Setting up multiple connections (peers) to a WireGuard server

WireGuard is a communications protocol and free open source software that implements encrypted VPNs and has been designed with ease of use, high performance, and low attack surface in mind.

Install Wireguard on each machine (see one of the previous articles)

On each machine, generate a key pair (as the root user): a private key and the matching public key

$ sudo su
# cd /etc/wireguard
# wg genkey | tee privatekey | wg pubkey > publickey

First we configure the machine that will act as the WireGuard server

Editing the configuration file wg0.conf

$ sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 172.16.0.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = %Private key Server%
# Rules for iptables and routing
PostUp = iptables -I FORWARD -i %i -j ACCEPT
PostUp = iptables -I FORWARD -o %i -j ACCEPT
PostUp = ip route add 192.168.1.0/24 via 172.16.0.2 dev %i
PostUp = ip route add 192.168.2.0/24 via 172.16.0.3 dev %i
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = ip route delete 192.168.1.0/24 via 172.16.0.2 dev %i
PostDown = ip route delete 192.168.2.0/24 via 172.16.0.3 dev %i
Table = off

[Peer]
# Client 1
PublicKey = %Public key Client 1%
AllowedIPs = 172.16.0.2/32,192.168.1.0/24
#AllowedIPs = 0.0.0.0/0

[Peer]
# Client 2
PublicKey = %Public key Client 2%
AllowedIPs = 172.16.0.3/32,192.168.2.0/24

With multiple peers, each peer's AllowedIPs must contain the tunnel IP address of that WireGuard client with a /32 mask, and the allowed networks behind the peers (192.168.x.0/24) must not overlap each other. Otherwise routing between the peers won't work.
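The rule above is easy to break when copying peer sections, so here is an added example (not code from the original article) that lints a wg0.conf for exactly these two conditions: every [Peer] must carry exactly one /32 address inside the [Interface] subnet, and no AllowedIPs range may overlap another peer's. The configuration text embedded below is a constructed sample with placeholder keys, mirroring the server config from this article.

```python
"""Lint a multi-peer wg-quick config for AllowedIPs mistakes (added example)."""
import ipaddress

# Constructed sample: same layout as the article's server config, placeholder keys.
SAMPLE_CONF = """\
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_SERVER_PRIVATE_KEY

[Peer]
# Client 1
PublicKey = PLACEHOLDER_CLIENT1_PUBLIC_KEY
AllowedIPs = 172.16.0.2/32,192.168.1.0/24

[Peer]
# Client 2
PublicKey = PLACEHOLDER_CLIENT2_PUBLIC_KEY
AllowedIPs = 172.16.0.3/32,192.168.2.0/24
"""


def parse_conf(text):
    """Return (interface_settings, [peer_settings, ...]) from wg-quick INI text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def lint_peers(text):
    """Return a list of problem descriptions; an empty list means the config passes."""
    interface, peers = parse_conf(text)
    problems = []
    tunnel_net = ipaddress.ip_interface(interface.get("Address", "0.0.0.0/32")).network
    claimed = []   # (network, peer_label) pairs already seen on earlier peers
    for idx, peer in enumerate(peers, 1):
        label = peer.get("PublicKey", f"peer #{idx}")[:16]
        ranges = [ipaddress.ip_network(r.strip(), strict=False)
                  for r in peer.get("AllowedIPs", "").split(",") if r.strip()]
        # Exactly one host address inside the tunnel subnet identifies the peer.
        tunnel_addrs = [r for r in ranges
                        if r.version == tunnel_net.version
                        and r.prefixlen == r.max_prefixlen
                        and r.subnet_of(tunnel_net)]
        if len(tunnel_addrs) != 1:
            problems.append(f"{label}: needs exactly one /32 tunnel address in "
                            f"{tunnel_net}, got {len(tunnel_addrs)}")
        # WireGuard routes by AllowedIPs, so overlapping ranges silently steal traffic.
        for r in ranges:
            for other, other_label in claimed:
                if r.overlaps(other):
                    problems.append(f"{label}: {r} overlaps {other} of {other_label}")
            claimed.append((r, label))
    return problems


if __name__ == "__main__":
    for problem in lint_peers(SAMPLE_CONF) or ["config OK"]:
        print(problem)
```

Run it against a real file with `lint_peers(open("/etc/wireguard/wg0.conf").read())`; a peer whose AllowedIPs is `0.0.0.0/0` (the commented-out line in the server config) is reported as overlapping every other peer, which is exactly why that line must stay commented out in a multi-peer server.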

Setting up the config for Client 1

Editing the configuration file wg0.conf

$ sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 172.16.0.2/24
SaveConfig = false
PrivateKey = %Private key Client 1%
# Rules for iptables and routing
PostUp = iptables -I FORWARD -i %i -j ACCEPT
PostUp = iptables -I FORWARD -o %i -j ACCEPT
# Route to the network behind Client 2 through the server (Table = off disables automatic routes)
PostUp = ip route add 192.168.2.0/24 via 172.16.0.1 dev %i
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = ip route delete 192.168.2.0/24 via 172.16.0.1 dev %i
Table = off

[Peer]
PublicKey = %Public key Server%
AllowedIPs = 0.0.0.0/0
Endpoint = %ip_server%:51820
PersistentKeepalive = 25

Setting up the config for Client 2

Editing the configuration file wg0.conf

$ sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 172.16.0.3/24
SaveConfig = false
PrivateKey = %Private key Client 2%
# Rules for iptables and routing
PostUp = iptables -I FORWARD -i %i -j ACCEPT
PostUp = iptables -I FORWARD -o %i -j ACCEPT
# Route to the network behind Client 1 through the server (Table = off disables automatic routes)
PostUp = ip route add 192.168.1.0/24 via 172.16.0.1 dev %i
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = ip route delete 192.168.1.0/24 via 172.16.0.1 dev %i
Table = off

[Peer]
PublicKey = %Public key Server%
AllowedIPs = 0.0.0.0/0
Endpoint = %ip_server%:51820
PersistentKeepalive = 25

Checking client connection to Wireguard server

First, bring up the wg0 interface, on the WireGuard server first and then on all clients

$ sudo wg-quick up wg0

Then we look at the connections on the WireGuard server (the `wg` command prints the interface and every peer)

interface: wg0
  public key: %Public key Server%
  private key: (hidden)
  listening port: 51820

peer: %Public key Client 1%
  endpoint: %ip-client1:port%
  allowed ips: 172.16.0.2/32, 192.168.1.0/24
  latest handshake: 1 minute, 12 seconds ago
  transfer: 156.40 MiB received, 387.80 MiB sent

peer: %Public key Client 2%
  endpoint: %ip-client2:port%
  allowed ips: 172.16.0.3/32, 192.168.2.0/24
  latest handshake: 1 minute, 52 seconds ago
  transfer: 6.10 KiB received, 1.87 KiB sent

If a peer's endpoint line shows an IP address and port, and its latest handshake is recent, then the connection between that client and the server is established.
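Reading that output by eye does not scale past a couple of peers, so here is an added example (not code from the original article) that turns the machine-readable form, `wg show wg0 dump`, into an up/stale/never verdict per peer. The dump format is tab-separated: one line for the interface (private key, public key, listen port, fwmark) followed by one line per peer (public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, received bytes, sent bytes, persistent keepalive). The sample text is constructed to mirror this article's two clients, with placeholder keys and documentation-range endpoints; the 180-second freshness threshold is an assumption chosen here, based on WireGuard renegotiating roughly every two minutes while traffic flows.

```python
"""Classify WireGuard peers from `wg show wg0 dump` output (added example)."""
import time

# Assumed threshold: a handshake older than this means the peer is not currently talking.
HANDSHAKE_MAX_AGE = 180


def make_sample_dump(now):
    """Constructed dump text: client 1 handshook 72 s ago, client 2 an hour ago."""
    return (
        "PRIV_SERVER\tPUB_SERVER\t51820\toff\n"
        f"PUB_CLIENT1\t(none)\t203.0.113.10:41234\t172.16.0.2/32,192.168.1.0/24"
        f"\t{now - 72}\t163997286\t406654156\toff\n"
        f"PUB_CLIENT2\t(none)\t198.51.100.7:51820\t172.16.0.3/32,192.168.2.0/24"
        f"\t{now - 3600}\t6246\t1915\t25\n"
    )


def parse_dump(text):
    """Parse the peer lines of `wg show <iface> dump`; the first line is the interface."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append({
            "public_key": fields[0],
            "endpoint": None if fields[2] == "(none)" else fields[2],
            "allowed_ips": fields[3].split(","),
            "latest_handshake": int(fields[4]),   # 0 means never handshook
            "rx": int(fields[5]),
            "tx": int(fields[6]),
        })
    return peers


def peer_status(text, now=None, max_age=HANDSHAKE_MAX_AGE):
    """Map each peer public key to 'up', 'stale' or 'never'."""
    now = time.time() if now is None else now
    status = {}
    for peer in parse_dump(text):
        if peer["endpoint"] is None or peer["latest_handshake"] == 0:
            status[peer["public_key"]] = "never"     # no packet ever arrived from this peer
        elif now - peer["latest_handshake"] <= max_age:
            status[peer["public_key"]] = "up"
        else:
            status[peer["public_key"]] = "stale"     # endpoint known, but the session has gone quiet
    return status


if __name__ == "__main__":
    now = int(time.time())
    for key, state in peer_status(make_sample_dump(now), now).items():
        print(f"{key}: {state}")
```

On the server itself, feed it live data with `peer_status(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))`; a peer reported as `stale` while its client believes it is connected is the usual sign that PersistentKeepalive is missing on a client behind NAT, or that the client's Endpoint or the server's FORWARD rules changed.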
