Wireguard - multiple sites

Need some advice on a set up with four machines communicating over wireguard. All wireguard interfaces are defined with /32 addresses, and all peers are set up with allowed IPs as /32s.

I would like A and other machines on the 192.168.1.* subnet to be able to connect to services on D through the B-D wireguard tunnel. B and D can ping each other's wireguard IPs successfully, but even though A (and other hosts on the LAN) use B as their default gateway, they cannot access any services on D.

D's wireguard config has AllowedIPs = 0.0.0.0/0 and I also tried including 192.168.1.0/24. B's wireguard config has D set up as a peer with its /32 IP address as an allowed IP. All machines have persistent keepalive enabled and are set up to route allowed IPs.

Also, I'm open to neater/cleaner configuration suggestions, especially when it comes to the addressing scheme. Some machines use policy-based routing so that only certain client IPs have their traffic routed through the relevant wireguard tunnel, and all other clients are routed directly to the internet.

Is this site to site or just a mesh of peers or a Frankenstein where you want to have both?

Site-to-site would be cleaner and easier. Also consider using OSPF as a dynamic routing protocol to avoid so much routing by hand, because it is far easier.


Until recently, there was no requirement for any connectivity outside the wireguard endpoints. Introducing the requirement for LAN machines to access services on D suggests site-to-site, so to answer your question, it's mostly point-to-point except for the LAN to D connection.

Since you have redundant paths to reach different networks, you'd need some more advanced routing there. For example a dynamic routing protocol.
It may work without a routing protocol, however there are certain limitations.
Some remarks are:

  1. Use of 0.0.0.0/0 in the allowed IPs together with "route allowed IPs" is not a good idea.
  2. Host D doesn't know where 192.168.1.0/24 is (verify its routing) or host B doesn't allow forwarding.
  3. There is a chance that you have multiple routing tables with the PBR that don't give you the expected results.
Post the following from all hosts to get an idea:
ip -4 addr; ip -4 ro list table all; ip -4 ru; uci show firewall
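As an added illustration of remarks 1 and 2 (not configs posted in this thread), here are D's peer entry for B as described versus a narrowed version, plus the matching B side, in wg-quick syntax. The tunnel addresses 10.0.0.1/32 (D) and 10.0.0.2/32 (B), the keys and the endpoint are placeholders; 192.168.1.0/24 is the LAN from the question. Each "file:" block is a separate wg0.conf.

```ini
# file: D wg0.conf, as described in the question
[Interface]
Address = 10.0.0.1/32
ListenPort = 51820
PrivateKey = <D_PRIVATE_KEY>

[Peer]
# B. 0.0.0.0/0 plus "route allowed IPs" makes D's default route point into
# the tunnel, so every non-local packet D emits is sent to B (remark 1).
PublicKey = <B_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# file: D wg0.conf, narrowed
[Interface]
Address = 10.0.0.1/32
ListenPort = 51820
PrivateKey = <D_PRIVATE_KEY>

[Peer]
# B. List only what may arrive from B: B's tunnel address and the LAN behind
# it. With "route allowed IPs" this also installs the route for
# 192.168.1.0/24 via wg0 on D, which is the route remark 2 asks to verify.
PublicKey = <B_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
PersistentKeepalive = 25

# file: B wg0.conf (B is the LAN's default gateway)
[Interface]
Address = 10.0.0.2/32
PrivateKey = <B_PRIVATE_KEY>
# B must forward between the LAN and wg0 (remark 2). On a plain Linux host
# wg-quick can enable it here; on OpenWrt this is a firewall zone/forwarding
# rule instead, which is what "uci show firewall" above would reveal.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# D. Only D's own tunnel address, and any LAN behind D if one is added later.
PublicKey = <D_PUBLIC_KEY>
Endpoint = <D_PUBLIC_HOST>:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
```

After bringing the interfaces up, `ip -4 ro list table all` on D should show 192.168.1.0/24 via wg0, and a ping from a LAN host to 10.0.0.1 traced with `tcpdump -i wg0` on B confirms the packets are actually being forwarded into the tunnel.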