WireGuard: How to access a peer’s local network

This guide is about accessing peer A’s local network from peer B.

Requirements

  • An already working WireGuard network (server and both peers can reach each other over the tunnel)
  • iptables installed on the server and on peer A

If you are not familiar with WireGuard’s configuration, head to ArchWiki or WireGuard’s quickstart guide.

Network Figure 1

Configs

Server’s config

[Interface]
PrivateKey = <server's private key>
Address = 10.10.1.3/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#PeerA
PublicKey = <peer A's public key>
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = <peer B's public key>
AllowedIPs = 10.10.1.2/32

Notice the PostUp and PostDown commands: they accept forwarded traffic entering and leaving the WireGuard interface (%i) and masquerade traffic that leaves through eth0. Replace eth0 with the server's actual outbound interface.

Peer A client config

[Interface]
Address = 10.10.1.1/24
PrivateKey = <peer A private key>
ListenPort = 123123
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

In my case peer A is a Raspberry Pi connected to the network over Wi-Fi, hence the wlan0 in the PostUp and PostDown commands; use the interface that faces your LAN. Note that this config only accepts forwarding into wg0 (-i wg0), so replies coming back from the LAN rely on the FORWARD chain's default policy being ACCEPT; if yours is DROP, add an -o wg0 rule as in the server config. ListenPort is optional for a client behind NAT, and if you do set one it must be a valid UDP port number (at most 65535).

Note

Peer A must have IP forwarding enabled (net.ipv4.ip_forward = 1). The same applies to the server, which forwards packets between peer B and peer A.

To enable it at runtime, run sudo sysctl net.ipv4.ip_forward=1. To make it permanent, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.
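A quick way to confirm that a host actually has everything this guide relies on (forwarding enabled, the FORWARD accept rules, the masquerade rule) is to check an iptables-save dump together with the sysctl value. The script below is an added example and not part of the original post; it assumes peer A's interface names (wg0 and wlan0), takes the dump as text so it can be tested on a constructed sample, and the check_live helper runs it against the real host (iptables-save needs root).

```shell
#!/bin/sh
# Added example, not from the original post: verify that a host has the pieces
# this guide relies on to forward tunnel traffic into its LAN. It inspects an
# iptables-save dump plus the ip_forward sysctl value, so it works on a saved
# dump as well as live. Interface names default to peer A's (wg0, wlan0).
set -eu

# has_rule DUMP RULE: true if RULE appears verbatim as one line of DUMP
# (iptables-save prints rules in a canonical form, so an exact match is enough).
has_rule() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_forwarding DUMP WG_IF LAN_IF IP_FORWARD
#   DUMP       text of `iptables-save`
#   IP_FORWARD contents of /proc/sys/net/ipv4/ip_forward
# Prints one line per finding; returns the number of problems (0 = all good).
check_forwarding() {
  local dump="$1" wg_if="$2" lan_if="$3" ip_forward="$4" problems=0 rule policy_drop=0
  if [ "$ip_forward" != 1 ]; then
    echo "PROBLEM: net.ipv4.ip_forward=$ip_forward, kernel will not route between $wg_if and $lan_if"
    problems=$((problems + 1))
  fi
  # The two rules that are always needed: traffic from the tunnel may be
  # forwarded, and traffic leaving towards the LAN is masqueraded.
  for rule in "-A FORWARD -i $wg_if -j ACCEPT" "-A POSTROUTING -o $lan_if -j MASQUERADE"; do
    has_rule "$dump" "$rule" || { echo "MISSING: $rule"; problems=$((problems + 1)); }
  done
  # Replies from the LAN go out through the tunnel; peer A's config above has
  # no "-o wg0" rule, so it depends on the FORWARD policy staying ACCEPT.
  if printf '%s\n' "$dump" | grep -q -- '^:FORWARD DROP '; then policy_drop=1; fi
  if ! has_rule "$dump" "-A FORWARD -o $wg_if -j ACCEPT"; then
    if [ "$policy_drop" -eq 1 ]; then
      echo "MISSING: -A FORWARD -o $wg_if -j ACCEPT (FORWARD policy is DROP, LAN replies are dropped)"
      problems=$((problems + 1))
    else
      echo "NOTE: no -A FORWARD -o $wg_if -j ACCEPT rule; replies rely on the FORWARD policy staying ACCEPT"
    fi
  fi
  echo "$problems problem(s) found"
  return "$problems"
}

# Run against the live host (needs root for iptables-save).
check_live() {
  check_forwarding "$(iptables-save)" "${1:-wg0}" "${2:-wlan0}" \
                   "$(cat /proc/sys/net/ipv4/ip_forward)"
}

# Constructed sample dumps (not captured from a real host).
GOOD_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
COMMIT
EOF
)
BAD_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
EOF
)

echo "== constructed good dump =="; check_forwarding "$GOOD_DUMP" wg0 wlan0 1 || true
echo "== constructed bad dump ==";  check_forwarding "$BAD_DUMP"  wg0 wlan0 0 || true
```

An exact line match can still be fooled by an earlier DROP rule in the same chain that shadows the ACCEPT, so treat a clean result as "the rules this guide adds are present", not as proof that nothing else in the ruleset interferes.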

Peer B client config

[Interface]
PrivateKey = <peer B private key>
Address = 10.10.1.2/24

[Peer]
PublicKey = <server's public key>
Endpoint = <server's IP/domain>:51820
AllowedIPs = 10.10.1.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Results

This way, when peer B pings 192.168.1.1, the traffic goes to the server (10.10.1.3), which forwards it to peer A (10.10.1.1), which in turn forwards it on to 192.168.1.1, as we wanted. Because peer A masquerades what it sends out of wlan0, 192.168.1.1 sees peer A's LAN address as the source and replies to it, and peer A sends the reply back through the tunnel.
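The reason this works is WireGuard's cryptokey routing: for an outgoing packet the interface picks the peer whose AllowedIPs contains the longest prefix matching the destination, and for an incoming packet it only accepts the packet if its source address is in that peer's AllowedIPs. That is why the server lists 192.168.1.0/24 under peer A and peer B lists it under the server. The script below is an added example, not part of the original post, that applies this longest-prefix rule to the server config above (copied with placeholder keys) so you can see which peer a given destination ends up at.

```shell
#!/bin/sh
# Added example, not from the original post: resolve which peer WireGuard's
# cryptokey routing would pick for a destination address, using the rule the
# kernel applies: longest matching prefix over every AllowedIPs entry.
# Peer names come from the "#Name" comment inside each [Peer] block, as in the
# server config above.
set -eu

# Dotted-quad IPv4 -> unsigned 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# wg_lookup CONFIG DEST: print the name of the peer whose AllowedIPs holds the
# longest prefix containing DEST. Prints "none" and returns 1 if no peer
# matches (the kernel drops such a packet instead of sending it anywhere).
wg_lookup() {
  local config="$1" dst_int best_len=-1 best_peer=none
  local peer="" line value cidr net net_int len mask
  dst_int=$(ip2int "$2")
  while read -r line; do
    case "$line" in
      "[Interface]") peer="" ;;
      "[Peer]")      peer=unnamed ;;
      "#"*)          if [ -n "$peer" ]; then peer="${line#\#}"; fi ;;
      AllowedIPs*)
        value="${line#*=}"
        IFS=', '; set -- $value; unset IFS      # split the comma-separated list
        for cidr in "$@"; do
          case "$cidr" in *:*) continue ;; esac   # IPv4 only in this example
          net="${cidr%/*}"
          len="${cidr#*/}"
          if [ "$len" = "$cidr" ]; then len=32; fi   # bare address means /32
          if [ "$len" -eq 0 ]; then mask=0
          else mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF )); fi
          net_int=$(ip2int "$net")
          # Longest prefix wins; a later entry with the same length does not.
          if [ $(( ($dst_int & $mask) == ($net_int & $mask) )) -eq 1 ] \
             && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_peer=$peer
          fi
        done ;;
    esac
  done <<EOF
$config
EOF
  echo "$best_peer"
  [ "$best_peer" != none ]
}

# The server config from the guide, with placeholder keys (constructed sample).
SERVER_CONF=$(cat <<'EOF'
[Interface]
PrivateKey = placeholder-server-private-key
Address = 10.10.1.3/24
ListenPort = 51820

[Peer]
#PeerA
PublicKey = placeholder-peer-a-public-key
AllowedIPs = 10.10.1.1/32, 192.168.1.0/24

[Peer]
#PeerB
PublicKey = placeholder-peer-b-public-key
AllowedIPs = 10.10.1.2/32
EOF
)

for dst in 192.168.1.1 10.10.1.2 8.8.8.8; do
  printf '%-12s -> %s\n' "$dst" "$(wg_lookup "$SERVER_CONF" "$dst" || true)"
done
```

On the server 192.168.1.1 resolves to PeerA and 10.10.1.2 to PeerB, while 8.8.8.8 matches nobody and is dropped, which is exactly what happens on the wire: wg-quick also installs a kernel route for every AllowedIPs prefix, so on peer B the route table and the cryptokey table agree that 192.168.1.0/24 goes into the tunnel.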

Running mtr 192.168.1.1 from peer B:

mtr result

Comments

  1. Michael

    Just wanted to say a very big: Thank you! This helped me quite a lot!

    1. Ilias

      Thank you, Michael!

      1. Michael

        You’re welcome 🙂

        A little follow-up: have not yet managed to wrap my head around those `iptables` rules, so your guide came quite handy!

        At home I am behind a DS-Lite (https://en.wikipedia.org/wiki/IPv6_transition_mechanism) setup with no fixed public IPv4 (and no IPv6 support at my office) and was desperate for a solution!

  2. Polo

    Thank you very much!
    I was just trying to set up exactly the same configuration but I got messed up with iptables rules. Following your clear and concise explanation allowed me to start from a fresh start.

  3. Petr

    Thank you, my man! These are the droids I’m looking for!

  4. Andrew

    Can a single RaspberryPi be both the server and peerA? … I want to be able to VPN into my home network when I’m out and about. Can’t seem to figure out how to do this. Any help would be greatly appreciated.

      1. Bremoon

        What is the difference then between your suggested setup and this one? What are some advantages for the one you present here?

        1. Ilias

          Hello Bremoon, the difference is in the network setup.
          In my post you get access to a peer’s local network, while in the setup that is linked above, you get access to the server’s local network.

  5. Andrew

    Thanks!

  6. MisoPiso

    Hello Andrew,
    One question: I want the network to have two-way communication, e.g. I want the devices in the local network to be able to ping device B. Is that possible, and do you have any useful links?

    1. Ilias

      Hello,
      As far as I can tell this process includes NAT & masquerading setup.
