
WireGuard combining Hub and Spoke with Point to Site


I want a Point to Site topology but since the "client" and "server" hosts are both in their own NAT networks I need to rely on a third host in a Hub and Spoke topology.


Host A (hub)

[Interface]
PrivateKey = 
Address = 10.201.50.1/32
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = 
AllowedIPs = 10.201.50.2/32

[Peer]
PublicKey = 
AllowedIPs = 10.201.50.3/32

Host B (server)

[Interface]
PrivateKey = 
Address = 10.201.50.2/32

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i %i -j MARK --set-mark 0x40
PreUp = iptables -t nat -A POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i %i -j MARK --set-mark 0x40
PostDown = iptables -t nat -D POSTROUTING ! -o %i -m mark --mark 0x40 -j MASQUERADE

[Peer]
PublicKey = 
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24
PersistentKeepalive = 15

Host C (client)

[Interface]
PrivateKey = 
Address = 10.201.50.3/32

[Peer]
PublicKey = 
Endpoint = 198.230.220.45:51820
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24

Both peers connect fine to the hub.

interface: wg0
  public key: 
  private key: (hidden)
  listening port: 51820

peer: 
  endpoint: :63882
  allowed ips: 10.201.50.3/32
  latest handshake: 35 seconds ago
  transfer: 213.07 KiB received, 15.93 KiB sent

peer: 
  endpoint: :33868
  allowed ips: 10.201.50.2/32
  latest handshake: 1 minute, 6 seconds ago
  transfer: 7.19 KiB received, 5.12 KiB sent

I can ping Host B from Host C fine, which is good, but any other connection fails. For example, I can't ssh into Host B; it just hangs. I can't curl a web server running on Host B on port 80; it also hangs. No firewall is running on Host B as far as I'm aware. The other hosts in the Host B network aren't reachable at all.

Appreciate your help. Cheers


The key in this situation is to make sure AllowedIPs on each peer is configured to allow the destination IP addresses of packets you want to send to (or send through) the peer.

So if the CIDR block for the local site that you want to access from Host C through Host A to Host B is 10.0.0.0/24, make sure that the AllowedIPs setting on Host C for Host A includes 10.0.0.0/24 (like you have):

# Host C configuration for Host A peer
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24

And also that the AllowedIPs setting on Host A for Host B includes 10.0.0.0/24 (which you're missing):

# Host A configuration for Host B peer
AllowedIPs = 10.201.50.2/32, 10.0.0.0/24

But from your description of ping working and SSH/HTTP not, you may also have an MTU problem (packets fragmented/rejected because they've been sized a bit too big for one particular hop along the way). Try adding this setting to the [Interface] section of each WireGuard config:

MTU = 1280

And you don't need masquerading on Host A (just on Host B, like you have).


However, if you want to route all traffic (0.0.0.0/0) from Host C through Host A to Host B, change your Host A WireGuard config to this:

[Interface]
PrivateKey = ...
Address = 10.201.50.1/24
ListenPort = 51820
Table = 123

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = ip rule add iif %i table 123 priority 456
PostDown = ip rule del iif %i table 123 priority 456

# to Host B
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0

# to Host C
[Peer]
PublicKey = ...
AllowedIPs = 10.201.50.3/32

This will use a custom routing table (123) for that traffic, to avoid messing with Host A's main routing table.

(And change your Host C config to use AllowedIPs = 0.0.0.0/0 too, but without any other changes to its config.)
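The AllowedIPs point above can be checked mechanically: WireGuard's cryptokey routing sends a packet to the peer whose AllowedIPs has the longest prefix containing the destination, so every hop on the C -> A -> B path must select the intended next host. The script below is an added example, not the answerer's code or part of WireGuard; it parses wg-quick style configs mirroring the question (KEY_A/KEY_B/KEY_C are placeholder public keys, not real ones) and reports the first hop where the packet would not go to the intended next peer.

```python
import ipaddress

def parse_peers(conf):
    """Map each [Peer] PublicKey to its AllowedIPs networks from a wg-quick config."""
    peers, section, key, nets = {}, None, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("["):
            if key:
                peers[key] = nets
            section, key, nets = line, None, []
        elif section == "[Peer]" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))  # keep base64 '=' padding
            if k == "PublicKey":
                key = v
            elif k == "AllowedIPs":
                nets += [ipaddress.ip_network(c.strip(), strict=False) for c in v.split(",")]
    if key:
        peers[key] = nets
    return peers

def next_hop(peers, dest):
    """Cryptokey routing: the peer with the longest AllowedIPs prefix containing dest."""
    best = None
    for pub, nets in peers.items():
        for n in nets:
            if dest in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (pub, n)
    return best[0] if best else None

def check_path(hosts, path, dest):
    """hosts: {name: (pubkey, peers)}. Return (host, next) for the first hop that
    would not send dest to the intended next host, or None if the path works."""
    dest = ipaddress.ip_address(dest)
    for cur, nxt in zip(path, path[1:]):
        if next_hop(hosts[cur][1], dest) != hosts[nxt][0]:
            return (cur, nxt)
    return None

CONF = {  # constructed to mirror the question; KEY_* are placeholders, not real keys
    "A": "[Interface]\nAddress = 10.201.50.1/32\n[Peer]\nPublicKey = KEY_B\nAllowedIPs = 10.201.50.2/32\n"
         "[Peer]\nPublicKey = KEY_C\nAllowedIPs = 10.201.50.3/32\n",
    "B": "[Peer]\nPublicKey = KEY_A\nAllowedIPs = 10.201.50.0/24\n",
    "C": "[Peer]\nPublicKey = KEY_A\nAllowedIPs = 10.201.50.0/24, 10.0.0.0/24\n",
}
HOSTS = {name: (f"KEY_{name}", parse_peers(conf)) for name, conf in CONF.items()}

if __name__ == "__main__":
    print(check_path(HOSTS, ["C", "A", "B"], "10.0.0.10"))  # ('A', 'B'): hub lacks 10.0.0.0/24 for peer B
```

Adding 10.0.0.0/24 to the hub's peer-B AllowedIPs (as the answer recommends) makes the same check return None.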

Thank you very much for the pointer; I can connect to the B subnet now. I don't know if you're aware, but your WireGuard tutorials are immensely helpful to the WireGuard community; there's nothing quite like them anywhere else. People link to them everywhere. Helped me out very much. Also, the connection between hosts wasn't working because the jump host had pretty strict iptables rules set up; I've fixed that now.
I have another question if you don't mind. How would I go about routing all traffic from host C through host B without routing all traffic from the hub through it as well? That's what would happen if I just added 0.0.0.0/0 to AllowedIPs of the peer B config on the hub.