
Mesh config

Configure A Mesh

A typical path for a WireGuard config is /etc/wireguard/wg0.conf, which corresponds to the systemd service wg-quick@wg0.service.

Here is an example of a mesh network, composed of 3 nodes.

Add PersistentKeepalive = 25 to keep the connection alive; without it, the tunnel goes down after a period of inactivity.

Node 1

[Interface]
# Private key of this node. Anyone who can read this file can impersonate
# the node, so keep it owned by root with mode 0600.
PrivateKey = <PRIVATE_KEY_1>
# Tunnel address of this node; /32 means a single host, no subnet route.
Address = 10.0.0.1/32
# UDP port the other peers connect to; it must be reachable through any
# firewall or NAT in front of this node.
ListenPort = <PORT_1>
# SaveConfig makes wg-quick rewrite this file from the running interface on
# shutdown (comments are lost). Left disabled so this file stays the source
# of truth.
#SaveConfig = true
# %i is replaced with the interface name (wg0 for wg0.conf) by wg-quick.
# The FORWARD ACCEPT and MASQUERADE rules let this node route traffic between
# the tunnel and eth0; they only take effect if IP forwarding is enabled on the
# host and are not needed for the mesh itself, where every peer is a single
# /32 host. Drop them if this node should not act as a gateway for its peers.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Mirror of PostUp so the rules are removed when the interface goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Node 2
[Peer]
PublicKey = <PUBLIC_KEY_2>
Endpoint = <EXTERNAL_IP_2>:<PORT_2>
# Only this source address is accepted from this peer, and only this
# destination is routed to it.
AllowedIPs = 10.0.0.2/32
# Seconds between keepalive packets; keeps NAT/firewall state from expiring.
PersistentKeepalive = 25

# Node 3
[Peer]
PublicKey = <PUBLIC_KEY_3>
Endpoint = <EXTERNAL_IP_3>:<PORT_3>
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

Node 2

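[Interface]
# Private key of this node. Anyone who can read this file can impersonate
# the node, so keep it owned by root with mode 0600.
PrivateKey = <PRIVATE_KEY_2>
# Tunnel address of this node; /32 means a single host, no subnet route.
Address = 10.0.0.2/32
# UDP port the other peers connect to; it must be reachable through any
# firewall or NAT in front of this node.
ListenPort = <PORT_2>
# %i is replaced with the interface name by wg-quick, so the rules follow the
# config file name instead of a hard-coded wg0 (consistent with Node 1).
# INPUT ACCEPT admits every packet arriving from the tunnel, so each peer can
# reach every service listening on this node; restrict it to the ports peers
# actually need if that is not intended.
# The FORWARD ACCEPT and MASQUERADE rules let this node route traffic between
# the tunnel and eth0; they only take effect if IP forwarding is enabled on the
# host and are not needed for the mesh itself, where every peer is a single
# /32 host. Drop them if this node should not act as a gateway for its peers.
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Mirror of PostUp so the rules are removed when the interface goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Node 1
[Peer]
PublicKey = <PUBLIC_KEY_1>
Endpoint = <EXTERNAL_IP_1>:<PORT_1>
# Only this source address is accepted from this peer, and only this
# destination is routed to it.
AllowedIPs = 10.0.0.1/32
# Seconds between keepalive packets; keeps NAT/firewall state from expiring.
PersistentKeepalive = 25

# Node 3
[Peer]
PublicKey = <PUBLIC_KEY_3>
Endpoint = <EXTERNAL_IP_3>:<PORT_3>
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25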

Node 3

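[Interface]
# Private key of this node. Anyone who can read this file can impersonate
# the node, so keep it owned by root with mode 0600.
# (Trailing whitespace after the placeholder removed.)
PrivateKey = <PRIVATE_KEY_3>
# Tunnel address of this node; /32 means a single host, no subnet route.
Address = 10.0.0.3/32
# UDP port the other peers connect to; it must be reachable through any
# firewall or NAT in front of this node.
ListenPort = <PORT_3>
# %i is replaced with the interface name by wg-quick, so the rules follow the
# config file name instead of a hard-coded wg0 (consistent with Node 1).
# INPUT ACCEPT admits every packet arriving from the tunnel, so each peer can
# reach every service listening on this node; restrict it to the ports peers
# actually need if that is not intended.
# The FORWARD ACCEPT and MASQUERADE rules let this node route traffic between
# the tunnel and eth0; they only take effect if IP forwarding is enabled on the
# host and are not needed for the mesh itself, where every peer is a single
# /32 host. Drop them if this node should not act as a gateway for its peers.
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Mirror of PostUp so the rules are removed when the interface goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Node 1
[Peer]
PublicKey = <PUBLIC_KEY_1>
Endpoint = <EXTERNAL_IP_1>:<PORT_1>
# Only this source address is accepted from this peer, and only this
# destination is routed to it.
AllowedIPs = 10.0.0.1/32
# Seconds between keepalive packets; keeps NAT/firewall state from expiring.
PersistentKeepalive = 25

# Node 2
[Peer]
PublicKey = <PUBLIC_KEY_2>
Endpoint = <EXTERNAL_IP_2>:<PORT_2>
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25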