If you want A and C to communicate through B as a trusted intermediary for A and C's IPs, then your configs actually need to be:
=== Host A (Fedora 26) === # cat /etc/wireguard/wg0.conf [Interface] Address = 10.1.0.21/24 PrivateKey = *censored* [Peer] PublicKey = *censored* Endpoint = vpn.foo.xx:51820 # vpn.foo.xx is Host B AllowedIPs = 10.1.0.2/32, 10.1.0.22/32 === Host B (vpn.foo.xx) (CentOS 7) === ip forwarding active: net.ipv4.ip_forward = 1 # cat wg0.conf [Interface] Address = 10.1.0.2/24 ListenPort = 51820 PrivateKey = *censored* [Peer] PublicKey = *censored* AllowedIPs = 10.1.0.21/32 [Peer] PublicKey = *censored* AllowedIPs = 10.1.0.22/32 === Host C (CentOS 7) === # cat wg0.conf [Interface] Address = 10.1.0.22/24 ListenPort = 51820 PrivateKey = *censored* [Peer] PublicKey = *censored* Endpoint = 192.168.1.1:51820 AllowedIPs = 10.1.0.2/32, 10.1.0.21/32 Alternatively, since you're likely going to be doing this for many peers, you might be best off with this config instead: === Host A (Fedora 26) === # cat /etc/wireguard/wg0.conf [Interface] Address = 10.1.0.21/24 PrivateKey = *censored* [Peer] PublicKey = *censored* Endpoint = vpn.foo.xx:51820 # vpn.foo.xx is Host B AllowedIPs = 10.1.0.0/24 === Host B (vpn.foo.xx) (CentOS 7) === ip forwarding active: net.ipv4.ip_forward = 1 # cat wg0.conf [Interface] Address = 10.1.0.2/24 ListenPort = 51820 PrivateKey = *censored* [Peer] PublicKey = *censored* AllowedIPs = 10.1.0.21/32 [Peer] PublicKey = *censored* AllowedIPs = 10.1.0.22/32 === Host C (CentOS 7) === # cat wg0.conf [Interface] Address = 10.1.0.22/24 ListenPort = 51820 PrivateKey = *censored* [Peer] PublicKey = *censored* Endpoint = 192.168.1.1:51820 AllowedIPs = 10.1.0.0/24 _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard