WireGuard: How to access a peer’s local network

  • Post Author:
  • Post Category:Tips
  • Post Comments:0 Comments

This guide is about accessing peer A’s local network from peer B.

Requirements

  • Already setup wireguard network
  • iptables installed

If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.

Network Figure
Network Figure 1

Configs

Server’s config

[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32

Notice the PostUp and PostDown commands. You might have to change eth0 to suit your needs.

Peer A client config

[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
ListenPort = 123123
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

Since in my occasion PeerA is a RPi connected wirelessly to the network, notice the wlan0 in PostUp and PostDown commands.

Note

PeerA must have net.ipv4.ip_forward = 1 in kernel parameters.

To do that at runtime pass sudo sysctl net.ipv4.ip_forward=1. For a permanent solution, edit /etc/sysctl.conf with net.ipv4.ip_forward=1.

Peer B client config

[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Results

This way if peer B pings 192.168.1.1, the traffic is routed through 10.10.1.3 then to 10.10.1.1 and then to 192.168.1.1 as we wanted.

Doing a mtr 192.168.1.1 from peer B:

mtr result
mtr result

Tags: ,

Leave a Reply