Can I make WireGuard VPN peers talk to each other?
Solution 1
After a whole evening of searching the internet, I found some useful links that talk about the same problem I am facing.
Link: https://lists.zx2c4.com/pipermail/wireguard/2018-August/003250.html
It says we must enable IP forwarding on the server to make it work like an edge router.
By default, the IPv4 policy in Linux kernels disables support for IP forwarding. This prevents machines that run Linux from functioning as dedicated edge routers. To enable IP forwarding, use the following command:
[root@myServer ~ ] # sysctl -w net.ipv4.ip_forward=1
This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file as follows:
Locate the following line:
net.ipv4.ip_forward = 0
Edit it to read as follows:
net.ipv4.ip_forward = 1
Use the following command to enable the change to the sysctl.conf file:
[root@myServer ~ ] # sysctl -p /etc/sysctl.conf
With this done, now all my peers are able to talk to each other, and this functions just like a LAN network!
Solution 2
I followed all the steps suggested by Sibidharan but also needed to add an iptables command on the server to forward the WireGuard traffic from peer to peer.
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
I was then able to connect via ssh from peer to peer.
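The two hub-side conditions from Solution 1 and Solution 2, plus the client-side AllowedIPs requirement, as an added offline checker (example code written for this page, not from either answer). The sample configs are constructed from the question with keys redacted as XXX, and the FORWARD chain is assumed to be supplied as `iptables -S FORWARD` output lines.

```python
import ipaddress
import re
# Constructed sample mirroring the question's configs (keys redacted as XXX).
HUB_CONF = ("[Interface]\nAddress = 172.16.16.1/24\nListenPort = 8999\nPrivateKey = XXX\n"
            "[Peer]\nPublicKey = XXX\nAllowedIPs = 172.16.16.2/32\n"
            "[Peer]\nPublicKey = XXX\nAllowedIPs = 172.16.16.3/32\n")
SPOKE_CONF = ("[Interface]\nPrivateKey = XXX\nAddress = 172.16.16.2/32\n"
              "[Peer]\nPublicKey = XXX\nAllowedIPs = 172.16.16.0/24\nPersistentKeepalive = 30\n")

def parse_wg_conf(text):
    """Parse an INI-like WireGuard config into {'Interface': {...}, 'Peer': [...]}."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return {"Interface": iface, "Peer": peers}

def allowed_nets(conf):
    """Every AllowedIPs prefix across all [Peer] blocks, as ip_network objects."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for p in conf["Peer"] for n in p.get("AllowedIPs", "").split(",") if n.strip()]

def peer_to_peer_problems(hub_conf, spoke_conf, ip_forward, forward_rules, wg_if="wg0"):
    """Reasons one spoke cannot reach another through the hub; empty list means OK.
    forward_rules: lines in `iptables -S FORWARD` format, e.g. '-P FORWARD DROP' (assumed)."""
    problems = []
    if ip_forward != 1:  # Solution 1: the hub kernel must be allowed to route at all
        problems.append("net.ipv4.ip_forward is not 1 on the hub")
    drop_default = any(r.strip() == "-P FORWARD DROP" for r in forward_rules)
    hairpin = re.compile(rf"-A FORWARD -i {re.escape(wg_if)} -o {re.escape(wg_if)} .*-j ACCEPT")
    if drop_default and not any(hairpin.search(r) for r in forward_rules):
        problems.append(f"FORWARD policy is DROP with no {wg_if}->{wg_if} ACCEPT rule")  # Solution 2
    # Spoke side: its kernel only sends a destination into the tunnel when it falls inside
    # the hub peer's AllowedIPs, so every other spoke's address must be covered by them.
    spoke_nets = allowed_nets(spoke_conf)
    for net in allowed_nets(hub_conf):
        if not any(net.subnet_of(sn) for sn in spoke_nets if sn.version == net.version):
            problems.append(f"spoke AllowedIPs does not cover {net}")
    return problems

if __name__ == "__main__":
    hub, spoke = parse_wg_conf(HUB_CONF), parse_wg_conf(SPOKE_CONF)
    print(peer_to_peer_problems(hub, spoke, 0, ["-P FORWARD DROP"]))  # both hub-side fixes missing
```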
Sibidharan
Malware Analyst, Independent Security Researcher, Software Developer.
Updated on June 17, 2022
Comments
-
Sibidharan almost 2 years
I have a server running WireGuard, and I have multiple clients (peers) connected to it up and running. I am not very sure how VPN works, but this is my current setup.
The /etc/wireguard/wg0.conf of my server looks like this:
[Interface]
Address = 172.16.16.1/24
SaveConfig = true
ListenPort = 8999
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.2/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.3/32
And the wg0.conf on my clients looks like this:
[Interface]
PrivateKey = XXX
Address = 172.16.16.x/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.0/24
PersistentKeepalive = 30
With everything up and running, from my client with IP address 172.16.16.2, I am able to ping the server 172.16.16.1. I am able to do the same from my other client with 172.16.16.3: I can ping the server 172.16.16.1.
Interestingly, from my server, I am able to ping all the peers! That is, from within 172.16.16.1, I can ping both 172.16.16.2 and 172.16.16.3. But that is the prime purpose of the setup!
Now, I want my peers to talk to each other, that is, I must be able to ping 172.16.16.2 from my other peer 172.16.16.3 and vice-versa, but this is not working. It says that the network is unreachable.
The idea is, I want it to work like a LAN server, where one server acts as a gateway, and multiple peers/clients can talk to each other, and also talk to the server.
Is this possible? If yes, what am I missing?
-
Ben over 2 years
Are there good reasons this is disabled by default?
-
Sibidharan over 2 years
To prevent peer-to-peer communication on Internet-based systems, but on private systems this can be used as a feature.