Gateway for Wireguard VPN

Jason A. Donenfeld Jason at zx2c4.com
Tue Nov 21 01:41:04 CET 2017


If you want A and C to communicate through B as a trusted intermediary
for A and C's IPs, then your configs actually need to be:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.2/32, 10.1.0.22/32


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.2/32, 10.1.0.21/32


Alternatively, since you're likely going to be doing this for many
peers, you might be best off with this config instead:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.0/24


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.0/24
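
The two-hop path these configs produce, as an added example that is not part of the original post: a small Python model of WireGuard's cryptokey routing (longest-prefix AllowedIPs lookup on send, source-address check on receive) run over both variants above. Host names stand in for the censored public keys, and `conf`, `select_peer` and `trace` are constructed helpers, not WireGuard code.

```python
import ipaddress

# Constructed peer tables mirroring the post's two variants (public keys replaced by host
# names). Each host maps to (its wg0 address, {peer: AllowedIPs networks}).
def conf(addr, peers):
    return addr, {p: [ipaddress.ip_network(n) for n in nets.split(", ")]
                  for p, nets in peers.items()}

VARIANT1 = {  # per-host /32 entries
    "A": conf("10.1.0.21", {"B": "10.1.0.2/32, 10.1.0.22/32"}),
    "B": conf("10.1.0.2", {"A": "10.1.0.21/32", "C": "10.1.0.22/32"}),
    "C": conf("10.1.0.22", {"B": "10.1.0.2/32, 10.1.0.21/32"}),
}
VARIANT2 = {  # spokes trust B for the whole 10.1.0.0/24
    "A": conf("10.1.0.21", {"B": "10.1.0.0/24"}),
    "B": VARIANT1["B"],
    "C": conf("10.1.0.22", {"B": "10.1.0.0/24"}),
}

def select_peer(peers, ip):
    """Outbound cryptokey routing: the peer whose AllowedIPs hold the longest prefix covering ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, nets in peers.items() for net in nets if addr in net]
    return max(hits)[1] if hits else None

def trace(hosts, start, dst, max_hops=4):
    """Follow a packet from `start` towards `dst`. Each hop applies the sender's
    outbound lookup and then the receiver's inbound rule: a decrypted packet is
    accepted only if its source address lies in the sending peer's AllowedIPs.
    Assumes net.ipv4.ip_forward=1 on any intermediate host, as the post states for B."""
    src = hosts[start][0]
    path, cur = [start], start
    for _ in range(max_hops):
        nxt = select_peer(hosts[cur][1], dst)
        if nxt is None:
            return path + ["DROP: no AllowedIPs match"]
        if select_peer(hosts[nxt][1], src) != cur:
            return path + [f"DROP: {nxt} rejects source {src} from peer {cur}"]
        path.append(nxt)
        if hosts[nxt][0] == dst:
            return path
        cur = nxt
    return path + ["DROP: hop limit"]

if __name__ == "__main__":
    for hosts, name in ((VARIANT1, "variant 1"), (VARIANT2, "variant 2")):
        print(name, "A->C:", trace(hosts, "A", "10.1.0.22"))
        print(name, "A->10.1.0.23:", trace(hosts, "A", "10.1.0.23"))
```

Dropping 10.1.0.21 from C's entry for B makes the model reject A's packets at C on the inbound check, which is why the post insists that B be listed as the intermediary for both A's and C's addresses.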
