Can a single Wireguard cover an entire local network?

Hi, I have a question about Wireguard on OpenWrt: can a single Wireguard peer cover an entire remote local network?

This is the diagram of the networks.

Currently, I can access the Wireguard server on network A and the Wireguard client on network B from my phone, but what I want is to be able to reach every single host in both networks from my phone.

Is it possible without configuring a peer for each host?

The problem is that some hosts can't install Wireguard (IoT devices).

Is there any option to cover the entire A or B network with a single Wireguard peer? If not, how can I do what I'm trying to do?

Thanks.

Wireguard only has the concept of peers; there is no dedicated server or client. What you need is a site-to-site VPN, allowing you to access the entire host range of A from B and vice versa. None of the hosts in A or B needs to be aware of Wireguard.

Is there also an OpenWrt router in network B? If yes, you can simply put Wireguard on both routers and configure the allowed ip ranges (routing) accordingly.

Your phone then connects to either of the two routers and gains access to both networks.


That's the point: my ISP in network B doesn't allow clients to have PPPoE credentials, which is why I can't install an OpenWrt router there. And that's why I am asking about peers with WG.

Can you add static routes on the router in network B?


You can always put a second router behind your ISP router - if you can add static routes as already suggested, you can avoid double-NAT. But even with double-NAT it's not a deal breaker, I have two sites running with double-NAT and a DMZ for the OpenWrt host as the ISP router doesn't allow any other configuration.

You can have a site-to-site wireguard connection, if A has a public address, even if B is behind NAT; all devices on each network will seamlessly be able to reach all devices on the other network.

Then, you can also connect from your phone to the router on A, using wireguard too, and have access to devices on both networks.

Yes, I can:

With the current WG configuration I can access B from A but can't access A from B. How do I configure it to have access to A from B?

It would be helpful if you were very clear about what can and can't be accessed.

From the device running wireguard in network A, what can you access in network B?
From devices not running wireguard in network A, what can you access in network B?

From the device running wireguard in network B, what can you access in network A?
From devices not running wireguard in network B, what can you access in network A?

What ISP and country is it?


At site B, the Wireguard client machine needs to have a known, consistent IP on the B lan. This is usually done with a DHCP reservation in the B main router, or if that is not possible, statically configure the IP in the Wireguard client machine.

Then configure a static route in the B main router:
192.168.2.0/24 via <WG client's IP in B lan>
This will cause a B LAN endpoint's request to (or return traffic to) the A lan to "bounce" to the separate Wireguard server at site B, and then be routed into the tunnel, encrypted and dispatched to site A. Such a setup is not required at site A, since there the Wireguard server is also the main router, so it already knows how to route to site B.

Make sure you are not using NAT (masquerade) into or out of any of the wireguard and LANs. There will be symmetric routing where, in site-to-site traffic, the B client will see requests originating from the machine's actual IP on the A lan, and vice versa.

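To make the site-to-site layout from the last two replies concrete, here is an added example (not code from the thread) that derives the three WireGuard configurations, router A as the hub, the Linux client on LAN B, and the phone, from one description of the topology, together with the static route the ISP router at site B needs. The thread gives LAN A as 192.168.2.0/24 and the site-B client's tunnel address as 192.168.9.2; everything else (LAN B as 192.168.1.0/24, the tunnel prefix 192.168.9.0/24, router A's public endpoint, the client's fixed LAN address, the phone's tunnel address, and the key placeholders) is assumed.

```python
"""Added example: render hub-and-spoke WireGuard configs for the thread's topology.
Values taken from the thread: LAN A = 192.168.2.0/24, client B tunnel IP = 192.168.9.2.
All other addresses, the endpoint and the key placeholders are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TUNNEL = ipaddress.ip_network("192.168.9.0/24")          # assumed tunnel prefix
B_CLIENT_LAN_IP = ipaddress.ip_address("192.168.1.10")   # assumed fixed LAN-B address of the client


@dataclass(frozen=True)
class Node:
    name: str
    tunnel_ip: ipaddress.IPv4Address
    lans: Tuple[ipaddress.IPv4Network, ...]   # LAN prefixes routed behind this node; empty for the phone
    pubkey: str                                # placeholder for the base64 public key
    endpoint: Optional[str] = None             # host:port; only router A is reachable from the internet


ROUTER_A = Node("router-A", ipaddress.ip_address("192.168.9.1"),
                (ipaddress.ip_network("192.168.2.0/24"),), "<pubkey-A>", "a.example.net:51820")
CLIENT_B = Node("client-B", ipaddress.ip_address("192.168.9.2"),
                (ipaddress.ip_network("192.168.1.0/24"),), "<pubkey-B>")   # behind ISP NAT: no endpoint
PHONE = Node("phone", ipaddress.ip_address("192.168.9.3"), (), "<pubkey-phone>")
SPOKES = (CLIENT_B, PHONE)


def hub_allowed_ips(spoke: Node) -> List[ipaddress.IPv4Network]:
    """On the hub, a spoke's AllowedIPs are its tunnel address plus the LANs behind it,
    nothing more, so the per-peer sets on router A cannot overlap."""
    return [ipaddress.ip_network(f"{spoke.tunnel_ip}/32"), *spoke.lans]


def spoke_allowed_ips(hub: Node, spoke: Node, spokes: Tuple[Node, ...]) -> List[ipaddress.IPv4Network]:
    """On a spoke, the hub's AllowedIPs are everything reachable through it: the whole
    tunnel prefix and every LAN except the spoke's own."""
    others = [lan for n in (hub, *spokes) if n is not spoke for lan in n.lans]
    return [TUNNEL, *others]


def render_conf(local: Node, peers: Dict[Node, List[ipaddress.IPv4Network]]) -> str:
    """wg-quick style config for `local`. Spokes behind NAT keep the tunnel open
    with PersistentKeepalive; the hub has no Endpoint lines because spokes dial in."""
    lines = ["[Interface]", f"Address = {local.tunnel_ip}/{TUNNEL.prefixlen}",
             "PrivateKey = <private-key>"]
    if local.endpoint:
        lines.append(f"ListenPort = {local.endpoint.rsplit(':', 1)[1]}")
    for peer, allowed in peers.items():
        lines += ["", "[Peer]", f"PublicKey = {peer.pubkey}",
                  "AllowedIPs = " + ", ".join(str(n) for n in allowed)]
        if peer.endpoint:
            lines += [f"Endpoint = {peer.endpoint}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def all_configs() -> Dict[str, str]:
    confs = {ROUTER_A.name: render_conf(ROUTER_A, {s: hub_allowed_ips(s) for s in SPOKES})}
    for spoke in SPOKES:
        confs[spoke.name] = render_conf(spoke, {ROUTER_A: spoke_allowed_ips(ROUTER_A, spoke, SPOKES)})
    return confs


def b_router_static_route() -> str:
    """The route described above: the ISP router at B hands LAN-A traffic to the client,
    which forwards it into the tunnel. Router A needs no such route; it is already the gateway."""
    return f"ip route add {ROUTER_A.lans[0]} via {B_CLIENT_LAN_IP}"


if __name__ == "__main__":
    for name, conf in all_configs().items():
        print(f"# {name}\n{conf}")
    print("# on the site-B ISP router (or its static-route UI):")
    print(b_router_static_route())
```

The client on LAN B must also forward packets (`net.ipv4.ip_forward=1`) and must not masquerade between its LAN interface and the tunnel, otherwise router A sees the client's address instead of the real LAN-B host, exactly the asymmetry the reply above warns against.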

From all devices in network A I can access the peer running Wireguard in network B. (It doesn't matter whether the devices in network A are running Wireguard or not.)

I can't access any device on network A, running Wireguard or not, from network B.

This is done; the peer on network A has the IP 192.168.116

How can I check if that network is behind a NAT?

Sounds like a routing issue then. Should be solvable by adding a static route (like the example given by @mk24) to the router in network B.

Is this correct?

Forgot this. The ISP is Vodafone, the country is Spain.

Assuming the gateway address is correct then yes it looks right.

Using your own Tomato router with Vodafone Spain (florianjensen.com)

It is a few years old, but there's a decent chance the process it describes to find PPPoE details is still valid.

Yes that is the proper route.

By not having NAT I mean within your networks as you go from lan A <-> Wireguard <-> lan B. Assuming you have set up lan and vpn zones, the Masquerade option must not be checked on any of those zones. The wan zone at A continues to need masquerade as in any IPv4 home router, but this will not affect the operation of the VPN tunnel, since the "outer" encrypted packets can be NATed with no problem.

I tried long ago but it doesn't work with my router. I'm looking for a new ISP that gives me the PPPoE credentials, like Digi Spain.

It's not working, so can I assume it is a NAT problem?

Already added:

No. Unless you've set up masquerading/NAT while setting up wireguard, it's very unlikely to be involved here. The first step would be to establish that the static route is working. The easiest way would be to use a device in network B and run traceroute (or similar) to an address in network A. You should see the traffic go to the network B router and then to the 'wireguard client'. If it doesn't, the static route isn't working.

The local route seems to be OK.

I suppose then it is a problem with the WAN route.

I can't translate the CMD output, so if you don't understand something, let me know.

Again, no. If the traffic is getting to the wireguard peer but seemingly no further, then it's probably an issue with the wireguard tunnel or the routing table on that device.

What's the wireguard config on the network B device? Is it running linux?

Yes, as you can see here:

Does this help?

Though this probably isn't the problem here, your own address (192.168.9.2) should not be an allowed_ip. Allowed_ips are peer-specific IPs that you expect to see as the source IP in packets arriving from the peer. It is important when there are multiple peers that the various sets of allowed_ips do not overlap at all, or Wireguard will not work.

The next thing I would try is run a packet capture on the wireguard tunnel at the A main router and see if any packets are being sent from B when you have a B endpoint try to ping an A LAN IP.
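The allowed_ips remark in the reply above is easier to reason about as a routing table, so here is an added example (not code from the thread) that models WireGuard's cryptokey routing: outbound, a plaintext packet is encrypted for the peer whose allowed_ips contain the destination (longest prefix wins); inbound, a decrypted packet is delivered only if its source address lies inside the sending peer's allowed_ips. It also shows the symptom from the thread (LAN-A hosts unreachable from LAN-B hosts) when router A lists only the client's tunnel address for the B peer. The addresses reuse the thread's 192.168.2.0/24 (LAN A) and 192.168.9.2 (client B); router A's 192.168.9.1, the phone's 192.168.9.3, LAN B as 192.168.1.0/24, and the way the client's own address was listed (a /32) are assumptions.

```python
"""Added example: a model of WireGuard cryptokey routing (allowed_ips).
Thread values: LAN A 192.168.2.0/24, client B tunnel IP 192.168.9.2; other addresses assumed."""
import ipaddress
from typing import Dict, List, Optional


class CryptokeyTable:
    """The allowed_ips table of one WireGuard interface, treated as a routing table."""

    def __init__(self, own_tunnel_ip: str):
        self.own_ip = ipaddress.ip_address(own_tunnel_ip)
        self.peers: Dict[str, List[ipaddress.IPv4Network]] = {}

    def add_peer(self, name: str, allowed: List[str]) -> None:
        """Refuse overlapping prefixes to make the mistake visible. Real wg(8) does not
        refuse: a prefix given to a second peer is silently moved to it, and the first
        peer stops receiving traffic for it."""
        nets = [ipaddress.ip_network(a) for a in allowed]
        for other, other_nets in self.peers.items():
            for n in nets:
                for o in other_nets:
                    if n.overlaps(o):
                        raise ValueError(f"{name}: {n} overlaps {other}'s {o}")
        self.peers[name] = nets

    def lints(self) -> List[str]:
        """Mistakes wg(8) accepts but that make no sense: the node's own tunnel
        address must never appear in a peer's allowed_ips."""
        return [f"{name}: own address {self.own_ip} listed in allowed_ips"
                for name, nets in self.peers.items()
                if any(self.own_ip in n for n in nets)]

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer an outgoing packet to dst is encrypted for (longest prefix wins), or None."""
        d = ipaddress.ip_address(dst)
        best: Optional[tuple] = None
        for name, nets in self.peers.items():
            for n in nets:
                if d in n and (best is None or n.prefixlen > best[1]):
                    best = (name, n.prefixlen)
        return best[0] if best else None

    def inbound_accept(self, from_peer: str, src: str) -> bool:
        """A decrypted packet from from_peer is delivered only if src is in its allowed_ips."""
        s = ipaddress.ip_address(src)
        return any(s in n for n in self.peers.get(from_peer, []))


def router_a_table(include_lan_b: bool = True) -> CryptokeyTable:
    """Router A (hub). With include_lan_b=False it reproduces the thread's symptom:
    LAN-B hosts behind the client are neither routable nor accepted as sources."""
    t = CryptokeyTable("192.168.9.1")                       # router A's tunnel address (assumed)
    allowed_b = ["192.168.9.2/32"] + (["192.168.1.0/24"] if include_lan_b else [])
    t.add_peer("client-B", allowed_b)
    t.add_peer("phone", ["192.168.9.3/32"])                  # phone's tunnel address (assumed)
    return t


def client_b_table_as_posted() -> CryptokeyTable:
    """Client B with its own 192.168.9.2 inside the hub peer's allowed_ips, as criticised
    above (the thread does not show how it was listed; a /32 is assumed here)."""
    t = CryptokeyTable("192.168.9.2")
    t.add_peer("router-A", ["192.168.9.1/32", "192.168.9.2/32", "192.168.2.0/24"])
    return t


def overlap_error() -> Optional[str]:
    """Give a new peer a prefix that already belongs to client-B; returns the error text."""
    t = router_a_table()
    try:
        t.add_peer("laptop", ["192.168.1.0/25"])
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t = router_a_table()
    print("192.168.1.50 ->", t.outbound_peer("192.168.1.50"))
    print("LAN-B source accepted from client-B:", t.inbound_accept("client-B", "192.168.1.50"))
    print("same with LAN B missing:", router_a_table(False).inbound_accept("client-B", "192.168.1.50"))
    print("lints on posted client config:", client_b_table_as_posted().lints())
    print("overlap:", overlap_error())
```

The inbound check is the part that matters for the thread: even when the static route at site B and the route into the tunnel are right, a reply from a LAN-B host arriving at router A with a source address outside the B peer's allowed_ips is silently dropped after decryption, which looks exactly like "the tunnel is up but nothing behind it answers". A packet capture on the tunnel interface at A, as suggested above, is how you tell the two apart.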