WireGuard VPN
Hub2 uses a UniFi WireGuard site-to-site VPN to connect to the homelabs.
Overview
| Property | Value |
|---|---|
| Location | hub2 (OVH Dedicated Server) |
| UK Interface | wg-uk |
| FR Interface | wg-fr |
| UK Hub2 IP | REDACTED_IP |
| FR Hub2 IP | REDACTED_IP |
Architecture
```
                     ┌─────────────────────────┐
                     │  hub2 (OVH Dedicated)   │
                     │  51.68.235.106          │
                     │                         │
                     │  wg-uk: REDACTED_IP     │
                     │  wg-fr: REDACTED_IP     │
                     └───────────┬─────────────┘
                                 │
          ┌──────────────────────┼──────────────────────┐
          │ WireGuard            │            WireGuard │
          ▼                      │                      ▼
┌───────────────────┐            │            ┌───────────────────┐
│  uk-ucg           │            │            │  fr-dnr-ucg       │
│  REDACTED_IP      │            │            │  REDACTED_IP      │
└─────────┬─────────┘            │            └─────────┬─────────┘
          │                      │                      │
┌─────────┴─────────┐            │            ┌─────────┴─────────┐
│  UK LAN           │            │            │  FR LAN           │
│  px1: REDACTED_IP │            │            │  px5: REDACTED_IP │
│  px2: REDACTED_IP │            │            │                   │
│  px3: REDACTED_IP │            │            │                   │
└───────────────────┘            │            └───────────────────┘
```
WireGuard Interfaces
Hub2 has two WireGuard interfaces configured:
wg-uk (UK Homelab)
| Property | Value |
|---|---|
| Hub2 IP | REDACTED_IP |
| Peer | uk-ucg (UniFi Cloud Gateway) |
| Routed Subnet | REDACTED_SUBNET |
wg-fr (FR Homelab)
| Property | Value |
|---|---|
| Hub2 IP | REDACTED_IP |
| Peer | fr-dnr-ucg (UniFi Cloud Gateway) |
| Routed Subnet | REDACTED_SUBNET |
Connectivity Check
Check WireGuard status
```bash
# Show all WireGuard interfaces
sudo wg show
# Show specific interface
sudo wg show wg-uk
sudo wg show wg-fr
```
Test connectivity
```bash
# Test UK homelab
ping REDACTED_IP # UK UCG
ping REDACTED_IP # px1
# Test FR homelab
ping REDACTED_IP # FR UCG
ping REDACTED_IP # px5
```
SSH Access
From hub2, you can SSH directly to homelab devices via WireGuard:
```bash
# Proxmox nodes
ssh root@REDACTED_IP # px1
ssh root@REDACTED_IP # px2
ssh root@REDACTED_IP # px3
ssh root@REDACTED_IP # px5
# UniFi gateways (if SSH enabled)
ssh root@REDACTED_IP # uk-ucg
ssh root@REDACTED_IP # fr-dnr-ucg
```
Configuration
WireGuard is configured via systemd-networkd on hub2. Configuration files are in /etc/systemd/network/.
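View configuration
```bash
# List network files
ls /etc/systemd/network/
# View WireGuard config
# The .netdev file holds the interface private key when PrivateKey= is set inline,
# so it is normally not world-readable; read it with sudo.
sudo cat /etc/systemd/network/wg-uk.netdev
cat /etc/systemd/network/wg-uk.network
```
Restart WireGuard
```bash
sudo systemctl restart systemd-networkd
```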
WireGuard Advantages
| Feature | Benefit |
|---|---|
| Simplicity | Simple kernel module, minimal config |
| No Dependencies | Built into Linux kernel |
| Static Config | No control plane or authentication service |
| Low Maintenance | Minimal updates needed |
| Native UniFi | Built-in support on UCG devices |
Troubleshooting
WireGuard interface not up
```bash
# Check interface status
ip link show wg-uk
ip link show wg-fr
# Check for errors
journalctl -u systemd-networkd -n 50
```
No handshake with peer
```bash
# Check WireGuard status
sudo wg show wg-uk
# If "latest handshake" is missing, check:
# 1. Firewall rules on both ends
# 2. Public key configuration
# 3. Endpoint reachability
```
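
A scripted version of the handshake check above, as an added example (not part of the original page or hub2's own tooling): it reads `wg show <iface> latest-handshakes` and reports peers that have never completed a handshake or whose last one is older than a threshold. The 180-second default and the script name are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not hub2's own tooling): report WireGuard peers whose
# latest handshake is missing or older than MAX_AGE seconds.
# MAX_AGE=180 is an assumed threshold; tune it to your keepalive settings.
MAX_AGE="${MAX_AGE:-180}"

# stale_peers NOW MAX_AGE
# stdin: output of `wg show <iface> latest-handshakes`, one
# "<peer-public-key><TAB><unix-timestamp>" line per peer (0 = never).
# stdout: one line per unhealthy peer; exit status 1 if any were found.
stale_peers() {
  awk -F'\t' -v now="$1" -v max="$2" '
    NF < 2             { next }
    $2 == 0            { printf "%s never\n", $1; bad = 1; next }
    (now - $2) > max   { printf "%s stale %ds\n", $1, now - $2; bad = 1 }
    END                { exit bad + 0 }
  '
}

# check_iface IFACE: run the check against a live interface (needs root).
check_iface() {
  local iface="$1" out bad
  if ! out="$(wg show "$iface" latest-handshakes 2>&1)"; then
    echo "$iface: cannot query: $out"
    return 2
  fi
  if [ -z "$out" ]; then
    echo "$iface: no peers configured"
    return 1
  fi
  if bad="$(printf '%s\n' "$out" | stale_peers "$(date +%s)" "$MAX_AGE")"; then
    echo "$iface: all peers have a recent handshake"
  else
    printf '%s\n' "$bad" | sed "s|^|$iface: |"
    return 1
  fi
}

# Usage (script name is hypothetical): sudo ./wg-health.sh wg-uk wg-fr
if [ "$#" -gt 0 ]; then
  rc=0
  for i in "$@"; do check_iface "$i" || rc=1; done
  exit "$rc"
fi
```

An idle tunnel without a persistent keepalive can legitimately show an old handshake, so treat a "stale" result as a prompt to run the three checks above rather than as proof of failure.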
Cannot reach homelab devices
```bash
# Check routing table (dots escaped so they match literally)
ip route | grep -E '10\.44|10\.35'
# Expected output:
# REDACTED_SUBNET dev wg-uk proto static
# REDACTED_SUBNET dev wg-fr proto static
```
Related Documentation
- hub2 - Central hub services
- Network Layout - Overall network architecture
- GMC - GMC relay uses WireGuard for backend connectivity