How to Configure WireGuard Mesh VPN? - zenarmor.com (2024)


A mesh network is a network topology in which the infrastructure nodes establish direct, dynamic, and non-hierarchical connections with as many other nodes as possible and cooperate with each other to route data efficiently between devices and clients. It helps organizations establish a uniform and uninterrupted connection throughout a physical area. A mesh network enables inter-device communication over a Virtual Private Network (VPN) without relying on a central server.

WireGuard is a revolutionary VPN (Virtual Private Network) program developed to be operated practically anywhere and to be cross-platform. When compared to other VPN software, WireGuard is characterized by its superior speed, enhanced security, and streamlined simplicity.

This tutorial demonstrates the use of WireGuard to establish a private mesh network, enabling the creation of a secure and exclusive connection across various servers and instances.

To follow this WireGuard mesh VPN configuration tutorial, you must have 4 Ubuntu 22.04 Linux servers, each with a static public IP address and with UDP port 51820 reachable from the Internet. We will use the following names and IP addresses for VPN nodes:

Name     Public IP     Allowed IPs
Node1    11.11.11.1    10.0.1.1
Node2    11.11.11.2    10.0.2.1
Node3    11.11.11.3    10.0.3.1
Node4    11.11.11.4    10.0.4.1

Table 1. IP Address Settings for WireGuard Mesh Sample

Figure 1. WireGuard Mesh VPN Topology

You may configure WireGuard Mesh VPN by following the next main steps:

  1. Installing WireGuard on Ubuntu servers
  2. Generating Private and Public Keys Manually
  3. Enabling VPN Nodes to Access the LANs Through Other VPN Nodes
  4. Generating WireGuard Configuration Files Manually
  5. Starting WireGuard Server and Enabling it at Boot
  6. Verifying the Mesh VPN Connectivity

WARNING

You need privileged access to your Linux system, either as root or via the sudo command.

All commands given below must be executed with root privileges, either directly as the root user or by using the sudo command.


1. Installing WireGuard on Ubuntu servers

Ubuntu 22.04 Linux servers will be configured as a WireGuard VPN node. You may easily install WireGuard on all Ubuntu VPN nodes by following the next steps:

  1. Make sure your Ubuntu nodes are up to date by running the following command:

    sudo apt update && sudo apt upgrade -y
  2. Install WireGuard itself and all of its dependencies by running the following command:

    sudo apt install wireguard wireguard-tools

After you've installed WireGuard, follow the steps below to further configure your server.

1. Generating Private and Public Keys Manually

One of the main advantages of WireGuard is that it is based on state-of-the-art cryptographic primitives. It creates a secure VPN tunnel by encrypting your connection using a pair of cryptographic keys. Each peer must have its own private and public keys to ensure secure communication both ways. To use WireGuard, each node must generate its own key pair and then exchange public keys.

Note that on a WireGuard VPN, the private key never leaves its node. This matters because the private key is the only thing that can assume the identity of that node during the negotiation of a WireGuard session. Consequently, only that specific node can encrypt packets originating from itself or decrypt packets intended for itself. It is crucial to keep that in mind: WireGuard node connections are encrypted from end to end, following the principle of zero trust network access (ZTNA).

You may follow the next steps to generate private and public key pairs for all mesh VPN nodes:

  1. Run the following command on the Ubuntu server to generate a public/private key pair for node#1.

    wg genkey | sudo tee /etc/wireguard/node1_private.key | wg pubkey | sudo tee /etc/wireguard/node1_public.key
  2. Run the following command to generate a public/private key pair for node#2.

    wg genkey | sudo tee /etc/wireguard/node2_private.key | wg pubkey | sudo tee /etc/wireguard/node2_public.key
  3. Run the following command to generate a public/private key pair for node#3.

    wg genkey | sudo tee /etc/wireguard/node3_private.key | wg pubkey | sudo tee /etc/wireguard/node3_public.key
  4. Run the following command to generate a public/private key pair for node#4.

    wg genkey | sudo tee /etc/wireguard/node4_private.key | wg pubkey | sudo tee /etc/wireguard/node4_public.key

    This will save both private and public keys to the /etc/wireguard directory.

warning

The private key should never be shared with anyone and should always be kept secure.

2. Enabling VPN Nodes to Access the LANs Through Other VPN Nodes

You may want to give access to each site's network/LAN for all VPN nodes through the WireGuard. For these purposes, you may need to configure the firewall rules, including IP forwarding and NAT.

In order for the VPN server to route packets between VPN nodes and the LAN, you must enable IP forwarding on all of the WireGuard nodes. You can follow the given instructions outlined below to enable IP forwarding on all of your nodes:

  1. Open the system variables file for edit.

    sudo nano /etc/sysctl.conf
  2. Add or uncomment the following line by removing the # at the beginning of the line.

    net.ipv4.ip_forward=1
  3. Save the file and exit the editor.

  4. Open /etc/ufw/sysctl.conf and uncomment these lines:

    net/ipv4/ip_forward=1
    net/ipv6/conf/default/forwarding=1
    net/ipv6/conf/all/forwarding=1
  5. Apply the changes with the command below. The -p option loads the sysctl settings from the /etc/sysctl.conf file. Because the setting is stored in that file, it is kept after a system restart.

    sudo sysctl -p

3. Generating WireGuard Configuration Files Manually

Let's start to configure the WireGuard by creating a new configuration file called wg0.conf in the /etc/wireguard folder on each node.

You may create WireGuard configuration files for each node by following the next steps:

  1. Open wg0.conf file using an editor.

    sudo nano /etc/wireguard/wg0.conf
  2. Add the following directives to the configuration file. The configuration below will make your WireGuard server accept connections to 51820 and allow a node with the public key corresponding to the private key we generated above.

    # Name: Node1
    [Interface]
    PrivateKey = (contents-of-node1-privatekey)
    Address = (Node1-VPN-IP)
    ListenPort = 51820
    [Peer]
    # Node2
    PublicKey = (contents-of-node2-publickey)
    Endpoint = (Node2-Public-IP:51820)
    AllowedIPs = (Node2-VPN-IP), (Node2-LAN-Network-IP)
    PersistentKeepalive = 25

    [Peer]
    # Node3
    PublicKey = (contents-of-node3-publickey)
    Endpoint = (Node3-Public-IP:51820)
    AllowedIPs = (Node3-VPN-IP), (Node3-LAN-Network-IP)
    PersistentKeepalive = 25

    [Peer]
    # Node4
    PublicKey = (contents-of-node4-publickey)
    Endpoint = (Node4-Public-IP:51820)
    AllowedIPs = (Node4-VPN-IP), (Node4-LAN-Network-IP)
    PersistentKeepalive = 25

    tip

    Explanations of the settings in the WireGuard configuration file are given below:

    • PrivateKey: The private key of the VPN node, which can be found in the /etc/wireguard/node#n_private.key file generated before.
    • Address: Defines the private IPv4 and IPv6 addresses for the WireGuard node. Each peer in the VPN network should have a unique IP address.
    • ListenPort: Specifies which port WireGuard will use for incoming connections. It can be freely selected from the high port range. If no port is specified, it is 51820/UDP by default.
    • PublicKey: The public key of the corresponding VPN peer node, which can be found in the /etc/wireguard/node#n_public.key file generated before.
    • Endpoint: The public/WAN IP address and port number of the corresponding VPN peer node.
    • AllowedIPs: Network and IP addresses that will be accessible or routed by the corresponding VPN peer node. You can set IP address ranges in the list, separated by a comma.
    • PersistentKeepalive: Sends an authenticated empty packet to the peer every 25 seconds to keep the connection alive. If PersistentKeepalive isn't enabled, the VPN nodes might not be able to ping each other.
  3. Save and close the file.

  4. Repeat steps 1-3 on all VPN nodes, replacing the Name, PrivateKey, PublicKey, Endpoint and AllowedIPs with the correct values for each node.

After completing the above steps, you should have WireGuard VPN configuration files on all VPN nodes similar to the below sample files. Do not use the private and public keys given in the next sample configuration files; use your own pairs generated above in the first section.

The WireGuard VPN configuration file generated for Node1 looks like this:

[Interface]
# Name: NODE1
Address = 10.0.1.1
PrivateKey = KHpX3JsGa1EQSqWzy32SatTMwiJTckFIqmIK+e+T/FQ=
ListenPort = 51820

[Peer]
# Name: NODE2
PublicKey = /X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=
Endpoint = 11.11.11.2:51820
AllowedIPs = 10.0.2.1

[Peer]
# Name: NODE3
PublicKey = rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=
Endpoint = 11.11.11.3:51820
AllowedIPs = 10.0.3.1

[Peer]
# Name: NODE4
PublicKey = a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=
Endpoint = 11.11.11.4:51820
AllowedIPs = 10.0.4.1

The WireGuard VPN configuration file generated for Node2 looks like this:

[Interface]
# Name: NODE2
Address = 10.0.2.1
PrivateKey = GAT/al+KhZwSVw95XxAuOZ+ezs5qtgJgMpp3i0TNP0Y=
ListenPort = 51820

[Peer]
# Name: NODE1
PublicKey = aFg3Jx1uTXZQlnrNrOyN5PAobcmmEX359d1nfOpOnQM=
Endpoint = 11.11.11.1:51820
AllowedIPs = 10.0.1.1

[Peer]
# Name: NODE3
PublicKey = rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=
Endpoint = 11.11.11.3:51820
AllowedIPs = 10.0.3.1

[Peer]
# Name: NODE4
PublicKey = a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=
Endpoint = 11.11.11.4:51820
AllowedIPs = 10.0.4.1

The WireGuard VPN configuration file generated for Node3 looks like this:

[Interface]
# Name: NODE3
Address = 10.0.3.1
PrivateKey = sLXHpUKvNIbZRqVeIMKb3gW+tK9NK0ECIbJPGCulN3w=
ListenPort = 51820

[Peer]
# Name: NODE1
PublicKey = aFg3Jx1uTXZQlnrNrOyN5PAobcmmEX359d1nfOpOnQM=
Endpoint = 11.11.11.1:51820
AllowedIPs = 10.0.1.1

[Peer]
# Name: NODE2
PublicKey = /X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=
Endpoint = 11.11.11.2:51820
AllowedIPs = 10.0.2.1

[Peer]
# Name: NODE4
PublicKey = a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=
Endpoint = 11.11.11.4:51820
AllowedIPs = 10.0.4.1

The WireGuard VPN configuration file generated for Node4 looks like this:

[Interface]
# Name: NODE4
Address = 10.0.4.1
PrivateKey = EJYvbLKcWqxzcQD1EESkZbdhjCS3R/A2RCFxh0CBjHE=
ListenPort = 51820

[Peer]
# Name: NODE1
PublicKey = aFg3Jx1uTXZQlnrNrOyN5PAobcmmEX359d1nfOpOnQM=
Endpoint = 11.11.11.1:51820
AllowedIPs = 10.0.1.1

[Peer]
# Name: NODE2
PublicKey = /X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=
Endpoint = 11.11.11.2:51820
AllowedIPs = 10.0.2.1

[Peer]
# Name: NODE3
PublicKey = rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=
Endpoint = 11.11.11.3:51820
AllowedIPs = 10.0.3.1
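
Every node's file has to agree with every other node's, and a wrong key or AllowedIPs entry produces no error when the interface starts. The following Python check is an added example, not part of the original tutorial or of WireGuard's tooling: it audits one node's wg0.conf against Table 1 and the sample public keys above. The names INVENTORY, parse_wg_conf and audit, and the faulty sample, are assumptions made for the illustration.

```python
import ipaddress

# Table 1 plus the sample public keys above: name -> (public IP, VPN IP, public key).
INVENTORY = {
    "NODE1": ("11.11.11.1", "10.0.1.1", "aFg3Jx1uTXZQlnrNrOyN5PAobcmmEX359d1nfOpOnQM="),
    "NODE2": ("11.11.11.2", "10.0.2.1", "/X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU="),
    "NODE3": ("11.11.11.3", "10.0.3.1", "rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8="),
    "NODE4": ("11.11.11.4", "10.0.4.1", "a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY="),
}

# Node1's sample file from above, private key replaced by the template placeholder.
GOOD = """[Interface]
Address = 10.0.1.1
PrivateKey = (contents-of-node1-privatekey)
ListenPort = 51820
[Peer]
PublicKey = /X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=
Endpoint = 11.11.11.2:51820
AllowedIPs = 10.0.2.1
[Peer]
PublicKey = rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=
Endpoint = 11.11.11.3:51820
AllowedIPs = 10.0.3.1
[Peer]
PublicKey = a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=
Endpoint = 11.11.11.4:51820
AllowedIPs = 10.0.4.1
"""
# Constructed faulty copy: NODE3 is given NODE2's subnet, NODE4 is given NODE3's key.
BAD = (GOOD.replace("AllowedIPs = 10.0.3.1", "AllowedIPs = 10.0.2.0/24")
           .replace(INVENTORY["NODE4"][2], INVENTORY["NODE3"][2]))

def parse_wg_conf(text):
    """Return (interface, peers); configparser is unusable because [Peer] repeats."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            section = interface
        elif line.lower() == "[peer]":
            section = {}
            peers.append(section)
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # base64 padding stays in the value
            section[key.strip().lower()] = value.strip()
    return interface, peers

def audit(name, text, inventory=INVENTORY):
    """Check one node's wg0.conf against the inventory; return a list of findings."""
    interface, peers = parse_wg_conf(text)
    by_endpoint = {ip: n for n, (ip, _, _) in inventory.items() if n != name}
    findings, claimed, seen = [], [], set()
    own = [ipaddress.ip_interface(a.strip()).ip
           for a in interface.get("address", "").split(",") if a.strip()]
    if ipaddress.ip_address(inventory[name][1]) not in own:
        findings.append(f"{name}: Address is not {inventory[name][1]}")
    for peer in peers:
        host = peer.get("endpoint", "").rsplit(":", 1)[0]  # IPv4 endpoints, as on this page
        peer_name = by_endpoint.get(host)
        if peer_name is None:
            findings.append(f"{name}: unknown peer endpoint {host!r}")
            continue
        seen.add(peer_name)
        _, vpn_ip, pubkey = inventory[peer_name]
        if peer.get("publickey") != pubkey:
            findings.append(f"{name}: wrong PublicKey for {peer_name}")
        nets = [ipaddress.ip_network(a.strip(), strict=False)
                for a in peer.get("allowedips", "").split(",") if a.strip()]
        if not any(ipaddress.ip_address(vpn_ip) in net for net in nets):
            findings.append(f"{name}: AllowedIPs for {peer_name} omit {vpn_ip}")
        for net in nets:
            # AllowedIPs also select the outgoing peer, so ranges shared by two peers misroute.
            for other_net, other in claimed:
                if net.overlaps(other_net):
                    findings.append(f"{name}: {net} ({peer_name}) overlaps {other_net} ({other})")
        claimed += [(net, peer_name) for net in nets]
    for missing in sorted(set(by_endpoint.values()) - seen):
        findings.append(f"{name}: no [Peer] section for {missing}")
    return findings
```

Run audit once per node with that node's name and the text of its /etc/wireguard/wg0.conf; an empty list means the file matches the inventory.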

4. Starting WireGuard Server and Enabling it at Boot

We're ready to start the server now that we've completed the configuration. WireGuard has a handy wrapper called wg-quick that can be used to start new interfaces without having to go into the configuration details.

You should start the WireGuard service on all VPN nodes. To start the WireGuard service and bring the WireGuard interface (wg0) up, run the following command on the server:

sudo wg-quick up wg0

This will load the configuration file /etc/wireguard/wg0.conf and you should see an output like the below upon successfully starting the interface:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.1.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

To stop WireGuard service on a VPN node, run the next command:

sudo wg-quick down wg0

You can also use the systemd service to start WireGuard by running the next command:

sudo systemctl start wg-quick@wg0

You can check the WireGuard state and configuration with the following command. The status of the systemd service should be active (exited).

sudo wg show wg0

You should see output similar to the following:

interface: wg0
public key: sMX4WwdC85Z1UTyDFFCHq8EoaPqMj2f+DdvSTnJ/kmY=
private key: (hidden)
listening port: 51820

peer: /X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=
endpoint: 11.11.11.2:51820
allowed ips: 10.0.2.1/32
latest handshake: 1 minute, 34 seconds ago
transfer: 259.25 KiB received, 70.45 KiB sent

peer: rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=
endpoint: 11.11.11.3:51820
allowed ips: 10.0.3.1/32
latest handshake: 1 minute, 3 seconds ago
transfer: 476 B received, 564 B sent

peer: a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=
endpoint: 11.11.11.4:51820
allowed ips: 10.0.4.1/32
latest handshake: 1 minute, 4 seconds ago
transfer: 476 B received, 564 B sent

To enable the WireGuard interface automatically at system boot time, run the following command:

sudo systemctl enable wg-quick@wg0

Now that the WireGuard server is up and running, it is ready to accept VPN node connections.

5. Verifying the Mesh VPN Connectivity

You can run the next command on each VPN node to verify the WireGuard interface state:

ip a show wg0

You should see the output similar to the below for Node1:

6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.1.1/24 scope global wg0
valid_lft forever preferred_lft forever

You may try to access all other nodes from each VPN node by running the ping command. Each VPN peer responds to the ping command of the other peer, indicating that the VPN connection is active.

For our example, run the next commands on Node1. You should be able to reach all VPN peers:

ping 10.0.2.1
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.87 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.992 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=1.37 ms
64 bytes from 10.0.2.1: icmp_seq=4 ttl=64 time=1.21 ms
64 bytes from 10.0.2.1: icmp_seq=5 ttl=64 time=1.57 ms
64 bytes from 10.0.2.1: icmp_seq=6 ttl=64 time=1.43 ms
--- 10.0.2.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 0.992/1.577/1.873/0.607 ms
ping 10.0.3.1
64 bytes from 10.0.3.1: icmp_seq=1 ttl=64 time=1.87 ms
64 bytes from 10.0.3.1: icmp_seq=2 ttl=64 time=0.992 ms
64 bytes from 10.0.3.1: icmp_seq=3 ttl=64 time=1.37 ms
64 bytes from 10.0.3.1: icmp_seq=4 ttl=64 time=1.21 ms
64 bytes from 10.0.3.1: icmp_seq=5 ttl=64 time=1.57 ms
64 bytes from 10.0.3.1: icmp_seq=6 ttl=64 time=1.43 ms
--- 10.0.3.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 0.992/1.577/1.873/0.607 ms
ping 10.0.4.1
64 bytes from 10.0.4.1: icmp_seq=1 ttl=64 time=1.87 ms
64 bytes from 10.0.4.1: icmp_seq=2 ttl=64 time=0.992 ms
64 bytes from 10.0.4.1: icmp_seq=3 ttl=64 time=1.37 ms
64 bytes from 10.0.4.1: icmp_seq=4 ttl=64 time=1.21 ms
64 bytes from 10.0.4.1: icmp_seq=5 ttl=64 time=1.57 ms
64 bytes from 10.0.4.1: icmp_seq=6 ttl=64 time=1.43 ms
--- 10.0.4.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 0.992/1.577/1.873/0.607 ms
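
The ping test can be complemented by checking handshake ages on each node. This added Python example (not from the original tutorial) classifies peers from the output of `wg show wg0 latest-handshakes`; the sample output, the 180-second threshold and the names EXPECTED and mesh_health are assumptions, and the threshold presumes PersistentKeepalive = 25 as in the template, since an idle peer without keepalives can legitimately show an old handshake.

```python
import time

# Peer public keys from the page's sample files, as seen from Node1.
EXPECTED = {
    "/X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=": "NODE2",
    "rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=": "NODE3",
    "a+ITWT2UudgU4riPqtOoyQF/UfNiSVaw0SLjDsQ74nY=": "NODE4",
}

# Constructed sample of `wg show wg0 latest-handshakes` on Node1:
# one "<public key> TAB <unix time>" line per peer, 0 meaning no handshake yet.
SAMPLE = "\n".join([
    "/X6VZ7MuwRQ6psUlT7e6lW0cYOahm2C24vDk005RrxU=\t1700000000",
    "rnQGHyCFrRg+JDwZ+tJYo99KhKhO7o8RZ2aN/wpfPi8=\t1699999000",
    "CONSTRUCTED-UNKNOWN-PEER-KEY=\t1700000090",
])


def mesh_health(output, expected=EXPECTED, now=None, stale_after=180):
    """Classify each peer as ok, stale, never, missing or unexpected."""
    now = time.time() if now is None else now
    # Start from "missing" so a peer that is absent from the interface is reported.
    report = {name: "missing" for name in expected.values()}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, stamp = line.split("\t")
        last = int(stamp)
        if key not in expected:
            # A peer is configured on wg0 that the inventory does not know about.
            report[key] = "unexpected"
        elif last == 0:
            report[expected[key]] = "never"
        elif now - last > stale_after:
            report[expected[key]] = "stale"
        else:
            report[expected[key]] = "ok"
    return report
```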

Generating Key Pairs and WireGuard Configuration Files Automatically

Configuring a large number of nodes in a WireGuard mesh network manually is a time-consuming task. To add a new node to the mesh VPN network, the administrator would need to change the O(n²) node settings every time a new client is added.

Multiple WireGuard mesh tools exist to enable the automated creation of WireGuard settings for seamless management of your mesh networks. The most common WireGuard mesh tools are given below:

  1. Tailscale

  2. Headscale

  3. Netmaker

  4. Wesher

  5. Netbird

  6. wgmesh

  7. wiresmith

In this tutorial, we will use a Python script named WireGuard Mesh Configurator, wgmesh, to produce the configuration files for our nodes.

You may follow the next steps on one of your VPN nodes or a local Linux machine to generate WireGuard mesh configuration files automatically:

  1. Install git, python3-pip, and python3 packages by running next command:

    apt install git python3-pip python3 libncurses-dev -y
  2. Clone the GitHub repository of the WireGuard Mesh Configurator, wgmesh, by running next command:

    git clone https://github.com/k4yt3x/wg-meshconf
  3. Run the next commands to enter your directory and install the required packages for wgmesh:

    cd wg-meshconf
    pip install 'wg-meshconf@git+https://github.com/k4yt3x/wg-meshconf.git'
  4. Run the next command to initialize a new database file, since you first need to add the peers' information to the database. By default, the database file is named database.csv. You can also specify the file's name via -d:

    wg-meshconf init
  5. You need to add all VPN peers to the database. Type the following command for each VPN peer that you want to add:

    wg-meshconf addpeer NAME --address VPN_IP_ADDRESS --address LAN_IP_ADDRESS --endpoint PUBLIC_IP_ADDRESS

    This command generates a new private key automatically if none is specified and sets ListenPort to its default of 51820.

    tip

    You may use wg-meshconf addpeer -h to view more details.

    Repeat this step for all VPN peers in your mesh network. For our example, we run the next commands:

    wg-meshconf addpeer NODE1 --address 10.0.1.1 --endpoint 11.11.11.1
    wg-meshconf addpeer NODE2 --address 10.0.2.1 --endpoint 11.11.11.2
    wg-meshconf addpeer NODE3 --address 10.0.3.1 --endpoint 11.11.11.3
    wg-meshconf addpeer NODE4 --address 10.0.4.1 --endpoint 11.11.11.4
  6. Run the following command to make sure your peers have been added correctly.

    wg-meshconf showpeers

    You should see a table similar to the following:

    NAME   ADDRESS   LISTENPORT  PRIVATEKEY                                    ENDPOINT
    NODE1  10.0.1.1  51820       KHpX3JsGa1EQSqWzy32SatTMwiJTckFIqmIK+e+T/FQ=  11.11.11.1
    NODE2  10.0.2.1  51820       GAT/al+KhZwSVw95XxAuOZ+ezs5qtgJgMpp3i0TNP0Y=  11.11.11.2
    NODE3  10.0.3.1  51820       sLXHpUKvNIbZRqVeIMKb3gW+tK9NK0ECIbJPGCulN3w=  11.11.11.3
    NODE4  10.0.4.1  51820       EJYvbLKcWqxzcQD1EESkZbdhjCS3R/A2RCFxh0CBjHE=  11.11.11.4

  7. To generate the WireGuard mesh VPN configuration files for all peers, run the next command. To export settings for a specific peer, just include the name of the peer. The configuration files will be named according to the names of the peers. By default, all configuration files are automatically saved in a subfolder called "output".

    wg-meshconf genconfig
  8. You may view the WireGuard configuration files by using the cat command. The file name matches the peer name exactly as it was added, so for our example we can view the NODE1 configuration file by running the next command:

    cat output/NODE1.conf
  9. Transfer the generated WireGuard configuration files to each VPN node using any preferred technique, such as SFTP. Ensure that the configuration is saved as /etc/wireguard/wg0.conf so that wg-quick can bring the interface up quickly.

  10. Connect to each node.

  11. Start WireGuard service and test VPN connections as described in the previous section.

You have successfully established a mesh network using WireGuard, enabling your nodes to securely and privately interact with each other. Due to the absence of a central server, the network will remain operational even if one of the peers fails.

What is Hub and Spoke Architecture?

The hub and spoke topology is a network configuration in which a central device, referred to as the hub, is interconnected with several other devices, referred to as the spokes, for the purpose of exchanging and communicating data. This system offers a straightforward and efficient method for directing and overseeing data on a network, with the exception that the hub represents a single point of failure. The central hub acts as an intermediary for all communication, facilitating the configuration of security settings and the monitoring of traffic. The hub and spoke architecture is well recognized for its straightforwardness, capacity to handle growth, and improved security features, making it a useful option for enterprises.

Typically, VPN users, including WireGuard users, establish a "hub and spoke" structure, in which each client device (such as a desktop PC) connects to a central "concentrator" or VPN gateway.

Setting up WireGuard comes down to ensuring that every node in the network has the essential information (public key, public IP address, and port number) of each node it should connect to directly. To achieve complete connectivity across 10 nodes, each node must be aware of 9 peer nodes, resulting in 90 distinct tunnel endpoints. A hub-and-spoke network consists of a single central hub node and 9 peripheral nodes connected by spokes, resulting in a much simpler structure. The hub node often has a fixed IP address and a firewall opening, which makes it easy for all users to find. It can then receive inbound connections from nodes located at different IP addresses, regardless of whether those nodes are also situated behind a firewall, following the conventional approach used by client-server Internet protocols.

What are the Disadvantages of Hub and Spoke Architecture?

The hub-and-spoke model is effective; however, it does have some disadvantages. Primarily, the majority of contemporary organizations do not have a single location they want to designate as a central hub. They have several offices, various geographies, multiple cloud data centers, and Virtual Private Clouds (VPCs), among other things. Hub and spoke VPN design doesn't allow your nodes to communicate with each other. Typically, in conventional VPN configurations, corporations establish a single VPN concentrator and then establish additional tunnels (often using IPsec) connecting other sites. Remote users are directed to the VPN concentrator at one location, from which their traffic is then routed to its ultimate destination at another location.

Scaling is challenging with this conventional hub-and-spoke VPN configuration. Initially, it should be noted that distant users may or may not be in close proximity to the VPN concentrator. In the event that they are far away, they will experience significant delays while establishing a connection to it. Furthermore, the desired data center may not be in close proximity to the VPN concentrator. In such cases, there will be a significant increase in latency. Consider this scenario: a worker in New York attempting to establish a connection with a server in New York, using the company's VPN concentrator located in their head office in California.

How does WireGuard solve the problem of Hub and Spoke Architecture?

WireGuard has distinct characteristics and a collection of highly lightweight tunnels. The WireGuard tunnels are light enough to enable the establishment of a multi-hub configuration with little difficulty. A WireGuard mesh VPN allows for direct connections between all nodes, so each node connects to every other node efficiently and reliably.

However, it is essential that each data center be equipped with a static IP address, an open firewall port, and a specific set of WireGuard keys. Upon adding a new user, it will be necessary to disseminate the new key to all five servers. Upon the addition of a new server, it will be necessary to disseminate its key to each user. This requires around five times the amount of effort compared to a single hub, which is not a significant amount of labor.

Mesh vs Hub-and-Spoke

A mesh network, or fully connected network, is a network in which every node is directly connected to every other node. Mesh topology guarantees efficient and unobstructed channels of communication among all parties involved. However, it becomes complicated and hard to administer when the number of nodes rises owing to the number of connections.

In comparison, a hub-and-spoke network is simpler since each spoke connects directly only to the hub. Centralization can make activities easier to coordinate, but it creates a dependence on the central hub. A hub-and-spoke network is more suitable when there is a need for centralized control; a fully connected network is preferable when direct contact among all parties is essential.

Author: Lilliana Bartoletti