{"id":1279,"date":"2025-02-25T14:26:35","date_gmt":"2025-02-25T13:26:35","guid":{"rendered":"https:\/\/www.cipv6.de\/worp\/?p=1279"},"modified":"2025-02-25T14:32:13","modified_gmt":"2025-02-25T13:32:13","slug":"secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp","status":"publish","type":"post","link":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/","title":{"rendered":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP"},"content":{"rendered":"\n<p><strong><a href=\"https:\/\/frrouting.org\">Free Range Routing (FRR)<\/a><\/strong>&nbsp;is a powerful, open-source routing software suite that provides implementations of various routing protocols, including <a href=\"https:\/\/en.wikipedia.org\/wiki\/Border_Gateway_Protocol\">BGP<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Open_Shortest_Path_First\">OSPF<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/IS-IS\">IS-IS<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Routing_Information_Protocol\">RIP<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Protocol-Independent_Multicast\">PIM<\/a>, and more. 
<br>It\u2019s designed to run on Linux and Unix-like systems, making it a flexible solution for a wide range of network setups\u2014from small labs to large-scale data centers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_FRR\"><\/span>Why FRR?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scalability<\/strong>: Supports complex network topologies.<\/li>\n\n\n\n<li><strong>Flexibility<\/strong>: Easily integrates with existing network infrastructures.<\/li>\n\n\n\n<li><strong>Community-driven<\/strong>: Regular updates and active community support.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"A_Brief_History\"><\/span>A Brief History<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>FRR originated as a fork of the Quagga project (which is still used for the <a 
href=\"https:\/\/www.bgp4.as\/looking-glasses\/\">Looking Glass<\/a> service) in 2016, aiming to create a more dynamic and community-focused development path. Since then, it has grown into a robust and widely adopted routing platform, used by service providers, enterprises, and research institutions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Demo_Lab_Overview\"><\/span>Demo Lab Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%8C%90_Topology\"><\/span>\ud83c\udf10 Topology<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This demo lab showcases a&nbsp;<strong>Hub-and-Spoke<\/strong>&nbsp;topology using&nbsp;<strong><a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a><\/strong>&nbsp;for secure tunneling between the nodes.<br>We use unique <a href=\"https:\/\/en.wikipedia.org\/wiki\/Autonomous_system_(Internet)\">ASNs<\/a> (<strong>A<\/strong>utonomous <strong>S<\/strong>ystem <strong>N<\/strong>umbers) to run eBGP (<strong>e<\/strong>xternal <strong>B<\/strong>order <strong>G<\/strong>ateway <strong>P<\/strong>rotocol) between the entities. 
<br>The OS we use is Ubuntu 24.04.1.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-style-default\"><a href=\"https:\/\/www.cipv6.de\/worp\/?attachment_id=1306\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"356\" data-attachment-id=\"1306\" data-permalink=\"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/cipv6frr_online-drawio-4\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?fit=2006%2C851&amp;ssl=1\" data-orig-size=\"2006,851\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"cipv6FRR_online.drawio\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?fit=840%2C356&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=840%2C356&#038;ssl=1\" alt=\"\" class=\"wp-image-1306\" srcset=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?w=2006&amp;ssl=1 2006w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=300%2C127&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=1024%2C434&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=768%2C326&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=1536%2C652&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?resize=1200%2C509&amp;ssl=1 1200w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/cipv6FRR_online.drawio-1.jpg?w=1680&amp;ssl=1 1680w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/a><\/figure>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p><strong>Hub:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public IP:&nbsp;<em>Static (known)<\/em><\/li>\n\n\n\n<li>Tunnel IP:&nbsp;<code>10.5.5.1<\/code><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Spoke #1:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public IP:&nbsp;<em>Ephemeral<\/em><\/li>\n\n\n\n<li>Tunnel IP:&nbsp;<code>10.5.5.20<\/code><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Spoke #2:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public IP:&nbsp;<em>Ephemeral<\/em><\/li>\n\n\n\n<li>Tunnel IP:&nbsp;<code>10.5.5.10<\/code><\/li>\n<\/ul>\n<\/div>\n\n\n\n<p>The&nbsp;<strong>Hub<\/strong>&nbsp;acts as a central point with a fixed public IP, while both&nbsp;<strong>Spokes<\/strong> establish dynamic <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> 
connections, enabling BGP peering over the secure tunnels.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Objectives\"><\/span>Objectives<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish <a href=\"https:\/\/www.wireguard.com\/\">WireGuard<\/a> tunnels between the Hub and Spokes.<\/li>\n\n\n\n<li>Configure BGP on FRR to route traffic between the nodes.<\/li>\n\n\n\n<li>Ensure seamless communication between Spokes through the Hub.<\/li>\n<\/ul>\n\n\n\n<p>In the next sections, we\u2019ll dive into the&nbsp;<strong>WireGuard setup<\/strong>, followed by configuring&nbsp;<strong>FRR BGP<\/strong>&nbsp;for efficient routing.<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Firewall_Considerations\"><\/span>Firewall Considerations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><span style=\"text-decoration: underline;\">Hub:<\/span><\/strong>\n<ul class=\"wp-block-list\">\n<li>Allow&nbsp;<strong>inbound UDP 51820<\/strong>&nbsp;to accept incoming WireGuard connections from the Spokes.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><span style=\"text-decoration: underline;\">Spokes:<\/span><\/strong>\n<ul class=\"wp-block-list\">\n<li>Allow&nbsp;<strong>outbound UDP 51820<\/strong>&nbsp;to the Hub\u2019s public IP to establish the WireGuard tunnel.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>BGP (TCP 179)<\/strong>&nbsp;runs&nbsp;<strong>inside<\/strong>&nbsp;the WireGuard tunnel and does&nbsp;<strong>not<\/strong>&nbsp;require any firewall exceptions.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Use_WireGuard\"><\/span>Why Use WireGuard?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>We chose <a 
href=\"https:\/\/www.wireguard.com\">WireGuard<\/a> for this setup to enhance the privacy, integrity, and security&nbsp;of every bit we transport across the internet.<br>WireGuard provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>End-to-End Encryption<\/strong>: All traffic between Hub and Spokes is encrypted using state-of-the-art cryptographic protocols (ChaCha20 for encryption, Poly1305 for message authentication).<\/li>\n\n\n\n<li><strong>Simplicity &amp; Performance<\/strong>: WireGuard is lightweight, easy to configure, and offers high performance with low overhead.<\/li>\n\n\n\n<li><strong>Ephemeral IP Handling<\/strong>: Its ability to handle dynamic public IPs makes it ideal for spokes with changing network addresses.<\/li>\n\n\n\n<li><strong>Integrity &amp; Authentication<\/strong>: Only peers with the correct public keys can establish connections, ensuring data integrity and preventing unauthorized access.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"WireGuard_Setup\"><\/span>WireGuard Setup<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%A6_Prerequisites\"><\/span>\ud83d\udce6 Prerequisites<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Ensure&nbsp;<strong>WireGuard<\/strong>&nbsp;is installed on all nodes:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-0f3d142d0461e4d47d8b8aa258c1b2b6\"><code lang=\"bash\" class=\"language-bash\">sudo apt update\nsudo apt install wireguard<\/code><\/pre>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%94%91_Key_Generation\"><\/span>\ud83d\udd11 Key Generation<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>On each node (Hub and Spokes), generate WireGuard key pairs:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-53396e030dfbcfdcfa08c92aefa60de1\"><code lang=\"bash\" class=\"language-bash\">cd \/etc\/wireguard\/\n# restrict permissions first so the private key file is not created world-readable\numask 077\nwg genkey | tee privatekey | wg pubkey &gt; publickey<\/code><\/pre>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>privatekey<\/code>&nbsp;    \u2192 Keep this <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-bright-red-color\">secure<\/mark>.<\/li>\n\n\n\n<li><code>publickey<\/code>&nbsp;      \u2192 <mark style=\"background-color:rgba(0, 0, 0, 0);color:#24f73c\" class=\"has-inline-color\">Share<\/mark> with peers.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E2%9A%99%EF%B8%8F_Hub_Configuration_etcwireguardwg0conf\"><\/span>\u2699\ufe0f Hub Configuration (<code>\/etc\/wireguard\/wg0.conf<\/code>)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-26ffefcaadeafbdeb7548ae9b8733672\"><code lang=\"bash\" class=\"language-bash\">[Interface]\nAddress = 10.5.5.1\/24\nListenPort = 51820\nPrivateKey = &lt;Hub_Private_Key&gt;\n\n# Spoke #1\n[Peer]\nPublicKey = &lt;Spoke1_Public_Key&gt;\nAllowedIPs = 10.5.5.20\/32\n\n# Spoke #2\n[Peer]\nPublicKey = &lt;Spoke2_Public_Key&gt;\nAllowedIPs = 10.5.5.10\/32<\/code><\/pre>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"%E2%9A%99%EF%B8%8F_Spoke_Configuration_etcwireguardwg0conf\"><\/span>\u2699\ufe0f Spoke Configuration (<code>\/etc\/wireguard\/wg0.conf<\/code>)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p><strong>Spoke #1:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-a71d3f9d237f2c6bb351b0bdd89cb132\"><code lang=\"bash\" class=\"language-bash\">[Interface]\nAddress = 10.5.5.20\/32\nPrivateKey = &lt;Spoke1_Private_Key&gt;\n\n[Peer]\nPublicKey = &lt;Hub_Public_Key&gt;\nEndpoint = &lt;Hub_Public_IP&gt;:51820\nAllowedIPs = 10.5.5.0\/24\nPersistentKeepalive = 25<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p><strong>Spoke #2:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-19089803e5d89b5dbc9238db8677ab6f\"><code lang=\"bash\" class=\"language-bash\">[Interface]\nAddress = 10.5.5.10\/32\nPrivateKey = &lt;Spoke2_Private_Key&gt;\n\n[Peer]\nPublicKey = &lt;Hub_Public_Key&gt;\nEndpoint = &lt;Hub_Public_IP&gt;:51820\nAllowedIPs = 10.5.5.0\/24\nPersistentKeepalive = 25<\/code><\/pre>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%9A%80_Start_WireGuard\"><\/span>\ud83d\ude80 Start WireGuard<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>On all nodes, start and enable WireGuard:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color 
wp-elements-0a5acfc8210cb089765980bca1629aec\"><code lang=\"bash\" class=\"language-bash\">sudo wg-quick up wg0\nsudo systemctl enable wg-quick@wg0<\/code><\/pre>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E2%9C%85_Verify_Tunnel\"><\/span>\u2705 Verify Tunnel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Run this on each node to check peer status:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-eddac74040021a48340227ea8d3f6675\"><code lang=\"bash\" class=\"language-bash\">sudo wg show<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Example output for Spoke #1:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-c588736e69308c7b9f333e6cf0653c34\"><code lang=\"bash\" class=\"language-bash\">root@spoke1:\/home\/ugu5ma# wg show\ninterface: wg0\n  public key: kRhYptcrypticPublicKeyHFZRg=\n  private key: (hidden)\n  listening port: 42119\n\npeer: zqkjHAd3+crypticPublicKeymCU4=\n  endpoint: &lt;Public-IP&gt;:51820\n  allowed ips: 10.5.5.0\/24\n  latest handshake: 1 minute, 41 seconds ago\n  transfer: 8.50 KiB received, 10.52 KiB sent\n  persistent keepalive: every 25 seconds\nroot@spoke1:\/home\/ugu5ma#<\/code><\/pre>\n<\/div>\n\n\n\n<p>Once the tunnels are active, you can&nbsp;<strong>ping<\/strong>&nbsp;between the nodes using their Tunnel IPs.<\/p>\n\n\n\n<p>Next, we\u2019ll dive into configuring&nbsp;<strong>BGP<\/strong>&nbsp;to enable dynamic routing over the WireGuard tunnels.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Install_FRR\"><\/span>Install 
FRR<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Ensure&nbsp;<strong>FRR<\/strong>&nbsp;is installed on all nodes. We will stick with the stable release of FRR:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-a76dd7230ed6b39b9c072226691e101b\"><code lang=\"bash\" class=\"language-bash\"># add GPG key\ncurl -s https:\/\/deb.frrouting.org\/frr\/keys.gpg | sudo tee \/usr\/share\/keyrings\/frrouting.gpg &gt; \/dev\/null\n\nFRRVER=\"frr-stable\"\necho deb '[signed-by=\/usr\/share\/keyrings\/frrouting.gpg]' https:\/\/deb.frrouting.org\/frr \\\n     $(lsb_release -s -c) $FRRVER | sudo tee -a \/etc\/apt\/sources.list.d\/frr.list\n\n# update and install FRR\nsudo apt update &amp;&amp; sudo apt install frr frr-pythontools\n\n<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Expected output:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-e5e5e20d27ea062cc1fc0eddf389fe23\"><code lang=\"bash\" class=\"language-bash\">root@hub:\/home\/ugu5ma# # add GPG key\ncurl -s https:\/\/deb.frrouting.org\/frr\/keys.gpg | sudo tee \/usr\/share\/keyrings\/frrouting.gpg &gt; \/dev\/null\n# possible values for FRRVER:\nFRRVER=\"frr-stable\"\necho deb '[signed-by=\/usr\/share\/keyrings\/frrouting.gpg]' https:\/\/deb.frrouting.org\/frr \\\n     $(lsb_release -s -c) $FRRVER | sudo tee 
-a \/etc\/apt\/sources.list.d\/frr.list\n# update and install FRR\nsudo apt update &amp;&amp; sudo apt install frr frr-pythontools\ndeb [signed-by=\/usr\/share\/keyrings\/frrouting.gpg]\nhttps:\/\/deb.frrouting.org\/frr noble frr-stable\nHit:1 http:\/\/de.archive.ubuntu.com\/ubuntu noble InRelease\nHit:2 http:\/\/de.archive.ubuntu.com\/ubuntu noble-updates InRelease\nHit:3 http:\/\/de.archive.ubuntu.com\/ubuntu noble-backports InRelease\nHit:4 http:\/\/security.ubuntu.com\/ubuntu noble-security InRelease\nGet:5 https:\/\/deb.frrouting.org\/frr noble InRelease [34.3 kB]\nGet:6 https:\/\/deb.frrouting.org\/frr noble\/frr-stable amd64 Packages [5,461 B]\nFetched 39.8 kB in 1s (29.2 kB\/s)\nReading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nAll packages are up to date.\nReading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following additional packages will be installed:\n  libcares2 libyang2\nSuggested packages:\n  frr-doc\nThe following NEW packages will be installed:\n  frr frr-pythontools libcares2 libyang2\n0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.\nNeed to get 7,032 kB of archives.\nAfter this operation, 40.9 MB of additional disk space will be used.\nDo you want to continue? [Y\/n] y\nGet:1 http:\/\/de.archive.ubuntu.com\/ubuntu noble\/main amd64 libcares2 amd64 1.27.0-1.0ubuntu1 [73.7 kB]\nGet:2 https:\/\/deb.frrouting.org\/frr noble\/frr-stable amd64 libyang2 amd64 2.1.128-2~ubuntu24.04u1 [506 kB]\nGet:3 https:\/\/deb.frrouting.org\/frr noble\/frr-stable amd64 frr amd64 10.2.1-0~ubuntu24.04.1 [6,414 kB]\nGet:4 https:\/\/deb.frrouting.org\/frr noble\/frr-stable amd64 frr-pythontools all 10.2.1-0~ubuntu24.04.1 [38.4 kB]\nFetched 7,032 kB in 7s (966 kB\/s)\nSelecting previously unselected package libcares2:amd64.\n(Reading database ... 
86641 files and directories currently installed.)\nPreparing to unpack ...\/libcares2_1.27.0-1.0ubuntu1_amd64.deb ...\nUnpacking libcares2:amd64 (1.27.0-1.0ubuntu1) ...\nSelecting previously unselected package libyang2:amd64.\nPreparing to unpack ...\/libyang2_2.1.128-2~ubuntu24.04u1_amd64.deb ...\nUnpacking libyang2:amd64 (2.1.128-2~ubuntu24.04u1) ...\nSelecting previously unselected package frr.\nPreparing to unpack ...\/frr_10.2.1-0~ubuntu24.04.1_amd64.deb ...\nUnpacking frr (10.2.1-0~ubuntu24.04.1) ...\nSelecting previously unselected package frr-pythontools.\nPreparing to unpack ...\/frr-pythontools_10.2.1-0~ubuntu24.04.1_all.deb ...\nUnpacking frr-pythontools (10.2.1-0~ubuntu24.04.1) ...\nSetting up libyang2:amd64 (2.1.128-2~ubuntu24.04u1) ...\nSetting up libcares2:amd64 (1.27.0-1.0ubuntu1) ...\nSetting up frr (10.2.1-0~ubuntu24.04.1) ...\ninfo: Selecting GID from range 100 to 999 ...\ninfo: Adding group `frrvty' (GID 110) ...\ninfo: Selecting GID from range 100 to 999 ...\ninfo: Adding group `frr' (GID 111) ...\ninfo: The home dir \/nonexistent you specified can't be accessed: No such file or directory\n\ninfo: Selecting UID from range 100 to 999 ...\n\ninfo: Adding system user `frr' (UID 110) ...\ninfo: Adding new user `frr' (UID 110) with group `frr' ...\ninfo: Not creating `\/nonexistent'.\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/frr.service \u2192 \/usr\/lib\/systemd\/system\/frr.service.\nSetting up frr-pythontools (10.2.1-0~ubuntu24.04.1) ...\nProcessing triggers for rsyslog (8.2312.0-3ubuntu9) ...\nProcessing triggers for man-db (2.12.0-4build2) ...\nProcessing triggers for libc-bin (2.39-0ubuntu8.4) ...\nScanning processes...\nScanning candidates...\nScanning linux images...\n\nRunning kernel seems to be up-to-date.\n\nRestarting services...\n\nService restarts being deferred:\n \/etc\/needrestart\/restart.d\/dbus.service\n systemctl restart systemd-logind.service\n systemctl restart unattended-upgrades.service\n\nNo 
containers need to be restarted.\n\nUser sessions running outdated binaries:\n ugu5ma @ session #1: login[1283]\n ugu5ma @ user manager service: systemd[1420]\n\nNo VM guests are running outdated hypervisor (qemu) binaries on this host.\nroot@hub:\/home\/ugu5ma#<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>Check that the FRR daemon is up and running with <code>systemctl status frr.service<\/code><\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Output:<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-618ac35d90f2e422499ead02469801d8\"><code lang=\"bash\" class=\"language-bash\">root@hub:\/home\/ugu5ma# systemctl status frr.service\n\u25cf frr.service - FRRouting\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/frr.service; enabled; preset: enabled)\n     Active: active (running) since Thu 2025-02-13 11:29:06 UTC; 4min 54s ago\n       Docs: https:\/\/frrouting.readthedocs.io\/en\/latest\/setup.html\n    Process: 14391 ExecStart=\/usr\/lib\/frr\/frrinit.sh start (code=exited, status=0\/SUCCESS)\n   Main PID: 14401 (watchfrr)\n     Status: \"FRR Operational\"\n      Tasks: 8 (limit: 4554)\n     Memory: 14.7M (peak: 27.3M)\n        CPU: 223ms\n     CGroup: \/system.slice\/frr.service\n             \u251c\u250014401 \/usr\/lib\/frr\/watchfrr 
 -d -F traditional zebra mgmtd staticd\n             \u251c\u250014411 \/usr\/lib\/frr\/zebra -d -F traditional -A 127.0.0.1 -s 90000000\n             \u251c\u250014416 \/usr\/lib\/frr\/mgmtd -d -F traditional -A 127.0.0.1\n             \u2514\u250014418 \/usr\/lib\/frr\/staticd -d -F traditional -A 127.0.0.1\n\nFeb 13 11:29:05 hub watchfrr[14401]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00\nFeb 13 11:29:05 hub frrinit.sh[14436]: [14436|watchfrr] done\nFeb 13 11:29:05 hub staticd[14418]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00\nFeb 13 11:29:06 hub frrinit.sh[14438]: [14438|staticd] done\nFeb 13 11:29:06 hub watchfrr[14401]: [QDG3Y-BY5TN] zebra state -&gt; up : connect succeeded\nFeb 13 11:29:06 hub watchfrr[14401]: [QDG3Y-BY5TN] mgmtd state -&gt; up : connect succeeded\nFeb 13 11:29:06 hub watchfrr[14401]: [QDG3Y-BY5TN] staticd state -&gt; up : connect succeeded\nFeb 13 11:29:06 hub watchfrr[14401]: [KWE5Q-QNGFC] all daemons up, doing startup-complete notify\nFeb 13 11:29:06 hub frrinit.sh[14391]:  * Started watchfrr\nFeb 13 11:29:06 hub systemd[1]: Started frr.service - FRRouting.\nroot@hub:\/home\/ugu5ma#<\/code><\/pre>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Let&#8217;s enable BGPd with <code>vi \/etc\/frr\/daemons<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-1f848a282b3a1f3d40004fc743153b94\"><code lang=\"bash\" class=\"language-bash\">bgpd=yes<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Restart the daemon with <code>systemctl restart frr.service<\/code><br>With BGPd enabled, FRR uses minimal resources:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft 
size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"178\" data-attachment-id=\"1281\" data-permalink=\"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/attachment\/01\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?fit=2706%2C574&amp;ssl=1\" data-orig-size=\"2706,574\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"01\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?fit=840%2C178&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=840%2C178&#038;ssl=1\" alt=\"\" class=\"wp-image-1281\" srcset=\"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=1024%2C217&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=300%2C64&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=768%2C163&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=1536%2C326&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=2048%2C434&amp;ssl=1 2048w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?resize=1200%2C255&amp;ssl=1 1200w, 
https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?w=1680&amp;ssl=1 1680w, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/01.png?w=2520&amp;ssl=1 2520w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><figcaption class=\"wp-element-caption\">Compute-allocation for FRR with enabled BGPd <\/figcaption><\/figure>\n<\/div><\/div>\n\n\n\n<p>Let&#8217;s access the virtual console of the Hub with <code>sudo vtysh<\/code> and set up the virtual router. We also log all configuration commands entered via the&nbsp;<strong>vtysh shell<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hub\"><\/span>Hub<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-670a7eb25cd6e0289b013fa84e97968e\"><code lang=\"bash\" class=\"language-bash\">root@hub:\/home\/ugu5ma# vtysh\n\nHello, this is FRRouting (version 10.2.1).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\nhub# conf t\nhub(config)# log commands\nhub(config)# router bgp 65000\nhub(config-router)# bgp router-id 10.5.5.1\nhub(config-router)# no bgp ebgp-requires-policy\nhub(config-router)# neighbor 10.5.5.10 remote-as 65010\nhub(config-router)# neighbor 10.5.5.10 description Spoke2\nhub(config-router)# neighbor 10.5.5.20 remote-as 65020\nhub(config-router)# neighbor 10.5.5.20 description Spoke1\nhub(config-router)# exit\nhub(config)# exit\nhub# wr t\nBuilding configuration...\nhub# show running-config\nBuilding configuration...\n\nCurrent configuration:\n!\nfrr 
version 10.2.1\nfrr defaults traditional\nhostname cipv6lts\nlog syslog informational\nno ipv6 forwarding\nservice integrated-vtysh-config\n!\nrouter bgp 65000\n bgp router-id 10.5.5.1\n no bgp ebgp-requires-policy\n neighbor 10.5.5.10 remote-as 65010\n neighbor 10.5.5.10 description Spoke2\n neighbor 10.5.5.20 remote-as 65020\n neighbor 10.5.5.20 description Spoke1\n !\n address-family ipv4 unicast\n  network 10.0.0.0\/8\n  network 10.5.7.1\/32\n exit-address-family\nexit\n!\n!\nend\n\nhub# exit<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Spoke_2\"><\/span>Spoke #2<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-81526b436f536a41d06fdd3f49a3124a\"><code lang=\"bash\" class=\"language-bash\">root@spoke2:\/home\/ugu5ma# vtysh\n\nHello, this is FRRouting (version 10.2.1).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\nspoke2# conf t\nspoke2(config)# log commands\nspoke2(config)# router bgp 65010\nspoke2(config-router)# bgp router-id 10.5.5.10\nspoke2(config-router)# no bgp ebgp-requires-policy\nspoke2(config-router)# neighbor 10.5.5.1 remote-as 65000\nspoke2(config-router)# exit\nspoke2(config)# exit\nspoke2# wr t\nBuilding configuration...\nspoke2# exit<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Spoke_1\"><\/span>Spoke #1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code has-white-color 
has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-96156c5fb5565901a5368d76dee22f5c\"><code lang=\"bash\" class=\"language-bash\">root@spoke1:\/home\/ugu5ma# vtysh\n\nHello, this is FRRouting (version 10.2.1).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\nspoke1# conf t\nspoke1(config)# log commands\nspoke1(config)# router bgp 65020\nspoke1(config-router)# bgp router-id 10.5.5.20\nspoke1(config-router)# no bgp ebgp-requires-policy\nspoke1(config-router)# neighbor 10.5.5.1 remote-as 65000\nspoke1(config-router)# exit\nspoke1(config)# exit\nspoke1# wr t\nBuilding configuration...\nspoke1# exit<\/code><\/pre>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Let&#8217;s see if Spoke#1 can see the Hub as a BGP neighbor:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-8020c0f87032edb3efbb4a1a8e44720f\"><code lang=\"bash\" class=\"language-bash\">spoke1# show ip bgp summary\n\nIPv4 Unicast Summary:\nBGP router identifier 10.5.5.20, local AS number 65020 VRF default vrf-id 0\nBGP table version 0\nRIB entries 0, using 0 bytes of memory\nPeers 1, using 24 KiB of memory\n\nNeighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up\/Down State\/PfxRcd   PfxSnt Desc\n10.5.5.1        4      65000         0         0        0    0    0    never       Active        0 N\/A\n\nTotal number of neighbors 1\nspoke1#<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>The lab seems to be in pretty good shape \ud83d\ude42<br>Go ahead and try to establish a connection with Spoke#2!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Lets_announce_a_BGP-Route\"><\/span>Let&#8217;s announce a 
BGP-Route<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>On the HUB, we will announce a BGP route (10.5.7.1\/32) for testing. <br>To do this, we will create a dummy interface and assign an IPv4 address. <br>FRR will then announce this network via BGP to the peers (Spoke#1 and Spoke#2). <br>Finally, we will verify if we are advertising the route to Spoke#1.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-6010b0f2da781a1ce2ca84ade5a67f1b\"><code lang=\"bash\" class=\"language-bash\">ip link add dummy0 type dummy\nip addr add 10.5.7.1\/32 dev dummy0\nip link set dummy0 up\nvtysh\nshow ip bgp neighbors 10.5.5.20 advertised-routes\nBGP table version is 1, local router ID is 10.5.5.1, vrf id 0\nDefault local pref 100, local AS 65000\nStatus codes:  s suppressed, d damped, h history, u unsorted, * valid, &gt; best, = multipath,\n               i internal, r RIB-failure, S Stale, R Removed\nNexthop codes: @NNN nexthop's vrf id, &lt; announce-nh-self\nOrigin codes:  i - IGP, e - EGP, ? 
- incomplete\nRPKI validation codes: V valid, I invalid, N Not found\n\n     Network          Next Hop            Metric LocPrf Weight Path\n *&gt; 10.5.7.1\/32      0.0.0.0                  0         32768 i\n\nTotal number of prefixes 1\n<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p><\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<p>Ok, let&#8217;s see if we receive route <strong>10.5.7.1\/32<\/strong> on <strong>Spoke#1<\/strong> and check connectivity: <\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-dark-gray-background-color has-text-color has-background has-link-color wp-elements-e020501129e4e335df5792245bbf1c74\"><code lang=\"bash\" class=\"language-bash\">spoke1# show ip route bgp\nCodes: K - kernel route, C - connected, L - local, S - static,\n       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,\n       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,\n       f - OpenFabric, t - Table-Direct,\n       &gt; - selected route, * - FIB route, q - queued, r - rejected, b - backup\n       t - trapped, o - offload failure\n\nB&gt;* 10.5.7.1\/32 [20\/0] via 10.5.5.1, wg0, weight 1, 00:00:18\nspoke1# ping 10.5.7.1\nPING 10.5.7.1 (10.5.7.1) 56(84) bytes of data.\n64 bytes from 10.5.7.1: icmp_seq=1 ttl=64 time=17.0 ms<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>Good! That&#8217;s it so far.<\/p>\n\n\n\n<p><br>We have established a highly secure and scalable network topology across the internet. 
By leveraging WireGuard for routing transmission and communication, we ensure that this network topology remains exceptionally secure.<\/p>\n\n\n\n<p><br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Free Range Routing (FRR)&nbsp;is a powerful, open-source routing software suite that provides implementations of various routing protocols, including BGP, OSPF, IS-IS, RIP, PIM, and more. It\u2019s designed to run on Linux and Unix-like systems, making it a flexible solution for a wide range of network setups\u2014from small labs to large-scale data centers. Why FRR? A &hellip; <a href=\"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1293,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"template-page-builder.php","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Discover how to build a highly secure and scalable Hub-and-Spoke network topology using WireGuard and eBGP!","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-1279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Secure 
Networking with Hub-and-Spoke Topology Using WireGuard and eBGP - cipv6.de<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP - cipv6.de\" \/>\n<meta property=\"og:description\" content=\"Free Range Routing (FRR)&nbsp;is a powerful, open-source routing software suite that provides implementations of various routing protocols, including BGP, OSPF, IS-IS, RIP, PIM, and more. It\u2019s designed to run on Linux and Unix-like systems, making it a flexible solution for a wide range of network setups\u2014from small labs to large-scale data centers. Why FRR? 
A &hellip; Continue reading &quot;Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/\" \/>\n<meta property=\"og:site_name\" content=\"cipv6.de\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-25T13:26:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-25T13:32:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ugu5ma\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ugu5ma\" \/>\n<meta name=\"twitter:site\" content=\"@ugu5ma\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ugu5ma\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/\"},\"author\":{\"name\":\"ugu5ma\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#\\\/schema\\\/person\\\/5d62b275485540be9e5e9e33d4fab86d\"},\"headline\":\"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP\",\"datePublished\":\"2025-02-25T13:26:35+00:00\",\"dateModified\":\"2025-02-25T13:32:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/\"},\"wordCount\":758,\"publisher\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#\\\/schema\\\/person\\\/5d62b275485540be9e5e9e33d4fab86d\"},\"image\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.cipv6.de\\\/worp\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/\",\"url\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/\",\"name\":\"Secure Networking with Hub-and-Spoke Topology Using WireGuard and 
eBGP - cipv6.de\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.cipv6.de\\\/worp\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1\",\"datePublished\":\"2025-02-25T13:26:35+00:00\",\"dateModified\":\"2025-02-25T13:32:13+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.cipv6.de\\\/worp\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.cipv6.de\\\/worp\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1\",\"width\":1024,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/index.php\\\/2025\\\/02\\\/25\\\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home
\",\"item\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#website\",\"url\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/\",\"name\":\"cipv6.de\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#\\\/schema\\\/person\\\/5d62b275485540be9e5e9e33d4fab86d\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.cipv6.de\\\/worp\\\/#\\\/schema\\\/person\\\/5d62b275485540be9e5e9e33d4fab86d\",\"name\":\"ugu5ma\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g\",\"caption\":\"ugu5ma\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g\"},\"sameAs\":[\"https:\\\/\\\/cipv6.de\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP - cipv6.de","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/","og_locale":"en_US","og_type":"article","og_title":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP - cipv6.de","og_description":"Free Range Routing (FRR)&nbsp;is a powerful, open-source routing software suite that provides implementations of various routing protocols, including BGP, OSPF, IS-IS, RIP, PIM, and more. It\u2019s designed to run on Linux and Unix-like systems, making it a flexible solution for a wide range of network setups\u2014from small labs to large-scale data centers. Why FRR? A &hellip; Continue reading \"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP\"","og_url":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/","og_site_name":"cipv6.de","article_published_time":"2025-02-25T13:26:35+00:00","article_modified_time":"2025-02-25T13:32:13+00:00","og_image":[{"width":1024,"height":1024,"url":"https:\/\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg","type":"image\/jpeg"}],"author":"ugu5ma","twitter_card":"summary_large_image","twitter_creator":"@ugu5ma","twitter_site":"@ugu5ma","twitter_misc":{"Written by":"ugu5ma","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#article","isPartOf":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/"},"author":{"name":"ugu5ma","@id":"https:\/\/www.cipv6.de\/worp\/#\/schema\/person\/5d62b275485540be9e5e9e33d4fab86d"},"headline":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP","datePublished":"2025-02-25T13:26:35+00:00","dateModified":"2025-02-25T13:32:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/"},"wordCount":758,"publisher":{"@id":"https:\/\/www.cipv6.de\/worp\/#\/schema\/person\/5d62b275485540be9e5e9e33d4fab86d"},"image":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/","url":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/","name":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and eBGP - 
cipv6.de","isPartOf":{"@id":"https:\/\/www.cipv6.de\/worp\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#primaryimage"},"image":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1","datePublished":"2025-02-25T13:26:35+00:00","dateModified":"2025-02-25T13:32:13+00:00","breadcrumb":{"@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#primaryimage","url":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1","width":1024,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/02\/25\/secure-networking-with-hub-and-spoke-topology-using-wireguard-and-ebgp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cipv6.de\/worp\/"},{"@type":"ListItem","position":2,"name":"Secure Networking with Hub-and-Spoke Topology Using WireGuard and 
eBGP"}]},{"@type":"WebSite","@id":"https:\/\/www.cipv6.de\/worp\/#website","url":"https:\/\/www.cipv6.de\/worp\/","name":"cipv6.de","description":"","publisher":{"@id":"https:\/\/www.cipv6.de\/worp\/#\/schema\/person\/5d62b275485540be9e5e9e33d4fab86d"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cipv6.de\/worp\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.cipv6.de\/worp\/#\/schema\/person\/5d62b275485540be9e5e9e33d4fab86d","name":"ugu5ma","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g","caption":"ugu5ma"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/7211dd31d32612293e4228c8f880721a803dcc15211868f096ea9a8e77b6f316?s=96&d=mm&r=g"},"sameAs":["https:\/\/cipv6.de"]}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/02\/VPN-BGP-WireGuard-topology.jpg?fit=1024%2C1024&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9uBTs-kD","jetpack-related-posts":[{"id":740,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2022\/04\/17\/mac-network-commands-cheat-sheet\/","url_meta":{"origin":1279,"position":0},"title":"Mac Network Commands Cheat Sheet","author":"ugu5ma","date":"April 17, 2022","format":false,"excerpt":"nice CLI-cmd-overview created by JJ can be found at: https:\/\/gist.github.com\/jjnilton\/add1eeeb3a9616f53e4c","rel":"","context":"In 
&quot;MacOS\/IOS&quot;","block_context":{"text":"MacOS\/IOS","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/macos\/"},"img":{"alt_text":"photo of imac near macbook","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2022\/04\/pexels-photo-1029757.jpeg?fit=1200%2C786&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2022\/04\/pexels-photo-1029757.jpeg?fit=1200%2C786&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2022\/04\/pexels-photo-1029757.jpeg?fit=1200%2C786&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2022\/04\/pexels-photo-1029757.jpeg?fit=1200%2C786&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2022\/04\/pexels-photo-1029757.jpeg?fit=1200%2C786&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":939,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2024\/08\/26\/duplicati-rpi-setup-on-64-bit-ubuntu-os-jammy-22-04\/","url_meta":{"origin":1279,"position":1},"title":"Duplicati RPi setup on 64-bit Ubuntu OS Jammy (22.04)","author":"ugu5ma","date":"August 26, 2024","format":false,"excerpt":"Setting up Duplicati on Ubuntu Jammy (22.04) for Raspberry Pi (RPI) is a great way to ensure your data is securely backed up. 
Duplicati is a free, open-source backup solution that allows you to store encrypted, incremental, and compressed backups on various cloud storage services and remote file servers.\u00a0It supports\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/CleanShot-2024-08-26-at-11.43.33%402x.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/CleanShot-2024-08-26-at-11.43.33%402x.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/CleanShot-2024-08-26-at-11.43.33%402x.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/CleanShot-2024-08-26-at-11.43.33%402x.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/CleanShot-2024-08-26-at-11.43.33%402x.png?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":1203,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/01\/29\/run-deepseek-llm-locally-on-your-m-series-mac-with-lm-studio-and-integrate-iterm2\/","url_meta":{"origin":1279,"position":2},"title":"Run DeepSeek LLM locally on your M series Mac with LM Studio and integrate iTerm2","author":"ugu5ma","date":"January 29, 2025","format":false,"excerpt":"With the integration of LM Studio and iTerm2, powered by the cutting-edge DeepSeek LLM, developers can now streamline their workflows. 
This setup enhances coding efficiency while maintaining complete control over their data.Running DeepSeek LLM locally offers several benefits: Enhanced Privacy: Your data stays on your machine, ensuring that sensitive information\u2026","rel":"","context":"In &quot;MacOS\/IOS&quot;","block_context":{"text":"MacOS\/IOS","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/macos\/"},"img":{"alt_text":"DeepSeek LM Studio iTerm2 integration","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/01\/lmdImage2.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/01\/lmdImage2.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/01\/lmdImage2.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2025\/01\/lmdImage2.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":954,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2024\/08\/28\/secure-your-ssh-communication-with-certificates-based-authentication\/","url_meta":{"origin":1279,"position":3},"title":"Secure your SSH communication with certificates","author":"ugu5ma","date":"August 28, 2024","format":false,"excerpt":"How about securing your SSH-Server to only support login-attempts including a valid signed certificate from a trusted CA ? 
This sounds pretty cool, but there are a couple of pitfalls which should be outlined first: OpenSSH supports cert-based authentication since version 5.4 (in 2010); OpenSSH does not support X.509 certificates!\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/coverpicsshcert.jpeg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/coverpicsshcert.jpeg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/coverpicsshcert.jpeg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/08\/coverpicsshcert.jpeg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1103,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2025\/01\/11\/automate-your-cloud-backups-rclone-and-duplicati\/","url_meta":{"origin":1279,"position":4},"title":"Automate Your Cloud Backups: rclone and Duplicati","author":"ugu5ma","date":"January 11, 2025","format":false,"excerpt":"In today's digital age, safeguarding your data is more crucial than ever. With the increasing reliance on cloud storage, it's essential to have a robust backup strategy in place. 
This blog post will guide you through automating your cloud backups (like OneDrive in this example) using\u00a0rclone\u00a0and\u00a0Duplicati\u00a0on a Linux system (in\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/12\/himage.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/12\/himage.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/12\/himage.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/12\/himage.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":973,"url":"https:\/\/www.cipv6.de\/worp\/index.php\/2024\/09\/06\/manual-steps-for-certificate-based-ssh-communication\/","url_meta":{"origin":1279,"position":5},"title":"Lab setup: Secure your SSH communication with certificates","author":"ugu5ma","date":"September 6, 2024","format":false,"excerpt":"When you SSH to a host for the first time, the screen shows something like: ssh test@10.50.100.110 The authenticity of host '10.50.100.110 (10.50.100.110)' can't be established. ED25519 key fingerprint is SHA256:jCJ0TIJkKnjgu3RTv5eGER7p4IN5Tb\/JpTEVJNMfpMs. This key is not known by any other names Are you sure you want to continue connecting (yes\/no\/[fingerprint])? 
Be honest:\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/www.cipv6.de\/worp\/index.php\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/09\/ssh_cover.jpeg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/09\/ssh_cover.jpeg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/09\/ssh_cover.jpeg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.cipv6.de\/worp\/wp-content\/uploads\/2024\/09\/ssh_cover.jpeg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/posts\/1279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/comments?post=1279"}],"version-history":[{"count":0,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/posts\/1279\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/media\/1293"}],"wp:attachment":[{"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/media?parent=1279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/categories?post=1279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cipv6.de\/worp\/index.php\/wp-json\/wp\/v2\/tags?post=1279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}