IPsec + WireGuard

I have a router in location A and an IPsec tunnel to a router in location B.

So basically all devices in B can see the subnet in A and all devices inside that subnet.

I also run a WireGuard server on A; is it possible to initiate a WireGuard client connection from a client within subnet B to A? I mean, I can do that, but the speed degrades rapidly. Maybe some conflict and duplicate packets, etc.?

The reason I wanted the WireGuard connection is so that a specific device acts on the internet with the public IP of location A.
The IPsec tunnel works fine, but clients expose the public IP of location B.


If you change the encryption domain on both peers to be on router A, I don't see why not. However, it would be much easier with WireGuard on both ends.

I don't understand your comment at all.

What I am saying here is that I already have an IPsec tunnel between A and B,
and opening a WireGuard connection is like a tunnel inside a tunnel... and that might be the issue...

What's an encryption domain?

Sorry, I did not understand the question properly.
You can have a tunnel within a tunnel. However, you'll need to adjust the MTU to fit.
The encryption domain is the interesting traffic that gets encrypted when going through the IPsec tunnel.

I think you're saying you want to run WireGuard on one of the endpoints at site B and have that one endpoint tunnel all of its Internet use through site A.

This could be done without tunnel-in-tunnel by simply having that WireGuard client send encrypted packets directly to A's public IP on another port, completely separate from IPsec.
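As an added example (not code from anyone in this thread), the following Python planner covers the two points made in the replies above: it checks whether router B's IPsec encryption domain (its traffic selectors) would swallow the WireGuard client's UDP packets to A's public IP, which is exactly the tunnel-in-tunnel case, and if so it works out how far the wg interface MTU has to drop once ESP and WireGuard overhead are stacked on one 1500-byte path. The subnets, the endpoint 203.0.113.10:51820 and the key placeholders are assumptions made up for the example; the ESP overhead figures are for tunnel-mode AES-GCM-16 over IPv4 (RFC 4303/4106), with NAT-T and a CBC variant selectable.

```python
"""Plan a WireGuard client at site B whose endpoint is router A's public IP,
next to (or inside) an existing site-to-site IPsec tunnel.

Added example for this thread, not code from the original posts.
All addresses, ports, keys and selector lists are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Per-layer overhead in bytes (RFC 4303 ESP, RFC 4106 AES-GCM, WireGuard data message).
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header; sits inside the padded region
WG_DATA_HDR = 16     # type/reserved (4) + receiver index (4) + counter (8)
WG_TAG = 16          # Poly1305 tag


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 8        # AES-GCM: 8-byte IV; AES-CBC would be 16
    icv_len: int = 16      # AES-GCM-16 / HMAC-SHA256-128
    align: int = 4         # ESP requires (payload + pad + trailer) % 4 == 0; CBC needs 16
    nat_t: bool = False    # UDP encapsulation adds one UDP header
    ipv6_outer: bool = False


def esp_inner_limit(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner IP packet that fits one ESP tunnel-mode packet of outer_mtu bytes."""
    fixed = (IPV6_HDR if p.ipv6_outer else IPV4_HDR) + ESP_HDR + p.iv_len + p.icv_len
    if p.nat_t:
        fixed += UDP_HDR
    padded_room = (outer_mtu - fixed) // p.align * p.align  # payload + pad + trailer
    return padded_room - ESP_TRAILER


def wg_inner_limit(outer_mtu: int, ipv6_outer: bool = False) -> int:
    """Largest packet a wg interface can carry for a given path MTU.

    WireGuard pads plaintext to a 16-byte multiple but never beyond the interface
    MTU, so a full-size packet is not padded: only the fixed 60 (IPv4) or 80 (IPv6)
    bytes of outer IP + UDP + data header + tag have to be subtracted.
    """
    return outer_mtu - (IPV6_HDR if ipv6_outer else IPV4_HDR) - UDP_HDR - WG_DATA_HDR - WG_TAG


def in_encryption_domain(selectors, src: str, dst: str) -> bool:
    """True if router B's IPsec policy (local, remote) selectors would grab src -> dst.

    That is the tunnel-in-tunnel case: the WireGuard UDP flow gets ESP-wrapped.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(local, strict=False)
        and d in ipaddress.ip_network(remote, strict=False)
        for local, remote in selectors
    )


def plan_wg_mtu(selectors, client_ip, endpoint_ip, path_mtu=1500, esp=EspParams()):
    """Return (nested, mtu): whether the flow nests inside IPsec and the wg MTU to set."""
    nested = in_encryption_domain(selectors, client_ip, endpoint_ip)
    budget = esp_inner_limit(path_mtu, esp) if nested else path_mtu
    return nested, wg_inner_limit(budget)


def render_client_conf(tunnel_addr, endpoint_ip, endpoint_port, mtu):
    """wg-quick style client config; keys are placeholders, not real material."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = <client-private-key>",
        f"Address = {tunnel_addr}",
        f"MTU = {mtu}",
        "",
        "[Peer]",
        "PublicKey = <server-public-key>",
        f"Endpoint = {endpoint_ip}:{endpoint_port}",
        "# 0.0.0.0/0 so the device egresses to the internet with A's public IP",
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # Constructed sample: site B is 192.168.2.0/24, site A is 192.168.1.0/24,
    # router A's public address is 203.0.113.10 (documentation range).
    client, endpoint = "192.168.2.50", "203.0.113.10"
    lan_only = [("192.168.2.0/24", "192.168.1.0/24")]   # classic site-to-site policy
    catch_all = [("192.168.2.0/24", "0.0.0.0/0")]       # B sends everything via A
    for name, selectors in (("LAN-to-LAN", lan_only), ("catch-all", catch_all)):
        nested, mtu = plan_wg_mtu(selectors, client, endpoint)
        print(f"{name}: nested={nested} -> wg MTU {mtu}")
    print(render_client_conf("10.0.0.2/32", endpoint, 51820,
                             plan_wg_mtu(catch_all, client, endpoint)[1]))
```

With LAN-to-LAN selectors the WireGuard flow never enters IPsec and the usual 1440 (IPv4) or WireGuard's IPv6-safe default of 1420 is fine. With a catch-all selector the same flow is ESP-wrapped and the wg MTU has to come down to 1386 (1378 with NAT-T or AES-CBC), so at the default 1420 every full-size packet is fragmented inside the ESP tunnel, which is one plausible cause of the throughput collapse described. On router B, `ip xfrm policy show` lists the live selectors, and `ping -M do -s <size>` from the client through the wg interface confirms the chosen MTU before trusting it.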

That's how I do it. But it seems that tunnel-in-tunnel reduces up/down speed dramatically ;(