WireGuard: How to Access a Peer’s Local Network

This is a guide about reaching peer A’s local network (192.168.1.0/24) from peer B, with both peers connected through a WireGuard server.

Requirements

  • An already set up WireGuard network (server, peer A and peer B can reach each other over the tunnel)
  • iptables installed on peer A

If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.

[Figure: WireGuard network diagram]

Configs

Server’s config

[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820

[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32

Peer A client config

[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
ListenPort = <peer A listen port>
DNS = 1.1.1.1
# Forward traffic arriving from the tunnel and NAT it behind the LAN-facing interface (wlan0 here)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

Since in my case peer A is a Raspberry Pi connected to the network over Wi-Fi, notice the wlan0 in the PostUp and PostDown commands: replace it with the name of the interface that faces your own LAN.

Note

Peer A must have IP forwarding enabled in the kernel, i.e. net.ipv4.ip_forward = 1; otherwise packets arriving on wg0 are dropped instead of being forwarded to the LAN.

To enable it at runtime, run sudo sysctl net.ipv4.ip_forward=1. For a permanent setting, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.

Peer B client config

[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Results

With these configs, when peer B pings 192.168.1.1 the packet goes to the server (10.10.1.3), which forwards it to peer A (10.10.1.1) because 192.168.1.0/24 is listed in peer A’s AllowedIPs, and peer A forwards it onto its LAN to 192.168.1.1 as we wanted. The MASQUERADE rule rewrites the source to peer A’s wlan0 address, so LAN hosts reply to peer A without needing a route back to 10.10.1.0/24. Keep in mind that the FORWARD rule accepts everything arriving on wg0, so any peer able to reach 10.10.1.1 over the tunnel can reach the LAN; add a -s match to the rule if only peer B should be allowed.
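
The routing above depends entirely on the AllowedIPs entries: a prefix listed under more than one peer is silently handed to the last peer in the file, and an out-of-range ListenPort makes wg refuse the whole config. The following script, added here as an example and not part of the original post, parses a config from stdin and flags both problems; PUBKEY_A, PUBKEY_B and SERVER_PRIVKEY are constructed stand-ins for real keys.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check a WireGuard config on stdin
# with POSIX sh + awk. PUBKEY_A etc. are constructed stand-ins for real keys.

# Flatten a config into "SECTION KEY VALUE" lines (comments and whitespace stripped).
wg_kv() {
    awk '{ sub(/#.*/, ""); gsub(/[ \t]/, "") }
         /^\[/ { section = $0; next }
         { eq = index($0, "="); if (eq) print section, substr($0, 1, eq - 1), substr($0, eq + 1) }'
}

# "PEER_PUBKEY PREFIX" for every AllowedIPs entry of every [Peer] section.
wg_allowed_ips() {
    wg_kv | awk '$1 == "[Peer]" && $2 == "PublicKey"  { peer = $3 }
                 $1 == "[Peer]" && $2 == "AllowedIPs" { n = split($3, c, ","); for (i = 1; i <= n; i++) print peer, c[i] }'
}

# Prefixes claimed by more than one peer. wg does not complain: the last peer to
# claim a prefix owns it, so the LAN route silently lands on the wrong peer.
wg_dup_allowed_ips() {
    wg_allowed_ips | awk '{ n[$2]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Peer the cryptokey routing table will actually use for PREFIX (last one wins).
wg_peer_for() {
    wg_allowed_ips | awk -v want="$1" '$2 == want { peer = $1 } END { if (peer != "") print peer }'
}

# ListenPort values wg rejects: non-numeric or outside 1..65535.
wg_bad_listen_ports() {
    wg_kv | awk '$2 == "ListenPort" && ($3 !~ /^[0-9]+$/ || $3 + 0 < 1 || $3 + 0 > 65535) { print $3 }'
}

# Constructed server config with a deliberate mistake: 192.168.1.0/24 is listed
# under both peers, so LAN traffic would be sent to peer B instead of peer A.
sample_server_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVKEY
ListenPort = 51820
[Peer]
PublicKey = PUBKEY_A
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24
[Peer]
PublicKey = PUBKEY_B
AllowedIPs = 10.10.1.2/32, 192.168.1.0/24
EOF
}

sample_server_conf | wg_dup_allowed_ips          # prints 192.168.1.0/24
sample_server_conf | wg_peer_for 192.168.1.0/24  # prints PUBKEY_B
```

Run it against a real file with `wg_dup_allowed_ips < /etc/wireguard/wg0.conf`; empty output from both checks means the cryptokey routing will do what the configs above intend.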

Running mtr 192.168.1.1 from peer B:

[Screenshot: mtr 192.168.1.1 output from peer B]