WireGuard: How to Access a Peer’s Local Network
This is a guide about accessing peer A’s local network from peer B.
Requirements
- An already set-up WireGuard network
- iptables installed
If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.
Configs
Server’s config
```ini
[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820

[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32
```
Peer A client config
```ini
[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
# Optional for a client that dials out to the server; if set, it must be a port in the range 1-65535
ListenPort = <peer A's listen port>
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
```
Since in my case PeerA is an RPi connected wirelessly to the network, note the wlan0 in the PostUp and PostDown commands.
Note
PeerA must have net.ipv4.ip_forward = 1 in its kernel parameters, because it forwards packets between wg0 and the LAN. The server must have forwarding enabled as well, since it passes packets between the two peers. To enable it at runtime, run sudo sysctl net.ipv4.ip_forward=1. For a permanent setting, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.
Peer B client config
```ini
[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```
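As an added check that is not part of the original guide, the Python script below parses trimmed copies of the server and peer B configs above and verifies that the LAN prefix is carried by exactly one server-side peer (peer A) and is present in peer B's AllowedIPs; the key strings are the page's placeholders, and the configs are constructed copies.

```python
import ipaddress

# Constructed copies of the server and peer B configs above, trimmed to the keys that matter.
SERVER_CFG = """[Interface]
Address = 10.10.1.3/24
[Peer]
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24
[Peer]
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32
"""
PEER_B_CFG = """[Peer]
PublicKey = <server's public key>
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
"""

def parse_wg(text):
    """Split a wg-quick config into (section, {key: value}); repeated [Peer] sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def allowed_ips(peer):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]

def check_lan_route(server_cfg, peer_b_cfg, lan, peer_a_key):
    """Return findings (empty = consistent). On the server AllowedIPs is the cryptokey routing table:
    it picks the peer that receives packets for `lan` AND limits that peer's allowed source addresses."""
    lan, findings, routed_to_a = ipaddress.ip_network(lan), [], False
    for _, peer in [s for s in parse_wg(server_cfg) if s[0] == "Peer"]:
        key = peer.get("PublicKey", "?")
        for net in (n for n in allowed_ips(peer) if n.overlaps(lan)):
            if key == peer_a_key and net == lan:
                routed_to_a = True
            else:
                findings.append(f"server: {net} on {key} overlaps {lan}; that peer could receive or spoof LAN traffic")
    if not routed_to_a:
        findings.append(f"server: peer A's AllowedIPs must contain {lan}")
    client = [n for s, p in parse_wg(peer_b_cfg) if s == "Peer" for n in allowed_ips(p)]
    if not any(n.supernet_of(lan) for n in client):
        findings.append(f"peer B: AllowedIPs must include {lan}, otherwise wg-quick adds no route to it")
    return findings
```

Run it against your real files after substituting the placeholders; an empty list means the three configs agree on who owns 192.168.1.0/24.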
Results
This way, when peer B pings 192.168.1.1, the traffic goes from peer B to the server (10.10.1.3), then to peer A (10.10.1.1), which forwards it to 192.168.1.1, as we wanted. The 192.168.1.0/24 entry in the server's AllowedIPs for peer A is what makes the server hand packets for that range to peer A and accept replies from it with LAN source addresses; the same entry on peer B makes wg-quick add a route for the LAN through the tunnel.
Running mtr 192.168.1.1 from peer B: