How to configure a WireGuard client to interact with two distinct servers?

I want an unmanned WireGuard client to work with redundant WireGuard servers.

Physical:

  • I have a master database server in a VPS of provider A in the USA.
  • I have continuous replication running to a slave server in a VPS of provider B in Europe.
  • I have a backup database server, also running as a replication slave, on a WiFi LAN in my home office.

Network:

  • The master database server in the USA runs a WireGuard server as 10.20.20.1.
  • The slave database server in Europe runs a WireGuard server as 10.20.10.1.

The backup database in my home office is successfully configured to interact with either the master or slave remote WireGuard servers individually.

To connect via USA I need someone at home to do:

sudo wg-quick down wgEUR; sudo wg-quick up wgUSA;

To connect via Europe I need someone at home to do:

sudo wg-quick down wgUSA; sudo wg-quick up wgEUR;

However!!

The point is to be able to SSH into the home office machine, from wherever I am in the world, via either one of the WireGuard servers; if one goes down the other is still available.

How can I configure routing in the home office WireGuard client to permit simultaneous access from both remote WireGuard servers’ subnets?


Settings

Europe (37.xxx.xxx.139:34567):
wg0.conf

[Interface]
Address = 10.20.10.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0  -j MASQUERADE
ListenPort = 34567
PrivateKey = MNf4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxiVg=

[Peer]
PublicKey = durAZO/EtWQnqwnbadbadbadzDa9+klqUmqCT6VplWc=
AllowedIPs = 10.20.10.16/32

USA (185.xxx.xxx.36:34567):
wg0.conf

[Interface]
Address = 10.20.20.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 34567
PrivateKey = EGdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp2Q=

[Peer]
PublicKey = durAZO/EtWQnbadbadbadMkTzDa9+klqUmqCT6VplWc=
AllowedIPs = 10.20.20.16/32

Client wgEUR.conf:

[Interface]
### PrivateKey_of_the_Client
PrivateKey = EBmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaXlE=
### IP VPN for the Client
Address = 10.20.10.16/24
### DNS Server
DNS = 8.8.8.8, 8.8.4.4

[Peer]
### Public key of the WireGuard VPN Server
PublicKey = pTm/tJwOWJ3QRwEcbadbadbadWx/BbCthbFa52M2uVE=

### IP and Port of the WireGuard VPN Server
##### Syntax: IP_of_the_server:Port
Endpoint = 37.xxx.xxx.139:34567

### Allow all traffic
AllowedIPs = 0.0.0.0/0

Client wgUSA.conf:

[Interface]
### PrivateKey_of_the_Client
PrivateKey = EBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXlE=
### IP VPN for the Client
Address = 10.20.20.16/24
### DNS Server
DNS = 8.8.8.8, 8.8.4.4

[Peer]
### Public key of the WireGuard VPN Server
PublicKey = f/H+1b/jkkXvbhYPEbadbadbadkKMBMgEW1IvmOeCEE=

### IP and Port of the WireGuard VPN Server
##### Syntax: IP_of_the_server:Port
Endpoint = 185.xxx.xxx.36:34567

### Allow all traffic
AllowedIPs = 0.0.0.0/0

Asked By: Martin Bramwell


This VPN is to access private resources, not a way to access Internet anonymously. So split tunneling should be used.

Just replace on the client side:

AllowedIPs = 0.0.0.0/0

by only the needed resource: the server running the database.

For client’s wgEUR.conf:

AllowedIPs = 10.20.10.1/32

For client’s wgUSA.conf:

AllowedIPs = 10.20.20.1/32

Now the two tunnels can be up at the same time: wg-quick won’t hijack routing (which happens with the default Table = auto setting when it is presented with an AllowedIPs containing 0.0.0.0/0 or ::/0) and the two tunnels won’t conflict with each other. The client’s usual Internet access won’t go through the tunnels, and that’s certainly an improvement: why would a database server provide such a service?

Answered By: A.B
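As an added example (not from the question or the answer), a small Python checker that parses wg-quick client configs and flags the two problems the answer names: an AllowedIPs of 0.0.0.0/0 or ::/0 under the default Table = auto, which makes wg-quick take over the host's routing, and prefixes that overlap between the two tunnels. The sample configs and key placeholders below are constructed; they mirror the question's layout but are not the asker's files.

```python
import ipaddress

# Constructed sample configs mirroring the question (placeholder keys, not real ones).
EUR_ORIG = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.20.10.16/24
[Peer]
PublicKey = <eur-server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
"""
USA_ORIG = EUR_ORIG.replace("10.20.10.16", "10.20.20.16").replace("eur-", "usa-")
# The answer's fix: route only the database host through each tunnel.
EUR_FIXED = EUR_ORIG.replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 10.20.10.1/32")
USA_FIXED = USA_ORIG.replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 10.20.20.1/32")

def parse_wg_conf(text):
    """Minimal wg-quick INI parser: list of (section, {key: [values]}); keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def allowed_networks(conf):
    """All AllowedIPs prefixes across every [Peer] section."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for name, kv in parse_wg_conf(conf) if name == "Peer"
            for entry in kv.get("AllowedIPs", []) for c in entry.split(",")]

def hijacks_default_route(conf):
    """True when wg-quick (Table = auto, the default) would install a catch-all
    route (0.0.0.0/0 or ::/0) and steer all of the host's traffic into this tunnel."""
    table = [v for name, kv in parse_wg_conf(conf) if name == "Interface"
             for v in kv.get("Table", [])]
    if table and table[-1].lower() != "auto":
        return False
    return any(net.prefixlen == 0 for net in allowed_networks(conf))

def conflicting_prefixes(conf_a, conf_b):
    """Prefixes that overlap between two tunnels: both would claim the same destinations."""
    return [(str(a), str(b)) for a in allowed_networks(conf_a)
            for b in allowed_networks(conf_b) if a.overlaps(b)]
```

Running it over the original pair reports a hijack on both tunnels and one conflict (0.0.0.0/0 against 0.0.0.0/0); over the fixed pair it reports neither.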