On Wed, Oct 28, 2020 at 4:22 AM Samuel Holland <[email protected]> wrote:
>
> Hello,
>
> On 10/22/20 10:43 AM, Dashamir Hoxha wrote:
> > I have created a network as shown in this diagram:
> > https://cloud.flossk.org/s/ZsLtNLsxmo8rxPD
> >
> > The red arrows show the WG connections. Only the server has a public IP.
> > From client1 I can ping to the internet and also to client4: `ping 192.168.0.3`
> > However I cannot ping to the LAN IP of client4: `ping 172.26.0.2`
> >
> > My ultimate goal is to be able to ping from client2 on LAN1 to client5 on LAN2
> > (both of which have no WG configuration and interface), routing through
> > the WG network (client1 --> server <-- client4).
> >
> > Is this possible? I think that it should work, with proper routing,
> > but I am not able to figure out the proper configurations. Has anybody tried
> > something like this? Do you have any suggestions or advice?
>
> Yes, this is possible. You need:
> - LAN1 needs to be in the AllowedIPs for client1 on the server
> - LAN2 needs to be in the AllowedIPs for client4 on the server
Thanks Samuel. Actually I figured out that I was missing this (LAN1 on
AllowedIPs for client1 on the server, and LAN2 for client4).
https://gitlab.com/docker-scripts/wireguard/-/blob/master/testing/test5.sh

> - A route on client1 to LAN2: ip route add 172.26.0.0/16 dev wg0
> - A route on client4 to LAN1: ip route add 172.25.0.0/16 dev wg0
> - Routes on the server to both LANs (same as above)

Actually I am using `wg-quick` and it adds these routes automatically.
Instead, I have to add routes to clients on LAN1 and LAN2 that don't have WG
interfaces. For example on client2 and client3 I have to add:
`ip route add to 172.26.0.0/16 via 172.25.0.2 dev eth0`
And on client5 and client6 add the route:
`ip route add to 172.25.0.0/16 via 172.26.0.2 dev eth0`

> A gateway for the routes is not needed. Once Linux passes the packet to the
> WireGuard interface, cryptokey routing (AllowedIPs) is used.
>
> You do not need any NAT.

That's right. All the WG network seems to work like a router.

> Cheers,
> Samuel
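As an added illustration, not taken from the thread or from the docker-scripts repository, here is the LAN1 <-> LAN2 setup above written as wg-quick configs for the server and client1 (client4 mirrors client1), with the static routes for the non-WG LAN hosts as comments. Keys, the server's public endpoint and its 192.168.0.1 tunnel address are placeholders or assumptions; the `ip_forward` sysctl is not mentioned in the thread but is required for a Linux host to forward between wg0 and eth0.

```ini
# --- server: /etc/wireguard/wg0.conf ---
[Interface]
# assumed tunnel address for the server
Address = 192.168.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# the server routes between the two peers, so forwarding must be on
PostUp = sysctl -w net.ipv4.ip_forward=1

# client1 is the gateway for LAN1 (172.25.0.0/16)
[Peer]
PublicKey = <CLIENT1_PUBLIC_KEY>
# cryptokey routing: packets for LAN1 go to client1, and only client1
# may send packets with a LAN1 source address
AllowedIPs = 192.168.0.2/32, 172.25.0.0/16

# client4 is the gateway for LAN2 (172.26.0.0/16)
[Peer]
PublicKey = <CLIENT4_PUBLIC_KEY>
AllowedIPs = 192.168.0.3/32, 172.26.0.0/16

# --- client1: /etc/wireguard/wg0.conf (client4 is symmetric) ---
[Interface]
Address = 192.168.0.2/24
PrivateKey = <CLIENT1_PRIVATE_KEY>
# client1 forwards LAN1 <-> wg0
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
# wg-quick installs a route for every AllowedIPs prefix, so
# "ip route add 172.26.0.0/16 dev wg0" is not needed by hand
AllowedIPs = 192.168.0.0/24, 172.26.0.0/16
PersistentKeepalive = 25

# --- hosts without a WG interface (from the thread) ---
# client2/client3 on LAN1:
#   ip route add to 172.26.0.0/16 via 172.25.0.2 dev eth0
# client5/client6 on LAN2:
#   ip route add to 172.25.0.0/16 via 172.26.0.2 dev eth0
```

With this in place `ping 172.26.0.2` from client1 and `ping` from client2 to client5 traverse client1 -> server -> client4 without NAT; `wg show` on the server lists both LAN prefixes under the respective peers' allowed ips.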
