This article will show you how to set up a Hub and Spoke WireGuard VPN (Virtual Private Network) with end-to-end encryption (E2EE ). With a normal hub-and-spoke configuration, the connection between the hub and each spoke is encrypted, but the connections between the spokes are not — the hub decrypts and then re-encrypts WireGuard traffic as it forwards it from spoke to spoke.
That’s fine if you trust the hub; but if you want a true zero-trust network architecture (ZTNA ), you don’t trust the hub. Instead, you create a separate, end-to-end encrypted WireGuard tunnel between each pair of spokes, tunneling through the WireGuard connection between the hub and the spokes.
In this example, we want Endpoint A, behind a NAT (Network Address Translation) router in Site A, to be able to access a private web app hosted by Endpoint B behind another NAT router in Site B. To do so, we first set up Endpoint A to connect over one WireGuard tunnel to Host C in a third site, Site C, with a public IP address of 192.0.2.3; and do the same for Endpoint B.
Within this first WireGuard VPN , Endpoint A has an IP address of 10.0.0.1, Endpoint B has an IP address of 10.0.0.2, and Host C has an IP address of 10.0.0.3. Through this VPN , Endpoint A can use 10.0.0.2 to connect to Endpoint B, and Endpoint B can respond to Endpoint A at 10.0.0.1.