I have a couple of Linux servers whose main purpose is to serve as a Wireguard server. The peers on these servers are a combination of pure clients (like a mobile phone or laptop) and more traditional site-to-site tunnel connections (like a router at a remote location). The site-to-site connections usually are routing a remote network over the wireguard tunnel, something like a /24 network so you can access the far site's local network.
Wireguard makes this easy to do: you just add the /24 network to the "AllowedIPs" for that peer. Wireguard does the work of adding that route to the routing table on the Linux server itself. If this Wireguard server is part of a more complex network, though, you need to be sending these remote networks to your Wireguard server so everyone can access them, not just those using Wireguard. I have been forced to add static routes on my main router to point those networks to my Wireguard servers.
Enter OSPF! If you are reading this, I am going to assume you know what OSPF is and why it's preferred over static routing. What follows are the steps I took to get my Wireguard "AllowedIPs" networks automatically advertised to my main router using OSPF.
Install FRR
FRR is a Linux package that implements a lot of network routing protocols. On your server running Wireguard (I'm assuming Debian/Ubuntu), running `apt-get install -y frr` gets everything you need installed. This includes a `vtysh` command that dumps you into a Cisco IOS-like terminal to configure your OSPF routing.
Enable OSPF daemon
Before configuring OSPF, you must enable the ospfd daemon in the FRR config. Edit `/etc/frr/daemons` and change the `ospfd=no` line to read `ospfd=yes`. Then `systemctl restart frr` is needed to restart FRR with OSPF enabled.
Save your changes
That's it! You can `end` and then `write memory` to save your configuration to `/etc/frr/frr.conf`. If you miss this part, all of this configuration will be erased when FRR is restarted.
Troubleshooting
Here are a couple of commands I used in the `vtysh` interface to verify my configuration.
`show ip ospf neighbor` - this should return a record showing your neighbor relationship with your main router
`show ip route kernel` - this should return all of your AllowedIPs networks that you have configured in Wireguard. These are the networks we are redistributing over OSPF.
`show ip ospf interface` - this should return a record indicating `ens160 is up`, or whatever your LAN interface on your Wireguard server is. You can also see neighbor count here, which should be 1 in a point-to-point OSPF network.
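Because every kernel route created from an AllowedIPs entry ends up advertised to the rest of the network, it is worth cross-checking the Wireguard config against what `show ip route kernel` lists. The following is an added example, not part of the original post: the config text, addresses, key placeholders and the function names `allowed_networks` and `audit` are all constructed for illustration, and the kernel route list stands in for the prefixes you would copy from `show ip route kernel`.

```python
import ipaddress

# Constructed sample Wireguard config; keys and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24

[Peer]
PublicKey = <peer-a-public-key>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <peer-b-public-key>
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24

[Peer]
PublicKey = <peer-c-public-key>
AllowedIPs = 0.0.0.0/0
"""

def allowed_networks(conf_text):
    """Return every AllowedIPs prefix in a Wireguard config as ip_network objects."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(i.strip(), strict=False)
                     for i in value.split(",") if i.strip()]
    return nets

def audit(conf_text, kernel_routes):
    """Compare AllowedIPs with kernel routes; flag default routes and gaps."""
    kernel = {ipaddress.ip_network(r) for r in kernel_routes}
    report = {"default": [], "missing": [], "advertised": []}
    for net in allowed_networks(conf_text):
        if net.prefixlen == 0:
            report["default"].append(str(net))     # default route: review before redistributing
        elif net not in kernel:
            report["missing"].append(str(net))     # no kernel route, so not redistributed
        else:
            report["advertised"].append(str(net))  # kernel route present, goes out over OSPF
    return report

if __name__ == "__main__":
    # Constructed stand-in for the prefixes listed by `show ip route kernel`.
    print(audit(SAMPLE_CONF, ["10.8.0.2/32", "192.168.50.0/24"]))
```

Anything under `default` or an unexpectedly broad prefix under `advertised` is a peer entry to review before it reaches your main router's routing table.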