This guide is about accessing peer A’s local network from peer B.
Requirements
- An already set-up WireGuard network
- iptables installed
If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.

Configs
Server’s config
[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820
[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24
[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32
Notice the PostUp and PostDown commands. You might have to change eth0 to suit your needs.
Peer A client config
[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
ListenPort = 123123
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
In my case, peer A is a Raspberry Pi connected to the network wirelessly, hence the wlan0 in the PostUp and PostDown commands.
Note
PeerA must have net.ipv4.ip_forward = 1 in kernel parameters.
To do that at runtime, run sudo sysctl net.ipv4.ip_forward=1. For a permanent solution, edit /etc/sysctl.conf with net.ipv4.ip_forward=1.
Peer B client config
[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24
[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25
Results
This way if peer B pings 192.168.1.1, the traffic is routed through 10.10.1.3 then to 10.10.1.1 and then to 192.168.1.1 as we wanted.
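The path above follows from WireGuard using AllowedIPs both to pick the outbound peer and to filter the source address of inbound packets. The Python below is an added example, not part of the original guide: it traces one packet over the [Peer] sections of the three configs on this page. The "#server" labels, the ADDR table and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: [Peer] sections of this page's three configs, keys omitted.
# The "#server" labels and the ADDR table are added so the trace can name each hop.
CONFIGS = {
    "server": "[Peer]\n#PeerA\nAllowedIPs = 10.10.1.1/32, 192.168.1.0/24\n"
              "[Peer]\n#PeerB\nAllowedIPs = 10.10.1.2/32\n",
    "PeerA": "[Peer]\n#server\nAllowedIPs = 10.10.1.0/24\n",
    "PeerB": "[Peer]\n#server\nAllowedIPs = 10.10.1.0/24, 192.168.1.0/24\n",
}
ADDR = {"server": "10.10.1.3", "PeerA": "10.10.1.1", "PeerB": "10.10.1.2"}

def parse_peers(conf):
    """Map each [Peer] label (the comment under it) to its AllowedIPs networks."""
    peers, label = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if line.lower() == "[peer]":
            label = f"peer{len(peers) + 1}"  # fallback name when no comment follows
        elif line.startswith("["):
            label = None
        elif line.startswith("#") and label and label not in peers:
            label = line.lstrip("# ") or label
        elif label and line.lower().startswith("allowedips"):
            nets = line.split("=", 1)[1].split(",")
            peers[label] = [ipaddress.ip_network(n.strip(), strict=False) for n in nets]
    return peers

def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs match dst most specifically, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, p) for p, nets in peers.items() for n in nets if ip in n]
    return max(hits)[1] if hits else None

def trace(configs, node, src, dst):
    """Follow one packet through the tunnel; return (hops, why it stopped)."""
    tables = {name: parse_peers(text) for name, text in configs.items()}
    hops = [node]
    while len(hops) <= len(tables):
        if ADDR[node] == dst:
            return hops, "delivered"
        nxt = select_peer(tables[node], dst)
        if nxt is None:
            return hops, "leaves tunnel"  # handed to this node's normal routing/NAT
        hops.append(nxt)
        # Inbound: receiver drops a packet whose source is outside the sender's AllowedIPs.
        allowed = tables.get(nxt, {}).get(node, [])
        if not any(ipaddress.ip_address(src) in n for n in allowed):
            return hops, "dropped: source not allowed"
        node = nxt
    return hops, "loop"
```

Calling trace(CONFIGS, "PeerB", "10.10.1.2", "192.168.1.1") stops at PeerA with "leaves tunnel", which is the point where PeerA's ip_forward setting and iptables rules take over. Removing 192.168.1.0/24 from the server's PeerA entry makes the same packet leave the tunnel at the server instead, and replies from the LAN are dropped there.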
Doing a mtr 192.168.1.1 from peer B:

Just wanted to say a very big: Thank you! This helped me quite a lot!
Thank you, Michael!
You’re welcome 🙂
A little follow-up: have not yet managed to wrap my head around those `iptables` rules, so your guide came in quite handy!
At home I am behind a DS-Lite-(https://en.wikipedia.org/wiki/IPv6_transition_mechanism)-Setup with no fixed public IPv4 (and no IPv6 support at my office) and was desperate for a solution!
Thank you very much !
I was just trying to set up exactly the same configuration but I got messed up with iptables rules. Following your clear and concise explanation allowed me to start from a fresh start.
Thank you, my man! These are the droids I’m looking for!
Can a single RaspberryPi be both the server and peerA? … I want to be able to VPN into my home network when I’m out and about. Can’t seem to figure out how to do this. Any help would be greatly appreciated.
Hello Andrew, the setup is quite similar and even simpler.
Have a look at this: https://gist.github.com/qdm12/35ab96d6be470ce7a4314722a55a1859
What is the difference then between your suggested setup and this one? What are some advantages for the one you present here?
Hello Bremoon, the difference is in the network setup.
On my post you get access to a peer’s local network, while on the setup that is linked above, you get access to the server’s local network.
Thanks!
Hello Andrew,
One question: I want the network to have two-way communication, e.g. I want the devices in the local network to be able to ping device B. Is that possible, and do you have any useful links?
Hello,
As far as I can tell this process includes NAT & masquerading setup.
Thanks a lot Michael! Very clear. But in my case I’m able to ping from Peer B, Peer A IP 192.168.1.223 but not the device IP 192.168.1.2 or 192.168.1.3. I can’t understand why. Thank you.