How to Set Up WireGuard VPN Relay
This quick tutorial is going to show you how to set up VPN relay between two servers so that when VPN users connect to server A, they will get the public IP address of server B.
Why Set Up VPN Relay?
Suppose there are two servers: server A and server B.
- You have a good connection to server A. Latency is very low and no packet is dropped.
- You have a bad connection to server B. Latency is high and packets are being dropped.
- The connection between server A and server B is good.
Naturally, you want to install the VPN on server A. But what if you want the Internet to see your traffic coming from server B’s IP address? That’s where VPN relay comes in.
I won’t go through every step in detail; this post covers the general steps and the key points.
Step 1: Set Up WireGuard VPN between the Client computer and server A
Step 2: Set Up WireGuard VPN Between Server A and Server B
- Server A acts as the VPN client.
- Server B acts as the VPN server.
You can use the tutorial linked in step 1. The only difference is that you create a second WireGuard config file on server A, so there will be two WireGuard config files on server A: one for connections from client computers, and the other (vpn-relay.conf) for the connection to server B.
sudo nano /etc/wireguard/vpn-relay.conf
Add the following lines. You need to change the private key and public key as appropriate. Also, replace 12.34.56.78 with server B’s public IP address.
[Interface]
Address = 10.10.10.200/32
PrivateKey = 7UKv5aEX2pVRA4Ncig81fSflaSSFRcoJOm75T9Ia4yM=
#Policy routing. Be sure to exclude port 22.
Table = 1234
PostUp = ip rule add dport 25-20480 table 1234;
PreDown = ip rule delete dport 25-20480 table 1234;
[Peer]
#Server B
PublicKey = ahUcxMSfNRYI0Kf9VFtVDB9TWoxX5cxi4thqHmz1NRI=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25
The configuration above uses policy routing: the PostUp rule sends traffic with destination ports 25-20480 to routing table 1234, which carries the route through the tunnel to server B, so most traffic from server A is passed to server B while SSH traffic is not. The SSH port must stay outside that range; otherwise the replies to your SSH session would be routed through server B and you would no longer be able to log into server A via SSH.
To start this WireGuard interface, run
sudo systemctl restart wg-quick@vpn-relay
Once this step is completed, run the following command on server A to check the public IP address.
curl -4 https://icanhazip.com
If WireGuard is configured correctly, you should see the public IP address of server B from the command output.
Step 3: Configure Firewall to Link Them Together
Now we need to configure the firewall on server A to forward traffic from VPN clients to server B.
Open the UFW config file.
sudo nano /etc/ufw/before.rules
You probably already have the following lines at the end of this file.
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o enp3s0 -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT
Change it to:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -d 0.0.0.0/0 -o vpn-relay -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT
Save and close the file. Then restart UFW.
sudo systemctl restart ufw
Now VPN traffic from the client will be redirected to server B. VPN clients will get server B’s public IP address.
That’s it!
Hello, thank you for your guides. How can I open ports after 24464?
When I try “ip rule add dport 22-90000 table 1234” ip rule gives me this result: “32765: from all dport 22-24464 lookup 1234”
Could this method prevent servers from blocking?
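A small shell check for the dport range used in the PostUp line of the relay config, added here as an example and not part of the original tutorial or the comments. It refuses ranges that cover the SSH port (which would route SSH replies into the relay and lock you out of server A, the failure the tutorial warns about) and ranges above 65535, since TCP/UDP ports are 16-bit; the 22-24464 result quoted in the comment above is what 22-90000 becomes once the value is reduced modulo 65536. SSH_PORT=22 is an assumption.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check a dport range before it goes into
# the WireGuard PostUp line "ip rule add dport START-END table 1234".

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd on server A listens on 22

is_port_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_dport_range START-END  (or a single port)
# prints "ok" or the reason the range must not be used; exit status 0 only for "ok"
check_dport_range() {
    range="$1"
    case "$range" in
        *-*) start="${range%-*}"; end="${range#*-}" ;;
        *)   start="$range"; end="$range" ;;
    esac
    if ! is_port_number "$start" || ! is_port_number "$end"; then
        echo "invalid: ports must be numeric"; return 1
    fi
    for p in "$start" "$end"; do
        # ports are 16-bit, so anything above 65535 cannot be a real port;
        # the value that survives is p mod 65536 (90000 -> 24464)
        if [ "$p" -gt 65535 ]; then
            echo "invalid: $p exceeds the 16-bit port limit (would wrap to $((p % 65536)))"; return 1
        fi
    done
    if [ "$start" -gt "$end" ]; then
        echo "invalid: start $start is greater than end $end"; return 1
    fi
    if [ "$start" -le "$SSH_PORT" ] && [ "$SSH_PORT" -le "$end" ]; then
        echo "unsafe: SSH port $SSH_PORT lies inside $range; SSH replies would be sent to server B"; return 1
    fi
    echo "ok"
}

# render_rules START-END TABLE: emit the PostUp/PreDown pair in the tutorial's format
render_rules() {
    printf 'PostUp = ip rule add dport %s table %s;\n' "$1" "$2"
    printf 'PreDown = ip rule delete dport %s table %s;\n' "$1" "$2"
}

# usage with the tutorial's own values
check_dport_range 25-20480 && render_rules 25-20480 1234
```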
Just one missing aspect from this guide:
In addition to the Table line you need:
PostUp = iptables -A FORWARD -i vpn-relay -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d 0.0.0.0/0 -o vpn-relay -j MASQUERADE
PostUp = ip6tables -A FORWARD -i vpn-relay -j ACCEPT; ip6tables -t nat -A POSTROUTING -o vpn-relay -j MASQUERADE
PostDown = iptables -D FORWARD -i vpn-relay -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -d 0.0.0.0/0 -o vpn-relay -j MASQUERADE
PostDown = ip6tables -D FORWARD -i vpn-relay -j ACCEPT; ip6tables -t nat -D POSTROUTING -o vpn-relay -j MASQUERADE
If you want to forward all traffic to the end node without causing issues for accessing the server directly outside of WireGuard.