When you want to connect individual external hosts to a LAN via WireGuard, the three key things you need to do are:
- Include the LAN's IP block (or at least the IP address of each individual LAN-side host you want to access) in the AllowedIPs setting of the WireGuard config on each external host
- Set up packet forwarding on the LAN-side WireGuard host (e.g. sysctl -w net.ipv4.ip_forward=1)
- Set up packet masquerading (aka SNAT) on the LAN-side WireGuard host (usually done via iptables rules)
There's a complete example of this here:
https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/
In that example, the LAN's subnet is 192.168.200.0/24, so that's what AllowedIPs is set to in the WireGuard config of the external host (Endpoint A in the example):
AllowedIPs = 192.168.200.0/24
And in that example, packet forwarding and masquerading are accomplished by adding the following to the WireGuard config on the LAN-side WireGuard host (Host β in the example):
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# IP masquerading
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
When the WireGuard interface wg0 is up on the LAN-side WireGuard host, the external host can connect to any host on the LAN via its LAN address -- in the example, the external host (Endpoint A) can connect to a LAN host (Endpoint B) via Endpoint B's local address, 192.168.200.22.
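As an added illustration (not part of the answer above or the linked article), here is a small Python checker for the three requirements, run against constructed stand-ins for the example's two configs (placeholder keys, hypothetical endpoint name). It generalizes the AllowedIPs check to a single host address as well as a whole subnet.

```python
import ipaddress
import re
# Constructed stand-ins for the example's two configs; keys omitted, endpoint name hypothetical.
ENDPOINT_A_CONF = """\
[Interface]
[Peer]
Endpoint = gateway.example.net:51820
AllowedIPs = 10.0.0.0/24, 192.168.200.0/24
"""
HOST_B_CONF = """\
[Interface]
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
[Peer]
AllowedIPs = 10.0.0.1/32
"""

def parse_wg(text):
    """Parse a wg-quick config into [(section, [(key, value), ...])], keeping repeated keys like PreUp."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def peer_allows(conf, lan_net):
    """Requirement 1: some [Peer] AllowedIPs entry must cover lan_net (a subnet or a single host /32)."""
    target = ipaddress.ip_network(lan_net)
    for name, kvs in parse_wg(conf):
        for key, value in kvs:
            if name != "Peer" or key != "AllowedIPs":
                continue
            for cidr in value.split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if net.version == target.version and target.subnet_of(net):
                    return True
    return False

def gateway_ready(conf):
    """Requirements 2 and 3: [Interface] PreUp/PostUp hooks enable forwarding and a MASQUERADE rule."""
    hooks = [v for name, kvs in parse_wg(conf) if name == "Interface" for k, v in kvs if k in ("PreUp", "PostUp")]
    forwarding = any(re.search(r"net\.ipv4\.ip_forward\s*=\s*1", h) for h in hooks)
    masquerade = any("-t nat" in h and "POSTROUTING" in h and "MASQUERADE" in h for h in hooks)
    return {"forwarding": forwarding, "masquerade": masquerade}
```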