How to Set Up WireGuard for Site-to-Site VPN

By Admin · Mar 1, 2026 · Updated Apr 23, 2026

WireGuard provides a lightweight, high-performance VPN tunnel between two Breeze instances or between a Breeze and an on-premises network.

Install WireGuard

Install on both endpoints:

sudo apt install wireguard -y

Generate Key Pairs

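On each server, generate a private and public key. Setting the umask first means the private key file is never created with group or world read permission, and running the pipeline under sudo lets it write to /etc/wireguard:

sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
sudo chmod 600 /etc/wireguard/privatekey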

Configure Site A

Create /etc/wireguard/wg0.conf on Site A:

[Interface]
Address = 10.0.0.1/24
PrivateKey = <SiteA_PrivateKey>
ListenPort = 51820

[Peer]
PublicKey = <SiteB_PublicKey>
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
Endpoint = siteB_public_ip:51820
PersistentKeepalive = 25

Configure Site B

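Create /etc/wireguard/wg0.conf on Site B as a mirror of Site A's configuration with the keys and addresses swapped: use Address = 10.0.0.2/24, Site B's private key, Site A's public key in the [Peer] section, and Site A's public IP as the Endpoint. AllowedIPs on Site B should list 10.0.0.1/32 and the subnet behind Site A.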

Enable IP Forwarding and Start

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Verify the Tunnel

sudo wg show
ping 10.0.0.2

Traffic between your Breeze instances now flows through an encrypted WireGuard tunnel with minimal overhead.
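
Most site-to-site failures come from the two wg0.conf files not mirroring each other correctly. The script below is an added example, not part of the original article: it checks file permissions, that each side routes the peer's tunnel address as a /32, and that each Endpoint port matches the peer's ListenPort. The function names, the sample files and the Site A LAN subnet 192.168.1.0/24 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: lint both sites' wg0.conf files.
# conf_get FILE SECTION KEY -> value of KEY inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $0; next }
        cur == sec {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# has_cidr LIST CIDR -> true if the comma-separated LIST contains CIDR exactly
has_cidr() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_side LOCAL REMOTE -> prints one line per problem found in LOCAL
check_side() {
    # wg0.conf holds the private key, so group/other must have no access
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        echo "$1: accessible by group/other (chmod 600)"
    # The peer's tunnel address must be routed to it as a /32
    raddr=$(conf_get "$2" Interface Address); raddr=${raddr%/*}
    has_cidr "$(conf_get "$1" Peer AllowedIPs)" "$raddr/32" ||
        echo "$1: AllowedIPs lacks peer tunnel address $raddr/32"
    # The Endpoint port must be the port the peer listens on
    ep=$(conf_get "$1" Peer Endpoint)
    [ "${ep##*:}" = "$(conf_get "$2" Interface ListenPort)" ] ||
        echo "$1: Endpoint port ${ep##*:} is not the peer's ListenPort"
}

# check_pair A B -> status 0 only when both sides pass; problems go to stderr
check_pair() {
    problems=$(check_side "$1" "$2"; check_side "$2" "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2; return 1
}

# write_samples DIR -> constructed configs (keys omitted; Site A LAN is assumed)
write_samples() (
    umask 077
    printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' 'ListenPort = 51820' '[Peer]' \
        'AllowedIPs = 10.0.0.2/32, 192.168.2.0/24' 'Endpoint = siteB_public_ip:51820' > "$1/siteA.conf"
    printf '%s\n' '[Interface]' 'Address = 10.0.0.2/24' 'ListenPort = 51820' '[Peer]' \
        'AllowedIPs = 10.0.0.1/32, 192.168.1.0/24' 'Endpoint = siteA_public_ip:51820' > "$1/siteB.conf"
)
d=$(mktemp -d) && write_samples "$d" && check_pair "$d/siteA.conf" "$d/siteB.conf" && echo "pair OK"; rm -rf "$d"
```

To use it on real hosts, copy Site B's wg0.conf next to Site A's (with the PrivateKey line removed) and run check_pair on the two files before wg-quick up.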
