One of the main considerations when choosing a WireGuard implementation layout is whether to use one tunnel with many peers, or one tunnel per peer.
Routing to WireGuard Peers
WireGuard uses what it calls “Cryptokey Routing” to map traffic inside WireGuard to a specific peer, which is then encrypted using the public key for that peer. In practice, this means that when multiple peers are defined on a WireGuard instance, every network which will be routed to a given peer must be defined on that peer. This can make managing networks and routes cumbersome.
When there is only one peer on a WireGuard interface, it can instead assume that the one peer is the correct destination for all traffic which crosses the interface (e.g. Allowed IPs set to 0.0.0.0/0 or ::/0). And in that case, a routing protocol such as BGP or OSPF can manage the operating system routing to the neighbor instead of static routes.
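As an added illustration (not code from the pfSense documentation or the WireGuard project) of how cryptokey routing decides which peer a packet belongs to, the following Python models the Allowed IPs lookup for both layouts described above, and also shows the inbound direction, where a decrypted packet is only accepted if its source address falls within the sending peer's Allowed IPs. Peer names and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample layouts. The "keys" are placeholder labels, not real WireGuard keys.
# Layout 1: one tunnel, many peers; each peer must list every network routed to it.
MULTI_PEER = {
    "PEER_A_PUBKEY_PLACEHOLDER": ["10.10.1.0/24", "192.168.50.0/24"],
    "PEER_B_PUBKEY_PLACEHOLDER": ["10.10.2.0/24"],
}
# Layout 2: one tunnel, one peer; the peer claims everything, so the OS routing
# table (static routes or BGP/OSPF) decides what enters the tunnel at all.
SINGLE_PEER = {
    "PEER_C_PUBKEY_PLACEHOLDER": ["0.0.0.0/0", "::/0"],
}


def build_table(peers):
    """Flatten a peer -> Allowed IPs mapping into (network, peer) entries."""
    return [(ipaddress.ip_network(cidr), peer)
            for peer, cidrs in peers.items() for cidr in cidrs]


def outbound_peer(table, dst):
    """Outbound cryptokey routing: pick the peer whose Allowed IPs contain dst.

    Longest prefix wins when ranges overlap. Returns None when no peer claims
    the destination, which is the case WireGuard drops the packet.
    """
    dst = ipaddress.ip_address(dst)
    matches = [(net, peer) for net, peer in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def inbound_allowed(table, peer, src):
    """Inbound cryptokey routing: after decryption proves the packet came from
    `peer`, accept it only if its source address is inside that peer's Allowed IPs.
    This is what stops one peer from injecting traffic that claims another
    peer's addresses."""
    src = ipaddress.ip_address(src)
    return any(p == peer and src in net for net, p in table)


if __name__ == "__main__":
    multi = build_table(MULTI_PEER)
    single = build_table(SINGLE_PEER)
    print("multi-peer  10.10.2.7   ->", outbound_peer(multi, "10.10.2.7"))
    print("multi-peer  172.16.0.1  ->", outbound_peer(multi, "172.16.0.1"))
    print("single-peer 172.16.0.1  ->", outbound_peer(single, "172.16.0.1"))
    print("peer A claiming 10.10.2.7 accepted?", inbound_allowed(multi, "PEER_A_PUBKEY_PLACEHOLDER", "10.10.2.7"))
```

In the multi-peer layout a destination that no peer lists is dropped rather than routed, which is the administrative burden the text describes; in the single-peer layout every destination resolves to the one peer.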
Design Style
WireGuard does not have a concept of “Client” and “Server” per se, but depending on the configuration the firewall can behave in a manner similar to a “Client” (initiates locally, remote never initiates) or “Server” (never initiates, remotes always initiate).
Technically every WireGuard tunnel is a peer to peer connection, but there are three main ways a WireGuard tunnel can be configured depending on whether or not a peer endpoint is known or defined:
Site-to-Site (peer endpoint filled in on both sides)
Remote Access “Server” (endpoint only filled in on remote peers)
Remote Access “Client” (endpoint only filled in locally, not on the “server” peer)
Any of those roles can technically be configured no matter how the peer endpoint settings are defined, but not defining an endpoint on one side or the other limits the capacity in which a peer can operate.
Typically, a tunnel is defined with a known peer IP address or hostname for the endpoint, which could take advantage of Dynamic DNS for dynamic peers. This is the most secure method as it locks the tunnel down to specific known peers, but that is not always practical.
In the case of remote access style setups, the peer endpoint address is typically unknown and can change at any time. In this case, the peer endpoint can be left blank and WireGuard will accept connections from any remote address, validating the key instead.
Note
WireGuard supports roaming automatically, and can detect when a peer has changed IP addresses. WireGuard will recognize that authenticated data is coming from a new address and update itself accordingly.