I have several WireGuard servers hosted on Ubuntu VPS servers. There are peers set up on each VPN server. I have the servers set up in a "mesh" configuration and they're all able to ping each other directly. The servers have IPv4 forwarding enabled. I can connect to each server as a peer and have my internet connection routed through that server.
I would like to forward some peers through multiple WireGuard servers (multi-hop) while also leaving some peers to connect to the internet via the first WireGuard hop. Eventually I intend to control this dynamically with a node app executing the relevant iptables rules as required (or whatever the solution may be).
For example:
Peer 1 > Server 1 > Server 2 > Internet
Peer 2 > Server 1 > Internet
Peer 3 > Server 3 > Internet
Peer 4 > Server 2 > Server 1 > Internet
Would this be possible with iptables rules? I have spent a couple of days reading similar posts and trying things. The closest I have come is setting the following on Server1:
iptables -t nat -A PREROUTING -s 10.42.1.4 -j DNAT --to-destination 10.42.1.2   # 10.42.1.4 = Peer1, 10.42.1.2 = Server2
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
Using tcpdump -n -v -i wg0 I can see packets being passed from Server1 to Server2, but it looks like the MASQUERADE rule is altering the destination IP? I tried adding iptables -t nat -A POSTROUTING -d 10.42.1.2 -j SNAT --to-source 10.42.1.4 too.
[Image: diagram of the setup]
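Added example, not part of the question above: a small POSIX shell helper for the first hop (Server 1) that steers selected peers to the next hop with a policy route instead of DNAT, which would deliver the packet to Server 2 itself rather than forward it through Server 2. It assumes wg0 is the mesh interface, that Server 1's peer entry for the next hop carries AllowedIPs = 0.0.0.0/0 with Table = off so wg-quick does not install that default route, and that the next hop forwards and masquerades on its own uplink; the table number, rule priority and function names are my own choices.

```shell
#!/bin/sh
# Per-peer policy routing on the first WireGuard hop (added example).
# Peers given to multihop_apply have their internet traffic routed back out
# wg0 towards the next hop; every other peer keeps the normal eth0 default.
WG_IF="${WG_IF:-wg0}"
TABLE="${TABLE:-100}"   # routing table holding the "send to next hop" route (assumed)
PRIO="${PRIO:-1000}"    # priority of the per-peer ip rules (assumed)

# Print the commands that add ("add") or remove ("del") the policy route for
# one peer address. Printing instead of executing keeps the logic testable and
# lets a controller (such as the node app mentioned above) decide when to run it.
multihop_cmds() {
    peer="$1"; action="$2"
    case "$action" in
        add)
            # Everything in the table goes to wg0; WireGuard's cryptokey routing
            # then picks the peer by longest-prefix AllowedIPs match, so mesh and
            # peer addresses still reach their own peers and 0.0.0.0/0 falls
            # through to the next hop.
            echo "ip route replace default dev $WG_IF table $TABLE"
            # Delete first so repeated runs do not stack duplicate rules.
            echo "ip rule del from $peer/32 lookup $TABLE priority $PRIO 2>/dev/null; ip rule add from $peer/32 lookup $TABLE priority $PRIO"
            # Source-NAT the forwarded packets to Server 1's wg0 address so the
            # next hop accepts them under Server 1's existing AllowedIPs entry.
            echo "iptables -t nat -C POSTROUTING -s $peer/32 -o $WG_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $peer/32 -o $WG_IF -j MASQUERADE"
            ;;
        del)
            echo "ip rule del from $peer/32 lookup $TABLE priority $PRIO"
            echo "iptables -t nat -D POSTROUTING -s $peer/32 -o $WG_IF -j MASQUERADE"
            ;;
        *)
            echo "usage: multihop_cmds <peer-ip> add|del" >&2
            return 1
            ;;
    esac
}

# Run the commands for one peer (needs root); set DRY_RUN=1 to only print them.
multihop_apply() {
    multihop_cmds "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Example: Peer 1 (10.42.1.4, the address from the question) goes via the
# next hop; Peer 2 is simply never passed to multihop_apply and keeps exiting
# directly from Server 1.
# DRY_RUN=1 multihop_apply 10.42.1.4 add
```

Reply packets need no extra rule: conntrack reverses the MASQUERADE on Server 1 and the de-NATed destination 10.42.1.4 is routed to Peer 1 by its own AllowedIPs entry.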