
As far as I understand, WireGuard is point-to-point and does not have a server/client architecture. However, I would still want to use a centralized server in order to bypass firewalls and deal with non-static IPs.

The setup looks like this:

  • Peer 1: a server with a static IP; all other peers will connect to this one;
  • Peer 2: a Windows machine for which I want to serve some SMB and remote desktop stuff over the WireGuard channel; it lives behind a NAT router and does not have a static IP;
  • Peer 3: other machine(s) that will need to connect to Peer 2, through Peer 1.

I managed to get to this setup:

Peer 1 (Ubuntu 18.04)

tunnel IP: 10.10.123.1

$ wg
interface: wg0
  public key: OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: cJx868ZvsArhzYVjtuywFrD0nHv6vjshnHcNszDsyyQ=
  endpoint: <censored>:65229
  allowed ips: 10.10.123.69/32
  latest handshake: 9 seconds ago
  transfer: 44.45 KiB received, 24.71 KiB sent

peer: m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
  endpoint: <censored>:51820
  allowed ips: 10.10.123.99/32
  latest handshake: 25 minutes, 14 seconds ago
  transfer: 2.47 KiB received, 3.56 KiB sent

Peer 2 (Debian 10)

tunnel IP: 10.10.123.99

$ wg
interface: wg0
  public key: m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
  private key: (hidden)
  listening port: 51820

peer: OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
  endpoint: <censored>:51820
  allowed ips: 10.10.123.0/24
  latest handshake: 30 minutes, 19 seconds ago
  transfer: 604 B received, 692 B sent

Peer 3 (Windows 7)

tunnel IP: 10.10.123.69

(screenshot of the Windows WireGuard GUI configuration for Peer 3; not reproduced here)

Pings

  • Peer 1 can ping 10.10.123.99 (peer 2) and 10.10.123.69 (peer 3)
  • Peer 2 can ping 10.10.123.1 (peer 1) and not 10.10.123.69 (peer 3)
  • Peer 3 can ping 10.10.123.1 (peer 1) and not 10.10.123.99 (peer 2)

Routes

So most probably the routes are off?

On peer 2 I'm using wg-quick, which is supposed to set up the routes in accordance with the AllowedIPs directive in the config file:

$ cat wg0.conf
[Interface]
Address = 10.10.123.99/24
ListenPort = 51820
PrivateKey = <censored>
Table = auto

[Peer]
PublicKey = OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
AllowedIPs = 10.10.123.0/24
Endpoint = <censored>:51820

And ip route outputs:

10.10.123.0/24 dev wg0 proto kernel scope link src 10.10.123.99

On peer 1 I'm also using wg-quick:

$ cat wg0.conf 
[Interface]
Address = 10.10.123.1/24
SaveConfig = true
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <censored>

[Peer]
PublicKey = m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
AllowedIPs = 10.10.123.99/32
Endpoint = <censored>:51820

[Peer]
PublicKey = cJx868ZvsArhzYVjtuywFrD0nHv6vjshnHcNszDsyyQ=
AllowedIPs = 10.10.123.69/32
Endpoint = <censored>:56431

And ip route output:

10.10.123.0/24 dev wg0 proto kernel scope link src 10.10.123.1

On peer 3 (Windows) I'm using the GUI from the official packages. This one does not seem to set the "Gateway" on the network interface. I could not find a key in the settings which would allow for this, so I've manually added a gateway of 10.10.123.1.

Question:

Is it at all possible to create a kind of WireGuard LAN? If yes, what am I missing in my configuration? I'm looking for a more or less dynamic (routing) configuration, as more peers might be added later on.

1 Answer

If I understand the question correctly, you would like all of the WireGuard peers to be able to talk to each other via the central node.

Additionally, you may like the WireGuard peers to be able to communicate out via a physical LAN interface, and potentially even a WAN interface for internet service.

All you are missing is to allow packet forwarding in the kernel. By doing this, you may also allow the WireGuard interfaces to forward to other subnets, such as a physically attached LAN on Ubuntu Peer #1.

On the Ubuntu Peer #1:

Step 1: Ensure packet forwarding is allowed in the kernel.

Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1 for IPv4, optionally net.ipv6.ip_forward = 1 for IPv6.

Reload the configuration with sudo sysctl -p

Now test the connection. If you have no firewall configured, it should work already.

Step 2 (optional): Ensure forwarding is allowed in the firewall.

If you are using iptables and have FORWARD DROP set as the default policy, you may need some rules like this:

Allow packets on wg0 to be received by PEER #1, sent from PEER #1, and also forwarded from PEER #1 to anywhere:

-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

Allow packets incoming on a LAN interface enp2s0 to be sent, received, and forwarded anywhere:

-A INPUT -i enp2s0 -j ACCEPT
-A OUTPUT -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -j ACCEPT

Bonus round:

If you want to use the Ubuntu machine as an all-out internet facing router, enable WAN interface rules. Allow only already established connections from a WAN interface enp1s0 to be accepted by PEER #1 or forwarded out to other interfaces:

-A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o enp1s0 -j ACCEPT

# Allow ICMP for correct operation
-A INPUT -i enp1s0 -p icmp -j ACCEPT

If you intend to use this as an internet facing router, you should also lock down the default policies and then explicitly open things up with additional rules as necessary:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

If you are using the iptables-persistent package, this can be added to /etc/iptables/rules.v4 under the *filter section.
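The hub-and-spoke behaviour the answer describes (every spoke reaching every other spoke through Peer 1 once forwarding is enabled) can be checked without touching a real kernel by modelling WireGuard's cryptokey routing. The Python below is an added example written for this page; it is not code from the question, the answer or the WireGuard project. The peer names, tunnel addresses and AllowedIPs values are copied from the question; the `Peer`, `build_lan`, `add_spoke` and `trace` helpers are assumptions introduced here. The model captures the two things WireGuard does with AllowedIPs: on the way out, a packet is sent to the peer whose AllowedIPs contains its destination (longest prefix wins, and no match means the packet never enters wg0); on the way in, a decrypted packet is dropped unless its source address lies within the sending peer's AllowedIPs. The hub's `ip_forward` flag stands for net.ipv4.ip_forward.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Peer:
    """One WireGuard host. `allowed` maps remote peer name -> its AllowedIPs list,
    i.e. the [Peer] sections of this host's wg0.conf (hypothetical model)."""
    name: str
    address: str                       # this host's tunnel address
    allowed: dict = field(default_factory=dict)
    ip_forward: bool = False           # net.ipv4.ip_forward on this host

    def select_peer(self, dst):
        """Cryptokey routing, outbound: the peer whose AllowedIPs has the longest
        prefix containing dst. None means the packet is never sent into wg0."""
        best = None
        for peer, nets in self.allowed.items():
            for net in map(ip_network, nets):
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts_from(self, peer, src):
        """Cryptokey routing, inbound: a decrypted packet from `peer` is kept only
        if its source address is inside that peer's AllowedIPs."""
        return any(src in ip_network(n) for n in self.allowed.get(peer, []))


def build_lan(hub_forwarding=True, spoke_allowed="10.10.123.0/24"):
    """Constructed topology using the question's addresses: peer1 is the hub with
    one /32 per spoke; each spoke has a single [Peer] entry for the hub."""
    hub = Peer("peer1", "10.10.123.1",
               {"peer2": ["10.10.123.99/32"], "peer3": ["10.10.123.69/32"]},
               hub_forwarding)
    p2 = Peer("peer2", "10.10.123.99", {"peer1": [spoke_allowed]})
    p3 = Peer("peer3", "10.10.123.69", {"peer1": [spoke_allowed]})
    return {p.name: p for p in (hub, p2, p3)}


def add_spoke(peers, name, address, hub="peer1", subnet="10.10.123.0/24"):
    """The 'dynamic' part of the question: adding a peer later only requires a
    /32 for it on the hub and the whole subnet in its own hub entry."""
    peers[hub].allowed[name] = [f"{address}/32"]
    peers[name] = Peer(name, address, {hub: [subnet]})


def trace(peers, src_name, dst_name):
    """Follow one packet from src to dst. Returns (hops, verdict)."""
    node = peers[src_name]
    src_ip = ip_address(node.address)
    dst_ip = ip_address(peers[dst_name].address)
    path = [src_name]
    for _ in range(len(peers)):                      # bounded; no loops in hub-and-spoke
        nxt = node.select_peer(dst_ip)
        if nxt is None:
            return path, f"{node.name}: no AllowedIPs entry covers {dst_ip}, packet not sent"
        receiver = peers[nxt]
        if not receiver.accepts_from(node.name, src_ip):
            return path + [nxt], f"{nxt}: src {src_ip} not in AllowedIPs for {node.name}, dropped"
        path.append(nxt)
        if ip_address(receiver.address) == dst_ip:
            return path, "delivered"
        if not receiver.ip_forward:                  # hub without net.ipv4.ip_forward=1
            return path, f"{nxt}: not the destination and ip_forward=0, dropped"
        node = receiver                              # hub re-encapsulates towards dst
    return path, "hop limit exceeded"


if __name__ == "__main__":
    for label, lan in (("forwarding off", build_lan(hub_forwarding=False)),
                       ("forwarding on", build_lan()),
                       ("spoke allows only hub /32", build_lan(spoke_allowed="10.10.123.1/32"))):
        print(f"[{label}]")
        for s, d in (("peer3", "peer1"), ("peer3", "peer2"), ("peer2", "peer3")):
            hops, verdict = trace(lan, s, d)
            print(f"  {s} -> {d}: {' > '.join(hops)}: {verdict}")
    lan = build_lan()
    add_spoke(lan, "peer4", "10.10.123.42")
    print("[after add_spoke]", trace(lan, "peer4", "peer2"))
```

Running it with `hub_forwarding=False` reproduces the question's symptom exactly: both spokes reach 10.10.123.1 but not each other, because the hub receives the packet and then discards it. With `spoke_allowed="10.10.123.1/32"` the spoke never sends the packet into wg0 at all, which is why adding a gateway on the Windows side cannot help: the Windows client, like wg-quick, derives its routes from AllowedIPs, so Peer 3's entry for Peer 1 needs AllowedIPs = 10.10.123.0/24 just as Peer 2's does. Two practitioner caveats that the model does not show: for IPv6 the kernel key is net.ipv6.conf.all.forwarding (there is no net.ipv6.ip_forward), and spokes behind NAT that must stay reachable from the hub, such as Peer 2 here, normally need PersistentKeepalive = 25 in their [Peer] entry for the hub so the NAT mapping stays open.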
