WireGuard: How to access a peer’s local network


This guide is about accessing peer A’s local network from peer B.

Requirements

  • An already set up WireGuard network (a server and the two peers)
  • iptables installed on the server and on peer A

If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.

Network Figure 1 (image: server 10.10.1.3, peer A 10.10.1.1 with LAN 192.168.1.0/24, peer B 10.10.1.2)

Configs

Server’s config

[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820
# Accept forwarding in and out of the tunnel interface (%i expands to its name, e.g. wg0).
# The MASQUERADE rule on eth0 only matters if peers should also reach the internet
# through this server; routing between peers works without it.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#PeerA
PublicKey = <peer A's public key>
# Listing peer A's LAN here makes the server route 192.168.1.0/24 to peer A
# and accept packets from that subnet only when they arrive from peer A.
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32

Notice the PostUp and PostDown commands. You might have to change eth0 to the name of the server's internet-facing interface. Be aware that, as written, these rules let any peer send traffic out of eth0 with NAT, so the server also acts as an internet gateway for its peers; if you only want peers to reach each other (and peer A's LAN), the MASQUERADE rule is not required.

Peer A client config

[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
# Optional for a client that only dials out to the server; if set it must be a valid UDP port (1-65535).
ListenPort = <peer A listen port>
DNS = 1.1.1.1
# Forward traffic arriving from the tunnel into the LAN and NAT it out of the
# LAN-facing interface (wlan0 here), so LAN hosts can reply without a route to 10.10.1.0/24.
# If the FORWARD chain's default policy is DROP, also accept the replies coming back:
#   iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
# Only the tunnel subnet goes through the server from peer A's point of view.
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

Since in my case peer A is a Raspberry Pi connected to its network over Wi-Fi, notice the wlan0 in the PostUp and PostDown commands; replace it with whatever interface faces your LAN.

Note

Peer A must have net.ipv4.ip_forward = 1 set in its kernel parameters. The server forwards packets between the two peers, so it needs the same setting.

To enable it at runtime, run sudo sysctl net.ipv4.ip_forward=1. To make it permanent, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.

Peer B client config

[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
# Both the tunnel subnet and peer A's LAN are sent into the tunnel towards the server.
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Results

This works because of WireGuard's cryptokey routing: peer B's AllowedIPs sends anything for 192.168.1.0/24 into the tunnel towards the server, the server's entry for peer A claims that subnet, so the server forwards the packet to peer A, and peer A forwards it onto its LAN. So if peer B pings 192.168.1.1, the traffic is routed through 10.10.1.3, then to 10.10.1.1 and then to 192.168.1.1, as we wanted.
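To make that routing logic concrete, here is an added example (not part of the original post, and not the WireGuard project's own code) that parses configs modelled on the three above and traces a packet hop by hop using the two cryptokey routing rules: on egress, pick the peer whose AllowedIPs has the longest prefix containing the destination; on ingress, drop a decrypted packet whose source address is not inside the sending peer's AllowedIPs. Keys (SERVER_PUB, PEER_A_PUB, PEER_B_PUB), the NODES topology and the "lans" attachment of peer A are constructed assumptions; it also assumes ip_forward=1 and the FORWARD rules from the guide on the server and peer A, and it does not touch a real wg interface.

```python
"""Trace a packet from peer B to peer A's LAN through the hub server by applying
WireGuard's cryptokey routing rules to configs modelled on the guide's.
Added example, not part of the original post: placeholder keys, trimmed configs,
constructed topology; nothing here touches a real wg interface."""
import ipaddress

SERVER_CONF = """[Interface]
Address = 10.10.1.3/24
ListenPort = 51820
[Peer]
PublicKey = PEER_A_PUB
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24
[Peer]
PublicKey = PEER_B_PUB
AllowedIPs = 10.10.1.2/32
"""
PEER_A_CONF = """[Interface]
Address = 10.10.1.1/24
ListenPort = 51821  # constructed value; the guide's 123123 exceeds 65535
[Peer]
PublicKey = SERVER_PUB
AllowedIPs = 10.10.1.0/24
"""
PEER_B_CONF = """[Interface]
Address = 10.10.1.2/24
[Peer]
PublicKey = SERVER_PUB
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
"""
# Constructed topology: each node's config, its public key and any LAN attached to it.
NODES = {
    "server": {"conf": SERVER_CONF, "pubkey": "SERVER_PUB", "lans": []},
    "peerA": {"conf": PEER_A_CONF, "pubkey": "PEER_A_PUB", "lans": ["192.168.1.0/24"]},
    "peerB": {"conf": PEER_B_CONF, "pubkey": "PEER_B_PUB", "lans": []},
}
LIST_KEYS = {"allowedips", "address", "dns"}

def parse_wg_conf(text):
    """Parse wg-quick style text into (interface, [peer, ...]): keys lower-cased,
    comma lists (and repeated AllowedIPs) merged, '#' starts a comment."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif line.startswith("[") or current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))  # base64 values contain '='
            if key.lower() in LIST_KEYS:
                current.setdefault(key.lower(), []).extend(v.strip() for v in value.split(","))
            else:
                current[key.lower()] = value
    port = int(interface.get("listenport", 51820))  # wg picks a random port when unset
    if not 1 <= port <= 65535:
        raise ValueError(f"ListenPort {port} is not a valid UDP port")
    return interface, peers

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def select_peer(peers, dst):
    """Egress rule: the peer whose AllowedIPs has the longest prefix containing dst, or None."""
    ip = ipaddress.ip_address(dst)
    matches = [(_net(c).prefixlen, i) for i, p in enumerate(peers)
               for c in p.get("allowedips", []) if ip in _net(c)]
    return peers[max(matches)[1]] if matches else None

def accepts_source(peer, src):
    """Ingress rule: a decrypted packet is dropped unless its source lies in the sender's AllowedIPs."""
    return any(ipaddress.ip_address(src) in _net(c) for c in peer.get("allowedips", []))

def trace(nodes, start, src, dst, max_hops=8):
    """Hops a packet src->dst takes from `start`: ends at the node owning dst,
    at 'lan:<dst>' when handed to an attached LAN, or at a 'DROP@...' reason."""
    parsed = {name: parse_wg_conf(n["conf"]) for name, n in nodes.items()}
    by_pubkey = {n["pubkey"]: name for name, n in nodes.items()}
    dst_ip, node, path = ipaddress.ip_address(dst), start, [start]
    for _ in range(max_hops):
        iface, peers = parsed[node]
        if any(dst_ip == ipaddress.ip_interface(a).ip for a in iface["address"]):
            return path
        if any(dst_ip in _net(lan) for lan in nodes[node]["lans"]):
            return path + [f"lan:{dst}"]
        peer = select_peer(peers, dst)
        nxt = by_pubkey.get(peer["publickey"]) if peer else None
        if nxt is None:
            return path + [f"DROP@{node}: no AllowedIPs entry routes {dst}"]
        # The receiver checks the packet's source against *its own* entry for the sender.
        entry = next((p for p in parsed[nxt][1] if p["publickey"] == nodes[node]["pubkey"]), None)
        if entry is None or not accepts_source(entry, src):
            return path + [f"DROP@{nxt}: source {src} not in AllowedIPs for {node}"]
        node, path = nxt, path + [nxt]
    return path + ["DROP: hop limit reached"]
```

trace(NODES, "peerB", "10.10.1.2", "192.168.1.1") yields peerB, server, peerA, lan:192.168.1.1, the path described above. Removing 192.168.1.0/24 from the server's entry for peer A makes the server drop the packet, and a packet from peer B with a forged source such as 10.10.1.5 is dropped at the server by the ingress rule, which is why AllowedIPs on the server should stay as narrow as the guide shows.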

Running mtr 192.168.1.1 from peer B:

mtr result (image)

This Post Has 7 Comments

  1. Michael

    Just wanted to say a very big: Thank you! This helped me quite a lot!

    1. Ilias

      Thank you, Michael!

      1. Michael

        You’re welcome 🙂

        A little follow-up: have not yet managed to wrap my head around those `iptables` rules, so your guide came quite handy!

        At home I am behind a DS-Lite (https://en.wikipedia.org/wiki/IPv6_transition_mechanism) setup with no fixed public IPv4 (and no IPv6 support at my office) and was desperate for a solution!

  2. Polo

    Thank you very much!
    I was just trying to set up exactly the same configuration but I got messed up with iptables rules. Following your clear and concise explanation allowed me to start from a fresh start.

  3. Petr

    Thank you, my man! These are the droids I’m looking for!

  4. Andrew

    Can a single RaspberryPi be both the server and peerA? … I want to be able to VPN into my home network when I’m out and about. Can’t seem to figure out how to do this. Any help would be greatly appreciated.
