Wireguard VPN optimization Q

Scenario:
1 HQ/HUB, 4 spoke offices using 4 WireGuard tunnels. Remote sites do not need to talk to each other.

Q: Right now I have it set up with 4 WireGuard interfaces, each listening on a different port, a /30 bound to that interface and then 1 peer on each interface. Basically it is just like setting up a site2site 4 times. It looks like it would also be possible to create a single interface and then have 4 peers on that one interface to create the 4 tunnels. The question is… is my way a bad way to do it and why? Should I change it to 1 interface and 4 peers?

I would do it one interface, four sites… Assuming all MikroTik devices, of course.
Use the allowed peers for subnet access
Use firewall rules for refining access…

THE ONE CAVEAT is that SEPARATE WG interfaces are MANDATORY if you have duplicate peers.
Hence, if two of the peers had the same subnet that needed to be visited, then you would need two interfaces.
Likewise, if you had local hub users using the internet of more than one peer (allowed IPs of 0.0.0.0/0 twice), then you would need two interfaces.

MAIN ROUTER
IP - 10.10.10.1/24 interface=WG0 network=10.10.10.0
Peer1 Allowed IPs - 10.10.10.2/32, Any remote subnets coming from peer, Any remote destination subnets local users are going to
Peer2 Allowed IPs - 10.10.10.3/32, Any remote subnets coming from peer, Any remote destination subnets local users are going to
Peer3 Allowed IPs - 10.10.10.4/32, Any remote subnets coming from peer, Any remote destination subnets local users are going to
Peer4 Allowed IPs - 10.10.10.5/32, Any remote subnets coming from peer, Any remote destination subnets local users are going to

Firewall rules.
add chain=forward action=accept in-interface=WG0 out-interface-list=LAN (most broad: all incoming subnets/users have access to all local HUB subnets)
OR
add chain=forward action=accept in-interface=WG0 src-address=SUBNET_PEERA dst-address=SUBNET_LOCAL1
add chain=forward action=accept in-interface=WG0 src-address=SUBNET_PEERB dst-address=SUBNET_LOCAL2

etc. In other words whatever makes sense and since you provided no requirements cannot help further…

Note: If you want any traffic originating from hub to reach the peer you will need something like
add chain=forward action=accept src-address=local_subnet out-interface=WG0

ROUTES
Will need routes to ensure
a. return traffic from remote Peers gets directed back into the tunnel
OR
b. originating traffic from local users going to peer subnets enters the tunnel.

ex.
add dst-address=remotesubnet gateway=WG0 routing-table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Peer1 for example
IP - 10.10.10.2/24 interface=WG1 network=10.10.10.0
PeerHub Allowed IPs - 10.10.10.1/32 (normally 10.10.10.0/24), Any remote subnets coming from Hub, Any remote destination subnets

Firewall rules…
TO allow local subnets to enter tunnel
add action=accept chain=forward src-address=localsubnet out-interface=WG1
OR
TO allow remote subnets to exit tunnel
add action=accept chain=forward in-interface=WG1 dst-address=localsubnet (any incoming user can access that local subnet; perhaps too broad)
add action=accept chain=forward in-interface=WG1 dst-address=localsubnet src-address=remotesubnet (better focused)

Routes.
Required for any remote subnet return traffic or any locally originated traffic.
add dst-address=remotesubnet gateway=WG1 routing-table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assumes the admin will solely be on the HUB and does not require the ability to config any router from any device or from a road warrior setup.
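A complete version of the one-interface layout described in the answer above, as an added example (not from the original post or from any participant): RouterOS 7 CLI for the hub and for one spoke. The public keys, the hub hostname hub.example.net, port 13231 and the 192.168.x.0/24 subnets are placeholders. The detail worth seeing in full is that allowed-address is WireGuard's cryptokey routing table: a decrypted packet is dropped unless its source falls inside the sending peer's allowed-address, and an outbound packet on the interface is encrypted to the single peer whose allowed-address covers its destination, which is exactly why the same prefix cannot appear under two peers of one interface. A route into the interface is still needed, since allowed-address picks the peer but does not pick the interface.

```routeros
# Added example (not from the original thread): hub-and-spoke WireGuard on RouterOS 7,
# ONE interface, four peers. All keys, hostnames, ports and subnets are placeholders.
#
# Assumed address plan:
#   Hub    tunnel 10.10.10.1/24, LAN 192.168.0.0/24, listens on udp/13231
#   Spoke1 tunnel 10.10.10.2/32, LAN 192.168.1.0/24
#   Spoke2 tunnel 10.10.10.3/32, LAN 192.168.2.0/24
#   Spoke3 tunnel 10.10.10.4/32, LAN 192.168.3.0/24
#   Spoke4 tunnel 10.10.10.5/32, LAN 192.168.4.0/24

# ===================== HUB =====================
/interface wireguard
add name=WG0 listen-port=13231 mtu=1420 comment="hub side of all four spoke tunnels"

/ip address
add address=10.10.10.1/24 interface=WG0

# allowed-address = cryptokey routing table. Each spoke gets its tunnel /32 plus its
# own LAN; no prefix is repeated across peers (a repeated prefix would need a 2nd interface).
/interface wireguard peers
add interface=WG0 comment=Spoke1 public-key="<SPOKE1_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32,192.168.1.0/24
add interface=WG0 comment=Spoke2 public-key="<SPOKE2_PUBLIC_KEY>" \
    allowed-address=10.10.10.3/32,192.168.2.0/24
add interface=WG0 comment=Spoke3 public-key="<SPOKE3_PUBLIC_KEY>" \
    allowed-address=10.10.10.4/32,192.168.3.0/24
add interface=WG0 comment=Spoke4 public-key="<SPOKE4_PUBLIC_KEY>" \
    allowed-address=10.10.10.5/32,192.168.4.0/24

# Routes send each spoke LAN into WG0; allowed-address then selects which peer encrypts it.
/ip route
add dst-address=192.168.1.0/24 gateway=WG0 comment=Spoke1-LAN
add dst-address=192.168.2.0/24 gateway=WG0 comment=Spoke2-LAN
add dst-address=192.168.3.0/24 gateway=WG0 comment=Spoke3-LAN
add dst-address=192.168.4.0/24 gateway=WG0 comment=Spoke4-LAN

/ip firewall filter
# a single listening port serves all four tunnels (four interfaces would mean four ports)
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard handshakes"
# spoke -> hub LAN, scoped per spoke subnet instead of "anything arriving on WG0"
add chain=forward action=accept in-interface=WG0 src-address=192.168.1.0/24 dst-address=192.168.0.0/24
add chain=forward action=accept in-interface=WG0 src-address=192.168.2.0/24 dst-address=192.168.0.0/24
add chain=forward action=accept in-interface=WG0 src-address=192.168.3.0/24 dst-address=192.168.0.0/24
add chain=forward action=accept in-interface=WG0 src-address=192.168.4.0/24 dst-address=192.168.0.0/24
# hub LAN -> any spoke LAN (assumes the usual established/related accept rule sits above these)
add chain=forward action=accept src-address=192.168.0.0/24 out-interface=WG0
# spokes do not need to reach each other, so refuse hairpinning through the hub
add chain=forward action=drop in-interface=WG0 out-interface=WG0 comment="no spoke-to-spoke via hub"

# ===================== SPOKE1 (other spokes differ only in address, LAN and key) =====================
/interface wireguard
add name=WG1 listen-port=13231 mtu=1420

/ip address
add address=10.10.10.2/24 interface=WG1

# The spoke initiates, so it carries the endpoint and a keepalive; its allowed-address is
# the whole tunnel /24 plus the hub LAN (the hub is the only peer on this interface).
/interface wireguard peers
add interface=WG1 comment=Hub public-key="<HUB_PUBLIC_KEY>" \
    endpoint-address=hub.example.net endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=10.10.10.0/24,192.168.0.0/24

/ip route
add dst-address=192.168.0.0/24 gateway=WG1

/ip firewall filter
add chain=forward action=accept src-address=192.168.1.0/24 out-interface=WG1
add chain=forward action=accept in-interface=WG1 src-address=192.168.0.0/24 dst-address=192.168.1.0/24
```

After import, `/interface wireguard peers print` on the hub shows a recent `last-handshake` and rising `rx`/`tx` counters per spoke once each tunnel is up; a spoke whose LAN traffic arrives with a source outside its allowed-address is silently dropped by WireGuard before it ever reaches the filter rules, which is the "wrong subnet" protection the thread debates, and the firewall rules are the second, explicit layer on top of it.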

My 0.02€ …

If it works there is no NEED to change it.
4 separate WG interfaces or 4 different peers, doesn’t make any functional difference once everything is set up and working.

Since the 4 remote offices do not need to speak to each other, it might conceptually be even more logical to use 4 interfaces instead of 4 peers.
From a security point of view it will be easier / better to manage.
But that’s how my mind is wired :laughing:

Poppycock, there is no substantial risk of users getting to a wrong subnet either way!! One has to set up allowed peers, firewall rules and routes all incorrectly for there to be any risk, for any method utilized.
I prefer opening up fewer ports on any router as a better security approach, so that is how my mind is wired LOL.
Hoelve, you eat too much Swiss cheese (full of holes) :wink: