Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

WireGuard VPN peer-to-site

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

To help understand the WireGuard concepts, we will show some practical setups that hopefully match many scenarios out there.

This is probably the most common setup for a VPN: connecting a single system to a remote site, and getting access to the remote network “as if you were there”.

Where to place the remote WireGuard endpoint in the network will vary a lot depending on the topology. It can be in a firewall box, the router itself, or some random system in the middle of the network.

Here we will cover a simpler case more resembling what a home network could be like:

               public internet
     
                xxxxxx      ppp0 ┌────────┐
 ┌────┐         xx   xxxx      ──┤ router │
 │    ├─ppp0  xxx      xx        └───┬────┘
 │    │       xx        x            │         home 10.10.10.0/24
 │    │        xxx    xxx            └───┬─────────┬─────────┐
 └────┘          xxxxx                   │         │         │
                                       ┌─┴─┐     ┌─┴─┐     ┌─┴─┐
                                       │   │     │   │     │   │
                                       │pi4│     │NAS│     │...│
                                       │   │     │   │     │   │
                                       └───┘     └───┘     └───┘

This diagram represents a typical simple home network setup. You have a router/modem, usually provided by the ISP (Internet Service Provider), and some internal devices like a Raspberry PI perhaps, a NAS (Network Attached Storage), and some other device.

There are basically two approaches that can be taken here: install WireGuard on the router, or on another system in the home network.

Note that in this scenario the “fixed” side, the home network, normally won’t have a WireGuard Endpoint configured, as the peer is typically “on the road” and will have a dynamic IP address.

This page was last modified a month ago. Help improve this document in the forum.