A simple question to Wireguard developers, since while asking for help in OpenWRT forum[1] I have been told that I am asking a thing that Wireguard cannot do, so I want to ask upstream if it is possible or not
Scenario: A = internet (WAN) host (WireGuard IP 10.1.1.3) B = OpenWRT router (WireGuard IP 10.1.1.1) C = LAN host (WireGuard IP 10.1.1.2) I want to: 1) connect A to C passing through B. I don't want to expose C to internet at all, (so no things like port forwarding) 2) A must have C public key (and viceversa), so in case of B being compromised, the A<->C VPN will not be compromised. In a few words, I want B to just route forwards packages from A to C. I have been told: ===== In your scenario A is not connected to C. Having peer entries for A and C at each end are completely pointless because they're not doing anything. The keys you have in those entries will only ever be used if A and C are connected directly. As long as you have B in the middle then packets will be sent from A (or C) to B which will decrypt then with the appropriate public key. B will then re-encrypt them with it's own private key before sending them on to C (or A). If you don't want that to happen then you'll need to connect A and C directly. ===== What do you think about? For information completeness, below I attach the configuration of the three hosts In past I had a similar configuration with 3 Fedora/CentOS machines, where A had just the B public key and I could connect to C because in A configuration, the allowed IPs of B had a /24 mask. Now I would like to setup a more strict configuration Thank you for your time [1]: https://forum.openwrt.org/t/wireguard-connecting-hosts-wan-lan/ **Host A - WireGuard configuration file (Fedora)** ``` [Interface] Address = 10.1.1.3/24 PrivateKey = censored ListenPort = 51820 # Host B [Peer] PublicKey = censored Endpoint = tom.foo.bar:51820 AllowedIPs = 10.1.1.1/32 # Host C [Peer] PublicKey = censored AllowedIPs = 10.1.1.2/32 ``` **Host B - OpenWRT /etc/config/network configuration file** ``` root@OpenWrt:/etc# cat config/network config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' option ula_prefix 'censored::/48' config interface 'lan' option type 'bridge' option ifname 'eth0.1' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' option ip6assign '60' config interface 'wan' option ifname 'eth0.2' option proto 'pppoe' option username 'censored' option password 'censored' option ipv6 'auto' config device 'wan_dev' option name 'eth0.2' option macaddr 'censored' config interface 'wan6' option ifname 'eth0.2' option proto 'dhcpv6' config switch option name 'switch0' option reset '1' option enable_vlan '1' config switch_vlan option device 'switch0' option vlan '1' option ports '2 3 4 5 0t' config switch_vlan option device 'switch0' option vlan '2' option ports '1 0t' config interface 'wg0' option proto 'wireguard' option private_key 'censored' option listen_port '51820' option route_allowed_ips '1' list addresses '10.1.1.1/24' # Host A config wireguard_wg0 'wg_client_host_A' option public_key 'censored' list allowed_ips '10.1.1.3/32' # Host C config wireguard_wg0 'wg_client_host_C' option public_key 'censored' list allowed_ips '10.1.1.2/32' ``` **Host C - WireGuard configuration file (CentOS)** ``` [Interface] Address = 10.1.1.2/24 ListenPort = 51820 PrivateKey = censored # Host B [Peer] PublicKey = censored Endpoint = 192.168.1.1:51820 AllowedIPs = 10.1.1.1/32 # Host A [Peer] PublicKey = censored AllowedIPs = 10.1.1.3/32 ```