I want a Point to Site topology but since the "client" and "server" hosts are both in their own NAT networks I need to rely on a third host in a Hub and Spoke topology.
Host A (hub)
[Interface]
PrivateKey =
Address = 10.201.50.1/32
ListenPort = 51820
PreUp = sysctl -w net.ipv4.ip_forward=1
[Peer]
PublicKey =
AllowedIPs = 10.201.50.2/32
[Peer]
PublicKey =
AllowedIPs = 10.201.50.3/32
Host B (server)
[Interface]
PrivateKey =
Address = 10.201.50.2/32
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i %i -j MARK --set-mark 0x40
PreUp = iptables -t nat -A POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i %i -j MARK --set-mark 0x40
PostDown = iptables -t nat -D POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
[Peer]
PublicKey =
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24
PersistentKeepalive = 15
Host C (client)
[Interface]
PrivateKey =
Address = 10.201.50.3/32
[Peer]
PublicKey =
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24
Both peers connect fine to the hub.
interface: wg0
public key:
private key: (hidden)
listening port: 51820
peer:
endpoint: :63882
allowed ips: 10.201.50.3/32
latest handshake: 35 seconds ago
transfer: 213.07 KiB received, 15.93 KiB sent
peer:
endpoint: :33868
allowed ips: 10.201.50.2/32
latest handshake: 1 minute, 6 seconds ago
transfer: 7.19 KiB received, 5.12 KiB sent
I can ping Host B from Host C fine, which is good, but any other connection fails. For example, I can't ssh into Host B; it just hangs. I can't curl a web server running on Host B on port 80; it also hangs. No firewall is running on Host B as far as I'm aware.
The other hosts in the Host B network aren't reachable at all.
Appreciate your help.
Cheers
Best Answer
The key in this situation is to make sure AllowedIPs on each peer is configured to allow the destination IP addresses of packets you want to send to (or send through) the peer. So if the CIDR block for the local site that you want to access from Host C through Host A to Host B is 10.0.0.0/24, make sure that the AllowedIPs setting on Host C for Host A includes 10.0.0.0/24 (like you have):

And also that the AllowedIPs setting on Host A for Host B includes 10.0.0.0/24 (which you're missing):

But from your description of ping working and SSH/HTTP not, you may also have an MTU problem (packets fragmented/rejected because they've been sized a bit too big for one particular hop along the way). Try adding this setting to the [Interface] section of each WireGuard config:

And you don't need masquerading on Host A (just on Host B, like you have).

However, if you want to route all traffic (0.0.0.0/0) from Host C through Host A to Host B, change your Host A WireGuard config to this:

This will use a custom routing table (123) for that traffic, to avoid messing with Host A's main routing table. (And change your Host C config to use AllowedIPs = 0.0.0.0/0 too, but without any other changes to its config.)
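An added example, not code from the question or the answer: the script below parses the three configs as posted and follows a packet hop by hop the way WireGuard's cryptokey routing does, checking AllowedIPs in both directions at every hop (the sender needs a peer entry that covers the destination, and the receiver's entry for that sender must cover the source address). Run against the posted configs it shows the forward path to 10.0.0.0/24 dying at Host A, and it also shows that a reply from a LAN host behind Host B dies at Host A for the same reason; with the answer's one-line fix on Host A both paths complete. The public keys are placeholders (the post left them blank), 10.0.0.0/24 is assumed to be the LAN behind Host B, and the Endpoint, ListenPort and keepalive lines are omitted because they play no part in AllowedIPs routing.

```python
import ipaddress

# Constructed copies of the three configs from the question, keys replaced by placeholders
# (the post left them blank) so that each [Peer] entry can be mapped back to a host.
HOST_A = """[Interface]
PrivateKey = <A-priv>
Address = 10.201.50.1/32
PreUp = sysctl -w net.ipv4.ip_forward=1
[Peer]
PublicKey = <B-pub>
AllowedIPs = 10.201.50.2/32
[Peer]
PublicKey = <C-pub>
AllowedIPs = 10.201.50.3/32
"""
HOST_B = """[Interface]
PrivateKey = <B-priv>
Address = 10.201.50.2/32
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i %i -j MARK --set-mark 0x40
PreUp = iptables -t nat -A POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i %i -j MARK --set-mark 0x40
PostDown = iptables -t nat -D POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
[Peer]
PublicKey = <A-pub>
AllowedIPs = 10.201.50.0/24
"""
HOST_C = """[Interface]
PrivateKey = <C-priv>
Address = 10.201.50.3/32
[Peer]
PublicKey = <A-pub>
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24
"""
# The answer's fix: Host A's peer entry for Host B must also list the site behind B.
HOST_A_FIXED = HOST_A.replace("AllowedIPs = 10.201.50.2/32",
                              "AllowedIPs = 10.201.50.2/32, 10.0.0.0/24")
KEY_TO_HOST = {"<A-pub>": "A", "<B-pub>": "B", "<C-pub>": "C"}
# Assumption: 10.0.0.0/24 is the LAN behind Host B; packets that reach B for it are delivered.
LANS = {"B": [ipaddress.ip_network("10.0.0.0/24")]}


def parse_wg(text):
    """Parse a wg-quick config; repeated keys (PreUp, PostDown, ...) are kept as lists."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            cur.setdefault(key.strip(), []).append(val.strip())
    return {"interface": iface, "peers": peers}


def allowed_networks(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for v in peer.get("AllowedIPs", []) for c in v.split(",")]


def select_peer(cfg, dst):
    """Outbound cryptokey routing: the peer whose AllowedIPs has the longest match for dst."""
    best = None
    for peer in cfg["peers"]:
        for net in allowed_networks(peer):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def trace(hosts, src, dst, src_ip=None):
    """Follow one packet from host src to IP dst; returns (hosts visited, delivered?)."""
    dst = ipaddress.ip_address(dst)
    if src_ip is None:  # default to the tunnel address of the sending host
        src_ip = ipaddress.ip_interface(hosts[src]["interface"]["Address"][0]).ip
    src_ip = ipaddress.ip_address(src_ip)
    path, cur = [src], src
    for _ in range(8):  # hop limit guards against AllowedIPs loops
        cfg = hosts[cur]
        own = [ipaddress.ip_interface(a).ip for a in cfg["interface"].get("Address", [])]
        if dst in own or any(dst in n for n in LANS.get(cur, [])):
            return path, True
        peer = select_peer(cfg, dst)
        if peer is None:  # no peer is allowed to receive this destination: dropped here
            return path, False
        nxt = KEY_TO_HOST[peer["PublicKey"][0]]
        path.append(nxt)
        back = next((p for p in hosts[nxt]["peers"]
                     if KEY_TO_HOST.get(p["PublicKey"][0]) == cur), None)
        if back is None or not any(src_ip in n for n in allowed_networks(back)):
            return path, False  # dropped on arrival: source not in receiver's AllowedIPs
        cur = nxt
    return path, False


ORIGINAL = {"A": parse_wg(HOST_A), "B": parse_wg(HOST_B), "C": parse_wg(HOST_C)}
FIXED = dict(ORIGINAL, A=parse_wg(HOST_A_FIXED))

if __name__ == "__main__":
    print("as posted, C -> 10.0.0.10:", trace(ORIGINAL, "C", "10.0.0.10"))
    print("fixed,     C -> 10.0.0.10:", trace(FIXED, "C", "10.0.0.10"))
    print("as posted, LAN host -> C:", trace(ORIGINAL, "B", "10.201.50.3", "10.0.0.10"))
    print("fixed,     LAN host -> C:", trace(FIXED, "B", "10.201.50.3", "10.0.0.10"))
```

The trace deliberately treats Host B's masquerade rule as applying only to traffic leaving B on a non-tunnel interface (the posted rule is `! -o %i`), so a reply from a LAN host enters the tunnel with its real 10.0.0.x source and is judged against Host A's AllowedIPs for Host B on arrival. That is why the fix on Host A is needed for both directions, not just for the forward route. The model says nothing about MTU; the answer's second suggestion has to be tested on the wire.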