Another option instead of using the iptables rule is to create a
and assign the wireguard interface to it.
ip netns add mesh
ip link add wg0 type wireguard
ip link set wg0 netns mesh
ip -n mesh addr add x.x.x.x/24 dev wg0
ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
ip -n mesh link set wg0 up
I prefer this because it isolates any mesh network routing and firewall
configuration from that of the physical interfaces of the hub server.
You don't have to
worry about a routing or firewall misconfiguration on the hub leading
to the traffic from
the vpn network going on to the hub server's underlying network.
Also if you want to provide a service to the VPN network from the
server you can run
the process in the mesh network namespace or inside a container with
only an interface
in the mesh namespace available to it.
On Tue, Mar 13, 2018 at 1:35 PM,
> Hi Gianluca,
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
> Kind regards,
> WireGuard mailing list
WireGuard mailing list