As the IPv4 address space depletes, a single NAT44 at the home router is no longer enough, so carriers and ISPs are resorting to NAT444 (CGNAT): multiple homes are pooled into the ISP's private address space (typically the shared range 100.64.0.0/10) and then translated to a single public IP at the carrier. Traditional port forwarding cannot be done here, because the translation to the public IP does not happen on the home's perimeter device; the home router can only forward ports on its ISP-assigned private address, which is unreachable from the Internet.

This is where WireGuard's ease of setup helps: the tunnel is initiated outward from the home side to a host that does have a public IP (an AWS EC2 instance here), and authentication follows a methodology similar to OpenSSH passwordless key-based login. All we need is a private/public key pair generated for each site (a peer, in WireGuard terminology), with each side configured with the other's public key.

NOTE:

  1. The IP range 10.10.10.0/24 will be used for the VPN in the example below; you can choose any range.
  2. 192.168.0.0/24 or 192.168.1.0/24 is assumed to be the IP range in use at home.

STEP-1 : Generate keys on AWS EC2 (Ubuntu AMI)

Run these as root (for example via sudo -i): /etc/wireguard is root-only, and umask 077 ensures the private key is created readable by root alone.

# apt install -y wireguard
# umask 077
# wg genkey > /etc/wireguard/privatekey
# wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey

STEP-2 : Generate keys on the Home Ubuntu PC (can be Linux, Windows, Android, or a WireGuard-capable router such as MikroTik)

Again as root, for the same reasons as in STEP-1:

# apt install -y wireguard
# umask 077
# wg genkey > /etc/wireguard/privatekey
# wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey

STEP-3 : Create Wireguard interface file in AWS EC2 Ubuntu instance

Content of /etc/wireguard/wg0.conf; paste the key contents (not the file paths) and adjust for your setup.
[Interface]
PrivateKey = <replace-with-content-of-aws-ec2-ubuntu-/etc/wireguard/privatekey>
ListenPort = 13231
Address = 10.10.10.1/24

[Peer]
#HOME SITE DETAILS
PublicKey = <replace-with-content-of-home-ubuntu-/etc/wireguard/publickey>
AllowedIPs = 10.10.10.10/32, 192.168.0.0/24, 192.168.1.0/24

AllowedIPs on this side does double duty: it is the set of source addresses accepted from the home peer and the set of destinations routed into the tunnel, so the home LAN ranges must be listed here for EC2 to reach them. Two more things must be true for the home peer to connect and for those LANs to be reachable: the EC2 security group must allow inbound UDP 13231 from the Internet (the home side's CGNAT source address is not predictable), and the home PC must have IP forwarding enabled (net.ipv4.ip_forward=1) with either a route back to 10.10.10.0/24 on the home LAN devices or masquerading on the home PC. Without that, EC2 reaches only 10.10.10.10.

STEP-4 : Enable the WireGuard service to start on boot and start it now

# systemctl enable wg-quick@wg0
# systemctl start wg-quick@wg0

STEP-5 : Create Wireguard interface file in HOME Ubuntu instance

Content of /etc/wireguard/wg0.conf; paste the key contents (not the file paths) and adjust for your setup.
[Interface]
PrivateKey = <replace-with-content-of-home-ubuntu-/etc/wireguard/privatekey>
ListenPort = 13231
Address = 10.10.10.10/32

[Peer]
#AWS SITE DETAILS
PublicKey = <replace-with-content-of-aws-ec2-ubuntu-/etc/wireguard/publickey>
Endpoint = <replace-with-your-aws-public-ip>:13231
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

The home side always initiates, so ListenPort is optional here; nothing can reach it through CGNAT anyway. Endpoint is the EC2 instance's public address, which changes on stop/start unless an Elastic IP is attached. PersistentKeepalive is what makes the CGNAT traversal work: the 25-second keepalive keeps the carrier's NAT mapping open so that packets from EC2 can still flow back into the tunnel after the home side has been idle. Note that AllowedIPs = 0.0.0.0/0, ::/0 is a full tunnel: wg-quick will route all of the home PC's traffic, Internet included, through EC2, which then needs IP forwarding and NAT on its Internet-facing interface for the home PC to keep reaching the Internet. If only site-to-site reachability is wanted, narrow it to AllowedIPs = 10.10.10.0/24 (plus the EC2 VPC range if needed).

STEP-6 : Enable the WireGuard service to start on boot and start it now

# systemctl enable wg-quick@wg0
# systemctl start wg-quick@wg0

STEP-7 : From Home Ubuntu initiate a ping to trigger the handshake

$ ping 10.10.10.1

WireGuard stays silent until there is traffic, so this first packet triggers the handshake. A reply confirms the tunnel; if there is none, look at wg show wg0 on either side: a missing or stale "latest handshake" usually means the EC2 security group is not allowing UDP 13231, or a key was pasted wrongly.
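The whole procedure in one script, as an added example that is not part of the original tutorial. It renders both wg0.conf files from a single set of variables so that the public keys cross correctly and a pasted file path is rejected instead of a key, and after start-up it verifies the tunnel by parsing `wg show wg0 dump` rather than relying on ping alone. All function and variable names are the example's own; the IP plan follows the NOTE above, and the home-side AllowedIPs is deliberately narrowed to the VPN range (site-to-site) instead of the tutorial's 0.0.0.0/0 full tunnel.

```shell
#!/bin/sh
# Added example for the WireGuard-over-CGNAT tutorial; not the page's own code.
# Usage:
#   sh wg-site.sh render AWS_PRIV HOME_PUB HOME_PRIV AWS_PUB AWS_PUBLIC_IP
#   sh wg-site.sh check     (on either peer, after: systemctl start wg-quick@wg0)

VPN_NET="10.10.10.0/24"
AWS_VPN_IP="10.10.10.1"
HOME_VPN_IP="10.10.10.10"
HOME_LANS="192.168.0.0/24, 192.168.1.0/24"
WG_PORT="13231"

# A WireGuard key is 32 bytes, so its base64 form is 43 characters plus one '='.
# This catches the classic mistake of pasting the key *file path* into the config.
valid_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# render_aws_conf AWS_PRIVATE_KEY HOME_PUBLIC_KEY -> prints the EC2-side wg0.conf
render_aws_conf() {
  valid_key "$1" && valid_key "$2" || return 1
  cat <<EOF
[Interface]
PrivateKey = $1
ListenPort = $WG_PORT
Address = $AWS_VPN_IP/24

[Peer]
# HOME SITE DETAILS
PublicKey = $2
AllowedIPs = $HOME_VPN_IP/32, $HOME_LANS
EOF
}

# render_home_conf HOME_PRIVATE_KEY AWS_PUBLIC_KEY AWS_PUBLIC_IP -> prints the home-side wg0.conf
# No ListenPort: the home side only initiates. AllowedIPs is the VPN range only
# (site-to-site), so the home PC's Internet traffic is not pulled through EC2.
render_home_conf() {
  valid_key "$1" && valid_key "$2" || return 1
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $HOME_VPN_IP/32

[Peer]
# AWS SITE DETAILS
PublicKey = $2
Endpoint = $3:$WG_PORT
AllowedIPs = $VPN_NET
PersistentKeepalive = 25
EOF
}

# peer_line_status PEER_LINE NOW_EPOCH -> prints "ok" or "stale"
# PEER_LINE is one peer row of `wg show wg0 dump` (tab-separated fields):
#   pubkey  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# WireGuard rejects a session 180 s after its last handshake, and the 25 s keepalive
# keeps renewing it, so anything older than that (or 0 = never) means the tunnel is
# down: typically UDP 13231 blocked by the EC2 security group, or a wrong key.
peer_line_status() {
  hs=$(printf '%s\n' "$1" | awk -F'\t' '{ print $5 }')
  hs=${hs:-0}
  if [ "$hs" -gt 0 ] && [ $(( $2 - hs )) -le 180 ]; then
    echo ok
  else
    echo stale
  fi
}

# Live check on a running peer: one "<peer public key> ok|stale" line per peer.
check_tunnel() {
  now=$(date +%s)
  wg show wg0 dump | tail -n +2 | while IFS= read -r line; do
    pub=$(printf '%s\n' "$line" | awk -F'\t' '{ print $1 }')
    echo "$pub $(peer_line_status "$line" "$now")"
  done
}

case "${1:-}" in
  render) render_aws_conf "$2" "$3"; echo "----"; render_home_conf "$4" "$5" "$6" ;;
  check)  check_tunnel ;;
esac
```

Run `render` once with the four key contents and the EC2 public IP, split the output at the `----` marker into the two wg0.conf files, then run `check` on each side after `systemctl start wg-quick@wg0`; a `stale` result with traffic flowing is the signal to look at the security group and the keys before anything else.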