
I want a Point to Site topology but since the "client" and "server" hosts are both in their own NAT networks I need to rely on a third host in a Hub and Spoke topology.

[image: visualization]

Host A (hub)

[Interface]
PrivateKey = 
Address = 10.201.50.1/32
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = 
AllowedIPs = 10.201.50.2/32

[Peer]
PublicKey = 
AllowedIPs = 10.201.50.3/32

Host B (server)

[Interface]
PrivateKey = 
Address = 10.201.50.2/32

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i %i -j MARK --set-mark 0x40
PreUp = iptables -t nat -A POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i %i -j MARK --set-mark 0x40
PostDown = iptables -t nat -D POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE

[Peer]
PublicKey = 
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24
PersistentKeepalive = 15

Host C (client)

[Interface]
PrivateKey = 
Address = 10.201.50.3/32

[Peer]
PublicKey = 
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24

Both peers connect fine to the hub.

interface: wg0
  public key: 
  private key: (hidden)
  listening port: 51820

peer: 
  endpoint: :63882
  allowed ips: 10.201.50.3/32
  latest handshake: 35 seconds ago
  transfer: 213.07 KiB received, 15.93 KiB sent

peer: 
  endpoint: :33868
  allowed ips: 10.201.50.2/32
  latest handshake: 1 minute, 6 seconds ago
  transfer: 7.19 KiB received, 5.12 KiB sent

I can ping Host B from Host C fine, which is good, but any other connection fails. For example, I can't ssh into Host B; it just hangs. I can't curl a web server running on Host B on port 80; it also hangs. No firewall is running on Host B as far as I'm aware. The other hosts in the Host B network aren't reachable at all.

Appreciate your help. Cheers

bankman22

1 Answer


The key in this situation is to make sure AllowedIPs on each peer is configured to allow the destination IP addresses of packets you want to send to (or send through) the peer.

So if the CIDR block for the local site that you want to access from Host C through Host A to Host B is 10.0.0.0/24, make sure that the AllowedIPs setting on Host C for Host A includes 10.0.0.0/24 (like you have):

# Host C configuration for Host A peer
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24

And also that the AllowedIPs setting on Host A for Host B includes 10.0.0.0/24 (which you're missing):

# Host A configuration for Host B peer
AllowedIPs = 10.201.50.2/32, 10.0.0.0/24

But from your description of ping working and SSH/HTTP not, you may also have an MTU problem (packets fragmented/rejected because they've been sized a bit too big for one particular hop along the way). Try adding this setting to the [Interface] section of each WireGuard config:

MTU = 1280

And you don't need masquerading on Host A (just on Host B, like you have).


However, if you want to route all traffic (0.0.0.0/0) from Host C through Host A to Host B, change your Host A WireGuard config to this:

[Interface]
PrivateKey = ...
Address = 10.201.50.1/24
ListenPort = 51820
Table = 123

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = ip rule add iif %i table 123 priority 456
PostDown = ip rule del iif %i table 123 priority 456

# to Host B
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0

# to Host C
[Peer]
PublicKey = ...
AllowedIPs = 10.201.50.3/32

This will use a custom routing table (123) for that traffic, to avoid messing with Host A's main routing table.

(And change your Host C config to use AllowedIPs = 0.0.0.0/0 too, but without any other changes to its config.)

Justin Ludwig
  • Thank you very much for the pointer, I can connect to the B subnet now. I don't know if you're aware, but your WireGuard tutorials are immensely helpful to the WireGuard community; there's nothing quite like it anywhere else. People link to them everywhere. Helped me out very much. Also, the connection between hosts wasn't working because the jump host had pretty strict iptables rules set up; I've fixed that now. – bankman22 May 10 '22 at 20:26
  • I have another question if you don't mind. How would I go about routing all traffic from host C through host B without routing all traffic from the hub through it as well? That's what would happen if I just added 0.0.0.0/0 to AllowedIPs of the peer B config on the hub. – bankman22 May 10 '22 at 20:40
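The AllowedIPs point in the answer, traced by machine as an added example (this is not code from the question, the answer, or the WireGuard project): the script below parses the three configs from the question, with the keys replaced by constructed placeholders, and applies WireGuard's cryptokey routing rule on each hop, picking the peer whose AllowedIPs contains the destination by longest prefix and dropping the packet when no peer matches. Host B's local site 10.0.0.0/24 is modelled with a separate LOCAL_NETS table, an assumption taken from the answer. Against the original hub config a packet from Host C to 10.0.0.5 is dropped at Host A; with 10.0.0.0/24 added under the Host B peer it goes C to A to B, and the reply path B to A to C already works. The MTU and policy-routing parts of the answer are not modelled.

```python
"""Trace a destination through WireGuard cryptokey routing, hop by hop.

Added example, not from the original question or answer. On each host the
packet goes to the peer whose AllowedIPs contains the destination (longest
prefix wins); no matching peer means WireGuard drops it. Keys are placeholders.
"""
import ipaddress

PUBKEY = {"A": "PUBKEY_A", "B": "PUBKEY_B", "C": "PUBKEY_C"}  # constructed

HUB_ORIGINAL = """[Interface]
PrivateKey = PRIVKEY_A
Address = 10.201.50.1/32
ListenPort = 51820

[Peer]
PublicKey = PUBKEY_B
AllowedIPs = 10.201.50.2/32

[Peer]
PublicKey = PUBKEY_C
AllowedIPs = 10.201.50.3/32
"""
# Same hub with the answer's fix: B's site listed under the Host B peer.
HUB_FIXED = HUB_ORIGINAL.replace("AllowedIPs = 10.201.50.2/32",
                                 "AllowedIPs = 10.201.50.2/32, 10.0.0.0/24")
HOST_B = """[Interface]
PrivateKey = PRIVKEY_B
Address = 10.201.50.2/32

[Peer]
PublicKey = PUBKEY_A
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24
"""
HOST_C = """[Interface]
PrivateKey = PRIVKEY_C
Address = 10.201.50.3/32

[Peer]
PublicKey = PUBKEY_A
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24
"""
# Networks a host reaches without the tunnel (B's local site, per the answer).
LOCAL_NETS = {"A": [], "B": [ipaddress.ip_network("10.0.0.0/24")], "C": []}
ORIGINAL = {"A": HUB_ORIGINAL, "B": HOST_B, "C": HOST_C}
FIXED = {"A": HUB_FIXED, "B": HOST_B, "C": HOST_C}


def parse_wg_config(text):
    """Return (interface, peers); values are lists because keys may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    for peer in peers:
        peer["AllowedIPs"] = [ipaddress.ip_network(net.strip())
                              for value in peer.get("AllowedIPs", [])
                              for net in value.split(",")]
    return interface, peers


def select_peer(peers, dst):
    """Cryptokey routing: peer with the longest AllowedIPs prefix containing dst."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def trace(configs, start, dst, max_hops=8):
    """Follow a packet for dst from host `start`; returns (hops, outcome)."""
    dst_ip = ipaddress.ip_address(dst)
    owner = {PUBKEY[name]: name for name in configs}
    hops, host = [start], start
    for _ in range(max_hops):
        interface, peers = parse_wg_config(configs[host])
        own = [ipaddress.ip_interface(a.strip()).ip
               for value in interface.get("Address", []) for a in value.split(",")]
        if dst_ip in own or any(dst_ip in net for net in LOCAL_NETS[host]):
            return hops, f"reaches {host}"
        peer = select_peer(peers, dst_ip)
        if peer is None:
            return hops, f"dropped at {host}: no peer's AllowedIPs covers {dst}"
        host = owner[peer["PublicKey"][0]]
        hops.append(host)
    return hops, "routing loop"
```

Call trace(ORIGINAL, "C", "10.0.0.5") and trace(FIXED, "C", "10.0.0.5") to compare the two hub configs; trace(ORIGINAL, "C", "10.201.50.2") shows why the ping to Host B's tunnel address works even before the fix. The longest-prefix choice in select_peer is what lets a hub carry both a /32 for a spoke and a broad 0.0.0.0/0 for the exit peer at the same time.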