Site to Site VPN Using Wireguard on EdgeRouter.

Wireguard and OpenVPN on EdgeRouter.

Project description

The customer, an auto parts supplier, wanted to connect three of their sites together so they could use a Windows desktop client to access their SAP Business One application. One location was the main office with administrative functions, another was a retail outlet and the third was a factory where some of the parts were manufactured. The SAP application server was located at the main office. Each location had a local Internet link, workstations and Yealink IP phones. There was also one Yealink handset at the MD’s residence that they wanted to use to make calls to any of the company locations. The MD also required remote access to the SAP application remotely during off-hours.

Our Solution

We chose Wireguard VPN for its lightweight and cryptographically modern design, with good support for roaming clients and connections using dynamic IP addresses.

We obtained three EdgeRouter 4 (ER-4) units, one for each location, installed and configured the Wireguard VPN package in a full mesh configuration. Unique pre-shared keys were used for each client for additional security.

We configured a single peer per interface, disabled route-allowed-ips and configured allowed-ips to

The OSPF routing protocol was enabled on each Wireguard interface connecting to an office location to advertise routes to connected routers. A third Wireguard interface was configured on the Main Office EdgeRouter for remote access to company resources from the MD’s laptop. The Wireguard interface was configured with a single peer corresponding to the MD’s Wireguard public key.
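As an added example (not the customer's configuration or anything shipped by Ubiquiti or the Wireguard project), the Python script below generates the EdgeOS `set` commands for the full-mesh design described above: one Wireguard interface per remote site, exactly one peer per interface, `route-allowed-ips false`, a unique preshared key per site pair that both ends must share, a WAN_LOCAL firewall rule for each listen port, and OSPF network statements for the LAN and the transit /30 links. Site names, LAN subnets, endpoint hostnames, ports and the `<...-pubkey>` placeholders are constructed; the page does not state the allowed-ips value used, so `0.0.0.0/0` is assumed here; the command syntax follows the wireguard-vyatta-ubnt package as I recall it and should be checked against that package's README before pasting into `configure`.

```python
"""Generate EdgeOS 'set' commands for a full-mesh Wireguard site-to-site VPN.

Added example; sites, subnets, hostnames and keys are constructed placeholders.
"""
import base64
import ipaddress
import os
from itertools import combinations

# Constructed placeholder sites: name -> LAN subnet and public endpoint.
SITES = {
    "main":    {"lan": "10.1.0.0/24", "wan": "main.example.invalid"},
    "retail":  {"lan": "10.2.0.0/24", "wan": "retail.example.invalid"},
    "factory": {"lan": "10.3.0.0/24", "wan": "factory.example.invalid"},
}
TRANSIT = ipaddress.ip_network("10.255.0.0/24")  # carved into /30 transit links
BASE_PORT = 51820
KEEPALIVE = 25  # seconds; keeps the tunnel open through NAT / dynamic IP changes


def gen_psk():
    """32 random bytes, base64 encoded: the same format `wg genpsk` prints."""
    return base64.b64encode(os.urandom(32)).decode()


def interface_cmds(me, other, other_site, link):
    """Commands for one wg interface at site `me` pointing at site `other`."""
    wg = f"interfaces wireguard {link[me]['if']}"
    # Placeholder: the real value is the remote interface's public key
    # (wg pubkey < /config/auth/<if>.key on the remote router).
    peer = f"{wg} peer <{other}-{link[other]['if']}-pubkey>"
    rule = f"firewall name WAN_LOCAL rule {100 + link['port'] - BASE_PORT}"
    return [
        f"set {wg} address {link[me]['addr']}",
        f"set {wg} description to-{other}",
        f"set {wg} listen-port {link['port']}",
        f"set {wg} private-key /config/auth/{link[me]['if']}.key",
        # With route-allowed-ips false, allowed-ips is only the cryptokey
        # routing filter: no default route is installed, and OSPF decides
        # which tunnel carries each prefix. 0.0.0.0/0 also admits the
        # 224.0.0.5 OSPF hellos, which a narrower filter would drop.
        f"set {wg} route-allowed-ips false",
        f"set {peer} allowed-ips 0.0.0.0/0",
        f"set {peer} endpoint {other_site['wan']}:{link['port']}",
        f"set {peer} preshared-key {link['psk']}",
        f"set {peer} persistent-keepalive {KEEPALIVE}",
        f"set {rule} action accept",
        f"set {rule} protocol udp",
        f"set {rule} destination port {link['port']}",
    ]


def ospf_cmds(me, site, links):
    """Advertise the LAN and every transit /30 this site terminates."""
    mine = [link for pair, link in links.items() if me in pair]
    router_id = mine[0][me]["addr"].split("/")[0]
    cmds = [f"set protocols ospf parameters router-id {router_id}",
            f"set protocols ospf area 0 network {site['lan']}"]
    cmds += [f"set protocols ospf area 0 network {l['net']}" for l in mine]
    return cmds


def build_mesh(sites):
    """Return (configs, links).

    configs: site -> list of EdgeOS 'set' commands
    links:   (a, b) -> dict with the pair's psk, port, transit net and,
             per site, the interface name and address at that end
    """
    subnets = TRANSIT.subnets(new_prefix=30)
    configs = {s: [] for s in sites}
    next_if = {s: 0 for s in sites}
    links = {}
    for idx, (a, b) in enumerate(combinations(sites, 2)):
        net = next(subnets)
        hosts = list(net.hosts())
        # One port per link; each site then has a distinct port per interface.
        link = {"psk": gen_psk(), "port": BASE_PORT + idx, "net": str(net)}
        for me, addr in ((a, hosts[0]), (b, hosts[1])):
            link[me] = {"if": f"wg{next_if[me]}", "addr": f"{addr}/{net.prefixlen}"}
            next_if[me] += 1
        for me, other in ((a, b), (b, a)):
            configs[me] += interface_cmds(me, other, sites[other], link)
        links[(a, b)] = link
    for s in sites:
        configs[s] += ospf_cmds(s, sites[s], links)
    return configs, links


if __name__ == "__main__":
    configs, _ = build_mesh(SITES)
    for site, cmds in configs.items():
        print(f"# ---- {site} ----")
        print("\n".join(cmds))
```

Generate a private key per interface on each router (`wg genkey | tee /config/auth/wg0.key | wg pubkey`), substitute the printed public keys for the `<site-wgN-pubkey>` placeholders, then paste each site's block into `configure` followed by `commit` and `save`. Keeping the per-pair preshared key in one generated table is the point of scripting this: a PSK typed differently at the two ends fails silently as a handshake that never completes.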

The Wireguard package for Windows was installed on the laptop and configured with the Main Office router’s public IP and wg2 public key.

We deployed an OpenVPN server instance on the EdgeRouter located at the Main Office. The OVPN instance was configured with TLS Authentication and a client certificate and key were generated for the Yealink handset at the MD’s residence. The OpenVPN server was configured to push routes corresponding to each office location’s IP phone subnet/VLAN.

Project Outcomes

  • Connectivity was established between the three office locations using a modern, secure and stateless VPN protocol. Office locations with dynamic public IP addresses could reconnect seamlessly whenever the public IP changed.
  • Users at the three locations could access the SAP application server using a desktop client and work in real-time.
  • Company staff could use IP phones to communicate across office locations and no longer needed to use cell phones to communicate.
  • The MD could now access the application server at any time during off-hours to view the day’s activities and could call any office location from the IP handset at their residence.

All identifying customer information has been changed or redacted.
