Wireguard: set up routing b/w multiple peers

Hello,

I have the following setup:

Right now devices on the local networks of the WG Client 1 and the Server can see each other. But when the Mobile Device (WG Client 2) gets connected to the Server, it can only see the Server's local network (192.168.1.1/24).

How do I set up routing b/w the WG Client 2 and the local network of the WG Client 1 (192.168.220.1/24)?

On a Wireguard interface with more than one peer, allowed_ips are critical.

The "outer" two devices have only one peer-- the server, and so their view of the server is that it can send any allowed IP to it, and it will always return any tunneled packet to the only peer that it has: the server. Often a road warrior tunnels to the whole Internet, so allowed_ips would be 0.0.0.0/0.

But on the server you have tunnels to two peers, and Wireguard's choice of which tunnel to send a packet through requires a nonoverlapping set of allowed_ips for the multiple peers.

If the outer peer is a router, allowed IPs (source IPs of packets that may arrive from that peer) are its tunnel address (10.0.1.2/32) and any LAN on that peer (192.168.220.0/24). Note that when the subnet is larger than 32, the IP specified must be the zero'th IP in that subnet. 192.168.220.1/24 is illegal as a network specifier or allowed IP.

If the outer peer is a road warrior, allowed_ips configured for it on the server should be only the road warrior's single /32 tunnel IP 10.0.1.3/32. All packets that it sends will originate from that IP and be returned to it.


What you're saying makes sense to me, thank you for the explanation.

Also, the original picture I sent was somewhat incorrect/incomplete. My apologies for that. Here is the corrected version (just double-checked the settings on all the peers):

And as I said above, devices on the 192.168.220.0/24 and 192.168.1.0/24 networks can see all devices in their peer's network.
The mobile device can connect to the WG server and also sees devices on the 192.168.1.0/24.

What I can't figure out is how to change the settings so that the mobile device could also see the 192.168.220.0 network (since the WG Client 1 is connected as a peer to the same server, I assume WG server should be able to route traffic b/w the mobile device and the WG Client 1 as well).

Suggestions are very welcome.

Apart from the WG config, your server needs to have IP forwarding enabled. My /etc/wireguard/wg0.conf on my server running Ubuntu Server looks like this:

[Interface]
Address = 172.27.66.253
ListenPort = 51820
PrivateKey = redacted
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -w net.ipv6.conf.all.forwarding=1

[Peer]
# Router 1
PublicKey = xxxx
AllowedIPs = 172.27.66.1/32,192.168.17.0/24,192.168.18.0/24,192.168.20.0/24

[Peer]
# Router 2
PublicKey = xxxxxxxxx
AllowedIPs = 172.27.66.254/32,192.168.177.0/24

[Peer]
# Router 3
PublicKey = 
AllowedIPs = 172.27.66.100/32,192.168.19.0/24

[Peer]
# Smartphone
PublicKey = xxxxxxxxx
AllowedIPs = 172.27.66.101/32

Note the PreUp calls to sysctl!

The first 3 peers are my routers at three different locations, each with its own subnet (or three subnets for router 1). The mobile client has the subnets configured as allowed_ips that it can have access to.


The peer tunnel IPs need to be in the same /24 that is defined on the tunnel, but a different /32 for each one. Declaring the /24 on the wireguard interface will place a route in the "hub" server's routing table that any time it sees a 10.0.1.0/24 it belongs to the wireguard tunnel. If you use 10.0.0.X for a peer the server has no idea where that packet came from.

Then in the server you also need a route 192.168.220.0/24 via wireguard interface. Technically the gateway is 10.0.1.2 but I don't think that is essential just get the packet into wireguard and the internal allowed_ip table will send it into the proper peer tunnel.

When a packet for 192.168.220.X arrives from the phone, it comes out of the wireguard tunnel into the server's main kernel routing table, which must then route it back into wireguard. In OpenWrt, the route_allowed_ips option installs such a route. If the server is not running OpenWrt you're on your own how to do that.
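An added model (not code from this thread or from WireGuard itself) of the two lookups described in the first reply and in the post above: the hub's cryptokey table built from the final server config, the strict-network check that rejects an entry like 192.168.220.1/24, and the kernel-route hop that route_allowed_ips supplies before the packet re-enters wg0. Peer names, HUB_PEERS and KERNEL_ROUTES are constructed for the example.

```python
import ipaddress

# Constructed from the thread's final server config: peer -> AllowedIPs.
HUB_PEERS = {"client1": ["10.0.1.2/32", "192.168.220.0/24"],
             "mobile": ["10.0.1.3/32"]}
# Constructed hub kernel routes: its LAN, plus what route_allowed_ips '1'
# (OpenWrt) or wg-quick install for the tunnel and the peers' subnets.
KERNEL_ROUTES = {"192.168.1.0/24": "br-lan", "10.0.1.0/24": "wg0",
                 "192.168.220.0/24": "wg0"}


def parse_allowed_ips(peers):
    """Build the cryptokey table; reject non-canonical entries such as
    192.168.220.1/24 (host bits set) and a prefix listed under two peers."""
    table = {}
    for name, cidrs in peers.items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as e:
                raise ValueError(f"{name}: {cidr}: {e}")
            if net in table:
                raise ValueError(f"{cidr} listed for both {table[net]} and {name}")
            table[net] = name
    return table


def longest_match(nets, addr):
    """Most specific network in `nets` containing addr, or None."""
    addr = ipaddress.ip_address(addr)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def select_peer(table, dst):
    """Outbound on wg0: the peer whose AllowedIPs best match dst, else None."""
    net = longest_match(table, dst)
    return table[net] if net else None


def hub_forward(table, routes, src_peer, src, dst):
    """One packet through the hub: inbound source check, kernel route lookup,
    then a second cryptokey lookup if the route points back at wg0."""
    if select_peer(table, src) != src_peer:
        return None                      # source not in src_peer's AllowedIPs
    kr = {ipaddress.ip_network(r): i for r, i in routes.items()}
    route = longest_match(kr, dst)
    if route is None:
        return None                      # no kernel route: packet is unreachable
    return select_peer(table, dst) if kr[route] == "wg0" else kr[route]
```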


My config posted above is from a Ubuntu Server. Apart from enabling IP forwarding, no additional configuration was required, the peers ended up in the kernel routing table automagically.
I somehow assumed that OP wasn't running OpenWrt on the server.


Got it. Thanks for breaking that down for me! I'll try and post the results.

My "WG Server" runs OpenWRT. But I appreciate your sharing that extra step - I learned something new.

In OpenWrt, being a routing-centric OS, IP forwarding is always enabled. There is no need to add any scripts to implement this use case, just standard UCI configuration.


After I made the correction you suggested, everything works exactly as I wanted.

Below are the corrected schema and peers' configs.

WG Server config:

config interface 'wg0'
        option proto 'wireguard'
        option private_key <REDACTED>
        option listen_port '<>'
        list addresses '10.0.1.1/24'

config wireguard_wg0
        option description 'network-share-tunnel'
        option route_allowed_ips '1'
        option public_key '<>'
        list allowed_ips '192.168.220.0/24'
        list allowed_ips '10.0.1.2/32'

config wireguard_wg0
        option public_key '<>'
        option description 'Mobile-tunnel'
        list allowed_ips '10.0.1.3/32'
        option route_allowed_ips '1'

Client 1 config:

[Interface]
PrivateKey = <REDACTED>
Address = 10.0.1.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <>
AllowedIPs = 192.168.1.0/24, 10.0.1.0/24
Endpoint = <WG_Server_IP>

Mobile device config:

[Interface]
PrivateKey = <REDACTED>
Address = 10.0.1.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = <>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <WG_Server_IP>

By the way, what is the best practice:

  1. Leave the Client 1's AllowedIPs = ..., 10.0.1.0/24 - catch-all for all the possible hosts on the 10.0.1.x.
  2. Set it explicitly to only allow the server and the mobile device: AllowedIPs = ..., 10.0.1.1/32, 10.0.1.3/32

?

