Relaying Traffic via a WireGuard Server

This example shows how to configure Streamer and Player to relay encrypted traffic via a regular standalone WireGuard server at gateway.example.com (replace this with your actual WireGuard server domain name or IP address). The Streamer uses two LTE modems while the Player is connected over a wired broadband connection.

All links should be configured as Initiators. This may seem unusual, but it is required because the Streamer and Player links don't communicate directly; they communicate through the WireGuard server.

Replace

  • WIREGUARD_SERVER_PRIVATE_KEY
  • WIREGUARD_SERVER_PUBLIC_KEY
  • WIREGUARD_STREAMER_LINK_0_PUBLIC_KEY
  • WIREGUARD_STREAMER_LINK_1_PUBLIC_KEY
  • WIREGUARD_PLAYER_LINK_0_PUBLIC_KEY
  • WIREGUARD_PLAYER_LINK_1_PUBLIC_KEY

below with the actual values.

Streamer

Link #0

  Mode                                   Initiator
  Bind Addr.                             192.168.8.10
  Destination Addr.                      gateway.example.com
  Encryption > Allowed Public Keys       WIREGUARD_SERVER_PUBLIC_KEY
  Encryption > Advanced > Internal src.  10.200.0.10
  Encryption > Advanced > Internal dst.  10.200.0.30

Link #1

  Mode                                   Initiator
  Bind Addr.                             192.168.10.10
  Destination Addr.                      gateway.example.com
  Encryption > Allowed Public Keys       WIREGUARD_SERVER_PUBLIC_KEY
  Encryption > Advanced > Internal src.  10.200.0.20
  Encryption > Advanced > Internal dst.  10.200.0.40

Generate a key pair for each link and copy each link's public key to your WireGuard server.

This configuration assumes that the Streamer computer is connected to two modems through two different network interfaces, with the IPs 192.168.8.10 and 192.168.10.10, respectively. The interfaces are configured using Linux routing tables to send traffic through the appropriate modem, i.e. the interface with IP 192.168.8.10 sends all traffic through the modem with IP 192.168.8.1.

Player

Link #0

  Mode                                   Initiator
  Bind Addr.                             0.0.0.0
  Destination Addr.                      gateway.example.com
  Encryption > Allowed Public Keys       WIREGUARD_SERVER_PUBLIC_KEY
  Encryption > Advanced > Internal src.  10.200.0.30
  Encryption > Advanced > Internal dst.  10.200.0.10

Link #1

  Mode                                   Initiator
  Bind Addr.                             0.0.0.0
  Destination Addr.                      gateway.example.com
  Encryption > Allowed Public Keys       WIREGUARD_SERVER_PUBLIC_KEY
  Encryption > Advanced > Internal src.  10.200.0.40
  Encryption > Advanced > Internal dst.  10.200.0.20

Generate a key pair for each link and copy each link's public key to your WireGuard server.

WireGuard Server

Example /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.0.1/24
PrivateKey = WIREGUARD_SERVER_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = WIREGUARD_STREAMER_LINK_0_PUBLIC_KEY
AllowedIPs = 10.200.0.10/32

[Peer]
PublicKey = WIREGUARD_STREAMER_LINK_1_PUBLIC_KEY
AllowedIPs = 10.200.0.20/32

[Peer]
PublicKey = WIREGUARD_PLAYER_LINK_0_PUBLIC_KEY
AllowedIPs = 10.200.0.30/32

[Peer]
PublicKey = WIREGUARD_PLAYER_LINK_1_PUBLIC_KEY
AllowedIPs = 10.200.0.40/32
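
A consistency check for the three configurations above, as an added example (not part of the original page or of the product's tooling). It goes beyond the page by also flagging AllowedIPs entries that are wider than a single host or that overlap between peers; the function names and the sample built from the page's placeholder key names are assumptions of this example.

```python
import ipaddress

# Constructed sample: the page's wg0.conf, with its placeholder key names.
PAGE_PEERS = [("WIREGUARD_STREAMER_LINK_0_PUBLIC_KEY", "10.200.0.10/32"),
              ("WIREGUARD_STREAMER_LINK_1_PUBLIC_KEY", "10.200.0.20/32"),
              ("WIREGUARD_PLAYER_LINK_0_PUBLIC_KEY", "10.200.0.30/32"),
              ("WIREGUARD_PLAYER_LINK_1_PUBLIC_KEY", "10.200.0.40/32")]
WG0_CONF = "[Interface]\nAddress = 10.200.0.1/24\nListenPort = 51820\n" + "".join(
    f"[Peer]\nPublicKey = {key}\nAllowedIPs = {ips}\n" for key, ips in PAGE_PEERS)
# (Internal src., Internal dst.) per link, copied from the tables on this page.
STREAMER = [("10.200.0.10", "10.200.0.30"), ("10.200.0.20", "10.200.0.40")]
PLAYER = [("10.200.0.30", "10.200.0.10"), ("10.200.0.40", "10.200.0.20")]

def parse_peers(conf):
    """Return [(public_key, ip_network), ...] for every AllowedIPs entry."""
    entries, section, key = [], None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, key = line.strip("[]").lower(), None
        elif section == "peer" and "=" in line:
            name, _, value = (part.strip() for part in line.partition("="))
            if name == "PublicKey":
                key = value
            elif name == "AllowedIPs":
                entries += [(key, ipaddress.ip_network(v.strip(), strict=False))
                            for v in value.split(",")]
    return entries

def check_relay(conf, streamer, player):
    """Return a list of problems; an empty list means the three configs agree."""
    nets, problems = parse_peers(conf), []
    for i, (key, net) in enumerate(nets):
        # AllowedIPs is also the source filter: a wide prefix lets one key
        # send with another link's internal address.
        if net.prefixlen != net.max_prefixlen:
            problems.append(f"{key}: AllowedIPs {net} is wider than one host")
        for other_key, other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{key} and {other_key} overlap: {net}, {other}")
    for side, links in (("Streamer", streamer), ("Player", player)):
        for n, (src, dst) in enumerate(links):
            for ip in (src, dst):
                if not any(ipaddress.ip_address(ip) in net for _, net in nets):
                    problems.append(f"{side} link #{n}: {ip} matches no peer")
    for n, (src, dst) in enumerate(streamer):
        if (dst, src) not in player:
            problems.append(f"Streamer link #{n} {src}->{dst} has no mirrored Player link")
    return problems

if __name__ == "__main__":
    print(check_relay(WG0_CONF, STREAMER, PLAYER) or "configuration is consistent")
```
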