[Solved] Wireguard as a VPN "server"

I literally set this up yesterday to see how easy it could be:

  1. IPs are managed by the kernels on either side. Therefore, you must use the correct CIDR prefix on the interfaces on both ends. (e.g. for a 2-peer configuration, you must use at least a /31 or /30 at the router-side of your traffic, the "client-end" can use the other available /32 in that subnet).
  2. I found a need to setup a different zone. The rules are different between networks, etc.; but this is solely your choice, considering the trust of the network on the "far end."
  • VERY IMPORTANT - to use the connection as a VPN Internet connection, the CLIENT must allow IPs 0.0.0.0/0 or the following two routes combined (in order to override the since default 0/0): 0.0.0.0/1 and 128.0.0.0/1. For this reason alone, you may wish to use a different firewall zone.
  • Once configured, they behave like a unicast IP tunnel
  • If your remote end is the server, ensure you set up IP forwarding and masquerade
  • The LEDE device is already a router, so you would setup everything as a normal 2nd WAN
  • On LEDE, you would add the interface to a Firewall Zone, add masquerading, etc.
  • On a road warrior setup, you configure the peer in LEDE not to have an endpoint IP, with the LEDE having no endpoint IP, your client device can dynamically connect to your LEDE router as it roams. See: https://www.wireguard.com/#built-in-roaming

Hope this helps.

5 Likes