Connecting to a WireGuard peer through a VPS

My current WireGuard setup has a VPS connected to two devices on different local networks. Each of the home network devices is connected to the VPS using WireGuard, but they are not configured to accept connections from each other (they haven't been added as peers in each other's config files).

I'd like to use the VPS similar to a reverse proxy server, so that home device 1 can connect to the VPS and have its traffic routed to home device 2, without needing to configure a direct connection between the two home devices (essentially a hub and spoke model). Is there a way to route traffic this way?

Current home network device config file:

[Interface]
Address = 10.0.0.2/8
SaveConfig = true
ListenPort = 53910
FwMark = 0xca6c
PrivateKey = <privkey>

[Peer]
PublicKey = <pubkey>
AllowedIPs = 10.0.0.1/32
Endpoint = <IP address>

Server config file:

[Interface]
Address = 10.0.0.1/8
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = <privkey>

[Peer]
PublicKey = <pubkey>
AllowedIPs = 10.0.0.2/32
Endpoint = <IP of home network device 1>

[Peer]
PublicKey = <pubkey>
AllowedIPs = 10.0.0.3/32
Endpoint = <IP of home network device 2>

Under these current rules, if I try to ping device 2 from device 1, I get this error message (which seems to suggest that the peers are aware of each other, but that they're not configured correctly?):

user@device1:~/wireguard$ ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
From 10.0.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available

Thanks!


Update your clients' WireGuard AllowedIPs settings to include the IP addresses of the other devices you want each client to access through its WireGuard connection to the VPS. For example, like this to allow device 1 to use WireGuard to connect to device 2 only:

[Interface]
Address = 10.0.0.2/8
...

[Peer]
PublicKey = <VPS pubkey>
AllowedIPs = 10.0.0.3/32
...

Or like this to allow device 1 to connect to device 2, as well as the VPS itself, through WireGuard:

[Interface]
Address = 10.0.0.2/8
...

[Peer]
PublicKey = <VPS pubkey>
AllowedIPs = 10.0.0.1/32, 10.0.0.3/32
...

Or like this to allow device 1 to use the WireGuard connection to connect to any host in the 10.0.0.0/8 block:

[Interface]
Address = 10.0.0.2/8
...

[Peer]
PublicKey = <VPS pubkey>
AllowedIPs = 10.0.0.0/8
...

See this WireGuard hub-and-spoke guide for a full example.
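The cryptokey-routing behaviour behind the answer, as an added example that is not part of the original post or answer: WireGuard picks a peer for an outgoing packet by longest-prefix match over every peer's AllowedIPs, and on the way in it drops any decrypted packet whose source address is not inside the sending peer's AllowedIPs. The model below replays a ping from device 1 to device 2 through the VPS under the question's original config and under the answer's updated one. Peer names (`vps`, `device1`, `device2`) stand in for the public keys in the real config files, and the tables are constructed from the addresses quoted in the post; the VPS's kernel forwarding (sysctl and the FORWARD rule in its PostUp) is assumed to be working and is not modelled.

```python
"""Model of WireGuard cryptokey routing for the hub-and-spoke setup above.

Added example, not from the original post. Peer names are constructed
placeholders for the public keys used in real config files.
"""
import ipaddress

# AllowedIPs tables built from the configs quoted in the question/answer.
DEVICE1_ORIGINAL = {"vps": ["10.0.0.1/32"]}
DEVICE2_ORIGINAL = {"vps": ["10.0.0.1/32"]}
DEVICE1_UPDATED = {"vps": ["10.0.0.1/32", "10.0.0.3/32"]}
DEVICE2_UPDATED = {"vps": ["10.0.0.1/32", "10.0.0.2/32"]}
DEVICE1_WHOLE_BLOCK = {"vps": ["10.0.0.0/8"]}            # answer's third variant
VPS = {"device1": ["10.0.0.2/32"], "device2": ["10.0.0.3/32"]}


def select_peer(table, dst):
    """Egress: longest-prefix match of dst over all peers' AllowedIPs.

    Returns the peer name, or None when no prefix covers dst. On a real
    host, None is the 'Required key not available' (ENOKEY) error from
    the question: there is no peer whose key may encrypt this packet.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer, prefixes in table.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_from(table, peer, src):
    """Ingress: a decrypted packet from `peer` is kept only if its source
    address lies inside that peer's AllowedIPs; otherwise it is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in table[peer])


def trace_ping(dev1_table, dev2_table, src="10.0.0.2", dst="10.0.0.3"):
    """Walk an echo request dev1 -> VPS -> dev2 and its reply back.
    Returns the list of hops; the last entry states where it stopped."""
    hops = []
    peer = select_peer(dev1_table, dst)                    # 1. device 1 egress
    if peer is None:
        hops.append("device1: no AllowedIPs match for %s -> ENOKEY" % dst)
        return hops
    hops.append("device1: encrypt to %s" % peer)
    if not accepts_from(VPS, "device1", src):              # 2. VPS ingress
        hops.append("vps: source %s not allowed from device1, dropped" % src)
        return hops
    out = select_peer(VPS, dst)                            # 2b. VPS forward
    if out is None:
        hops.append("vps: no peer for %s, dropped" % dst)
        return hops
    hops.append("vps: forward to %s" % out)
    if not accepts_from(dev2_table, "vps", src):           # 3. device 2 ingress
        hops.append("device2: source %s not in vps AllowedIPs, dropped" % src)
        return hops
    hops.append("device2: echo request accepted")
    if select_peer(dev2_table, src) is None:               # 4. reply path
        hops.append("device2: reply to %s -> ENOKEY" % src)
        return hops
    if select_peer(VPS, src) is None or not accepts_from(VPS, "device2", dst):
        hops.append("vps: reply dropped")
        return hops
    if not accepts_from(dev1_table, "vps", dst):
        hops.append("device1: reply source %s not allowed, dropped" % dst)
        return hops
    hops.append("device1: reply received")
    return hops


if __name__ == "__main__":
    for label, t1, t2 in [("original", DEVICE1_ORIGINAL, DEVICE2_ORIGINAL),
                          ("device1 updated only", DEVICE1_UPDATED, DEVICE2_ORIGINAL),
                          ("both updated", DEVICE1_UPDATED, DEVICE2_UPDATED)]:
        print(label)
        for hop in trace_ping(t1, t2):
            print("  " + hop)
```

The middle case is the one that bites in practice: once device 1 lists 10.0.0.3/32 the request leaves, the VPS forwards it, and device 2 silently discards it because 10.0.0.2 is not in its own AllowedIPs for the VPS peer, so the ping times out instead of failing with ENOKEY. Both spokes need each other's address under the hub's `[Peer]` entry, which is why the answer says to update the clients' settings in the plural.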