reachable via wg0 (the WireGuard interface).
So when you send traffic, first the kernel routing table is looked up, then the packet
"enters" the WG interface, and then the WireGuard Cryptokey Routing Table is used to figure out which encryption key to use, which peer to send the traffic to, etc.
BTW, as far as the /32 on the main interface goes: the most common way to set up WireGuard is to use point-to-point links. That is (the angle-bracket values are placeholders for your own keys, ports and interface name):
# tunnel.conf
[Interface]
PrivateKey = <private-key>
ListenPort = <listen-port>
[Peer]
PublicKey = <peer-public-key>
PresharedKey = <preshared-key>
Endpoint = <peer-address>:<peer-port>
AllowedIPs = 0.0.0.0/0,::/0
$ ip link add dev <ifname> type wireguard
$ wg setconf <ifname> tunnel.conf
$ ip addr add fe80::/64 dev <ifname>
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <ifname>
$ ip link set <ifname> up
$ ip link set dev <ifname> mtu 1420 (or 1440)
@LinuxCloudHacks thanks for explaining!!
1st, thank you for this to-the-point-entertainment-free informative video!
In my setup, I have two remote private networks (one of them is behind a CGNAT). I followed your video and one wg node is able to ping the other wg node via the private network IP address. However, I am not able to ping any other devices on the remote private network, only the wg node itself.
I did add a routing rule on both network gateways (both Unifi USG) so as to route traffic to the remote private network through the local wg node. When I do a traceroute, i see that the first hop indeed lands on the local wg node, but appears to stop there.
Any tips would be greatly appreciated.
Hi! Are you using the wg-quick script to bring up WireGuard? If yes, then it will automatically update your routing table (just add the private network of the remote end in the AllowedIPs section). Also make sure IP forwarding is enabled. Can you tell me if your servers on the private network have the WireGuard node set as the default gateway?
@LinuxCloudHacks I do use wg-quick to bring up wg (I see the route table updated), the private network of the remote end is already in the AllowedIPs section and IP forwarding is enabled (I followed your video to the T, except for the masquerading). On the router (Unifi USG) I've set a static route so that traffic destined for the remote private network will be sent to the local WireGuard node. Is this what you meant by default gateway?
@LinuxCloudHacks i'd love to hear your thoughts, thanks :)
Hi,
1) Just for a test - can you go to a LAN device and add a static route that points to the remote LAN via the WireGuard node and on the remote site also pick a LAN device and add static route that points to the other LAN via the WireGuard node? Then try ping/traceroute just between those 2 LAN devices.
2) I assume you include whole subnet in AllowedIPs, like 192.168.10.0/24
3) There is no firewall or nat setup on the WG nodes, correct?
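Added example, not code from the video, the channel or any commenter in this thread, covering both the /24-vs-/32 question above and the LAN-to-LAN troubleshooting reply: a small Python model of the two lookups a packet goes through on a WireGuard node. Lookup 1 is the kernel routing table (wg-quick installs the Address= prefix plus one route per AllowedIPs entry); lookup 2 is the cryptokey routing table inside the interface, built from AllowedIPs, which also drops a decrypted packet on the receiving side when its source address is not in the sending peer's AllowedIPs. The two site configs, LAN prefixes, key placeholders and hostnames below are constructed for the example; the tracer assumes a single tunnel so it does not correlate peers by key.

```python
"""Model of WireGuard's two routing lookups plus a LAN-to-LAN path checker.
Added example; configs, keys and addresses are constructed placeholders."""
import ipaddress


def parse_wg_conf(text):
    """Minimal wg-quick config parser: returns (interface addresses, peers).
    A peer is a dict holding its PublicKey and a list of AllowedIPs networks."""
    addrs, peers, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # wg ignores '#' comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({"PublicKey": "", "AllowedIPs": []})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            addrs += [ipaddress.ip_interface(a.strip()) for a in value.split(",")]
        elif section == "peer" and key == "publickey":
            peers[-1]["PublicKey"] = value
        elif section == "peer" and key == "allowedips":
            peers[-1]["AllowedIPs"] += [ipaddress.ip_network(a.strip())
                                        for a in value.split(",")]
    return addrs, peers


def kernel_routes(addrs, peers, ifname="wg0"):
    """Lookup 1: what wg-quick puts in the kernel table -- the Address= prefix
    (scope link) and one route per AllowedIPs entry, all pointing at the interface."""
    return ([(a.network, ifname) for a in addrs]
            + [(net, ifname) for p in peers for net in p["AllowedIPs"]])


def cryptokey_table(peers):
    """Lookup 2: the cryptokey routing table inside wg0, AllowedIPs -> peer key."""
    return [(net, p["PublicKey"]) for p in peers for net in p["AllowedIPs"]]


def lookup(table, ip):
    """Longest-prefix match over a list of (network, value); None if no match."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, value in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def trace_lan_to_lan(local_conf, remote_conf, src, dst, ip_forward=True):
    """Follow a packet from a LAN host behind the local node to a LAN host behind
    the remote node; return 'ok' or the first point where it dies.
    Simplification: one tunnel, so the remote's matching peer is taken to be the
    local node (real WireGuard correlates by key, which this model does not)."""
    l_addrs, l_peers = parse_wg_conf(local_conf)
    r_addrs, r_peers = parse_wg_conf(remote_conf)
    if not ip_forward:
        return "local: net.ipv4.ip_forward=0, node will not forward LAN traffic"
    if lookup(kernel_routes(l_addrs, l_peers), dst) is None:
        return "local: no kernel route to dst via wg0"
    if lookup(cryptokey_table(l_peers), dst) is None:
        return "local: dst in no peer's AllowedIPs, dropped before encryption"
    # Cryptokey routing is enforced on receive too: after decryption the remote
    # node drops the packet unless its SOURCE is inside the sending peer's AllowedIPs.
    if lookup(cryptokey_table(r_peers), src) is None:
        return "remote: src in no peer's AllowedIPs, decrypted packet dropped"
    if lookup(kernel_routes(r_addrs, r_peers), src) is None:
        return "remote: no kernel route back to src via wg0"
    return "ok"


# Constructed sample: site A (LAN 192.168.10.0/24) and site B (LAN 192.168.20.0/24).
SITE_A = """
[Interface]
Address = 172.16.1.1/24
PrivateKey = <site-a-private-key>
ListenPort = 51820

[Peer]
PublicKey = <site-b-public-key>
Endpoint = vpn-b.example.net:51820
AllowedIPs = 172.16.1.2/32, 192.168.20.0/24
"""

SITE_B = """
[Interface]
Address = 172.16.1.2/24
PrivateKey = <site-b-private-key>
ListenPort = 51820

[Peer]
PublicKey = <site-a-public-key>
Endpoint = vpn-a.example.net:51820
AllowedIPs = 172.16.1.1/32, 192.168.10.0/24
"""

# The mistake the thread is chasing: the remote LAN listed on one side only.
SITE_B_BROKEN = SITE_B.replace(", 192.168.10.0/24", "")

if __name__ == "__main__":
    a_addrs, a_peers = parse_wg_conf(SITE_A)
    print(lookup(kernel_routes(a_addrs, a_peers), "172.16.1.2"))  # /32 beats the /24
    print(trace_lan_to_lan(SITE_A, SITE_B, "192.168.10.7", "192.168.20.5"))
    print(trace_lan_to_lan(SITE_A, SITE_B_BROKEN, "192.168.10.7", "192.168.20.5"))
    print(trace_lan_to_lan(SITE_A, SITE_B, "172.16.1.1", "172.16.1.3"))
```

The third trace is the case the troubleshooting reply is probing for: the forward packet leaves site A fine, but site B's cryptokey table has no entry for 192.168.10.0/24, so the decrypted packet is discarded and nothing ever comes back, which is exactly what a traceroute that stops at the local wg node looks like. The fourth trace answers the /24-vs-/32 question: 172.16.1.3 has a kernel route through wg0 because of the /24 on the interface, but no peer claims it in AllowedIPs, so it is dropped at the cryptokey stage.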
Please make a video of HUB and SPOKE wireguard vpn with dualstack (ipv4 and ipv6). Thanks for your hard work.
Great idea for a movie. Thanks for the tip. I will definitely do it.
After setting this up, let's say I'm in node 1 and I want my traffic to exit from node 2. Later to exit from node 3. How to do this?
Hi! Do you need an exit node to the Internet with load balancing across multiple exit nodes? Or do you want to connect to a specific network via two paths?
Can you make a video where only 2 VPS servers running on different public IPs interconnect? Like a VPS with provider X and a VPS with provider Y. But I want both to be site-to-site connected and use resources from the private networks 10.3.0.0/24 and 10.2.0.0/24, but there is no public IP in the same range, so 2 different static IPv4 addresses.
Hi, in "Endpoint = xxx" you can specify any public IP:port or hostname:port. Those don't have to be in the same network segment (as long as they have network reachability).
hi my friend
that was perfect
Please explain how to create a wireguard tunnel between two servers on Docker
thanks
Thanks! Let me see what I can do!
What is the name of the amazing SSH editor you are using? Love the video.
Hi! I'm glad you liked the video. I'm using Alacritty as the terminal emulator, TMUX as the terminal multiplexer with some key re-mapping, some Powerline fonts and various flavors of VIM (still haven't found the perfect one). If you are interested I can make a video on how to wire it all together and what it can do.
@LinuxCloudHacks could you make a video on that please?
Will do!
What about the current protocol?
Could you please clarify which current protocol you are referring to? Are you asking about how WireGuard compares to other protocols like OpenVPN or IPsec, or about its compatibility with existing setups?
@LinuxCloudHacks IPv6
Where is the killswitch, where are the NAT rules, where are the bypass-ISP-firewall rules 😂😂😊
Hi Nikto :) Thanks for the comment. I'll create a video about a road-warrior setup for Windows, macOS, etc. and may include some of these concepts. As far as NAT goes, it's good if you connect to your network, but for site-to-site a route-only approach is cleaner. Professionals don't even use private IPs on VPNs but route only public IPs, etc.