Routing between WireGuard peers

Hi all, wondering if what I’m wanting to do is possible before I spend a heap of time working it out.

I’ve got a Vyos wireguard ‘server’ with wg interface IP I’ve got 2 x road warrior ‘clients’ ( and that are both connecting to the server, but not each other.

Is it possible, with the right config, for peers .11 and .12 to communicate with each other using .1 as a gateway/router rather than being directly connected?


It will work as you expected :slight_smile:
All traffic will go via central “hub” .1
And there is no session between peers without the central gateway in this case

Well would you look at that… easy as!

I’ve got one additional layer of complexity that I’m stuck on now. I’m trying to route as follows:

Desktop - (local subnet) - Vyos A - (wireguard) - Vyos B - (wireguard) - laptop.

  • The desktop without wireguard can ping the wireguard interface address of Vyos B but not the laptop
  • The laptop and Vyos A can ping each other’s wireguard interface address
  • The desktop and the laptop can’t ping each other

When I try to ping the laptop wireguard address from the desktop, wireshark shows that there is no response, but Vyos B bounces back a ‘Redirect for host’, which I presume means I need to fix up a routing table somewhere?

What routes do you push to WG client?
I’d include

Yes, the clients have those routes, I presume they are working because they can see and ping the wireguard addresses anywhere on the wireguard network.

It’s just the route between the desktop that is trying to use a wireguard peer as a gateway to the laptop that is not peered directly to that gateway that is giving me trouble. Writing it like that makes it sound silly to even try.

Let me try to explain the context better. I have a couple of machines on my local network that I use for remote support of my clients’ devices. My devices are connected to my Vyos A instance (LAN), their devices are connected to their Vyos B instance (wireguard) and the Vyos instances are connected to each other (wireguard). The ‘master’ wireguard node is their server, my office is a client.
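
WireGuard's allowed-ips rule applied to the Desktop - Vyos A - Vyos B - laptop chain from this thread, as an added example that is not part of any post: a peer's allowed-ips list both selects the peer for outgoing destinations and filters the source address of packets arriving from it. All addresses, peer lists and function names are constructed, and the model covers only the allowed-ips checks, not kernel routes, firewall rules or NAT.

```python
import ipaddress

# Constructed addressing (the thread does not give the real values).
DESKTOP = "192.168.10.50"   # on Vyos A's LAN, assumed 192.168.10.0/24
LAPTOP = "10.10.0.11"       # road warrior on the assumed 10.10.0.0/24 tunnel net

def covers(allowed_ips, ip):
    """True if ip falls inside any prefix of a peer's allowed-ips list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_ips)

def trace(cfg, path, src, dst):
    """Follow a packet src->dst across the WireGuard links in path.

    cfg[node][peer] is the allowed-ips list that node holds for peer. On
    each link the sender needs dst in its list for the receiver, and the
    receiver accepts the decrypted packet only if src is in its list for
    the sender. Returns "ok" or the first hop that drops the packet.
    """
    for sender, receiver in zip(path, path[1:]):
        if not covers(cfg[sender][receiver], dst):
            return f"{sender}: {dst} not in allowed-ips for {receiver}"
        if not covers(cfg[receiver][sender], src):
            return f"{receiver}: drops source {src} arriving from {sender}"
    return "ok"

def make_cfg(laptop_allowed):
    """Constructed peer tables; only the laptop's list for the hub varies."""
    return {
        "vyos-a": {"vyos-b": ["10.10.0.0/24"]},
        "vyos-b": {"vyos-a": ["10.10.0.2/32", "192.168.10.0/24"],
                   "laptop": ["10.10.0.11/32"]},
        "laptop": {"vyos-b": laptop_allowed},
    }

FORWARD = ["vyos-a", "vyos-b", "laptop"]

def round_trip(cfg):
    """Check the desktop->laptop request and the laptop->desktop reply."""
    return (trace(cfg, FORWARD, DESKTOP, LAPTOP),
            trace(cfg, FORWARD[::-1], LAPTOP, DESKTOP))

if __name__ == "__main__":
    # Laptop knows only the tunnel subnet, then also the remote LAN.
    print(round_trip(make_cfg(["10.10.0.0/24"])))
    print(round_trip(make_cfg(["10.10.0.0/24", "192.168.10.0/24"])))
```
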