VyOS - Site-to-Site VPN Using Wireguard and OSPF

Connecting two sites securely and efficiently is essential for many businesses and individuals.

In this post, we’ll explore how to achieve seamless connectivity between two locations using the powerful combination of WireGuard, a modern and high-performance VPN protocol, and VyOS, a robust and versatile network operating system.

Whether you’re looking to enhance communication between remote offices, create a secure link between your data center and a cloud-based infrastructure, or simply want to connect two geographically separated sites, this guide will walk you through the process, ensuring a reliable and secure connection every step of the way.

To illustrate this process, I will use my own use case as an example. I manage equipment hosted in a colocation data center, which I affectionately refer to as my ‘colo-lab’, and I also maintain a ‘home-lab’.

Previously, I relied on GRE over IPsec for connectivity between the two sites, but I’ve recently migrated these over to WireGuard.

WireGuard boasts a slew of compelling advantages over traditional IPsec, including speed, security, and a refreshingly straightforward setup. Its minimalist design significantly simplifies the configuration process, especially when compared to the complexity of GRE over IPsec.

Throughout this post, I’ll walk you through the precise steps I took to configure two VyOS routers to seamlessly integrate with WireGuard while enabling efficient route distribution through OSPF. By the end, you’ll be equipped with the knowledge to configure your own WireGuard based site-to-site VPN.

Topology

Colo Lab

  • WireGuard Interface IP: 10.254.2.0/31
  • Internal Networks:
    • 10.254.112.0/24
    • 10.254.113.0/24
    • 10.254.114.0/24
  • Internal Network Aggregate: 10.254.112.0/21
  • Public IP: Referred to as ${COLO_LAB_PUBLIC_IP}

Home Lab

  • WireGuard Interface IP: 10.254.2.1/31
  • Internal Networks:
    • 10.254.88.0/24
    • 10.254.89.0/24
    • 10.254.90.0/24
  • Internal Network Aggregate: 10.254.88.0/21
  • Public IP: None (It’s behind CGNAT)

Generate Keypairs

First things first, let’s generate keypairs for both routers. Make note of these, and keep them safe.

First the cololab router:

mhamzahkhan@cololab-gw:~$ generate pki wireguard key-pair
Private key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${COLOLAB_PRIVATE_KEY} ->
Public key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${COLOLAB_PUBLIC_KEY} ->

Then the homelab router:

mhamzahkhan@homelab-gw:~$ generate pki wireguard key-pair
Private key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${HOMELAB_PRIVATE_KEY} ->
Public key: <- OMITTED - USE YOUR OWN ONE - I will refer to this as ${HOMELAB_PUBLIC_KEY} ->

Configure WireGuard Interfaces

Next, let’s set up the WireGuard interfaces.

For these interfaces, I’ve chosen a private /31 range, which gives us precisely two IP addresses, perfect for a point-to-point link. In my example, we’ll use 10.254.2.0/31 and 10.254.2.1/31.

Colo Lab Router Configuration

Please note that because my home lab’s internet connection is behind CGNAT, I haven’t specified the peer address on the Colo Lab router. This means that the connection will always be initiated from the home-lab side. If you have a static IP address (or a dynamic IP address that rarely changes), it would be a good idea to specify the peer address on both routers so the connection can be initiated from either side.

mhamzahkhan@cololab-gw:~$ configure
[edit]
set interfaces wireguard wg0 address '10.254.2.0/31'
set interfaces wireguard wg0 description 'Connection to Home-Lab'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 peer home-lab allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer home-lab persistent-keepalive '10'
set interfaces wireguard wg0 peer home-lab public-key '${HOMELAB_PUBLIC_KEY}'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '${COLOLAB_PRIVATE_KEY}'

Home Lab Router Configuration

mhamzahkhan@homelab-gw:~$ configure
[edit]
set interfaces wireguard wg0 address '10.254.2.1/31'
set interfaces wireguard wg0 description 'Connection to Colo-Lab'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 peer colo-lab address '${COLO_LAB_PUBLIC_IP}'
set interfaces wireguard wg0 peer colo-lab allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer colo-lab persistent-keepalive '10'
set interfaces wireguard wg0 peer colo-lab port '51820'
set interfaces wireguard wg0 peer colo-lab public-key '${COLOLAB_PUBLIC_KEY}'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '${HOMELAB_PRIVATE_KEY}'

Test WireGuard connection

At this point, both routers should be able to ping each other via the VPN link:

mhamzahkhan@cololab-gw:~$ ping 10.254.2.1 count 4
PING 10.254.2.1 (10.254.2.1) 56(84) bytes of data.
64 bytes from 10.254.2.1: icmp_seq=1 ttl=64 time=0.339 ms
64 bytes from 10.254.2.1: icmp_seq=2 ttl=64 time=0.382 ms
64 bytes from 10.254.2.1: icmp_seq=3 ttl=64 time=0.344 ms
64 bytes from 10.254.2.1: icmp_seq=4 ttl=64 time=0.347 ms

--- 10.254.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3106ms
rtt min/avg/max/mdev = 0.339/0.353/0.382/0.017 ms

mhamzahkhan@homelab-gw:~$ ping 10.254.2.0 count 4
PING 10.254.2.0 (10.254.2.0) 56(84) bytes of data.
64 bytes from 10.254.2.0: icmp_seq=1 ttl=64 time=0.290 ms
64 bytes from 10.254.2.0: icmp_seq=2 ttl=64 time=0.227 ms
64 bytes from 10.254.2.0: icmp_seq=3 ttl=64 time=0.404 ms
64 bytes from 10.254.2.0: icmp_seq=4 ttl=64 time=0.380 ms

--- 10.254.2.0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3078ms
rtt min/avg/max/mdev = 0.227/0.325/0.404/0.070 ms

To gauge the bandwidth between our networks, we can use iPerf3.

First, start iPerf3 in server mode on either side of the VPN. I’m running it on the colo lab router:

mhamzahkhan@cololab-gw:~$ iperf3 -s
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------

Next, start iPerf3 on the home lab router. Let’s start with an upload bandwidth test from the home-lab router to the colo-lab router:

mhamzahkhan@homelab-gw:~$ iperf3 -c 10.254.2.0
Connecting to host 10.254.2.0, port 5201
[  5] local 10.254.2.1 port 33008 connected to 10.254.2.0 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  20.8 MBytes   174 Mbits/sec   99    207 KBytes
[  5]   1.00-2.00   sec  20.7 MBytes   174 Mbits/sec    0    269 KBytes
[  5]   2.00-3.00   sec  19.8 MBytes   166 Mbits/sec  131    194 KBytes
[  5]   3.00-4.00   sec  22.1 MBytes   185 Mbits/sec    0    263 KBytes
[  5]   4.00-5.00   sec  17.3 MBytes   145 Mbits/sec  195   18.7 KBytes
[  5]   5.00-6.00   sec  16.4 MBytes   137 Mbits/sec   63    224 KBytes
[  5]   6.00-7.00   sec  19.9 MBytes   167 Mbits/sec   95    168 KBytes
[  5]   7.00-8.00   sec  11.3 MBytes  95.2 Mbits/sec  123    123 KBytes
[  5]   8.00-9.00   sec  18.9 MBytes   158 Mbits/sec    0    202 KBytes
[  5]   9.00-10.00  sec  20.2 MBytes   169 Mbits/sec   35    207 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   187 MBytes   157 Mbits/sec  741             sender
[  5]   0.00-10.01  sec   186 MBytes   156 Mbits/sec                  receiver

iperf Done.

I’m not sure why there are retransmissions. I still need to investigate that, but it’s maxing out my home connection upload.

Now, let’s reverse the test, with the colo-lab router sending data to the home-lab router. Use the -R flag for this:

mhamzahkhan@homelab-gw:~$ iperf3 -c 10.254.2.0 -R
Connecting to host 10.254.2.0, port 5201
Reverse mode, remote host 10.254.2.0 is sending
[  5] local 10.254.2.1 port 52016 connected to 10.254.2.0 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  14.8 MBytes   124 Mbits/sec
[  5]   1.00-2.00   sec  17.4 MBytes   145 Mbits/sec
[  5]   2.00-3.00   sec  17.6 MBytes   148 Mbits/sec
[  5]   3.00-4.00   sec  15.5 MBytes   130 Mbits/sec
[  5]   4.00-5.00   sec  16.3 MBytes   137 Mbits/sec
[  5]   5.00-6.00   sec  12.2 MBytes   102 Mbits/sec
[  5]   6.00-7.00   sec  9.33 MBytes  78.3 Mbits/sec
[  5]   7.00-8.00   sec  7.86 MBytes  65.9 Mbits/sec
[  5]   8.00-9.00   sec  14.7 MBytes   124 Mbits/sec
[  5]   9.00-10.00  sec  15.3 MBytes   128 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   142 MBytes   119 Mbits/sec  282             sender
[  5]   0.00-10.00  sec   141 MBytes   118 Mbits/sec                  receiver

iperf Done.

Some tuning may be needed, but for now, these numbers should suffice.

Configure OSPF

Now, let’s dive into OSPF configuration. Note that I use OSPF route summarization, which means we summarize individual subnets on each side into a single summary route, simplifying the routing table.

Colo Lab Router

set protocols ospf area 0.0.0.0 network '10.254.2.0/31'
set protocols ospf area 0.0.0.1 network '10.254.112.0/24'
set protocols ospf area 0.0.0.1 network '10.254.113.0/24'
set protocols ospf area 0.0.0.1 network '10.254.114.0/24'
set protocols ospf area 0.0.0.1 range 10.254.112.0/21
set protocols ospf interface eth0 passive
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id '10.254.2.0'

Home Lab Router

set protocols ospf area 0.0.0.0 network '10.254.2.0/31'
set protocols ospf area 0.0.0.1 network '10.254.88.0/24'
set protocols ospf area 0.0.0.1 network '10.254.89.0/24'
set protocols ospf area 0.0.0.1 network '10.254.90.0/24'
set protocols ospf area 0.0.0.1 range 10.254.88.0/21
set protocols ospf interface eth0 passive
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id '10.254.2.1'

And magically your routes should be in your routing table!

Colo Lab Router

mhamzahkhan@cololab-gw:~$ show ip route 10.254.88.0
Routing entry for 10.254.88.0/21
  Known via "ospf", distance 110, metric 2, best
  Last update 11:58:19 ago
  * 10.254.2.1, via wg0, weight 1

Home Lab Router

mhamzahkhan@homelab-gw:~$ show ip route 10.254.112.0
Routing entry for 10.254.112.0/21
  Known via "ospf", distance 110, metric 2, best
  Last update 12:00:02 ago
  * 10.254.2.0, via wg0, weight 1
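The WireGuard and OSPF `set` lines on the two routers have to agree with each other: both tunnel addresses in one /31, each peer public-key equal to the other router's key, allowed-ips covering the peer's tunnel address, the area 0 network equal to the tunnel /31, distinct router-ids, and every area 0.0.0.1 network inside its summary range. The following Python script is an added example, not code from the post or from VyOS; the helper names parse and lint are my own, and the sample configs reuse the post's key placeholders as literal strings.

```python
import shlex
from ipaddress import ip_interface, ip_network
# Constructed sample: the relevant `set` lines of each router in this post.
COLO = """
set interfaces wireguard wg0 address '10.254.2.0/31'
set interfaces wireguard wg0 peer home-lab allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer home-lab public-key '${HOMELAB_PUBLIC_KEY}'
set protocols ospf area 0.0.0.0 network '10.254.2.0/31'
set protocols ospf area 0.0.0.1 network '10.254.112.0/24'
set protocols ospf area 0.0.0.1 network '10.254.113.0/24'
set protocols ospf area 0.0.0.1 range 10.254.112.0/21
set protocols ospf parameters router-id '10.254.2.0'
"""
HOME = """
set interfaces wireguard wg0 address '10.254.2.1/31'
set interfaces wireguard wg0 peer colo-lab allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer colo-lab public-key '${COLOLAB_PUBLIC_KEY}'
set protocols ospf area 0.0.0.0 network '10.254.2.0/31'
set protocols ospf area 0.0.0.1 network '10.254.88.0/24'
set protocols ospf area 0.0.0.1 network '10.254.89.0/24'
set protocols ospf area 0.0.0.1 range 10.254.88.0/21
set protocols ospf parameters router-id '10.254.2.1'
"""
def parse(text):
    """Turn VyOS `set ...` lines into {config path: [values]}."""
    cfg = {}
    for words in (shlex.split(l) for l in text.strip().splitlines()):
        if words and words[0] == "set":  # shlex honours VyOS's '...' quoting
            cfg.setdefault(" ".join(words[1:-1]), []).append(words[-1])
    return cfg

def lint(local, remote, peer, remote_pub):
    """Cross-check one router against its peer; return a list of findings."""
    wg, ospf = "interfaces wireguard wg0", "protocols ospf"
    me, them = (ip_interface(c[f"{wg} address"][0]) for c in (local, remote))
    found = []
    if me.network != them.network or me.network.prefixlen != 31:
        found.append("tunnel addresses are not the same /31")
    if local[f"{wg} peer {peer} public-key"][0] != remote_pub:
        found.append(f"peer {peer} public-key is not the remote router's key")
    if not any(them.ip in ip_network(a) for a in local[f"{wg} peer {peer} allowed-ips"]):
        found.append("allowed-ips does not cover the peer's tunnel address")
    if ip_network(local[f"{ospf} area 0.0.0.0 network"][0]) != me.network:
        found.append("OSPF area 0 network is not the tunnel /31")
    if local[f"{ospf} parameters router-id"] == remote[f"{ospf} parameters router-id"]:
        found.append("both routers use the same OSPF router-id")
    rng = ip_network(local[f"{ospf} area 0.0.0.1 range"][0])  # summary route
    found += [f"{n} lies outside summary range {rng}" for n in
              local[f"{ospf} area 0.0.0.1 network"] if not ip_network(n).subnet_of(rng)]
    return found
```

Run lint once in each direction; an empty list means the pair is consistent, and each string describes one mismatch to fix before expecting the OSPF adjacency to come up.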

Conclusion

With the successful implementation of WireGuard VPN and OSPF routing, your two sites can now seamlessly communicate, marking a significant step in enhancing your network capabilities. While this guide has laid a solid foundation for your site-to-site VPN, there’s more to explore and build upon in future configurations.

In my next post, we will discuss configuring a VyOS-based WireGuard VPN for road-warrior style clients. This will enable secure remote access to your network, allowing you to connect from virtually anywhere with an internet connection. I will guide you through the setups, ensuring you have the tools to establish a secure and efficient network for remote users.

Stay tuned for this next installment, where we continue to harness the power of WireGuard and VyOS to expand the horizons of your network. Elevate your connectivity and security to new heights, and don’t miss out on future updates and valuable networking insights—subscribe and stay connected!
