The key in this situation is to make sure `AllowedIPs` on each peer is configured to allow the destination IP addresses of packets you want to send to (or send through) the peer. So if the CIDR block for the local site that you want to access from Host C through Host A to Host B is 10.0.0.0/24, make sure that the `AllowedIPs` setting on Host C for Host A includes 10.0.0.0/24 (like you have):

```
# Host C configuration for Host A peer
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24
```

And also that the `AllowedIPs` setting on Host A for Host B includes 10.0.0.0/24 (which you're missing):

```
# Host A configuration for Host B peer
AllowedIPs = 10.201.50.2/32, 10.0.0.0/24
```
But from your description of ping working and SSH/HTTP not, you may also have an MTU problem (packets fragmented/rejected because they've been sized a bit too big for one particular hop along the way). Try adding this setting to the `[Interface]` section of each WireGuard config:

```
MTU = 1280
```
And you don't need masquerading on Host A (just on Host B, like you have).
However, if you want to route all traffic (`0.0.0.0/0`) from Host C through Host A to Host B, change your Host A WireGuard config to this:

```
[Interface]
PrivateKey = ...
Address = 10.201.50.1/24
ListenPort = 51820
Table = 123
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = ip rule add iif %i table 123 priority 456
PostDown = ip rule del iif %i table 123 priority 456

# to Host B
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0

# to Host C
[Peer]
PublicKey = ...
AllowedIPs = 10.201.50.3/32
```

This will use a custom routing table (`123`) for that traffic, to avoid messing with Host A's main routing table. (And change your Host C config to use `AllowedIPs = 0.0.0.0/0` too, but without any other changes to its config.)
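Added example, not part of the answer above: a small Python check that mimics WireGuard's cryptokey routing (longest-prefix match of a destination over each peer's `AllowedIPs`) and walks a destination such as 10.0.0.7 hop by hop from Host C to Host A to Host B, reporting the first host whose config would drop it. The embedded peer sections are constructed from the answer's snippets with placeholder keys; the `Host A`/`Host B`/`Host C` comment lines are assumed as peer labels.

```python
import ipaddress
import re
# Constructed sample peer sections (placeholder keys), built from the answer's
# snippets: Host C's entry for Host A, and Host A's entries before/after the fix.
HOST_C_CONF = """
[Peer]
# Host A
PublicKey = HOSTA_PUBKEY_PLACEHOLDER
AllowedIPs = 10.201.50.0/24, 10.0.0.0/24
"""
HOST_A_CONF_BEFORE = """
[Peer]
# Host B
PublicKey = HOSTB_PUBKEY_PLACEHOLDER
AllowedIPs = 10.201.50.2/32
[Peer]
# Host C
PublicKey = HOSTC_PUBKEY_PLACEHOLDER
AllowedIPs = 10.201.50.3/32
"""
HOST_A_CONF_AFTER = HOST_A_CONF_BEFORE.replace("10.201.50.2/32", "10.201.50.2/32, 10.0.0.0/24")
def parse_peers(conf):
    """Return [(name, [networks])] per [Peer] block, named by its first comment line."""
    peers = []
    for block in re.split(r"^\[Peer\]", conf, flags=re.M)[1:]:
        name, nets = None, []
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("#"):
                name = name or line.lstrip("#").strip()
            elif line.startswith("AllowedIPs"):
                nets += [ipaddress.ip_network(n.strip(), strict=False)
                         for n in line.split("=", 1)[1].split(",")]
        peers.append((name or "<unnamed>", nets))
    return peers
def select_peer(conf, dst):
    """Cryptokey routing: the peer with the longest AllowedIPs prefix matching dst, else None."""
    addr, best = ipaddress.ip_address(dst), None
    for name, nets in parse_peers(conf):
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)  # no peer allows dst -> WireGuard drops the packet
    return best[0] if best else None
def first_broken_hop(hops, dst):
    """hops = [(host, conf, expected_next_peer)] in path order; first host that fails, else None."""
    for host, conf, expected in hops:
        if select_peer(conf, dst) != expected:
            return host
    return None
```

With the answer's original Host A config the check reports Host A as the broken hop for 10.0.0.7; with 10.0.0.0/24 added to the Host B peer it reports none.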