Only Dr. miguel can help with this!

@miguel
I am wondering if I got this right. So I have a wireguard VPN server on a VPS and the main interface for all its traffic is wg0, and there are three different routers at 10.66.66.2, .3, and .4. What I am trying to do is allow all 3 subnets, which are NAT'd behind the routers, to talk to each other!!! Did I do it right or did I mess it up? Now I know you are gonna ask if the routers have routing tables as well; I mean they can, but I don't know if the wireguard server routing table would be enough!!

# nat/POSTROUTING matches on the outgoing interface (-o, not -i) and needs a -j target;
# rewriting the source address is SNAT --to-source (DNAT only takes --to-destination)
sudo iptables -t nat -A POSTROUTING -d 192.168.0.0/24 -o wg0 -j SNAT --to-source 10.3.2.2
sudo iptables -t nat -A POSTROUTING -d 10.8.0.0/24 -o wg0 -j SNAT --to-source 10.3.2.3
sudo iptables -t nat -A POSTROUTING -d 10.66.66.0/24 -o wg0 -j SNAT --to-source 10.3.2.4

In case you wanna picture what I am trying to do!

@miguel do you have any suggestions!!! Do you know a program for an Ubuntu 18.04 VPS that can do this???

The way I do it is to make my wireguard subnet routable on all devices that are part of the wireguard network. So it won’t matter where they are, or what network they’re on. They’ll still be on the network.

So if your wireguard network is 10.8.1.0/24, then on every device that will be part of it, just have that device forward any traffic to and from that network to the appropriate interface. Don't worry about NAT and firewalls, they don't matter to wireguard, and just make things more complicated. What happens when a device on your wireguard network (i.e. a phone or laptop) moves to a new wifi network? Who cares? Just have it send all the wireguard traffic to your server.

Now the only issue is for devices that aren’t running wireguard in whatever LAN… if you want access to them from wireguard devices, then another device on that LAN will have to route to and from that LAN and the wireguard network.

I just use tailscale for this. Runs on everything, and does internal LAN routing for non-wireguard devices too. So it doesn't matter if my Raspberry Pi is at work or at WW or wherever. As long as it's connected to the internet somehow, I can get to it through wireguard. NAT and firewalls don't matter.

Check it out: https://tailscale.com

1 Like
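The "make the wireguard subnet routable everywhere, skip the NAT" approach above, as an added example that is not from anyone in this thread: a POSIX sh script that generates the hub config for the VPS and the spoke config for each of the three routers in the original layout (hub at 10.66.66.1, routers at 10.66.66.2/.3/.4). All keys and the VPS public IP are placeholders; the first two LAN prefixes are taken from the original iptables rules, the third LAN prefix is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: hub-and-spoke WireGuard configs for the
# layout above (VPS hub at 10.66.66.1, routers at 10.66.66.2/.3/.4). Keys and
# the VPS address are placeholders; the third LAN prefix is assumed.
HUB_ADDR="10.66.66.1/24"
# tunnel-ip:lan-prefix:router-pubkey for each router (LANs 1 and 2 from the post)
SPOKES="10.66.66.2:192.168.0.0/24:ROUTER2_PUBKEY_PLACEHOLDER \
10.66.66.3:10.8.0.0/24:ROUTER3_PUBKEY_PLACEHOLDER \
10.66.66.4:192.168.2.0/24:ROUTER4_PUBKEY_PLACEHOLDER"

# Hub side. AllowedIPs is WireGuard's routing table and ACL at once (cryptokey
# routing): a packet for 10.8.0.0/24 is only sent to, and only accepted from,
# the peer that lists it. The hub needs no NAT, only IP forwarding and a
# FORWARD rule that lets wg0 hairpin traffic between peers.
gen_hub_conf() {
  printf '[Interface]\nAddress = %s\nListenPort = 51820\n' "$HUB_ADDR"
  printf 'PrivateKey = HUB_PRIVKEY_PLACEHOLDER\n'
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT\n'
  printf 'PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT\n'
  for s in $SPOKES; do
    ip=${s%%:*}; rest=${s#*:}; lan=${rest%%:*}; key=${rest#*:}
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32, %s\n' "$key" "$ip" "$lan"
  done
}

# Spoke side for one router: the hub peer must carry the tunnel subnet plus
# every *other* LAN, which also installs kernel routes for them. Hosts on the
# router's LAN then only need the router as their gateway (or a static route).
gen_spoke_conf() {
  me=$1; allowed="10.66.66.0/24"
  for s in $SPOKES; do
    ip=${s%%:*}; rest=${s#*:}; lan=${rest%%:*}
    [ "$ip" = "$me" ] || allowed="$allowed, $lan"
  done
  printf '[Interface]\nAddress = %s/24\nPrivateKey = ROUTER_PRIVKEY_PLACEHOLDER\n' "$me"
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
  printf '\n[Peer]\nPublicKey = HUB_PUBKEY_PLACEHOLDER\n'
  printf 'Endpoint = VPS_PUBLIC_IP_PLACEHOLDER:51820\nPersistentKeepalive = 25\n'
  printf 'AllowedIPs = %s\n' "$allowed"
}

# Usage: gen_hub_conf > wg0.conf on the VPS; gen_spoke_conf 10.66.66.2 > wg0.conf on router 2
```

Each router still needs its own FORWARD rules between its LAN interface and wg0 if its firewall drops forwarded traffic by default.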

So… the absolute easiest way to accomplish this…

Sign up at tailscale. Have at least one computer in each LAN that you want to connect logged in to tailscale, and have it set to “relay” and advertise the local LAN.

This way, any computer on the tailscale network would be able to see any computer on any of the LANs, even if they’re not running tailscale.

Tailscale is a really easy way to get wireguard going without all the headaches. They run the server for you. It’s free for personal use.

1 Like

Just did it with static routing on the router and with iptables on the VPS!!! However, I appreciate the time you have spent typing this fully detailed comment!!!

Thank you professor!

Tailscale would work and it is perfect but it is closed source and is only for PERSONAL use!!!

Tailscale is literally a Wireshark implementation. Here’s the GitHub:

This repository contains all the open source Tailscale client code and the tailscaled daemon and tailscale CLI tool. The tailscaled daemon runs primarily on Linux; it also works to varying degrees on FreeBSD, OpenBSD, Darwin, and Windows.

1 Like

Why I use tailscale rather than make my own wireguard network:

  • Don't need a wireguard server.

  • I don’t need to keep track of IP addresses in my “virtual network”. I can just click the icon and it will let me know which computers are connected. Clicking on one of the hosts automatically copies the IP address to the clipboard.

  • I don’t need to worry about routing, or firewalls, or NAT.

  • Can route between LANs, including devices not using wireguard, with no effort. For example, no matter where I am in the world, I can just type “ssh 192.168.2.68” to get to my iMac.

  • Works when "roaming" without any extra setup. I can sit on any network (i.e. at a grocery store) and tailscale takes care of the NAT traversal and firewall stuff. I don't even have to think about it.

  • Works with Cloudflare's WARP app (which is also wireguard) to route all traffic to Cloudflare for privacy.

1 Like