Question about AllowedIPs and proper "mesh" setup

Brian vger-list at
Thu Nov 8 20:33:06 CET 2018

If you're familiar with iptables at all, this was my solution:

1) On your peer's nat table, enable masquerading on your wg interface
(you can do this as a PostUp in your wg config):

iptables -A POSTROUTING -o wg0 -j MASQUERADE

2) On peers, enable packet forwarding in sysctl if necessary:

net.ipv4.conf.wg0.forwarding = 1  (or just net.ipv4.conf.all.forwarding = 1)

3) On your laptop, pick the peer you want to connect to and put the
whole range of your wireguard IP space as its AllowedIPs.  The other
peers don't need to be in your laptop's wireguard config at all.

Once you do that, your laptop will send all its traffic to the peer you
chose, which will then act as a router and "route" the packets back into
its wireguard interface and to the intended other peer.

You can even go over multiple hops this way to access an entire network
connected to another peer if you have packet forwarding and masquerading
set up on both peers (the peer sharing the network needs iptables
masquerading and packet forwarding on the shared network's interface
also), and you put the destination network ip space in your laptop's
peer's AllowedIPs.


On 11/6/18 3:41 PM, Lars Francke wrote:
> Phil, Matthias,
> thanks for the answers. I haven't received Matthias answer but I can
> see it in the archive.
> The reason I wanted to do it the way I initially described is
> laziness. I'm setting up the machines using Ansible[0]. It'd be great
> if I didn't need any special cases but it seems that that's going to
> be way easier than figuring out another way (which doesn't even seem
> to exist yet) ;-)
> Thank you both!
> Cheers,
> Lars
> [0] <> (It's not
> beautiful but it does what I need)
> On Tue, Nov 6, 2018 at 9:16 PM Phil Hofer <phil at> wrote:
>     > Now I want to add an outside client into the mix (e.g. my
>     laptop). I want to be able to connect to just one of those hosts
>     and have that host forward my packages to the others.
>     > I can get it to work if I pick _one_ specific jump host but I
>     haven't managed to set it up in a way that I can connect to any of
>     them.
>     You might consider setting up just one of your servers
>     as a gateway for a subnet dedicated to your client machine(s).
>     Then add routes on your servers to the gateway.
>     For example, set up as the gateway to
>     <>,
>     and set your client machine up as Machines on
> <> remain connected directly.
>     If you need to be able to route through any one of
>     your servers on an ad-hoc basis, then you'll need some
>     additional routing protocol magic, as Matthias suggested.
>     Cheers,
>     Phil
> _______________________________________________
> WireGuard mailing list
> WireGuard at

More information about the WireGuard mailing list