WireGuard hub and spoke, a spoke has an extra subnet
Good day,
I have a central site Z, and a few spoke sites A and B. The goal is that internal traffic can go from A to B, via Z.
All internal nets are in 192.168.0.0/16
A 192.168.1.1/24, with 192.168.1.2 reserved as the local IP address for WireGuard
B 192.168.2.1/24, with 192.168.2.2 reserved as the local IP address for WireGuard
and so on
Z 192.168.26.1/24, with 192.168.26.2 reserved as the local IP address for WireGuard
On the spokes I set AllowedAddress 192.168.0.0/16
On the hub I have AllowedAddress 192.168.1.0/24 for peer A, 192.168.2.0/24 for peer B
So far so good. Traffic flows where it needs to go.
The problem is when a spoke has an extra net. E.g. 192.168.101.1/24. How do I configure this?
I tried the way it works on the WireGuard client. There one can specify "AllowedIPs = 192.168.1.0/24, 192.168.101.0/24". This cannot be entered in the hub's peer entry; only one network is accepted, otherwise "Invalid Format".
I tried routing. This does not work, as there is no interface for the VPN. I have tried, against better judgment, to route 192.168.101.0/24 with next hop 192.168.1.1, 192.168.1.2, 192.168.26.1, 92.168.26.2, and the WAN IP. I cannot find a setting that works.
I tried setting up an extra WireGuard interface on A and an extra peer on both A and Z. I almost got this to work.
(I also tried without the extra interface, did not get it working at all that way)
On Z I can create an extra peer, AllowedAddress 192.168.101.0/24, and this part seems to work.
On A it is also possible to create an extra peer, but it cannot have AllowedAddress 192.168.0.0/16 ("The allowed address is repeated").
When I modify this entry, it works partially, but only for the range I set. E.g. 192.168.2.0/24 works, but then other IPs in the network cannot connect.
I feel I'm close, but fail to stitch the final pieces together.
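The behaviour described in the post follows from how WireGuard's cryptokey routing works, independent of any particular router UI. The script below is an added example, not code from the post or from WireGuard itself: it models one interface's AllowedIPs table with WireGuard's actual rules (each prefix is owned by exactly one peer per interface, outgoing packets follow the longest matching prefix, and a decrypted packet is dropped unless its source lies in the sending peer's AllowedIPs). It uses the post's peer names Z, A and B and its subnets; the class and function names are invented for the illustration, and the poster's UI and its input restrictions are not modelled. It shows why 192.168.101.0/24 has to be listed on peer A's entry on the hub (otherwise the hub has no peer for that destination and drops packets arriving from that source), and why a second peer on A cannot also be given 192.168.0.0/16 (the prefix would simply move to the new peer).

```python
import ipaddress
from collections import defaultdict

# Added example (not from the forum post or from WireGuard's own code):
# a small model of WireGuard's cryptokey routing table for one interface.
# Peer names "Z", "A", "B" and the subnets are those in the post; the
# helper names below are made up for this illustration.


class CryptokeyRoutingTable:
    """One WireGuard interface's AllowedIPs table.

    WireGuard semantics modelled here:
      * every AllowedIPs prefix is owned by exactly one peer per interface;
        assigning it to another peer moves it (it is never shared);
      * an outgoing packet goes to the peer holding the longest prefix that
        matches its destination;
      * a decrypted packet from a peer is accepted only if its source address
        falls inside that peer's AllowedIPs, otherwise it is dropped.
    """

    def __init__(self):
        self._owner = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, *prefixes):
        """Assign prefixes to `peer`; return prefixes taken away from other peers."""
        moved = []
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            previous = self._owner.get(net)
            if previous is not None and previous != peer:
                moved.append((str(net), previous))
            self._owner[net] = peer
        return moved

    def peer_for(self, dst):
        """Longest-prefix match: which peer would carry a packet to `dst`?"""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._owner.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accepts_source(self, peer, src):
        """Would a packet decrypted from `peer` with source address `src` be accepted?"""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net, owner in self._owner.items() if owner == peer)

    def render(self):
        """Per-peer AllowedIPs lines in wg-quick's comma-separated format."""
        by_peer = defaultdict(list)
        for net, peer in self._owner.items():
            by_peer[peer].append(str(net))
        return {peer: "AllowedIPs = " + ", ".join(sorted(nets))
                for peer, nets in by_peer.items()}


def hub_table(a_has_extra_subnet):
    """Hub Z: one peer per spoke; A's second LAN is on A's entry only when asked for."""
    t = CryptokeyRoutingTable()
    a_nets = ["192.168.1.0/24"] + (["192.168.101.0/24"] if a_has_extra_subnet else [])
    t.set_allowed_ips("A", *a_nets)
    t.set_allowed_ips("B", "192.168.2.0/24")
    return t


def spoke_table_with_duplicate_peer():
    """Spoke A: peer Z owns 192.168.0.0/16; a second peer given the same prefix takes it over."""
    t = CryptokeyRoutingTable()
    t.set_allowed_ips("Z", "192.168.0.0/16")
    moved = t.set_allowed_ips("Z-extra", "192.168.0.0/16")
    return t, moved


if __name__ == "__main__":
    broken, fixed = hub_table(False), hub_table(True)
    print("hub without 192.168.101.0/24 on A, dst 192.168.101.5 ->", broken.peer_for("192.168.101.5"))
    print("hub accepts src 192.168.101.5 from A?", broken.accepts_source("A", "192.168.101.5"))
    print("hub with both subnets on A, dst 192.168.101.5 ->", fixed.peer_for("192.168.101.5"))
    print(fixed.render()["A"])
    spoke, moved = spoke_table_with_duplicate_peer()
    print("prefix moved away from:", moved, "; 192.168.2.7 now goes to", spoke.peer_for("192.168.2.7"))
```

Running it shows the two halves of the problem: with only 192.168.1.0/24 on A's hub entry, the hub neither routes to 192.168.101.0/24 nor accepts packets from it over A's tunnel, while a single peer entry carrying both prefixes fixes both directions; on the spoke, giving a second peer the same 192.168.0.0/16 does not add a parallel path but reassigns the prefix, so the first tunnel stops carrying that traffic.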