Another option instead of using the iptables rule is to create a network namespace and assign the wireguard interface to it.
ip netns add mesh ip link add wg0 type wireguard ip link set wg0 netns mesh ip -n mesh addr add x.x.x.x/24 dev wg0 ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf ip -n mesh link set wg0 up I prefer this because it isolates any mesh network routing and firewall configuration from that of the physical interfaces of the hub server. You don't have to worry about a routing or firewall misconfiguration on the hub leading to the traffic from the vpn network going on to the hub server's underlying network. Also if you want to provide a service to the VPN network from the server you can run the process in the mesh network namespace or inside a container with only an interface in the mesh namespace available to it. On Tue, Mar 13, 2018 at 1:35 PM, <condor+wireguard-mailingl...@mailbox.org> wrote: > Hi Gianluca, > >> I wonder if I need to copy/paste all peers' public key on all the other >> peers' configuration, or I can just configure each peer to connect to the >> server and then allow peers talking with other peers passing through this >> server? > > If you want each peer to have a 1:1 connection to each other peer, then – > yes. But to maintain such a mesh will be quite a bit of work… > > The easier solution should be to use the server as a hub. Make sure the > AllowedIPs on the “clients” permit the subnet IP range you will be using, > e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer > should reflect the single address (/32) you are setting as interface address > on the peer's side. > > To glue, add an iptables rule: > iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT > > > Kind regards, > Peter > > _______________________________________________ > WireGuard mailing list > WireGuard@lists.zx2c4.com > https://lists.zx2c4.com/mailman/listinfo/wireguard _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard