
This guide will walk you through the process of setting up a secure, hub-and-spoke VPN architecture using a central WireGuard server on Hetzner to connect your two FreePBX systems. It addresses the critical challenge of having identical internal IP address ranges (192.168.x.x) in both offices by using Network Address Translation (NAT) over the VPN.

The plan is divided into three key phases:

  1. Phase 1: Configure the Central Hetzner VPN Server
  2. Phase 2: Configure the Routers at Each Office
  3. Phase 3: Configure the FreePBX Systems

Phase 1: Configure the Central Hetzner VPN Server (The Hub)

The server you’ve identified at 91.98.x.x will act as the central communication hub, making it possible for the two offices to connect without their overlapping internal IP addresses causing a conflict.

  1. Provision and Secure the Hetzner Server:
    • After creating your server instance (a stable Linux distribution like Ubuntu is recommended), ensure it is configured with a public IPv4 address.[1]
    • Firewall Configuration: Hetzner’s Cloud Firewall is the first line of defense. You must configure it to explicitly allow specific inbound traffic to your server 91.98.x.x.[2, 3] All other traffic will be dropped by default.[4, 5]
      • SSH: Allow incoming TCP traffic on port 22 (or a different, non-standard port if you changed it) from your trusted IP addresses for remote administration.[6]
      • WireGuard: Allow incoming UDP traffic on port 51820 (the default WireGuard port) from the public IP addresses of both your Germany and Greece offices.[7, 8]
  2. Install and Configure WireGuard on the Server:
    • Connect to your server via SSH.
    • Install WireGuard and the necessary tools: sudo apt update && sudo apt install wireguard wireguard-tools -y.[9, 1]
    • Enable IP Forwarding: This is a crucial step that allows the server to forward traffic between the Germany and Greece VPN clients. Run the following command: sudo sysctl -w net.ipv4.ip_forward=1.[10, 11, 9] To make this change permanent, add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf so it survives a reboot.
    • Create the Server Configuration File: Create and edit the WireGuard configuration file (e.g., sudo nano /etc/wireguard/wg0.conf):

        [Interface]
        Address = 10.80.0.1/24
        SaveConfig = true
        PrivateKey = <SERVER_PRIVATE_KEY>
        ListenPort = 51820
        PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <SERVER_PUBLIC_INTERFACE> -j MASQUERADE
        PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <SERVER_PUBLIC_INTERFACE> -j MASQUERADE
      • Replace <SERVER_PRIVATE_KEY> with a private key you generate using the command wg genkey.[9]
      • Address = 10.80.0.1/24 defines the IP address for the server on the new virtual VPN network.[11, 9]
      • PostUp and PostDown commands are used to enable and disable Network Address Translation (NAT) so that clients can route internet traffic through the VPN.[10, 11, 12]
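An added example, not from the original guide: the hub's wg0.conf completed with the [Peer] sections the server needs for the two office routers, whose tunnel addresses (10.80.0.2 and 10.80.0.3) and key placeholders are assumptions. On the hub, AllowedIPs is also WireGuard's source filter (each router may only send packets from its own virtual subnet), and the MASQUERADE rule is left out because it is only needed if the offices should also reach the internet through the hub.

```ini
[Interface]
Address = 10.80.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Forward only between tunnel peers. No MASQUERADE: office-to-office traffic is
# never rewritten to the hub's public address. %i is expanded by wg-quick to
# the interface name (wg0).
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

# Germany office router (tunnel address 10.80.0.2 is an assumption).
# AllowedIPs doubles as WireGuard's source filter: packets arriving from this
# peer are dropped unless their source is 10.80.0.2 or the Germany virtual
# subnet 10.20.0.0/24, so the 192.168.1.x -> 10.20.0.x translation must happen
# on the office router before traffic enters the tunnel.
[Peer]
PublicKey = <GERMANY_ROUTER_PUBLIC_KEY>
PresharedKey = <GERMANY_PRESHARED_KEY>
AllowedIPs = 10.80.0.2/32, 10.20.0.0/24

# Greece office router (tunnel address 10.80.0.3 is an assumption).
[Peer]
PublicKey = <GREECE_ROUTER_PUBLIC_KEY>
PresharedKey = <GREECE_PRESHARED_KEY>
AllowedIPs = 10.80.0.3/32, 10.30.0.0/24
```

The PresharedKey lines are optional; each one is generated with wg genpsk and the same value is placed in the matching router's [Peer] section.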

Phase 2: Configure the Routers at Each Office (The Spokes)

This phase is essential to resolve the overlapping IP issue. The core concept is that each office’s router will translate its 192.168.x.x network into a unique, non-overlapping “virtual” network before sending any traffic to the other office over the VPN tunnel.[13, 14, 15]

Proposed Network Schema:

  • Hetzner hub (91.98.x.x): WireGuard tunnel network 10.80.0.0/24, server address 10.80.0.1.
  • Germany office: real LAN 192.168.1.0/24, presented to Greece as the virtual subnet 10.20.0.0/24 (its FreePBX is reached at 10.20.0.100).
  • Greece office: real LAN 192.168.1.0/24, presented to Germany as the virtual subnet 10.30.0.0/24 (its FreePBX is reached at 10.30.0.100).

Configuration for the German Office Router:

  1. Configure the WireGuard Client: Set up a WireGuard client on your router or firewall.[17, 8, 18]
  2. Create a New WireGuard Peer: The peer configuration will point to your Hetzner VPN server.[17]
    • Endpoint Address: 91.98.x.x (your server’s public IP).
    • Endpoint Port: 51820.
    • PublicKey: The public key of your Hetzner server.
    • Allowed IPs: 10.80.0.0/24, 10.30.0.0/24.[10] This tells the router to route traffic destined for the Hetzner hub and the Greece office’s virtual network through the VPN tunnel.
  3. Implement NAT over VPN Rules: This is the most complex but most critical step. Configure a source NAT rule on your router to translate traffic from 192.168.1.x to 10.20.0.x when the destination is 10.30.0.x.[19, 15]
  4. Add a Static Route: Create a static route on the router that directs all traffic destined for the Greece office’s virtual subnet (10.30.0.0/24) to the WireGuard VPN tunnel interface.[1, 17]

Configuration for the Greece Office Router:
Repeat the same steps, but reverse the IP addresses and rules.

  1. Configure the WireGuard Client:
  2. Create a New WireGuard Peer:
    • Endpoint Address: 91.98.x.x.
    • Endpoint Port: 51820.
    • PublicKey: The public key of your Hetzner server.
    • Allowed IPs: 10.80.0.0/24, 10.20.0.0/24.[10]
  3. Implement NAT over VPN Rules: Configure a source NAT rule to translate traffic from 192.168.1.x to 10.30.0.x when the destination is 10.20.0.x.[19, 15]
  4. Add a Static Route: Create a static route that directs all traffic for the Germany office’s virtual subnet (10.20.0.0/24) through the WireGuard VPN tunnel interface.[1, 17]
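An added example, not from the original guide: the Germany router's WireGuard configuration for a Linux-based router, with the NAT-over-VPN rule of step 3 written as iptables NETMAP rules (a 1:1 subnet mapping, so 192.168.1.100 is seen by Greece as 10.20.0.100). The tunnel address 10.80.0.2 and the key placeholders are assumptions; wg-quick expands %i to the interface name and installs a route for each AllowedIPs prefix itself, so step 4 needs no separate static route on this kind of router.

```ini
[Interface]
# Germany office router. The tunnel address is an assumption and must match
# the /32 the hub lists in AllowedIPs for this peer.
Address = 10.80.0.2/24
PrivateKey = <GERMANY_ROUTER_PRIVATE_KEY>

# Step 3, outbound: when a LAN host talks to the Greece virtual subnet, its
# source is mapped 1:1 from 192.168.1.0/24 into 10.20.0.0/24 before encryption.
PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -d 10.30.0.0/24 -j NETMAP --to 10.20.0.0/24
# Step 3, inbound: packets from Greece addressed to 10.20.0.x are mapped back
# to the real 192.168.1.x host (needed for flows Greece initiates, such as the
# IAX2 qualify probes from the Greece PBX).
PostUp = iptables -t nat -A PREROUTING -i %i -d 10.20.0.0/24 -j NETMAP --to 192.168.1.0/24
# Forward only the office-to-office flows this design needs, in both directions.
PostUp = iptables -A FORWARD -o %i -s 192.168.1.0/24 -d 10.30.0.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -s 10.30.0.0/24 -d 192.168.1.0/24 -j ACCEPT

# Mirror every rule so the tunnel can be brought down cleanly.
PostDown = iptables -t nat -D POSTROUTING -o %i -s 192.168.1.0/24 -d 10.30.0.0/24 -j NETMAP --to 10.20.0.0/24
PostDown = iptables -t nat -D PREROUTING -i %i -d 10.20.0.0/24 -j NETMAP --to 192.168.1.0/24
PostDown = iptables -D FORWARD -o %i -s 192.168.1.0/24 -d 10.30.0.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -s 10.30.0.0/24 -d 192.168.1.0/24 -j ACCEPT

[Peer]
# The Hetzner hub. AllowedIPs = the tunnel network plus the Greece virtual
# subnet (step 2); wg-quick installs the route for each prefix (step 4).
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <GERMANY_PRESHARED_KEY>
Endpoint = 91.98.x.x:51820
AllowedIPs = 10.80.0.0/24, 10.30.0.0/24
# Keeps the office's own NAT/firewall mapping open so the hub can reach the
# router even when no call is in progress.
PersistentKeepalive = 25
```

The Greece router uses the same file with 10.20.0.0/24 and 10.30.0.0/24 swapped in every rule and in AllowedIPs, and its own tunnel address (10.80.0.3 in the hub example above).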

Phase 3: Configure the FreePBX Systems

With the network foundation in place, you can now configure the FreePBX systems to use the new VPN tunnel. We will use an IAX2 trunk as it is designed for this type of peer-to-peer connection.[20, 21]

  1. On the Germany FreePBX System:
    • Create the IAX2 Trunk:
      • Log into FreePBX and navigate to Connectivity -> Trunks -> Add IAX2 Trunk.[21]
      • General Tab: Name the trunk something descriptive, like To_Greece.[21]
      • iax2 Settings Tab (Outgoing):
        • host=10.30.0.100 (The translated IP of the Greece FreePBX).[21]
        • username=greece_to_germany.[21]
        • secret=SharedSecretPassword (Choose a strong password).[21]
        • qualify=yes.[21]
        • context=from-internal.[21]
    • Create the Outbound Route:
      • Go to Connectivity -> Outbound Routes -> Add Outbound Route.[21, 22]
      • Route Settings Tab: Name the route Intra-Office_Greece and select the To_Greece trunk.[21]
      • Dial Patterns Tab: Since the extensions overlap, use a prefix like 9|XXXX. This means a user would dial 9 followed by the Greece extension. The PBX will strip the 9 and send the four-digit extension to the remote office.[21, 23, 22]
  2. On the Greece FreePBX System:
    • Create the IAX2 Trunk:
      • Go to Connectivity -> Trunks -> Add IAX2 Trunk.[21]
      • General Tab: Name the trunk To_Germany.[21]
      • iax2 Settings Tab (Outgoing):
        • host=10.20.0.100 (The translated IP of the Germany FreePBX).[21]
        • username=germany_to_greece.[21]
        • secret=SharedSecretPassword.[21]
        • qualify=yes.[21]
        • context=from-internal.[21]
    • Create the Outbound Route:
      • Go to Connectivity -> Outbound Routes -> Add Outbound Route.[21, 22]
      • Route Settings Tab: Name the route Intra-Office_Germany and select the To_Germany trunk.[21]
      • Dial Patterns Tab: Use the same prefix, 9|XXXX.[21, 23, 22]
  3. Finalize FreePBX Configuration:
    • Go to Settings -> Asterisk SIP Settings and ensure the Local Networks field includes the VPN tunnel subnet (10.80.0.0/24) and the translated virtual subnets (10.20.0.0/24, 10.30.0.0/24).[24, 25, 26] This is a crucial step to prevent one-way audio issues by telling the PBX to correctly handle the RTP media.[27, 28]
    • Submit and apply your changes to finalize the configuration on both PBXs.[29]

By following these steps, you will have a functional and secure interconnection between your Germany and Greece offices, enabling seamless calling between extensions.