Back to Help Center

How to configure Multihop

WireGuard Multihop

This guide is for Linux systems only. Mac and Windows will not be able to follow this guide.

To start, head over to the configs section of your dashboard and download the configs you'd like to use for multihop. This guide will show you how to do it with 2 configs (a single hop), for any more hops please refer to Additional Hops. After downloading your configs, move or copy them to your WireGuard folder at /etc/wireguard. Next, if your configs are using a domain for the endpoint (for example ny1.shockvpn.com), you will need to find the address that this resolves to. Provided you have nslookup and sed installed on your system, this can be done easily with the command:

nslookup <domain> | sed -n 's/.*Address: //p'

For this guide, we will be using configs from Texas (tx2) and West Chicago (wc2). We will be hopping from the Texas config to the West Chicago config, so for clarity we are going to rename the configs appropriately. Our Texas config will be named hop.conf and our West Chicago config will be named dest.conf, this is also how we will refer to each config moving forward.

First, open your hop.conf in your favorite editor and make the following changes:

  • remove the DNS line as we don't need it anymore (should look something like DNS = 10.0.0.1)
  • modify the AllowedIPs section so that it points to the IP address for our destination with the "prefix" 32 (in our case 104.36.229.172/32 for wc2)

At this point, your hop.conf should look something like this:

[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
 
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 104.36.229.172/32
PersistentKeepalive = 25

Next, it gets a little complicated. We need to exclude all the subnets that don't include the IP address for the hop config (in our case 172.96.137.210). To assist with this, we've created a helpful script you can download from our helpful scripts repo on GitHub, or you can download it with curl by running:

curl -LsS https://shockvpn.com/api/scripts/exclude_subnets.sh -o exclude_subnets.sh

Be sure that your script is executable (chmod +x exclude_subnets.sh) and run the the script with the -s (sort the subnets by prefix for clarity) and -w (give us a response in the format needed for the our WireGuard config) flags. In our case that would look like this:

./exclude_subnets.sh 172.96.137.210 -s -w

This should return something similar to this: 

AllowedIPs = 0.0.0.0/1, 192.0.0.0/2, 128.0.0.0/3, 176.0.0.0/4, 160.0.0.0/5, 168.0.0.0/6, 174.0.0.0/7, 173.0.0.0/8, 172.128.0.0/9, 172.0.0.0/10, 172.64.0.0/11, 172.112.0.0/12, 172.104.0.0/13, 172.100.0.0/14, 172.98.0.0/15, 172.97.0.0/16, 172.96.0.0/17, 172.96.192.0/18, 172.96.160.0/19, 172.96.144.0/20, 172.96.128.0/21, 172.96.140.0/22, 172.96.138.0/23, 172.96.136.0/24, 172.96.137.0/25, 172.96.137.128/26, 172.96.137.224/27, 172.96.137.192/28, 172.96.137.216/29, 172.96.137.212/30, 172.96.137.208/31, 172.96.137.211/32

Copy and paste this into your dest.conf where it currently shows AllowedIPs = 0.0.0.0/0, ::/0. Your dest.conf should now look something like this:

[Interface]
Address = 10.0.0.2
PrivateKey = ONc2MyUlUJ0rsmELuSrZ+Pj8AhtYuS256cMHRrRAxlg=
DNS = 10.0.0.1
 
[Peer]
PublicKey = qISFh8PKjuCFpqDaA2UCVMM+mKe6ySERf+E+boPoRUM=
PresharedKey = C4KeRFCxY+imL+r9/VftX994tLrBhI2zWKIFnoJ5xyc=
Endpoint = wc2.shockvpn.com:51820
AllowedIPs = 0.0.0.0/1, 192.0.0.0/2, 128.0.0.0/3, 176.0.0.0/4, 160.0.0.0/5, 168.0.0.0/6, 174.0.0.0/7, 173.0.0.0/8, 172.128.0.0/9, 172.0.0.0/10, 172.64.0.0/11, 172.112.0.0/12, 172.104.0.0/13, 172.100.0.0/14, 172.98.0.0/15, 172.97.0.0/16, 172.96.0.0/17, 172.96.192.0/18, 172.96.160.0/19, 172.96.144.0/20, 172.96.128.0/21, 172.96.140.0/22, 172.96.138.0/23, 172.96.136.0/24, 172.96.137.0/25, 172.96.137.128/26, 172.96.137.224/27, 172.96.137.192/28, 172.96.137.216/29, 172.96.137.212/30, 172.96.137.208/31, 172.96.137.211/32
PersistentKeepalive = 25

At this point, we're ready to bring up the interfaces. Starting with our hop: sudo wg-quick up hop, and following with our destination sudo wg-quick up dest. You can verify that this is now working by running curl -LsS api.shockvpn.com/v1/ip or curl -LsS api.shockvpn.com/v1/ip | jq if you have jq installed for a cleaner output. You should see that your response shows the output of whatever location you have for your dest.conf, in our case, this is the response we see:

{
  "ip": "104.36.229.172",
  "country": "US",
  "city": "West Chicago",
  "latitude": 41.8812,
  "longitude": -88.2059,
  "connected": true
}

Great, looks like we're all set!

Additional Hops

For any hops other than the single hop outlined in this guide, the process will be mostly the same, aside from the AllowedIPs section of your configurations section of your configurations. For example, if we did 2 hops our first hop would have the AllowedIPs for only the IP address of our second hop, the second hop would have only the AllowedIPs for our destination, and the destination would have all the subnets that don't include either of the first 2 config's IP addresses. Using our examples from the guide, that would look something like ./exclude_subnets.sh 172.96.137.210,104.36.229.172 -s -w with the output being:

AllowedIPs = 0.0.0.0/2, 192.0.0.0/2, 128.0.0.0/3, 64.0.0.0/3, 112.0.0.0/4, 176.0.0.0/4, 160.0.0.0/5, 96.0.0.0/5, 108.0.0.0/6, 168.0.0.0/6, 106.0.0.0/7, 174.0.0.0/7, 105.0.0.0/8, 173.0.0.0/8, 104.128.0.0/9, 172.128.0.0/9, 104.64.0.0/10, 172.0.0.0/10, 104.0.0.0/11, 172.64.0.0/11, 104.48.0.0/12, 172.112.0.0/12, 104.40.0.0/13, 172.104.0.0/13, 104.32.0.0/14, 172.100.0.0/14, 104.38.0.0/15, 172.98.0.0/15, 104.37.0.0/16, 172.97.0.0/16, 104.36.0.0/17, 172.96.0.0/17, 104.36.128.0/18, 172.96.192.0/18, 104.36.192.0/19, 172.96.160.0/19, 104.36.240.0/20, 172.96.144.0/20, 104.36.232.0/21, 172.96.128.0/21, 104.36.224.0/22, 172.96.140.0/22, 104.36.230.0/23, 172.96.138.0/23, 104.36.228.0/24, 172.96.136.0/24, 104.36.229.0/25, 172.96.137.0/25, 104.36.229.192/26, 172.96.137.128/26, 104.36.229.128/27, 172.96.137.224/27, 104.36.229.176/28, 172.96.137.192/28, 104.36.229.160/29, 172.96.137.216/29, 104.36.229.168/30, 172.96.137.212/30, 104.36.229.174/31, 172.96.137.208/31, 104.36.229.173/32, 172.96.137.211/32