Let WireGuard clients use your IP Blocks advertised by BGP

Utilize those unused IPv4 addresses with a valid use-case to ensure they don't get reclaimed by ARIN or RIPE.

As an addendum to my previous post on giving yourself an IPv6 address using WireGuard, I wanted to show how, if you were lucky enough to get an IPv4 range before the "great IPv4 exhaustion", you can assign those addresses to clients using WireGuard.

Several consumer, prosumer, and enterprise cloud hosts allow you to advertise your IP range for your cloud servers. Some of these providers are OVH, Vultr, and Equinix Metal, but like last time, I suggest you look into OVH due to their predictable bandwidth costs, and because you don't need to configure a BGP connection with them, which makes setup much less work.

Note: If you followed part 1 and added a MASQUERADE rule for your network interface, you will need to remove it when assigning real public IPs from your own range. The MASQUERADE rule rewrites the source IP of outgoing packets to the server's address, which defeats the purpose of giving clients their own public IP. Remove it with iptables -t nat -D POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE (and the equivalent ip6tables rule if applicable).

Assuming you set up your WireGuard connections as described in the previous post, there are a few adjustments that you'll need to make to give your clients an address from your range. For the sake of simplicity, I'll assume your IPv4 range is 8.8.8.0/24, even though this specific range is used by Google's public DNS service.

# server adjustments to wg0.conf
[Peer]
# change each peer to have a specific "allowed IP" from your block of addresses
AllowedIPs = 8.8.8.1/32  # Lets this specific client use this address publicly. Note: if you are using IPv6, you'd give them one here too
#...

and for your client, you'd have their Interface configuration match the address defined on the server:

# client adjustments to wg0.conf
[Interface]
Address = 8.8.8.1/32 # must match the "AllowedIPs" configuration on the server for this peer
# ...
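WireGuard uses the server-side AllowedIPs both to route return traffic and to filter the source addresses a peer may send from, so an entry wider than /32, outside your block, or shared between peers lets one client use or take over an address meant for another. The following audit of a server wg0.conf is an added example, not part of the original post; the sample config, placeholder keys, 10.0.0.1/24 interface address and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample server config; keys and addresses are placeholders.
SAMPLE_WG0 = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 8.8.8.1/32
[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 8.8.8.0/24
[Peer]
PublicKey = PEER_C_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 8.8.8.1/32, 9.9.9.9/32
"""

def parse_peers(text):
    """Return one list of IPv4 AllowedIPs networks per [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("["):
            current = [] if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowedips":
                nets = (ipaddress.ip_network(v.strip(), strict=False) for v in value.split(","))
                current.extend(n for n in nets if n.version == 4)  # IPv6 entries are not audited here
    return peers

def audit(text, block):
    """Flag AllowedIPs that are wider than /32, outside the block, or shared."""
    block, findings, seen = ipaddress.ip_network(block), [], {}
    for idx, nets in enumerate(parse_peers(text), start=1):
        for net in nets:
            if net.prefixlen != 32:
                findings.append((idx, str(net), "wider than /32"))
            if not net.subnet_of(block):
                findings.append((idx, str(net), "outside announced block"))
            for other, owner in seen.items():
                if owner != idx and net.overlaps(other):
                    findings.append((idx, str(net), f"overlaps peer {owner}"))
            seen.setdefault(net, idx)  # remember the first peer that claimed this prefix
    return findings
```

Run `audit(open("/etc/wireguard/wg0.conf").read(), "8.8.8.0/24")` with your own block after each peer change; an empty list means every peer holds exactly one distinct address from the range.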

You'll need to ensure that your server can actually send and receive traffic for these ranges. How you do this depends on whether you've set up a BGP connection with your provider or are using OVH, where no BGP connection is required. A quick way to do this on OVH would be to create virtual interfaces of eth0/eno1 for each address.

Editor's Note: If you don't have your own IPv4 range, you can do this with IPv6, which is much easier to get, and if you are an EU citizen I can assist you with this process (send an email to hello at 'this domain without the text part').