WireGuard: How to access a peer’s local network

  • Category: Tips

This guide is about accessing peer A’s local network from peer B.

Requirements

  • An already set-up WireGuard network
  • iptables installed

If you are not familiar with WireGuard’s configuration, head to the ArchWiki or WireGuard’s quickstart guide first.

[Network Figure 1: diagram of the server, peer A and peer B]

Configs

Server’s config

[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32

Notice the PostUp and PostDown commands: eth0 is the server’s outbound (non-WireGuard) interface, so change it to match your server.

Peer A client config

[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
# ListenPort must be in the range 1-65535 (the original value 123123 is not a valid port); it is optional for a peer that initiates the connection
ListenPort = <peer A's listen port>
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

In my case peer A is a Raspberry Pi connected wirelessly to the network, which is why the PostUp and PostDown commands use wlan0 instead of eth0.

Note

Peer A must have IP forwarding enabled in its kernel parameters (net.ipv4.ip_forward = 1).

To enable it at runtime, run sudo sysctl net.ipv4.ip_forward=1. To make it permanent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf.

Peer B client config

[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Results

This way, when peer B pings 192.168.1.1, the traffic goes to 10.10.1.3 (the server), which forwards it to 10.10.1.1 (peer A), which in turn forwards it to 192.168.1.1, as intended.
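To make that routing decision concrete, here is an added Python model (not part of the original post) that applies WireGuard’s cryptokey routing, i.e. longest AllowedIPs prefix match, to the three configs above and traces the hops from peer B to 192.168.1.1. The node names, the `forward` flag (standing in for net.ipv4.ip_forward) and the function names are my own; it also flags a prefix listed under two peers on the server, which wg quietly moves to the peer configured last.

```python
import ipaddress
# Constructed model of the three configs in this guide, reduced to the fields
# that decide where a packet goes. "forward" mirrors net.ipv4.ip_forward.
CONFIGS = {
    "peer_b": {"address": "10.10.1.2/24", "forward": False,
               "peers": {"server": ["10.10.1.0/24", "192.168.1.0/24"]}},
    "server": {"address": "10.10.1.3/24", "forward": True,
               "peers": {"peer_a": ["10.10.1.1/32", "192.168.1.0/24"],
                         "peer_b": ["10.10.1.2/32"]}},
    "peer_a": {"address": "10.10.1.1/24", "forward": True, "lan": "192.168.1.0/24",
               "peers": {"server": ["10.10.1.0/24"]}},
}

def select_peer(cfg, dst):
    """Cryptokey routing: longest AllowedIPs prefix containing dst picks the peer."""
    best = None
    for peer, allowed in cfg["peers"].items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None  # None: the kernel will not tunnel it

def owns(cfg, dst):
    """True if dst is this node's own tunnel address or on its local network."""
    return ipaddress.ip_interface(cfg["address"]).ip == dst or (
        "lan" in cfg and dst in ipaddress.ip_network(cfg["lan"]))

def trace(configs, src, dst):
    """Hops from src to the owner of dst; a final string entry says why it never arrived."""
    dst, path, node = ipaddress.ip_address(dst), [src], src
    while not owns(configs[node], dst):
        if node != src and not configs[node]["forward"]:
            return path + ["dropped: ip_forward=0"]  # the failure mode from the Note
        node = select_peer(configs[node], dst)
        if node is None or node in path:
            return path + ["no route"]
        path.append(node)
    return path

def allowed_ips_conflicts(cfg):
    """Same prefix under two peers: wg moves it to the peer configured last (silent reroute)."""
    seen, dup = {}, []
    for peer, allowed in cfg["peers"].items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if net in seen:
                dup.append((str(net), seen[net], peer))
            seen[net] = peer
    return dup
```

The model covers AllowedIPs and ip_forward only; the MASQUERADE rules that let replies from 192.168.1.1 find their way back are not simulated. Note also that peer A’s FORWARD rule only accepts the `-i wg0` direction, so replies coming in on wlan0 and leaving on wg0 depend on a default FORWARD policy of ACCEPT; on a host whose policy is DROP, a matching `-o wg0 -j ACCEPT` rule is needed too.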

Running mtr 192.168.1.1 from peer B:

[mtr result: screenshot of the trace from peer B to 192.168.1.1]

This Post Has 4 Comments

  1. Michael

    Just wanted to say a very big: Thank you! This helped me quite a lot!

    1. Ilias

      Thank you, Michael!

      1. Michael

        You’re welcome 🙂

        A little follow-up: I have not yet managed to wrap my head around those `iptables` rules, so your guide came in quite handy!

        At home I am behind a DS-Lite (https://en.wikipedia.org/wiki/IPv6_transition_mechanism) setup with no fixed public IPv4 (and no IPv6 support at my office) and was desperate for a solution!

  2. Polo

    Thank you very much!
    I was just trying to set up exactly the same configuration but got messed up with the iptables rules. Following your clear and concise explanation allowed me to make a fresh start.
