As far as I understand, WireGuard is point-to-point and does not have a server/client architecture. However, I would still want to use a centralized server in order to bypass firewalls and deal with non-static IPs.
The setup looks like this:
- Peer 1: a server with a static IP, all other Peers will connect to this one;
- Peer 2: a Windows machine for which I want to serve some SMB and remote desktop stuff over the WireGuard channel; it lives behind a NAT router and does not have a static IP.
- Peer 3: other machine(s) that will need to connect to Peer 2, through Peer 1
I managed to get to this setup:
Peer 1 (Ubuntu 18.04)
tunnel IP: 10.10.123.1
$ wg
interface: wg0
public key: OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
private key: (hidden)
listening port: 51820
fwmark: 0xca6c
peer: cJx868ZvsArhzYVjtuywFrD0nHv6vjshnHcNszDsyyQ=
endpoint: <censored>:65229
allowed ips: 10.10.123.69/32
latest handshake: 9 seconds ago
transfer: 44.45 KiB received, 24.71 KiB sent
peer: m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
endpoint: <censored>:51820
allowed ips: 10.10.123.99/32
latest handshake: 25 minutes, 14 seconds ago
transfer: 2.47 KiB received, 3.56 KiB sent
Peer 2 (Debian 10)
tunnel IP: 10.10.123.99
$ wg
interface: wg0
public key: m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
private key: (hidden)
listening port: 51820
peer: OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
endpoint: <censored>:51820
allowed ips: 10.10.123.0/24
latest handshake: 30 minutes, 19 seconds ago
transfer: 604 B received, 692 B sent
Peer 3 (Windows 7)
tunnel IP: 10.10.123.69
Pings
- Peer 1 can ping 10.10.123.99 (peer 2) and 10.10.123.69 (peer 3)
- Peer 2 can ping 10.10.123.1 (peer 1) and not 10.10.123.69 (peer 3)
- Peer 3 can ping 10.10.123.1 (peer 1) and not 10.10.123.99 (peer 2)
Routes
So most probably the routes are off?
On peer 2 I'm using wg-quick, which is supposed to set up the routes in accordance with the AllowedIPs directive in the config file:
$ cat wg0.conf
[Interface]
Address = 10.10.123.99/24
ListenPort = 51820
PrivateKey = <censored>
Table = auto
[Peer]
PublicKey = OuQHfIZE7/28I4Z/cY3ixpK0VIjfZGkE0XB1OtjTqgs=
AllowedIPs = 10.10.123.0/24
Endpoint = <censored>:51820
And ip route outputs:
10.10.123.0/24 dev wg0 proto kernel scope link src 10.10.123.99
On peer 1 I'm also using wg-quick:
$ cat wg0.conf
[Interface]
Address = 10.10.123.1/24
SaveConfig = true
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <censored>
[Peer]
PublicKey = m2ivoopxHRunmwtweArcixWEPmHgjiL2vqCyU9zFiBQ=
AllowedIPs = 10.10.123.99/32
Endpoint = <censored>:51820
[Peer]
PublicKey = cJx868ZvsArhzYVjtuywFrD0nHv6vjshnHcNszDsyyQ=
AllowedIPs = 10.10.123.69/32
Endpoint = <censored>:56431
And ip route outputs:
10.10.123.0/24 dev wg0 proto kernel scope link src 10.10.123.1
On peer 3 (windows) I'm using the GUI from the official packages. This one does not seem to set the "Gateway" on the network interface. I could not find a key in the settings which would allow for this. So I've manually added the gateway of 10.10.123.1
Question:
Is it at all possible to create a kind of WireGuard LAN? If yes, what am I missing in my configuration? I'm looking for a more or less dynamic (routing) configuration, as more peers might be added later on.
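The setup in the question is a hub-and-spoke topology, and whether a packet gets through depends on two things the question does not show: whether the hub forwards packets that are not addressed to itself (net.ipv4.ip_forward), and what each spoke's AllowedIPs for the hub contain. What follows is an added example, not code from the question or from the WireGuard project. It models WireGuard's cryptokey routing as every node applies it: outbound, a packet goes to the peer whose AllowedIPs contain the destination (longest prefix wins, no match means drop); inbound, a decrypted packet is accepted only if its source address lies inside the sending peer's AllowedIPs. Peer 3's Windows config is not shown in the question, so its AllowedIPs for the hub are an assumption here (both the single /32 and the whole /24 are tried). The addresses and peer names are those from the question.

```python
"""Trace packets through the hub-and-spoke WireGuard setup from the question.

Two checks from WireGuard's cryptokey routing are modelled per node:
  * outbound: select the peer whose AllowedIPs contain the destination
    (longest prefix match); no matching peer -> packet dropped;
  * inbound: accept a decrypted packet only if its source address is in
    the sending peer's AllowedIPs; otherwise it is dropped.
Plus the ordinary kernel rule that a node relays a packet not addressed to
itself only when IP forwarding is enabled (net.ipv4.ip_forward on Linux).
"""
from ipaddress import ip_address, ip_network

HUB, PEER2, PEER3 = "10.10.123.1", "10.10.123.99", "10.10.123.69"


class Node:
    def __init__(self, name, addr, forward=False):
        self.name = name
        self.addr = ip_address(addr)
        self.forward = forward          # net.ipv4.ip_forward on the hub
        self.peers = {}                 # peer name -> list of AllowedIPs networks

    def add_peer(self, name, *allowed):
        self.peers[name] = [ip_network(a) for a in allowed]

    def select_peer(self, dst):
        """Outbound cryptokey lookup: peer with the longest matching AllowedIPs."""
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (peer, net.prefixlen)
        return best[0] if best else None

    def accepts_from(self, peer, src):
        """Inbound check: the source must lie inside that peer's AllowedIPs."""
        return any(src in net for net in self.peers.get(peer, []))


def deliver(nodes, cur, src, dst, hops=0):
    """Follow one packet hop by hop; return where it was delivered or why it died."""
    if hops > 8:
        return "dropped: routing loop"
    if dst == cur.addr:
        return f"delivered to {cur.name}"
    if hops > 0 and not cur.forward:
        return f"dropped at {cur.name}: ip_forward=0"
    nxt = cur.select_peer(dst)
    if nxt is None:
        return f"dropped at {cur.name}: no AllowedIPs match for {dst}"
    nxt_node = nodes[nxt]
    if not nxt_node.accepts_from(cur.name, src):
        return f"dropped at {nxt}: source {src} not in AllowedIPs of peer {cur.name}"
    return deliver(nodes, nxt_node, src, dst, hops + 1)


def trace(nodes, frm, to):
    """Trace a packet from node `frm` to node `to` using their tunnel addresses."""
    return deliver(nodes, nodes[frm], nodes[frm].addr, nodes[to].addr)


def build(hub_forwards, peer3_allowed):
    """Hub-and-spoke network from the question; peer3's AllowedIPs are assumed."""
    hub = Node("peer1", HUB, forward=hub_forwards)
    hub.add_peer("peer2", f"{PEER2}/32")      # per-peer /32 on the hub, as posted
    hub.add_peer("peer3", f"{PEER3}/32")
    p2 = Node("peer2", PEER2)
    p2.add_peer("peer1", "10.10.123.0/24")    # as posted: whole subnet via the hub
    p3 = Node("peer3", PEER3)
    p3.add_peer("peer1", peer3_allowed)       # assumption: not shown in the question
    return {"peer1": hub, "peer2": p2, "peer3": p3}


if __name__ == "__main__":
    for fwd, p3_allowed in [(False, f"{HUB}/32"), (True, f"{HUB}/32"), (True, "10.10.123.0/24")]:
        net = build(fwd, p3_allowed)
        print(f"hub ip_forward={int(fwd)}, peer3 AllowedIPs={p3_allowed}")
        for frm, to in [("peer1", "peer2"), ("peer1", "peer3"), ("peer2", "peer3"), ("peer3", "peer2")]:
            print(f"  {frm} -> {to}: {trace(net, frm, to)}")
```

The first scenario reproduces the symptoms in the question: the hub reaches both spokes and each spoke reaches the hub, but spoke-to-spoke traffic dies at the hub because it is not forwarding. Turning forwarding on (for example `PostUp = sysctl -w net.ipv4.ip_forward=1` in the hub's wg-quick config) is not enough on its own: if the Windows peer only allows 10.10.123.1/32, the hub does route the packet to it, but Peer 3 discards it on arrival because the source 10.10.123.99 is not inside the hub's AllowedIPs, and its own replies to .99 have no matching peer at all. Every spoke therefore needs AllowedIPs = 10.10.123.0/24 for the hub, which is also why manually adding a "gateway" on the Windows adapter changes nothing: the routing decision is made by AllowedIPs, not by the interface's gateway. Keeping the per-peer /32 entries on the hub is the right call, since they are the ACL that stops one spoke from sourcing packets with another spoke's address; just be aware that a forwarding hub relays traffic between all spokes unless you restrict that with a firewall on the hub.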