
WireGuard End-to-End Encrypted Hub-and-Spoke

Submitted by
Style Pass
2022-06-23 09:30:08

This article will show you how to set up a Hub and Spoke WireGuard VPN (Virtual Private Network) with end-to-end encryption (E2EE). With a normal hub-and-spoke configuration, the connection between the hub and each spoke is encrypted, but the connections between the spokes are not — the hub decrypts and then re-encrypts WireGuard traffic as it forwards it from spoke to spoke.

That’s fine if you trust the hub; but if you want a true zero-trust network architecture (ZTNA), you don’t trust the hub. Instead, you create a separate, end-to-end encrypted WireGuard tunnel between each pair of spokes, tunneling through the WireGuard connection between the hub and the spokes.

In this example, we want Endpoint A, behind a NAT (Network Address Translation) router in Site A, to be able to access a private web app hosted by Endpoint B behind another NAT router in Site B. To do so, we first set up Endpoint A to connect over one WireGuard tunnel to Host C in a third site, Site C, with a public IP address of 192.0.2.3; and do the same for Endpoint B.

Within this first WireGuard VPN, Endpoint A has an IP address of 10.0.0.1, Endpoint B has an IP address of 10.0.0.2, and Host C has an IP address of 10.0.0.3. Through this VPN, Endpoint A can use 10.0.0.2 to connect to Endpoint B, and Endpoint B can respond to Endpoint A at 10.0.0.1.
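As an added illustration (example configuration written for this page, not the article's own files), the following wg-quick fragments show the two layers described above: the outer hub-and-spoke VPN using the 10.0.0.0/24 addresses and the hub's public IP 192.0.2.3, and an inner spoke-to-spoke tunnel that rides inside it. The inner addresses (10.0.1.1 and 10.0.1.2), the listen ports (51820 and 51821), the interface names and all key values are assumptions; every key is a placeholder to be replaced with output of `wg genkey` / `wg pubkey`, and the inner tunnel must use its own keypairs so the hub never holds material that could decrypt spoke-to-spoke traffic.

```ini
# ---- Host C (hub), /etc/wireguard/wg0.conf (assumed path) ----
# Hub only forwards outer packets between spokes; it needs
# net.ipv4.ip_forward=1 but never sees inner-tunnel keys.
[Interface]
Address = 10.0.0.3/24
ListenPort = 51820
PrivateKey = <HOST_C_OUTER_PRIVATE_KEY>

[Peer]
# Endpoint A: hub accepts and routes only A's outer address
PublicKey = <ENDPOINT_A_OUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32

[Peer]
# Endpoint B
PublicKey = <ENDPOINT_B_OUTER_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

# ---- Endpoint A (spoke), wg0.conf: outer tunnel to the hub ----
[Interface]
Address = 10.0.0.1/24
PrivateKey = <ENDPOINT_A_OUTER_PRIVATE_KEY>

[Peer]
PublicKey = <HOST_C_OUTER_PUBLIC_KEY>
Endpoint = 192.0.2.3:51820
# Whole outer subnet via the hub, so 10.0.0.2 is reachable
AllowedIPs = 10.0.0.0/24
# Keep the NAT mapping alive so the hub can reach A
PersistentKeepalive = 25
# (Endpoint B's wg0.conf mirrors this with Address = 10.0.0.2/24)

# ---- Endpoint A, wg1.conf: inner E2EE tunnel to Endpoint B ----
[Interface]
Address = 10.0.1.1/24
PrivateKey = <ENDPOINT_A_INNER_PRIVATE_KEY>

[Peer]
PublicKey = <ENDPOINT_B_INNER_PUBLIC_KEY>
# Endpoint is B's *outer* address, so handshakes traverse wg0
Endpoint = 10.0.0.2:51821
AllowedIPs = 10.0.1.2/32
PersistentKeepalive = 25

# ---- Endpoint B, wg1.conf: inner E2EE tunnel, listens inside wg0 ----
[Interface]
Address = 10.0.1.2/24
ListenPort = 51821
PrivateKey = <ENDPOINT_B_INNER_PRIVATE_KEY>

[Peer]
PublicKey = <ENDPOINT_A_INNER_PUBLIC_KEY>
AllowedIPs = 10.0.1.1/32
```

With both layers up, Endpoint A reaches the web app at 10.0.1.2 rather than 10.0.0.2, and a packet capture on the hub shows only outer WireGuard datagrams whose payload is a second, independently keyed WireGuard session.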
