I understand that wireguard doesn't really have a concept of client vs server, but they seem to be separate on the documentation for openwrt. I have three nodes relevant to this setup. I want A to reach node C and its wireguard network, but A cannot access C, so I want to use an openwrt device at node B which A can access. That device should relay traffic from A (as server) to C (as client to the other openwrt at C).
Can I simply set up two interfaces on the same subnet? Or is there something else I need to do?
Create a wg link from A to B, and B to C.
Each link with its own peer link address/subnet.
Be more specific please.
We call that routing.
Just as an example:
You have (non-overlapping) subnets on each site, and you have dedicated subnets on your WG links.
You ensure that all routes are set up on A, B, and C. Again, that's just routing. Every "router" needs to have a route to know where to forward traffic to.[1]
This can be done with static routing and standard wireguard functions (like auto add routes for allowed IPs).
Ensure your wg interfaces are assigned to a firewall zone and you set up corresponding "firewall forwarding rules".
[1] That's also why mankind invented dynamic routing protocols because static routes suck especially in dynamic environments.
Create a wg link from A to B, and B to C.
Each link with its own peer link address/subnet.
Can I have them be on the same subnet? From what I know about wireguard it should be able to support this. I would prefer having a single network with a site-to-site topology using wireguard's features rather than separate networks with routing. I'm mainly concerned about the setup at B, and luci doesn't seem to allow me to add a second wireguard interface there.
On a standard linux box, I would just do the following.
Allow ip forwarding
Set up a wireguard peer interface at B with A and C as peers.
Set up another wireguard peer at C, with endpoint set to B rather than A.
If that is not possible and you want a Man in the Middle (B) to relay traffic, that is a hub-and-spoke setup.
You set up B as a standard "server" with two peers (A and C).
A and C have their firewall set up as a "server" and each peer has the subnets of the other two routers.
I have this setup; see my notes:
You need the Server setup guide which has a paragraph about this.
If you are interested, be sure to download the guide, as GitHub only shows the first 5 pages.
Who told you this? Wireguard is a tunnel. It has no concept of Layer-3. Everything with wireguard is layer-3. So we talk about routing of IP packets here.
This just doesn't rhyme. I do not want to offend you, but are you sure you understand how IP routing works?
I doubt that.
Did you try to configure it via /etc/config/network, then?
If you have more than 2 peers on a single interface you cannot do routing. Or let's say it's getting ridiculously complicated and error prone. If you want to do routing, then use point-to-point tunnel links with only two peers.
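The hub-and-spoke layout described in this thread (B with A and C as peers, A and C each listing the other sites' subnets), modelled as an added example that is not from any poster: it applies WireGuard's AllowedIPs rules (longest-prefix peer selection outbound, source check inbound) to show where a packet from A to C is relayed or dropped. All addresses, `NODES`, and the function names are constructed for illustration, and B is assumed to have IP forwarding and a firewall forwarding rule in place.

```python
import ipaddress as ip

# Constructed sample topology: one shared tunnel subnet 10.0.0.0/24, B is the hub.
# "local" = addresses the node owns; "peers" = AllowedIPs configured per peer.
NODES = {
    "A": {"local": ["10.0.0.2/32", "192.168.1.0/24"],
          "peers": {"B": ["10.0.0.0/24", "192.168.2.0/24", "192.168.3.0/24"]}},
    "B": {"local": ["10.0.0.1/32", "192.168.2.0/24"],
          "peers": {"A": ["10.0.0.2/32", "192.168.1.0/24"],
                    "C": ["10.0.0.3/32", "192.168.3.0/24"]}},
    "C": {"local": ["10.0.0.3/32", "192.168.3.0/24"],
          "peers": {"B": ["10.0.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]}},
}

def covering(addr, cidrs):
    """Prefix lengths of every CIDR in cidrs that contains addr."""
    return [n.prefixlen for n in map(ip.ip_network, cidrs) if addr in n]

def pick_peer(node, dst):
    """Outbound: the peer whose AllowedIPs covers dst with the longest prefix."""
    best = None
    for name, allowed in node["peers"].items():
        for plen in covering(dst, allowed):
            if best is None or plen > best[0]:
                best = (plen, name)
    return best[1] if best else None

def trace(nodes, start, src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (path, verdict)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    path, here = [start], start
    for _ in range(max_hops):
        if covering(dst, nodes[here]["local"]):
            return path, "delivered"
        nxt = pick_peer(nodes[here], dst)
        if nxt is None:
            return path, "dropped: no peer allows destination"
        # Inbound: the receiver drops packets whose source is outside the
        # AllowedIPs it has configured for the sending peer.
        if not covering(src, nodes[nxt]["peers"].get(here, [])):
            return path + [nxt], "dropped: source not in AllowedIPs"
        path.append(nxt)
        here = nxt
    return path, "dropped: hop limit (routing loop)"
```

Removing a subnet from any one AllowedIPs list in `NODES` and re-running `trace` shows which side of the relay the packet is lost on.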