Wireguard hub and spoke, a spoke has extra subnet
Goodday,
I have a central site Z, and a few spoke sites A and B. The goal is that internal traffic can go from A to B, via Z.
All internal nets are in 192.168.0.0/16
A 192.168.1.1/24 with 192.168.1.2 reserved as local IP-address for wireguard
B 192.168.2.1/24 with 192.168.2.2 reserved as local IP-address for wireguard
and so on
Z 192.168.26.1/24 with 192.168.26.2 reserved as local IP-address for wireguard
On the spokes I set AllowedAddress 192.168.0.0/16
On the hub I have AllowedAddress 192.168.1.0/24 for peer A, 192.168.2.0/24 for peer B
So far so good. Traffic flows where it needs to go.
The problem is when a spoke has an extra net. E.g. 192.168.101.1/24. How do I configure this?
I tried the way it works on the WireGuard client. There one could specify "AllowedIPs = 192.168.1.0/24, 192.168.101.0/24". This cannot be entered in the hub's peer entry, one network only or else "Invalid Format".
I tried routing. Does not work as there is no interface for vpn. I have tried, against better judgment, to route 192.168.101.0/24 with next hop 192.168.1.1, 192.168.1.2, 192.168.26.1, 92.168.26.2, and the WAN IP. I cannot find a setting that works.
I tried setting up an extra wireguard interface on A and an extra peer on both A and Z. I almost got this to work.
(I also tried without the extra interface, did not get it working at all that way)
On Z I can create an extra peer, AllowedAddress 192.168.101.0/24, and this part seems to work.
On A it is also possible to create an extra peer, but it cannot have AllowedAdress 192.168.0.0/16 ("The allowed address is repeated").
When I modify this entry, it works partially, but only for the range I set. E.g. 192.168.2.0/24 works, but then other IPs in the network cannot connect.
I feel I'm close, but fail to stitch the final pieces together.
@Clive_A informed me it actually is okay to have 192.168.0.0/16 two times, so my last paragraph needs work. I changed some addresses but that does not change the problem.
I tried setting up an extra wireguard interface on A and an extra peer on both A and Z. I almost got this to work.
(I also tried without the extra interface, did not get it working at all that way)
On Z I can create an extra peer, AllowedAddress 192.168.116.0/24, and this part seems to work.
On A it is also possible to create an extra peer, but it cannot have AllowedAdress 192.168.0.0/16 ("The allowed address is repeated").
On A I setup an extra peer, also with AllowedAddress 192.168.0.0/16 but this does not seem to work.
On the hub I have
where 16.0/24 and 116.0/24 are on the same spoke. Here is the spoke:
I myself are on yet another spoke and can reach the entire wheel, except 192.168.116.0/24.
I can ping 192.168.16.1
I can ping 192.168.16.2
I cannot ping 192.168.116.1
I cannot ping 192.168.116.2
I cannot traceroute 192.168.116.1
(please notice on hop 3 the reply comes from 192.168.16.2, not 192.168.116.2)
When I change lan116 AllowedAddress to my local /24 subnet, I can ping 192.168.116.1, I can traceroute, and so on.
As you can see, now it does reach 192.168.116.2 instead of 192.168.16.2
But this is still no good. I can reach 192.168.116.0/24 but the rest cannot.
Any insight would be appreciated.
