How to configure Multihop
WireGuard Multihop
This guide is for Linux systems only. Mac and Windows will not be able to follow this guide.
To start, head over to the configs section of your dashboard and download the configs you'd like to use for multihop. This guide will show you how to do it with 2 configs (a single hop); for any more hops, please refer to Additional Hops. After downloading your configs, move or copy them to your WireGuard folder at /etc/wireguard. Next, if your configs are using a domain for the endpoint (for example, ny1.shockvpn.com), you will need to find the address that this resolves to. Provided you have nslookup and sed installed on your system, this can be done easily with the command:
nslookup <domain> | sed -n 's/.*Address: //p'
For this guide, we will be using configs from Texas (tx2) and West Chicago (wc2). We will be hopping from the Texas config to the West Chicago config, so for clarity, we are going to rename the configs appropriately. Our Texas config will be named hop.conf, and our West Chicago config will be named dest.conf; this is also how we will refer to each config moving forward.
First, open your hop.conf in your favorite editor and make the following changes:
- remove the DNS line, as we don't need it anymore (it should look something like DNS = 10.0.0.1)
- modify the AllowedIPs section so that it points to the IP address of our destination with the "prefix" 32 (in our case 104.36.229.172/32 for wc2)
At this point, your hop.conf should look something like this:
[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 104.36.229.172/32
PersistentKeepalive = 25
Excluding Subnets
Next, it gets a little complicated. We need to exclude all the subnets that don't include the IP address for the hop config (in our case 172.96.137.210). To assist with this, we've created a helpful endpoint to process this for you. The endpoint takes in an IP address (or multiple IP addresses separated by commas) and returns the subnets that you would need to include in your AllowedIPs section to exclude the IP address(es) you passed in.
To use the endpoint, make a request to /api/ip/exclude-subnets?ip=IP_ADDRESS, with the ip query parameter being the IP address (or multiple IP addresses separated by commas) that you want to exclude from the tunnel. For example, using our example IP address (172.96.137.210), we would make a request to /api/ip/exclude-subnets?ip=172.96.137.210, which would return the following output:
AllowedIPs = 0.0.0.0/1, 192.0.0.0/2, 128.0.0.0/3, 176.0.0.0/4, 160.0.0.0/5, 168.0.0.0/6, 174.0.0.0/7, 173.0.0.0/8, 172.128.0.0/9, 172.0.0.0/10, 172.64.0.0/11, 172.112.0.0/12, 172.104.0.0/13, 172.100.0.0/14, 172.98.0.0/15, 172.97.0.0/16, 172.96.0.0/17, 172.96.192.0/18, 172.96.160.0/19, 172.96.144.0/20, 172.96.128.0/21, 172.96.140.0/22, 172.96.138.0/23, 172.96.136.0/24, 172.96.137.0/25, 172.96.137.128/26, 172.96.137.224/27, 172.96.137.192/28, 172.96.137.216/29, 172.96.137.212/30, 172.96.137.208/31, 172.96.137.211/32
Copy and paste this into your dest.conf where it currently shows AllowedIPs = 0.0.0.0/0, ::/0. Your dest.conf should now look something like this:
[Interface]
Address = 10.0.0.2
PrivateKey = ONc2MyUlUJ0rsmELuSrZ+Pj8AhtYuS256cMHRrRAxlg=
DNS = 10.0.0.1
[Peer]
PublicKey = qISFh8PKjuCFpqDaA2UCVMM+mKe6ySERf+E+boPoRUM=
PresharedKey = C4KeRFCxY+imL+r9/VftX994tLrBhI2zWKIFnoJ5xyc=
Endpoint = wc2.shockvpn.com:51820
AllowedIPs = 0.0.0.0/1, 192.0.0.0/2, 128.0.0.0/3, 176.0.0.0/4, 160.0.0.0/5, 168.0.0.0/6, 174.0.0.0/7, 173.0.0.0/8, 172.128.0.0/9, 172.0.0.0/10, 172.64.0.0/11, 172.112.0.0/12, 172.104.0.0/13, 172.100.0.0/14, 172.98.0.0/15, 172.97.0.0/16, 172.96.0.0/17, 172.96.192.0/18, 172.96.160.0/19, 172.96.144.0/20, 172.96.128.0/21, 172.96.140.0/22, 172.96.138.0/23, 172.96.136.0/24, 172.96.137.0/25, 172.96.137.128/26, 172.96.137.224/27, 172.96.137.192/28, 172.96.137.216/29, 172.96.137.212/30, 172.96.137.208/31, 172.96.137.211/32
PersistentKeepalive = 25
At this point, we're ready to bring up the interfaces. Start with our hop: sudo wg-quick up hop, and follow up with our destination: sudo wg-quick up dest. You can verify that this is now working by running curl -LsS api.shockvpn.com/v1/ip, or curl -LsS api.shockvpn.com/v1/ip | jq if you have jq installed, for a cleaner output. You should see that your response shows the location you have for your dest.conf; in our case, this is the response we see:
{
"ip": "104.36.229.172",
"country": "US",
"city": "West Chicago",
"latitude": 41.8812,
"longitude": -88.2059,
"connected": true
}
Great, looks like we're all set!
Additional Hops
For any hops other than the single hop outlined in this guide, the process will be mostly the same, aside from the AllowedIPs section of your configurations. For example, if we did 2 hops, our first hop would have the AllowedIPs for only the IP address of our second hop, the second hop would have only the AllowedIPs for our destination, and the destination would have all the subnets that don't include either of the first two configs' IP addresses. Using our examples from the guide, that would look something like /api/ip/exclude-subnets?ip=172.96.137.210,104.36.229.172 with the output being:
AllowedIPs = 0.0.0.0/2, 192.0.0.0/2, 64.0.0.0/3, 128.0.0.0/3, 112.0.0.0/4, 176.0.0.0/4, 96.0.0.0/5, 160.0.0.0/5, 108.0.0.0/6, 168.0.0.0/6, 106.0.0.0/7, 174.0.0.0/7, 105.0.0.0/8, 173.0.0.0/8, 104.128.0.0/9, 172.128.0.0/9, 104.64.0.0/10, 172.0.0.0/10, 104.0.0.0/11, 172.64.0.0/11, 104.48.0.0/12, 172.112.0.0/12, 104.40.0.0/13, 172.104.0.0/13, 104.32.0.0/14, 172.100.0.0/14, 104.38.0.0/15, 172.98.0.0/15, 104.37.0.0/16, 172.97.0.0/16, 104.36.0.0/17, 172.96.0.0/17, 104.36.128.0/18, 172.96.192.0/18, 104.36.192.0/19, 172.96.160.0/19, 104.36.240.0/20, 172.96.144.0/20, 104.36.232.0/21, 172.96.128.0/21, 104.36.224.0/22, 172.96.140.0/22, 104.36.230.0/23, 172.96.138.0/23, 104.36.228.0/24, 172.96.136.0/24, 104.36.229.0/25, 172.96.137.0/25, 104.36.229.192/26, 172.96.137.128/26, 104.36.229.128/27, 172.96.137.224/27, 104.36.229.176/28, 172.96.137.192/28, 104.36.229.160/29, 172.96.137.216/29, 104.36.229.168/30, 172.96.137.212/30, 104.36.229.174/31, 172.96.137.208/31, 104.36.229.173/32, 172.96.137.211/32
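The subnet lists shown in Excluding Subnets and Additional Hops can be reproduced offline, which lets you verify a pasted AllowedIPs line before bringing the tunnel up. The following is an added example, not ShockVPN's code; it assumes the endpoint splits 0.0.0.0/0 along the prefix tree around each excluded host and lists the result shortest-prefix first, which is what the two outputs above show. Because AllowedIPs is both the route and the cryptokey-routing rule, the check function confirms that only the hop addresses fall outside the tunnel.

```python
"""Reproduce the /api/ip/exclude-subnets output with the standard library.

Added example (assumed re-implementation, not ShockVPN's own code).
"""
import ipaddress


def exclude_subnets(ips, universe="0.0.0.0/0"):
    """Return the CIDR blocks covering `universe` minus every host in `ips`.

    Removing one /32 from a block keeps the sibling half at every level of
    the prefix tree (31 blocks when removing a /32 from a /0), so the result
    is minimal and only the excluded hosts fall back to normal routing.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ip in ips:
        host = ipaddress.ip_network(f"{ip.strip()}/32")
        next_remaining = []
        for net in remaining:
            if host.subnet_of(net):
                # address_exclude yields the sibling blocks, host removed
                next_remaining.extend(net.address_exclude(host))
            else:
                next_remaining.append(net)
        remaining = next_remaining
    # Endpoint order: shortest prefix first, ties broken by address.
    return sorted(remaining, key=lambda n: (n.prefixlen, int(n.network_address)))


def allowed_ips_line(ips):
    """Format the blocks as the AllowedIPs line to paste into dest.conf."""
    return "AllowedIPs = " + ", ".join(str(n) for n in exclude_subnets(ips))


def is_excluded(ips, probe):
    """True when `probe` is covered by none of the blocks (stays off-tunnel)."""
    addr = ipaddress.ip_address(probe)
    return not any(addr in n for n in exclude_subnets(ips))


if __name__ == "__main__":
    # Single hop: keep the tx2 endpoint from the guide out of the dest tunnel.
    print(allowed_ips_line(["172.96.137.210"]))
    # Two hops, as in Additional Hops: exclude both tx2 and wc2.
    print(allowed_ips_line(["172.96.137.210", "104.36.229.172"]))
    # Neighbouring addresses must still be routed through the tunnel.
    print(is_excluded(["172.96.137.210"], "172.96.137.210"))  # True
    print(is_excluded(["172.96.137.210"], "172.96.137.209"))  # False
```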