WireGuard connecting hosts WAN->LAN

Bruno Wolff III bruno at wolff.to
Wed Mar 18 22:50:26 CET 2020

On Sat, Mar 14, 2020 at 16:33:44 +0100,
  Germano Massullo <germano.massullo at gmail.com> wrote:
>A simple question to Wireguard developers, since while asking for help
>in OpenWRT forum[1] I have been told that I am asking a thing that
>Wireguard cannot do, so I want to ask upstream if it is possible or not
>A = internet (WAN) host (WireGuard IP
>B = OpenWRT router (WireGuard IP
>C = LAN host (WireGuard IP
>I want to:
>1) connect A to C passing through B. I don't want to expose C to
>internet at all, (so no things like port forwarding)
>2) A must have C public key (and viceversa), so in case of B being
>compromised, the A<->C VPN will not be compromised.
>In a few words, I want B to just route forwards packages from A to C.

This set of requirements seems odd.
Do you not trust C to be able to properly ignore unwanted packets?

It is possible to have C ignore layer 3 traffic (DHCP traffic is special) 
that is not using the tunnel. Inbound you block all traffic not 
destined for the tunnel's port. Outbound you block all traffic not 
tagged as tunnel traffic. (Wireguard provides a way to tag tunnel traffic.) 
The default route should be through the tunnel. Tunnel traffic should be 
routed through B. The configuration gets trickier if you want to send 
traffic to A's external address as then you have a routing dependency not 
based on the destination address. You can do this by having two routing 
tables using the tag to pick which table gets used.

More information about the WireGuard mailing list