WireGuard VPN peer-to-site

To help understand the WireGuard concepts, we will show some practical setups that hopefully match many scenarios out there.

This is probably the most common setup for a VPN: connecting a single system to a remote site, and getting access to the remote network “as if you were there”.

Where to place the remote WireGuard endpoint in the network will vary a lot depending on the topology. It can be in a firewall box, the router itself, or some random system in the middle of the network.

Here we will cover a simpler case more resembling what a home network could be like:

        flowchart LR
    subgraph home["home — 10.10.10.0/24"]
        pi4["pi4"]
        nas["NAS"]
        Y["Y"]
        dots["..."]
    end
    router["router"] --- pi4 & nas & Y & dots
    host["host"] -- |ppp0| --> internet(("public internet"))
    internet -- |ppp0| --> router
    style router fill:#FFE0B2
    style host fill:#E1BEE7
    style internet fill:#C8E6C9
    style home fill:#FFF9C4
    

This diagram represents a typical simple home network setup. You have a router/modem, usually provided by the ISP (Internet Service Provider), and some internal devices like a Raspberry PI perhaps, a NAS (Network Attached Storage), and some other device.

There are basically two approaches that can be taken here: install WireGuard on the router, or on another system in the home network.

Note that in this scenario the “fixed” side, the home network, normally won’t have a WireGuard Endpoint configured, as the peer is typically “on the road” and will have a dynamic IP address.

• Peer-to-site (on router)
• Peer-to-site (inside device)