How do I realize Site to Site?

Hi everyone,

I only ever use WireGuard for client-to-site connections. I have the following setup:

I have my place with all my stuff (homelab, desktop, etc.)

AND

My parents place which has my Odroid HC2 as offsite backup, a Raspi3 with docker and a few other devices.

Plan: I want to have a site to site vpn. I want a bidirectional VPN tunnel.

I have local subnets 192.168.16.0/24 and 192.168.8.0/24 .

  • Can I connect WireGuard servers to each other? Or do I have to run both client and server on both sites?
  • How do I restrict it so that from one direction I can reach the whole subnet, but in the other direction only a few addresses are allowed?
  • The wg client/server would not run on the router. So I assume I’d have to add a static route on the router?

Cheers and thanks!

I’ve found this article to be well written

You don’t need both sides to be ‘servers’ for a site-to-site VPN (fact: WireGuard is a peer-to-peer protocol, not a server-client protocol). I think your current connection is good.

The only thing you need to make it site-to-site is to put subnet A in B’s AllowedIPs, and vice versa. And if you’re running WireGuard not on your router, add a static route on your router that points the other subnet at your WireGuard machine, as you mentioned (e.g. 192.168.8.0/24 via <Odroid_ip>).

And if you want to allow only a few addresses, replace AllowedIPs with the IPs that you allow (e.g. replace AllowedIPs = 192.168.8.0/24 with AllowedIPs = 192.168.8.4/32,192.168.8.5/32).

The topic is well explained here:

If both sites have static IPs/DDNS then it’s easy: just set them up as peers.

AllowedIPs is the magic WireGuard config setting that will do all the routing for you.

AllowedIPs=192.168.8.0/24
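The two replies above both come down to AllowedIPs: one says to put each site's subnet in the other side's peer entry and trim it to a few /32s where you want to restrict, the other says AllowedIPs does the routing. The script below is an added example, not code posted by anyone in this thread. It renders a wg-quick style config for each site using the two subnets from the question, with the restriction example from the reply above (home only allows 192.168.8.4 and 192.168.8.5), and then simulates WireGuard's "cryptokey routing" to show what AllowedIPs does on each side: on the sending host it picks the peer for a destination (longest prefix wins), and on the receiving host a decrypted packet is dropped unless its source address is inside that peer's AllowedIPs. The tunnel addresses (10.0.0.x), key and endpoint placeholders, and the sample packets are constructed, not from the thread.

```python
"""Two-site WireGuard tunnel modelled in Python (added example, not from the thread).

Renders one config per site and simulates cryptokey routing in both directions.
LAN subnets come from the question; tunnel addresses, keys, endpoints and
sample packets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    """One [Peer] section as configured on a WireGuard host."""
    name: str
    public_key: str
    allowed_ips: List[ipaddress.IPv4Network]
    endpoint: Optional[str] = None


def parse_allowed(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma separated AllowedIPs value into networks."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def select_peer(peers: List[Peer], dst: str) -> Optional[Peer]:
    """Outbound lookup: the peer whose AllowedIPs contain dst with the longest prefix."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer: Peer, src: str) -> bool:
    """Inbound check: a packet decrypted from peer is kept only if src is in its AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peer.allowed_ips)


def simulate(sender_peers, receiver_peers, sender_public_key, src, dst) -> str:
    """Follow one LAN packet from the sending site's WireGuard host to the receiving site's."""
    peer = select_peer(sender_peers, dst)
    if peer is None:
        return "no-route"  # no [Peer] claims dst, so it never enters the tunnel
    # The receiver knows which peer sent the packet by the key it was decrypted with.
    entry = next(p for p in receiver_peers if p.public_key == sender_public_key)
    return "delivered" if accept_inbound(entry, src) else "dropped-at-receiver"


def render_config(address: str, listen_port: int, peers: List[Peer]) -> str:
    """Render a wg-quick config; wg-quick adds a route for every AllowedIPs entry."""
    lines = ["[Interface]", f"Address = {address}", f"ListenPort = {listen_port}",
             "PrivateKey = <PRIVATE_KEY>"]  # placeholder: wg genkey
    for p in peers:
        lines += ["", f"# peer: {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  "AllowedIPs = " + ", ".join(str(n) for n in p.allowed_ips)]
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
    return "\n".join(lines) + "\n"


def router_static_route(remote_subnet: str, wg_host_lan_ip: str) -> str:
    """Route the LAN router needs when WireGuard runs on a host rather than on the router."""
    return f"ip route add {remote_subnet} via {wg_host_lan_ip}"


HOME_KEY = "<HOME_PUBLIC_KEY>"        # placeholder: wg genkey | wg pubkey
PARENTS_KEY = "<PARENTS_PUBLIC_KEY>"  # placeholder

# Home site (192.168.16.0/24): only two hosts at the parents' site are allowed,
# following the restriction example from the thread.
home_peers = [Peer("parents", PARENTS_KEY,
                   parse_allowed("10.0.0.2/32, 192.168.8.4/32, 192.168.8.5/32"),
                   endpoint="<parents-ddns-name>:51820")]

# Parents' site (192.168.8.0/24): the whole home subnet is allowed.
parents_peers = [Peer("home", HOME_KEY,
                      parse_allowed("10.0.0.1/32, 192.168.16.0/24"),
                      endpoint="<home-ddns-name>:51820")]

if __name__ == "__main__":
    print(render_config("10.0.0.1/24", 51820, home_peers))
    print(render_config("10.0.0.2/24", 51820, parents_peers))
    print("home router:", router_static_route("192.168.8.0/24", "<home-wg-host-lan-ip>"))
    for sender, receiver, key, src, dst in [
        (home_peers, parents_peers, HOME_KEY, "192.168.16.10", "192.168.8.4"),
        (home_peers, parents_peers, HOME_KEY, "192.168.16.10", "192.168.8.20"),
        (parents_peers, home_peers, PARENTS_KEY, "192.168.8.4", "192.168.16.10"),
        (parents_peers, home_peers, PARENTS_KEY, "192.168.8.20", "192.168.16.10"),
    ]:
        print(f"{src} -> {dst}: {simulate(sender, receiver, key, src, dst)}")
```

Two things the simulation makes visible. First, the restriction lives on the side that configures it: with home's AllowedIPs cut down to 192.168.8.4/32 and .5/32, home cannot route to 192.168.8.20 at all, and a packet that 192.168.8.20 sends towards home is still encrypted and forwarded by the parents' host but dropped by home, because its source is outside the peer's AllowedIPs. Second, AllowedIPs filters by the remote source address, not by which local hosts are reachable; if you want one side to reach the whole remote subnet while the other side may only reach a few hosts, AllowedIPs gets the full subnets and the destination restriction is a firewall rule on the WireGuard host. Both WireGuard hosts also need IP forwarding enabled (net.ipv4.ip_forward=1) for LAN hosts behind them to use the tunnel.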

Feel free: