Actually, I can have access from my phone to the Wireguard server on Network A and the Wireguard client on Network B, but what I want to do is to have access from my phone to every single host in both networks.
Can it be possible without configuring a Peer for each host?
The problem is that some hosts can't install Wireguard (IoT devices).
Is there any option to cover the entire A or B network with a single Wireguard peer? If not, how can I do what I'm trying to do?
Wireguard only has the concept of peers, there is no dedicated server or client. What you need is a site-to-site VPN, allowing you to access the entire host range of A from B and vice versa. None of the hosts in A or B needs to be aware of Wireguard.
Is there also an OpenWrt router in network B? If yes, you can simply put Wireguard on both routers and configure the allowed ip ranges (routing) accordingly.
Your phone then connects to either of the two routers and gains access to both networks.
That's the point: my ISP in B network doesn't allow clients to have PPPoE credentials, that's why I can't install an OpenWRT router there. And that's why I ask for peers with WG.
You can always put a second router behind your ISP router - if you can add static routes as already suggested, you can avoid double-NAT. But even with double-NAT it's not a deal breaker, I have two sites running with double-NAT and a DMZ for the OpenWrt host as the ISP router doesn't allow any other configuration.
You can have a site-to-site wireguard connection, if A has a public address, even if B is behind NAT; all devices on each network will seamlessly be able to reach all devices on the other network.
Then, you can also connect from your phone to the router on A, using wireguard too, and have access to devices on both networks.
It would be helpful if you were very clear about what can and can't be accessed.
From the device running wireguard in network A, what can you access in network B?
From devices not running wireguard in network A, what can you access in network B?
From the device running wireguard in network B, what can you access in network A?
From devices not running wireguard in network B, what can you access in network A?
At site B, the Wireguard client machine needs to have a known, consistent IP on the B lan. This is usually done with a DHCP reservation in the B main router, or if that is not possible, statically configure the IP in the Wireguard client machine.
Then configure a static route in the B main router: 192.168.2.0/24 via <WG client's IP in B lan>
This will cause a B LAN endpoint's request to (or return traffic to) the A lan to "bounce" to the separate Wireguard server at site B, and then be routed into the tunnel, encrypted and dispatched to site A. Such a setup is not required at site A since there the Wireguard server is also the main router, so it already knows how to route to site B.
Make sure you are not using NAT (masquerade) into or out of any of the wireguard and LANs. There will be symmetric routing where in site to site traffic, the B client will see requests originating from the machine's actual IP on the A lan, and vice versa.
From all devices in network A I can access the peer running Wireguard in network B. (It doesn't matter whether devices in network A are running Wireguard or not.)
I can't access any device on network A, running Wireguard or not, from network B.
This is done, the peer on network A has the IP 192.168.116
By not having NAT I mean within your networks as you go from lan A <-> Wireguard <-> lan B. Assuming you have set up lan and vpn zones, the Masquerade option must not be checked on any of those zones. The wan zone at A continues to need masquerade as in any IPv4 home router, but this will not affect the operation of the VPN tunnel since the "outer" encrypted packets can be NATd with no problem.
No. Unless you've set up masquerading/NAT while setting up wireguard then it's very unlikely to be involved here. The first step would be to establish the static route is working. The easiest way would be to use a device in network B and run traceroute (or similar) to an address in network A. You should see the traffic go to the network b router and then to the 'wireguard client'. If it isn't then the static route isn't working.
Again, no. If the traffic is getting to the wireguard peer but seemingly no further then it's probably an issue with the wireguard tunnel or the routing table on that device.
What's the wireguard config on the network B device? Is it running linux?
Though this probably isn't the problem here, your own address (192.168.9.2) should not be an allowed_ip. Allowed_ips are peer-specific IPs that you expect to see as the source IP in packets arriving from the peer. It is important when there are multiple peers that the various sets of allowed_ips do not overlap at all, or Wireguard will not work.
The next thing I would try is to run a packet capture on the wireguard tunnel at the A main router and see if any packets are being sent from B when you have a B endpoint try to ping an A LAN IP.
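
Added example, not part of any post in this thread: a small Python check for the two allowed_ips conditions named in the last post (a peer entry equal to the interface's own address, and allowed_ips sets that overlap between peers). It assumes a wg-quick style config file; the sample config is constructed, reusing 192.168.9.2 and 192.168.2.0/24 from the thread, while the keys and the second peer are placeholders.

```python
import ipaddress

# Constructed sample (wg-quick style). 192.168.9.2 and 192.168.2.0/24 appear in
# the thread; the keys and the second peer are placeholders for illustration.
SAMPLE = """
[Interface]
Address = 192.168.9.2/24
[Peer]
PublicKey = <placeholder-1>
AllowedIPs = 192.168.9.2/32, 192.168.2.0/24
[Peer]
PublicKey = <placeholder-2>
AllowedIPs = 192.168.2.128/25
"""

def parse(text):
    """Return (interface addresses, [[peer label, [allowed networks]], ...])."""
    own, peers, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([f"peer{len(peers) + 1}", []])
            continue
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.strip().lower() == "address":
            own += [ipaddress.ip_interface(v) for v in items]
        elif section == "peer" and key.strip().lower() == "allowedips":
            peers[-1][1] += [ipaddress.ip_network(v, strict=False) for v in items]
    return own, peers

def check(text):
    """Findings per the thread's rule: own address as AllowedIPs, peer overlaps."""
    own, peers = parse(text)
    findings = []
    for name, nets in peers:
        for net in nets:
            if any(net.num_addresses == 1 and i.ip in net for i in own):
                findings.append(("own-address", name, str(net)))
    for n, (a_name, a_nets) in enumerate(peers):
        for b_name, b_nets in peers[n + 1:]:
            findings += [("overlap", a_name, b_name, str(a), str(b))
                         for a in a_nets for b in b_nets if a.overlaps(b)]
    return findings

print(check(SAMPLE))
```

Peers are labelled in file order (peer1, peer2, ...) so that key material never has to appear in the output.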