Using WireGuard for VLAN

WireGuard is a modern VPN protocol: it is fast, its code base is small enough to audit, and a working configuration fits in a dozen lines.

Although WireGuard is peer-to-peer and has no strict “server” and “client” roles, for simplicity we will call the two machines Server A (the Main Node, the side with a fixed public IP that the other side connects to) and Server B (the Connecting Node).

Our goal is to build a virtual private network with the subnet 10.0.0.x, so that the two servers can reach each other through internal IP addresses. Note that what the title calls a VLAN is an encrypted WireGuard overlay between two hosts, not an 802.1Q VLAN on a switch.


📌 Prerequisites

  1. Server A: Suppose its real public IP is 198.51.100.1 (a documentation address; replace it with your actual IP during setup). We will assign it the VPN internal IP 10.0.0.1. Server A must be reachable from Server B on UDP port 51820.
  2. Server B: Does not require a static public IP and may sit behind NAT, because it is the side that initiates the connection. We will assign it the VPN internal IP 10.0.0.2.
  3. Both servers require root or sudo privileges.

Step 1: Install WireGuard on Both Servers

Depending on your Linux distribution, execute the following commands on both servers to install WireGuard:

Ubuntu / Debian Systems:

sudo apt update
sudo apt install wireguard -y

CentOS Stream / RHEL 8 or 9 Systems (also Rocky Linux and AlmaLinux):

sudo dnf install epel-release -y
sudo dnf install wireguard-tools -y

(On RHEL itself the epel-release package is not in the default repositories; enable EPEL the way the EPEL project documents first.) The wireguard-tools package only provides the wg and wg-quick commands; the tunnel itself runs in the kernel. Kernels 5.6 and newer include the module, as does RHEL 9's 5.14 kernel; on an older kernel such as RHEL 8's 4.18 you need an out-of-tree module package before wg-quick up can create the interface. A quick check on either distribution is sudo modprobe wireguard, which should print nothing.

Step 2: Generate Key Pairs on Both Servers

WireGuard authenticates peers with static Curve25519 key pairs, much like SSH keys: each machine has a Private Key that never leaves it and a Public Key that you hand to the other side. A peer is identified purely by its public key; there are no usernames or certificates.

Execute the following commands on both Server A and Server B:

# Generate the key pair as root. /etc/wireguard is normally root-only, which is why a
# plain `cd /etc/wireguard` fails for a regular user and why the whole pipeline runs
# under sudo. umask 077 makes both files readable by root only from the moment they
# are created, so the private key is never world-readable, not even briefly.
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee privatekey | wg pubkey > publickey'

Once generated, view the values with cat (both files are root-only, so sudo is needed):

sudo cat /etc/wireguard/privatekey
sudo cat /etc/wireguard/publickey

🚨 Important Note: Only the public keys need to move between the machines. Record Server A's public key and Server B's public key, clearly labelled, for the configuration steps below. The private key should never leave the machine it was generated on; do not paste it into chat, tickets or shared notes. Do not mix the two machines' keys up during configuration!


Step 3: Configure Server A (Main Node)

Create the configuration file on Server A:

sudo nano /etc/wireguard/wg0.conf

(If you are unfamiliar with nano, you can use vim. In nano, paste the content, press Ctrl+O to save, Enter to confirm, and Ctrl+X to exit.)

Paste the following content, replacing the <...> placeholders with your actual values. After saving, make the file root-only (mode 600): it contains the private key, and wg-quick warns when the file is readable by other users.

[Interface]
# Insert [Server A's Private Key]
PrivateKey = <Server A's Private Key>
# The internal IP assigned to Server A
Address = 10.0.0.1/24
# Listening port, default is 51820
ListenPort = 51820

[Peer]
# Insert [Server B's Public Key]
PublicKey = <Server B's Public Key>
# Server B's internal IP. The /32 means: route only 10.0.0.2 to this peer, and accept packets from this peer only if their source is 10.0.0.2 (AllowedIPs is both the route table and the ingress filter for the peer)
AllowedIPs = 10.0.0.2/32

Step 4: Configure Server B (Connecting Node)

Create the configuration file on Server B:

sudo nano /etc/wireguard/wg0.conf

Paste the following content, replacing the <...> placeholders, and again make the saved file root-only (mode 600), since it holds Server B's private key:

[Interface]
# Insert [Server B's Private Key]
PrivateKey = <Server B's Private Key>
# The internal IP assigned to Server B
Address = 10.0.0.2/24

[Peer]
# Insert [Server A's Public Key]
PublicKey = <Server A's Public Key>
# Insert Server A's [Real Public IP] and port
Endpoint = <Server A's Real Public IP>:51820
# Routing settings, allowing access to Server A's internal IP through this tunnel
AllowedIPs = 10.0.0.1/32
# Keep the connection alive to prevent NAT routers from dropping it (sends a heartbeat packet every 25 seconds)
PersistentKeepalive = 25
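The two files above are assembled by hand, which is exactly where the key mix-ups described in the troubleshooting section come from. As an added example (not code from the original post), the POSIX shell script below renders both wg0.conf files from one set of variables and then cross-checks the pair: each [Peer] must carry the other machine's public key, no public key may appear as a PrivateKey, each AllowedIPs must be the other side's Address as a /32, and Server B's Endpoint port must equal Server A's ListenPort. The four keys are constructed placeholders with the right shape, and the 198.51.100.1 endpoint is the documentation address from the prerequisites; on real servers substitute the values from Step 2.

```shell
#!/bin/sh
# Added example, not part of the original post: render both wg0.conf files from one
# set of variables and cross-check the pair before copying each file to its server.
#
# The four keys below are constructed placeholders with the right shape (44-char
# base64 of 32 bytes); on real servers, substitute the output of wg genkey / wg pubkey.
A_PRIV='cE1x7mQv9pL3bT5nR8wK2hJ6dF4sG0aZ1yU3iO5tX7A='
A_PUB='aN3Zq7Qs8tU0vW2xY4zA6bC8dE0fG2hI4jK6lM8nO1A='
B_PRIV='kV5sZ2xC4dN7mQ9pL1bT3nR6wK8hJ0dF2sG4aZ6yU8E='
B_PUB='mP9tX2vB5nQ8wL1sK4zR7dF0hJ3gC6aY9eU2iO5kT8M='
A_ENDPOINT='198.51.100.1'   # Server A's public IP (documentation address from the post)
PORT=51820

# render_a / render_b: print the wg0.conf for each server, same layout as Steps 3 and 4.
render_a() {
  cat <<EOF
[Interface]
PrivateKey = $A_PRIV
Address = 10.0.0.1/24
ListenPort = $PORT

[Peer]
PublicKey = $B_PUB
AllowedIPs = 10.0.0.2/32
EOF
}

render_b() {
  cat <<EOF
[Interface]
PrivateKey = $B_PRIV
Address = 10.0.0.2/24

[Peer]
PublicKey = $A_PUB
Endpoint = $A_ENDPOINT:$PORT
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
EOF
}

# cfg_get FILE KEY: value of the first "KEY = value" line in FILE (empty if absent).
cfg_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_key VALUE: true if VALUE has the shape of a WireGuard key (43 base64 chars + '=').
is_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# check_pair A_CONF B_CONF A_PUB B_PUB: exit 0 only if the two files agree with each
# other and with the known public keys. The first finding is printed to stderr.
check_pair() {
  a=$1 b=$2 a_pub=$3 b_pub=$4
  for k in "$(cfg_get "$a" PrivateKey)" "$(cfg_get "$a" PublicKey)" \
           "$(cfg_get "$b" PrivateKey)" "$(cfg_get "$b" PublicKey)"; do
    is_key "$k" || { echo "malformed or missing key: '$k'" >&2; return 1; }
  done
  # [Peer] on each side must carry the OTHER machine's public key
  [ "$(cfg_get "$a" PublicKey)" = "$b_pub" ] ||
    { echo "Server A's [Peer] does not carry Server B's public key" >&2; return 1; }
  [ "$(cfg_get "$b" PublicKey)" = "$a_pub" ] ||
    { echo "Server B's [Peer] does not carry Server A's public key" >&2; return 1; }
  # a public key pasted into PrivateKey is the classic mix-up
  case "$(cfg_get "$a" PrivateKey)$(cfg_get "$b" PrivateKey)" in
    *"$a_pub"*|*"$b_pub"*) echo "a public key was used as a PrivateKey" >&2; return 1 ;;
  esac
  # each side's AllowedIPs must be exactly the other side's tunnel address as a /32
  a_addr=$(cfg_get "$a" Address); a_addr=${a_addr%/*}
  b_addr=$(cfg_get "$b" Address); b_addr=${b_addr%/*}
  [ "$(cfg_get "$a" AllowedIPs)" = "$b_addr/32" ] ||
    { echo "Server A's AllowedIPs does not match Server B's Address" >&2; return 1; }
  [ "$(cfg_get "$b" AllowedIPs)" = "$a_addr/32" ] ||
    { echo "Server B's AllowedIPs does not match Server A's Address" >&2; return 1; }
  # Server B's Endpoint port must be the port Server A listens on
  ep=$(cfg_get "$b" Endpoint)
  [ "${ep##*:}" = "$(cfg_get "$a" ListenPort)" ] ||
    { echo "Endpoint port on B differs from ListenPort on A" >&2; return 1; }
  return 0
}

# Usage: "sh make-wg.sh render" writes server-a.wg0.conf and server-b.wg0.conf into the
# current directory and verifies them; copy each to /etc/wireguard/wg0.conf (mode 600)
# on the matching server. Without an argument the script only defines the functions.
if [ "${1:-}" = "render" ]; then
  umask 077                     # the rendered files contain private keys
  render_a > server-a.wg0.conf
  render_b > server-b.wg0.conf
  check_pair server-a.wg0.conf server-b.wg0.conf "$A_PUB" "$B_PUB" && echo "configs consistent"
fi
```

The file name make-wg.sh is only a suggestion. check_pair validates the shape of keys but cannot tell whether a well-formed 44-character string is the right key, which is why it is handed the two known public keys explicitly; the one thing it cannot catch is a private key that does not belong to the public key the other side was given, and for that the wg pubkey check in the troubleshooting section remains the test.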

Step 5: Open Firewall Ports on Server A

WireGuard uses UDP on port 51820, so this port must be allowed through Server A's firewall. Server B needs no inbound rule: it initiates the connection, and its stateful firewall admits the replies.

  • For Ubuntu (UFW Firewall):
    sudo ufw allow 51820/udp
  • For CentOS (Firewalld):
    sudo firewall-cmd --add-port=51820/udp --permanent
    sudo firewall-cmd --reload
  • 🚨 Special Note for Cloud Servers: If your server is hosted on a cloud platform like Aliyun, Tencent Cloud, or AWS, the host firewall alone is not enough; you must also go to the “Security Group” or “Firewall” settings in your cloud console and add a rule that allows UDP port 51820. A source of 0.0.0.0/0 is acceptable here because WireGuard does not answer packets that fail authentication, so a port scanner sees nothing; if Server B has a fixed public IP anyway, narrow the source to that address.

Step 6: Start WireGuard!

Execute the following commands on both servers to start WireGuard and enable it to run on boot:

# Start WireGuard
sudo wg-quick up wg0

# Enable automatic startup on boot
sudo systemctl enable wg-quick@wg0

You can check the running status with sudo wg. Server B is the side that initiates the handshake (it has the Endpoint and the keepalive), so on Server A the peer entry shows only the public key and AllowedIPs until Server B has been started. Once both sides are up you should see latest handshake: x seconds ago in the status information on both machines, along with a small amount of transfer. If you later edit wg0.conf, bring the interface down and up again with wg-quick; a running interface does not reread the file on its own.


Step 7: Test the Internal Network Connection

Now, your two machines are connected via WireGuard!

Test the connection from Server A to Server B:

ping 10.0.0.2

Test the connection from Server B to Server A:

ping 10.0.0.1

If both pings succeed (replies come back), congratulations! You have set up an encrypted link between the two Linux servers with WireGuard. From now on, services such as databases on these servers can be reached through the 10.0.0.x internal IP addresses, and everything sent between those addresses is encrypted and authenticated by WireGuard. One caveat: the tunnel protects only traffic that actually uses it. A database that listens on 0.0.0.0 is still reachable on the public IP exactly as before, so bind such services to 10.0.0.1 or 10.0.0.2 (or firewall their public port) to get the isolation you set this up for.


💡 Troubleshooting Common Issues (If Ping Fails)

  1. Check the Keys: most first-time failures come from mixing up the public and private keys, or from using both keys of the same machine. Remember: your own private key goes in [Interface], the other machine's public key goes in [Peer]. If in doubt, re-derive each machine's public key from its private key with wg pubkey and compare it with what the other side has configured.
  2. Check Security Groups / Firewalls: make sure UDP (not TCP) port 51820 is allowed both by the host firewall on Server A and by its security group in the cloud console; a rule for TCP 51820 does nothing for WireGuard.
  3. Check the Handshake: run sudo wg show. If no latest handshake line appears at all, either the packets never reach Server A or the keys do not match, so go back to the firewall settings and the key check above. If the handshake succeeds but ping still fails, look at the AllowedIPs and Address lines: the peer's AllowedIPs must cover the address the other side actually uses. By default WireGuard writes nothing to the system log for failed handshakes, so the wg output is the primary evidence.
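Reading latest handshake by eye works for two servers; for anything you want to monitor, use the machine-readable output of wg show wg0 dump instead. The POSIX shell script below is an added example (not code from the original post) that classifies each peer as ok, stale or never from the age of its last handshake. It runs over a constructed sample of dump output, and the 180-second threshold is an assumption: with PersistentKeepalive set, a healthy pair re-handshakes roughly every two minutes, so anything older means the tunnel has dropped even though the interface still exists.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether the tunnel is healthy
# from "wg show wg0 dump", the machine-readable form of the "sudo wg" status.
# Peer lines in dump output are tab-separated, in this order:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, or 0 if the peer has never completed a handshake.
#
# Threshold assumption: with PersistentKeepalive = 25 on Server B the peers re-handshake
# roughly every two minutes, so a handshake older than MAX_AGE seconds means the tunnel
# has effectively dropped (firewall change, endpoint change, remote host down).
MAX_AGE=180
TAB=$(printf '\t')

# sample_dump: constructed stand-in for "sudo wg show wg0 dump" on Server A. Not real
# output; keys, endpoint and counters are made up. Line 1 describes the interface itself
# (private-key, public-key, listen-port, fwmark), the following lines one peer each.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' '(hidden)' 'aN3Zq7Qs8tU0vW2xY4zA6bC8dE0fG2hI4jK6lM8nO1A=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'mP9tX2vB5nQ8wL1sK4zR7dF0hJ3gC6aY9eU2iO5kT8M=' '(none)' '203.0.113.7:41822' \
    '10.0.0.2/32' 1771900000 1480 1624 off
}

# handshake_status LAST_TS NOW: prints never | stale | ok
handshake_status() {
  if [ "$1" -eq 0 ]; then
    echo never          # no handshake ever: keys or firewall are wrong
  elif [ $(( $2 - $1 )) -gt "$MAX_AGE" ]; then
    echo stale          # it worked once, then stopped
  else
    echo ok
  fi
}

# peer_report NOW: reads dump text on stdin, prints one line per peer:
#   <first 8 chars of public key> <allowed-ips> <status> <age in seconds or ->
peer_report() {
  now=$1
  tail -n +2 | while IFS="$TAB" read -r pub psk ep allowed hs rx tx ka; do
    [ -n "$pub" ] || continue
    if [ "$hs" -eq 0 ]; then age=-; else age=$((now - hs)); fi
    printf '%s %s %s %s\n' "$(printf '%s' "$pub" | cut -c1-8)" "$allowed" \
      "$(handshake_status "$hs" "$now")" "$age"
  done
}

# tunnel_ok DUMP_TEXT NOW: exit 0 only when every peer has a fresh handshake
tunnel_ok() {
  printf '%s\n' "$1" | peer_report "$2" | awk '$3 != "ok" { bad = 1 } END { exit bad }'
}

# Usage: "sh wg-health.sh live" checks the real wg0 interface (needs root for wg show).
# Without an argument the script only defines the functions.
if [ "${1:-}" = "live" ]; then
  dump=$(sudo wg show wg0 dump)
  now=$(date +%s)
  printf '%s\n' "$dump" | peer_report "$now"
  if tunnel_ok "$dump" "$now"; then echo "tunnel healthy"; else echo "tunnel problem, see rows above"; fi
fi
```

The file name wg-health.sh is only a suggestion. The exit status of tunnel_ok is what a cron job or monitoring agent would act on; the per-peer rows are for a human. A peer that reports never right after wg-quick up on Server A is normal until Server B has started, since B is the side that initiates.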

Author: Shayne Wong
Publish Date: 02-24-2026
Last Modified: 02-25-2026
License: Shayne Wong