Score:0

wireguard - how to link a remote server with two connections


I have 3 sites. Site A and B are not related. Both need a wireguard connection to a server on site C. How do I accomplish this?

┌──────────────┐              ┌─────────────────────┐             ┌──────────────┐
│              │              │                     │             │              │
│    SITE A    │              │       SITE C        │             │    SITE B    │
│              │   WG0        │    ┌───────────┐    │    WG1      │              │
│              │   10.0.0.0   │    │  SERVER   │    │  11.0.0.0   │              │
│        ──────┼──────────────┼───►│           ├────┼─────────────┼──►           │
│              │              │    │           │    │             │              │
│        ◄─────┼──────────────┼────┤           │◄───┼─────────────┼────          │
│              │  port        │    │           │    │  port       │              │
│              │  50001       │    ├───────────┤    │  50002      │              │
└──────────────┘              └────┴───────────┴────┘             └──────────────┘

The first connection WG0 works well with

```
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
```

If I do the same with WG1 I get no connection. The tunnels use different ports. How do I set up this topology correctly?
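A worked server-side configuration for site C, added here as an example; it is not taken from the question or the comments. It renders one config per tunnel (`wg0` on UDP 50001 for site A, `wg1` on UDP 50002 for site B), each with its own tunnel prefix and with firewall rules bound to `%i`, so that bringing one tunnel down cannot remove a rule the other depends on. Because only services on the server itself need to be reachable, it carries no FORWARD or MASQUERADE rules, just an INPUT accept on the tunnel interface for hosts that run a default-deny INPUT chain. The key strings and the `10.0.1.0/24` and `10.0.2.0/24` prefixes are placeholders of my choosing; the second prefix stands in for the `11.0.0.0` in the diagram because `11.0.0.0/8` is publicly routable address space, and routing it into a tunnel would shadow real Internet hosts. The `check_tunnels` and `is_rfc1918` helpers are also mine, not WireGuard tooling.

```shell
#!/bin/sh
# Added example, not from the original post. Renders server-side WireGuard
# configs for two independent tunnels terminating on the site C server and
# checks that they can coexist. Key strings are placeholders, not real keys.

# Render the config for one server-side tunnel.
#   $1 interface name (wg0/wg1)     $2 ListenPort (UDP)
#   $3 server tunnel address/CIDR   $4 server private key for this interface
#   $5 remote site's public key     $6 AllowedIPs for the remote site
wg_server_conf() {
    cat <<EOF
# Rendered for interface $1
[Interface]
Address = $3
ListenPort = $2
PrivateKey = $4
# Only services on this host are exposed, so no FORWARD or MASQUERADE rules.
# The rules are tied to this interface (%i), so bringing one tunnel down
# never removes a rule the other tunnel relies on.
PostUp = iptables -A INPUT -i %i -j ACCEPT
PostDown = iptables -D INPUT -i %i -j ACCEPT

[Peer]
PublicKey = $5
AllowedIPs = $6
EOF
}

# Read one "Key = value" field out of a rendered config.
conf_field() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# Return 0 when the address is RFC 1918 private space, 1 otherwise. A public
# prefix such as 11.0.0.0/8 would carry traffic inside the tunnel, but every
# peer routing it would also hijack real Internet destinations in that range.
is_rfc1918() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Return 0 when two rendered configs can coexist on one host: distinct UDP
# listen ports (two interfaces cannot bind the same port), distinct /24
# tunnel prefixes (overlapping prefixes give the kernel two routes for one
# subnet) and private address space. Reports the first problem on stderr.
check_tunnels() {
    p1=$(conf_field "$1" ListenPort); p2=$(conf_field "$2" ListenPort)
    a1=$(conf_field "$1" Address);    a2=$(conf_field "$2" Address)
    if [ "$p1" = "$p2" ]; then
        echo "clash: both tunnels listen on UDP $p1" >&2; return 1
    fi
    if [ "${a1%.*}" = "${a2%.*}" ]; then
        echo "clash: both tunnels use prefix ${a1%.*}.0/24" >&2; return 1
    fi
    for a in "$a1" "$a2"; do
        is_rfc1918 "$a" || { echo "warning: $a is not RFC 1918 space" >&2; return 1; }
    done
    return 0
}

# Constructed demo: wg0 serves site A, wg1 serves site B. Generate real keys
# with: wg genkey | tee wg0.key | wg pubkey > wg0.pub
WG0=$(wg_server_conf wg0 50001 10.0.1.1/24 SERVER_WG0_PRIVATE_KEY SITE_A_PUBLIC_KEY 10.0.1.2/32)
WG1=$(wg_server_conf wg1 50002 10.0.2.1/24 SERVER_WG1_PRIVATE_KEY SITE_B_PUBLIC_KEY 10.0.2.2/32)
if check_tunnels "$WG0" "$WG1"; then
    printf '%s\n\n%s\n' "$WG0" "$WG1"
fi
```

Write each rendered config to `/etc/wireguard/wg0.conf` and `/etc/wireguard/wg1.conf` with real keys substituted, bring them up with `wg-quick up wg0` and `wg-quick up wg1`, and `wg show` should list both interfaces with their separate listen ports. The site A and site B peers each need only the server's public key for their own interface, `Endpoint = <server>:50001` or `:50002`, and `AllowedIPs` covering the server's tunnel address.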

I don't think your `MASQUERADE` rule makes any sense. Presumably instead of `-o enp3s0` you want `-o %i`, which would give you a different rule for each interface rather than the same rule for both, which is what you currently have.
Fred
If I leave out MASQUERADE I can ping the server in site C and ssh to it, but a web service running on it doesn't answer to wg1.
To be clear, I'm not suggesting that you *remove* the masquerade rule; I'm suggesting that you change it to be interface specific. Additionally, if your system needs a rule to masquerade traffic out `enp3s0` as well, you may want to add that separately, outside of your wireguard PostUp script.
Fred
Actually, since I only want to access services on the server I guess I don't need NAT.
SzakiLaci
IMHO the `11.0.0.0` subnet is not allowed; only `10.x.y.z`. So WG1 must be in `10.11.0.0/16`.