WireGuard connecting hosts WAN->LAN

Luis Ressel aranea at aixah.de
Sat Mar 14 19:16:05 CET 2020

On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote:
> I want to:
> 1) connect A to C passing through B. I don't want to expose C to
> internet at all, (so no things like port forwarding)
> 2) A must have C public key (and viceversa), so in case of B being
> compromised, the A<->C VPN will not be compromised.

The answer you quoted is correct. If you don't wish to set up port
forwarding, and C is thus not accessible from the internet at all, A
can't establish a tunnel with it.

You may want to consider setting up two tunnels on A:
* wg0 with B as the peer
* wg1 with C as the peer
and then route the encrypted packets of wg1 through wg0. The
disadvantage of this is that you're encrypting every packet twice, which
hurts performance and lowers the tunnel MTU.


More information about the WireGuard mailing list