Wireguard Info

Published on Sep 25, 2020

Got a good post from user ndonegan on the selfhosted.show Discord when trying to figure out how to get a WireGuard tunnel going; hopefully this will help the next time I try setting it up.

His post follows:

Remember, TCP is two-way. Take two hosts, host_1 which has eth0 as on and host_2 which has eth0 as on

Each of them can communicate to the local /24 as it knows that eth0 is the best local route.

Now, if you add WireGuard, it's the equivalent of dragging a cable between the two hosts on another physical interface on their own little network. So let's say host_1 has on wg0 and host_2 has on wg0.

host_1 knows that to hit it can go over wg0, and likewise host_2 knows that to hit it can go over wg0. You can see this using ip route get $ip

The thing is, host_1 doesn't have the first clue how to hit anything on the network, as it doesn't have that in its route table. It's going to attempt to send it over its default gateway! The same situation exists for host_2 trying to hit

The easiest way to fix this is to use static routes. So, for example, on host_1, you do ip route add via dev wg0 and on host_2 you do ip route add via dev wg0.

What this means is that if you initiate a connection from host_1 to, it's going to look at the route table and see that routing that packet to via wg0 is the best route to get to that network.

There's a slight fun gotcha: on the other side, it's actually going to see the connection as coming from, so it will route the traffic back to that address. The reason it will see the traffic as coming from: assuming you have the above setup and run ip route get on host_1, you will see:

$ ip route get via dev wg0 src

So, any traffic going to will appear to come from. If is the gateway for the and another host, say, attempts to connect to host_2 on, its source IP will be. This means when the packet reaches host_2, it's going to look at its route table to see what's the best path back to. With the static route added earlier, it's going to see that to send back the traffic it has to go via on wg0, and host_1 will then forward the traffic onto
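The route-table behaviour the post walks through, as an added example: this is my own Python, not ndonegan's commands and not code from the original page. It does a longest-prefix-match lookup that reports the same via/dev/src fields as ip route get, for two simulated hosts whose addresses are constructed for the example (LANs from the RFC 5737 documentation ranges, a 10.99.0.0/24 tunnel). The host_1 and host_2 names, the host_table and forward_path helpers and all addresses are assumptions. It shows the default-gateway trap before the static route is added, the wg0 source address after adding it, and the return path from host_2 to a host sitting behind host_1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    """One route-table entry, limited to the `ip route` fields that matter here."""
    dst: Net                    # destination prefix; 0.0.0.0/0 is the default route
    dev: str                    # outgoing interface
    via: Optional[IPv4] = None  # next hop; None means directly connected
    src: Optional[IPv4] = None  # preferred source address (the interface's own IP)


def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in table:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def route_get(table: List[Route], ip: str) -> Dict[str, Optional[str]]:
    """Return the via/dev/src fields that `ip route get <ip>` would print."""
    r = lookup(table, ip)
    if r is None:
        raise LookupError(f"no route to {ip}")
    return {"via": str(r.via) if r.via else None, "dev": r.dev, "src": str(r.src)}


def host_table(lan: str, lan_ip: str, gateway: str, wg_net: str, wg_ip: str,
               static: Optional[Tuple[str, str]] = None) -> List[Route]:
    """Routes a host gets from its two interfaces, plus the optional static
    route (remote LAN, peer's wg0 address) that the post says to add."""
    table = [
        Route(Net("0.0.0.0/0"), "eth0", via=IPv4(gateway), src=IPv4(lan_ip)),
        Route(Net(lan), "eth0", src=IPv4(lan_ip)),     # connected local /24
        Route(Net(wg_net), "wg0", src=IPv4(wg_ip)),    # the tunnel's own network
    ]
    if static is not None:
        remote_lan, peer_wg_ip = static
        # equivalent of: ip route add <remote_lan> via <peer_wg_ip> dev wg0
        table.append(Route(Net(remote_lan), "wg0", via=IPv4(peer_wg_ip), src=IPv4(wg_ip)))
    return table


# Constructed addresses (not from the post): LANs from the RFC 5737 documentation
# ranges, tunnel addresses from 10.99.0.0/24.
HOST1_NO_STATIC = host_table("192.0.2.0/24", "192.0.2.10", "192.0.2.1",
                             "10.99.0.0/24", "10.99.0.1")
HOST1 = host_table("192.0.2.0/24", "192.0.2.10", "192.0.2.1",
                   "10.99.0.0/24", "10.99.0.1", static=("198.51.100.0/24", "10.99.0.2"))
HOST2 = host_table("198.51.100.0/24", "198.51.100.20", "198.51.100.1",
                   "10.99.0.0/24", "10.99.0.2", static=("192.0.2.0/24", "10.99.0.1"))

HOSTS = {"host_1": HOST1, "host_2": HOST2}
ADDR_TO_HOST = {"192.0.2.10": "host_1", "10.99.0.1": "host_1",
                "198.51.100.20": "host_2", "10.99.0.2": "host_2"}


def forward_path(start: str, dst: str, max_hops: int = 8) -> List[tuple]:
    """Follow a packet hop by hop through the simulated hosts. Each entry is
    (host, dev, next_hop); the last entry says where the packet ended up."""
    host, path = start, []
    for _ in range(max_hops):
        if ADDR_TO_HOST.get(dst) == host:
            path.append((host, "local"))          # delivered to this host itself
            return path
        r = lookup(HOSTS[host], dst)
        if r is None:
            path.append((host, "unreachable"))
            return path
        next_hop = str(r.via) if r.via else dst   # connected network: send straight to dst
        path.append((host, r.dev, next_hop))
        if next_hop not in ADDR_TO_HOST:          # left the simulation (LAN host or default gw)
            path.append((next_hop, "outside"))
            return path
        host = ADDR_TO_HOST[next_hop]
    return path


if __name__ == "__main__":
    print("host_1 -> host_2 LAN, no static route:", route_get(HOST1_NO_STATIC, "198.51.100.20"))
    print("host_1 -> host_2 LAN, static route:   ", route_get(HOST1, "198.51.100.20"))
    print("host_2 reply to a host behind host_1: ", forward_path("host_2", "192.0.2.55"))
```

Without the static route, host_1's lookup for the remote LAN falls through to the 0.0.0.0/0 entry and the packet heads for eth0 and the default gateway, which is the failure the post describes. With it, the lookup picks the /24 over wg0 and the source address becomes host_1's wg0 address, which is why host_2 sees the connection coming from the tunnel address; the reply from host_2 to a LAN host behind host_1 only works because host_2 has the matching static route pointing back at host_1's wg0 address.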