Site-to-site joins two LANs (e.g. office 192.168.10.0/24 and home 192.168.20.0/24) so any host
on one can reach any host on the other, via a WireGuard gateway on each side.
1. Enable IP forwarding on BOTH gateways
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-wg.conf
sudo sysctl --system
2. Gateway A (office, has a public IP) — /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = A_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
[Peer]
# Gateway B
PublicKey = B_PUBLIC_KEY
# B's VPN IP + the LAN behind B:
AllowedIPs = 10.0.0.2/32, 192.168.20.0/24
3. Gateway B (home) — /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = B_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
[Peer]
# Gateway A
PublicKey = A_PUBLIC_KEY
Endpoint = A_PUBLIC_IP:51820
# A's VPN IP + the LAN behind A:
AllowedIPs = 10.0.0.1/32, 192.168.10.0/24
PersistentKeepalive = 25
The trick: each gateway lists the remote LAN subnet in its peer's AllowedIPs. wg-quick installs a
route for every AllowedIPs entry, so traffic for that subnet is sent across the tunnel, and WireGuard
uses the same list as an inbound filter: a decrypted packet whose source address is not in the
sending peer's AllowedIPs is dropped, so a peer cannot inject traffic claiming to come from the
other site's LAN.
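As an added example (not part of the original write-up), the Python below models the cryptokey routing table that WireGuard builds from the configs above: outbound lookup by destination (longest prefix wins), the inbound source check, and a lint for an AllowedIPs entry repeated across two peers, which wg silently moves to the last peer listed. Gateway A's config is embedded as constructed sample input with the page's placeholder keys; the three-site config and its C_PUBLIC_KEY are constructed here to show the duplicate case.

```python
"""Model WireGuard cryptokey routing from a wg-quick config (added example).

AllowedIPs does two jobs: outbound, a packet goes to the peer whose AllowedIPs
contains its destination (longest prefix wins); inbound, a decrypted packet is
dropped unless its source lies in the sending peer's AllowedIPs.
"""
import ipaddress

# Constructed sample: Gateway A's config from the page (placeholder keys).
GATEWAY_A_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = A_PRIVATE_KEY

[Peer]
# Gateway B
PublicKey = B_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32, 192.168.20.0/24
"""

# Constructed misconfiguration: a third site (hypothetical C_PUBLIC_KEY) that
# repeats B's LAN in its own AllowedIPs.
THREE_SITE_CONF = """\
[Interface]
Address = 10.0.0.1/24
PrivateKey = A_PRIVATE_KEY

[Peer]
PublicKey = B_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32, 192.168.20.0/24

[Peer]
PublicKey = C_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32, 192.168.20.0/24
"""


def parse_peers(conf_text):
    """Return one dict per [Peer] with 'PublicKey' and a list of IPv4/IPv6 networks."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            current = {"AllowedIPs": []} if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None:
            continue  # keys inside [Interface] are not needed here
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "AllowedIPs":
            current["AllowedIPs"].extend(
                ipaddress.ip_network(cidr.strip(), strict=False)
                for cidr in value.split(",") if cidr.strip())
        else:
            current[key] = value
    return peers


def peer_for_destination(peers, dst):
    """Outbound: public key of the peer with the most specific match, else None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best.get("PublicKey") if best else None


def accepts_source(peers, public_key, src):
    """Inbound: True only if src is inside the AllowedIPs of the peer that sent it."""
    addr = ipaddress.ip_address(src)
    for peer in peers:
        if peer.get("PublicKey") == public_key:
            return any(addr in net for net in peer["AllowedIPs"])
    return False  # unknown peer: nothing would have decrypted anyway


def duplicate_allowed_ips(peers):
    """Lint: identical AllowedIPs entry in two peers; wg keeps it on the last one only."""
    seen, dupes = {}, []
    for peer in peers:
        for net in peer["AllowedIPs"]:
            key = peer.get("PublicKey")
            if net in seen and seen[net] != key:
                dupes.append((str(net), seen[net], key))
            seen[net] = key
    return dupes


if __name__ == "__main__":
    peers = parse_peers(GATEWAY_A_CONF)
    print("192.168.20.5 ->", peer_for_destination(peers, "192.168.20.5"))
    print("spoofed 192.168.10.7 from B accepted?",
          accepts_source(peers, "B_PUBLIC_KEY", "192.168.10.7"))
    print("duplicates:", duplicate_allowed_ips(parse_peers(THREE_SITE_CONF)))
```

The inbound check is the part worth internalising: the FORWARD accept rules in the configs trust whatever arrives on wg0, and it is AllowedIPs, not iptables, that stops gateway B from sourcing packets as 192.168.10.x.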
4. Let other LAN hosts use the route
Hosts on each LAN need a route that sends the remote subnet via their local gateway's LAN address. Either add a static route on the LAN router (best, since it covers every host) or add it per host; e.g. on a home host, assuming gateway B's LAN address is 192.168.20.1:
sudo ip route add 192.168.10.0/24 via 192.168.20.1
Verify
ping 192.168.20.5 # from an office host to a home host
sudo wg show # recent handshake on both ends
There is no masquerade here (unlike full-tunnel), so original source IPs are preserved across sites;
plain routing between the two LANs instead relies on the FORWARD accept rules above plus IP forwarding
on both gateways. Because replies carry the real source address, the return path has to exist on both
LANs too: if only the gateways can ping each other but LAN hosts can't, the missing piece is the static
route in step 4.