I have two networks configured with WireGuard. wg0 is for servers and wg1 for VPN users. When a VPN user on wg1 wants to reach the wg0 network, the packets should be routed over one of the wg0 servers (the VPN gate).
wg0.conf on VPN gateway and on all servers with wg0 interface
[Interface]
Address = 10.1.0.15
ListenPort = 51820
PrivateKey = privatekey1
# node23
[Peer]
PublicKey = pubkey
AllowedIPs = 10.1.0.23
Endpoint = node23.fqdn:51820
# node24
[Peer]
PublicKey = pubkey
AllowedIPs = 10.1.0.24
Endpoint = node24:51820
# node25
[Peer]
PublicKey = pubkey
AllowedIPs = 10.1.0.25
Endpoint = node25.fqdn:51820
...
wg1.conf on VPN gateway
[Interface]
Address = 10.100.0.1/32
ListenPort = 51810
PrivateKey = privatekey2
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# user1
[Peer]
PublicKey = pubkey
AllowedIPs = 10.100.0.2/32
...
And this is the user's wg1.conf (actually wg0 because they don't have a 10.1.0.0 address)
[Interface]
Address = 10.100.0.2/32
ListenPort = 21841
PrivateKey = myprivatekey
[Peer]
PublicKey = pubkey
Endpoint = vpngate.fqdn:51810
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
So, on the VPN gate itself I can run curl -v http://10.1.0.23/ and I'm getting a response from within the wg0 network. Ping works too. I can reach all servers within the network. The same with wg1-client and wg1-server. Also I can browse the internet via the VPN gate. But when I try to call a wg0-server from my wg1-client, like curl -v http://10.1.0.23/, which should be routed (I think) through the vpn-gate and from there via wg1 -> wg0, there is no response.
What do I miss?
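As an added example (not part of the question above), here is a small Python model of WireGuard's cryptokey routing for checking a two-interface forwarding setup like this one before touching the hosts: each side only sends to, and only accepts decrypted packets from, addresses inside the matching peer's AllowedIPs. The peer table for node23 is an assumption, based on the statement that every server runs the same wg0.conf scheme.

```python
import ipaddress

# Constructed peer tables modelled on the configs in the question. The entry for
# the gateway on node23 (AllowedIPs = 10.1.0.15 only) is an assumption: the
# question says the same wg0.conf scheme runs on every server.
GATEWAY_WG1_PEERS = {"user1": ["10.100.0.2/32"]}
GATEWAY_WG0_PEERS = {
    "node23": ["10.1.0.23/32"],
    "node24": ["10.1.0.24/32"],
    "node25": ["10.1.0.25/32"],
}
NODE23_WG0_PEERS = {"gateway": ["10.1.0.15/32"]}  # no 10.100.0.0/24 here


def select_peer(peers, dst):
    """Outbound cryptokey routing: longest-prefix match of dst over AllowedIPs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accepts_inbound(peers, sender, src):
    """Inbound check: a decrypted packet is dropped unless src is in the sender's AllowedIPs."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in peers[sender])


def forward_path(src, dst, snat_to=None, node_peers=NODE23_WG0_PEERS):
    """Trace one wg1-client packet through the gateway to a wg0 server and back."""
    # 1. the gateway receives it on wg1 from user1
    if not accepts_inbound(GATEWAY_WG1_PEERS, "user1", src):
        return f"dropped on wg1: src {src} not in user1 AllowedIPs"
    # 2. the gateway forwards it out wg0 (optionally SNATed, e.g. MASQUERADE on wg0)
    peer = select_peer(GATEWAY_WG0_PEERS, dst)
    if peer is None:
        return f"dropped on gateway: no wg0 peer has {dst} in AllowedIPs"
    wire_src = snat_to or src
    # 3. the server applies the same check to the inner source address
    if not accepts_inbound(node_peers, "gateway", wire_src):
        return f"dropped by {peer}: src {wire_src} not in gateway's AllowedIPs"
    # 4. the reply, addressed to wire_src, must also select the gateway peer
    if select_peer(node_peers, wire_src) != "gateway":
        return f"reply from {peer} to {wire_src} has no route back"
    return f"delivered to {peer}; reply to {wire_src} returns via gateway"
```

Calling `forward_path("10.100.0.2", "10.1.0.23")` shows where the packet is dropped, while passing `snat_to="10.1.0.15"` or a node peer table that also lists `10.100.0.0/24` for the gateway shows the two configurations under which it is delivered.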