Josephny
Forum Veteran
Topic Author
Posts: 775
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Wireguard confusion (still)

Sun Jan 05, 2025 11:37 pm

I have a multi-site environment where each location is connected to each other using ROS' Wireguard facility. It works great -- thanks to the generous and expert help of people here.

But, the "road warrior" set up needs a little improvement.

I can use the native WG apps in IOS and Windows to connect to any one site and have access. But, what I would like is to connect to a single site and have access to all sites.

Can I do that without major changes to the way I have WG set up now? I understand I have all sites set up with a separate link to all other site, as opposed to a main or hub site that all other sites connect to.

I don't know if it would be easier to provide me help if I provided snippets of the config that I thought were relevant, or all the config, or just a couple of the config. I'll go with number 3 until I hear differently.

The "road warrior" peer that I've been using is the 10.10.100.9.

The WG conf file used on the iPhone and Windows PC is as follows (I know I should set up a separate one -- just haven't gotten around to it):
[Interface]
PrivateKey = mAQxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 13231
Address = 10.10.100.9/24

[Peer]
PublicKey = xx27cpxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.10.100.1/24, 192.168.0.0/16
Endpoint = <PRIVATE>.dyndns.org:51820
PersistentKeepalive = 30
I also tried it without the AllowedIP of 192.168.0.0/16.

Thank you.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 1:06 am

Well, it all depends, doesn't it.
Do you wish to be able to reach all devices by accessing one MT device in particular, or do you want to be able to reach all the configs when connecting to any device?
The hub and spoke method you didn't use makes connecting to all devices stupid simple, as one connects to the hub and then you connect from there to the particular MT device you want to reach.
Now you have a mixed bag of connections and it may be much harder...

so the vague question needs more specifics....
Do you wish to be able to reach all devices by accessing one MT device in particular, or do you want to be able to reach all the configs when connecting to any device.
 
Josephny
Forum Veteran
Topic Author
Posts: 775
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Wireguard confusion (still)

Mon Jan 06, 2025 1:24 am


Do you wish to be able to reach all devices by accessing one MT device in particular, or do you want to be able to reach all the configs when connecting to any device.
I don't think I understand the question.

Here is an example of what I want to do:

I'm on my laptop or cell phone and I want to be able to reach Blue Iris video servers at 192.168.2.x and 192.168.0.x at the same time.

Or,

I want to be able to always reach a Home Assistant server at 192.168.2.x at all times while also connecting to devices at 192.168.20.x

Preferably, I would leave a single WG connection active on an iPhone and another on a Windows laptop and have access to any devices/servers at any of the home locations from wherever the iPhone or laptop might be (cellular or off-premises wifi connected).

Does that clarify?
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 2:27 am

Sure, that's very logical.
The problem is how to do that depends on the current setup.

If it was connect to router A via wireguard and then over existing tunnels go to any other device or any other LAN on any device is TOO easy.
This assumes device A is the server for handshake, and device B,C,D,E,F are client peers for handshake.

It sounds though what you have or attempted to setup is different or some variant thereof:
Assumes any router can initiate connection to any router and that all routers have reachable public IP addresses or ISP router can forward port to MT device.

A to B and B to A
router A--> endpoint port 15102 and keep alive // interface=wgA listening port=15101, allowed IP=10.100.100.2/32
Throw in appropriate remote subnets in allowed IPs.
ip address is 10.100.100.1/24
router B-> endpoint port 15101 and keep alive // interface=wgB listening port=15102, allowed IP=10.100.100.1/32
Throw in appropriate remote subnets in allowed IPs.
ip address is 10.100.100.2/24

A to C and C to A
router A--> endpoint port 15103 and keep alive // interface=wgA listening port=15101, allowed IP=10.100.100.3/32
Throw in appropriate remote subnets in allowed IPs.
ip address is 10.100.100.1/24
router C--> endpoint port 15101 and keep alive // interface=wgC listening port=15103, allowed IP=10.100.100.1/32
Throw in appropriate remote subnets in allowed IPs.
ip address is 10.100.100.3/24

Router A has 3 other Wireguard interfaces. Repeat and rinse.
A to D and D to A
A to E and E to A
A to F and F to A

Routers B,C, D, E, F Repeat and rinse.

However, the problem with this approach is it doesn't lend itself at all to having road warriors traverse to any other device after arriving at Device A.
Each router would need to have a road warrior definition, specific to that router.

So in your smart phone you would have 6 different VPN connections to choose from, and the same with the laptop etc.
Each device would need an allowed IP simply for that single device. So that's a total of 6 pairs of keys needed to exchange.
The more devices the more profiles; with two devices that's 12 pairs of keys.

+++++++++++++++++++++++++++++++++++++++

If not, you need to explain exactly how you have setup wireguard for the six devices............

+++++++++++++++++++++++++++++++++++++++

I can see multiple WIREGUARD for redundancy purposes with only one acting as server at a time
Router A is server for handshake all others go through A.
If Router A goes down.
Then Router B is new primary and Routers C,D,E use Router B as primary
If Router A and B go down, then Router C is the new Primary and Routers D, E use Router C as primary
If Router A and B and C go down, then Router D is the new primary and Router E uses Router D as primary
If Router A and B and C go down, then Router E needs to be reached directly and is the new and only primary.

With this in mind, the above first iteration, may actually be less complex.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I cannot recall the thread but was this not already done and can be reviewed ---> your current config or is this something you came up with on your own???

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So with a bit more info, may be able to proceed............

What I would consider doing.
IS ONE ROUTER, most stable connection as ONLY ONE server..............all other devices are peers.
Separate WG interface on each device, solely for you as admin to connect to each router, in case Router A goes down.

This is what I would do, to lessen the complexity of at least the admin being able to reach every device.
It does not help with LAN devices reaching Remote LAN devices if Router A goes down.
How long are outages normally?
How critical is the connectivity?

+++++++++++++++++++++++++++++++++++++++++++

Thinking of another complex setup.
13 Separate wireguard interfaces per router
Each router is a Peer Server for one other Router and a peer Client for each other router. 12 Tunnels.
So a Router is Server 6 times and a Client 6 times, all on different wg interfaces.
I threw in a 13th for road warriors only.

Your smart phone would need six profiles, one for each router anyway.
But in this way we can reach any other router by way of firewall rules.

Think (legend: in the wireguard interface name, the first letter in capitals identifies the server for handshake):
Router A:
/interface list
add name=wg-Group comment="list of router client peers the roadwarrior can reach"
/interface list member
add interface=wgAb list=wg-Group
add interface=wgAc list=wg-Group
add interface=wgAd list=wg-Group
add interface=wgAe list=wg-Group
add interface=wgAf list=wg-Group
add interface=wgRW list=wg-Group

/ip firewall filter
add chain=forward action=accept in-interface-list=wg-Group out-interface-list=wg-Group comment="tunnel to tunnel"

Thus any roadwarrior coming into A now has a path to any of the other devices.
Example:
smartphone admin profile for Router A, is assigned WG address of 192.168.100.2
smartphone connects via WG to interface wgRW on Router A.
User types in any subnet address on the browser and is then connected to the correct peer for that subnet through wireguard.
User types in any wireguard IP address for any other router, and is connected to the config........ (using the MT App).

This is because Router A on the client peer definitions has all the subnets identified and the client peer address identified.
One would have to ensure that all subnets AS PER NORMAL are identified correctly to the correct WG gateway.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Not saying there is not an easier way, but it's late and I'm tired LOL
Maybe need NY coffee LOL
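The two pieces of this thread that are easy to get subtly wrong are the road-warrior AllowedIPs in the opening post (a /24 written with host bits, and a /16 wide enough to swallow whatever LAN the phone happens to be on) and the hub side of the layout just described, where the hub's peer allowed-address entries, static routes and a tunnel-to-tunnel forward rule are what let one client tunnel reach every site. The planner below is an added example, not code from this thread, from anav or from MikroTik. It keeps anav's names wgRW, wg-Group and the 192.168.100.2 client address; the interface name wgA, the listen ports, the hostname, the site subnets and the keys are constructed placeholders.

```python
"""Hub-and-spoke WireGuard planner (added example, not the forum's or MikroTik's code).
Every site router and every road warrior peers with one hub (router A); the hub's
allowed-address table plus a tunnel-to-tunnel forward rule give one client tunnel
access to every site. Names/keys/subnets are constructed placeholders except
wgRW, wg-Group and 192.168.100.2, which follow anav's post."""
from ipaddress import collapse_addresses, ip_network

HUB_IFACE = "wgA"              # site-to-site interface on the hub (assumed name)
RW_IFACE = "wgRW"              # road-warrior interface, as in anav's post
IFACE_LIST = "wg-Group"        # interface list from anav's post
TUNNEL_NET = "10.100.100.0/24" # constructed site-to-site tunnel network
RW_NET = "192.168.100.0/24"    # constructed road-warrior tunnel network
HUB_LANS = ["192.168.0.0/24"]  # constructed LAN behind the hub
# Constructed spokes: tunnel address on wgA, LANs behind each, placeholder keys.
SPOKES = {
    "B": {"tunnel": "10.100.100.2", "lans": ["192.168.2.0/24"], "pubkey": "<B_PUBKEY>"},
    "C": {"tunnel": "10.100.100.3", "lans": ["192.168.20.0/24"], "pubkey": "<C_PUBKEY>"},
}
RW_PEERS = {"phone": {"addr": "192.168.100.2", "pubkey": "<PHONE_PUBKEY>"}}


def normalize(prefix):
    """Return (canonical network, host_bits_were_set). WireGuard masks AllowedIPs
    to the prefix, so 10.10.100.1/24 behaves as 10.10.100.0/24; writing the
    canonical form avoids misreading the entry as a single host."""
    try:
        ip_network(prefix)  # strict: raises ValueError when host bits are set
        host_bits = False
    except ValueError:
        host_bits = True
    return str(ip_network(prefix, strict=False)), host_bits


def check_allowed_ips(entries, local_lan=None):
    """Lint one peer's AllowedIPs as the client will apply them: host bits set,
    entries already covered by a wider entry, and entries that also cover the
    client's current local LAN (a cafe or hotel 192.168.x.0/24), whose traffic
    would then be routed into the tunnel."""
    findings, nets = [], []
    for entry in entries:
        canon, host_bits = normalize(entry)
        if host_bits:
            findings.append(f"{entry}: host bits set, WireGuard applies it as {canon}")
        nets.append(ip_network(canon))
    for a in nets:
        for b in nets:
            if a != b and a.subnet_of(b):
                findings.append(f"{a}: redundant, already covered by {b}")
    if local_lan:
        lan = ip_network(local_lan, strict=False)
        for net in nets:
            if net.overlaps(lan):
                findings.append(f"{net}: overlaps local LAN {lan}, local traffic goes into the tunnel")
    return findings


def hub_config():
    """RouterOS 7 commands for the hub: interfaces, interface list and forward rule
    as in anav's post, one peer per spoke and per road warrior, and the static
    routes RouterOS needs because allowed-address installs no routes by itself."""
    lines = [
        f"/interface/wireguard add name={HUB_IFACE} listen-port=13231",
        f"/interface/wireguard add name={RW_IFACE} listen-port=13232",
        f"/interface/list add name={IFACE_LIST}",
        f"/interface/list/member add list={IFACE_LIST} interface={HUB_IFACE}",
        f"/interface/list/member add list={IFACE_LIST} interface={RW_IFACE}",
        f"/ip/firewall/filter add chain=forward action=accept "
        f"in-interface-list={IFACE_LIST} out-interface-list={IFACE_LIST}",
    ]
    for name, spoke in SPOKES.items():
        allowed = ",".join([f"{spoke['tunnel']}/32"] + spoke["lans"])
        lines.append(f"/interface/wireguard/peers add interface={HUB_IFACE} "
                     f"public-key=\"{spoke['pubkey']}\" allowed-address={allowed} comment=\"site {name}\"")
        for lan in spoke["lans"]:
            lines.append(f"/ip/route add dst-address={lan} gateway={HUB_IFACE}")
    for name, rw in RW_PEERS.items():
        lines.append(f"/interface/wireguard/peers add interface={RW_IFACE} "
                     f"public-key=\"{rw['pubkey']}\" allowed-address={rw['addr']}/32 comment=\"rw {name}\"")
    return lines


def road_warrior_allowed():
    """AllowedIPs one client tunnel needs to reach every site via the hub:
    both tunnel networks plus every LAN, collapsed into the fewest prefixes."""
    nets = [ip_network(TUNNEL_NET), ip_network(RW_NET)]
    nets += [ip_network(lan) for lan in HUB_LANS]
    for spoke in SPOKES.values():
        nets += [ip_network(lan) for lan in spoke["lans"]]
    return [str(n) for n in collapse_addresses(nets)]


def road_warrior_conf(client_addr="192.168.100.2/24", endpoint="<HUB_HOSTNAME>:13232"):
    """Client-side WireGuard file for the hub's wgRW interface (placeholder keys)."""
    return "\n".join([
        "[Interface]", "PrivateKey = <CLIENT_PRIVATE_KEY>", f"Address = {client_addr}", "",
        "[Peer]", "PublicKey = <HUB_wgRW_PUBLIC_KEY>",
        f"AllowedIPs = {', '.join(road_warrior_allowed())}",
        f"Endpoint = {endpoint}", "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # The AllowedIPs from the opening post, checked against a typical cafe LAN.
    for finding in check_allowed_ips(["10.10.100.1/24", "192.168.0.0/16"], local_lan="192.168.1.0/24"):
        print("finding:", finding)
    print("\n".join(hub_config()))
    print()
    print(road_warrior_conf())
```

Two things to keep in mind when pasting the generated commands into a real hub: the forward accept rule has to sit above the default-configuration drop rules in the forward chain, and the input chain has to accept UDP on the two listen ports or no handshake will ever arrive. The linter deliberately lists the /16 from the opening post as a local-LAN overlap rather than an error: it is the simplest way to cover every site with one entry, but it is also why the phone loses its cafe LAN while the tunnel is up, and the per-site /24 list the planner produces avoids that.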
 
Josephny
Forum Veteran
Topic Author
Posts: 775
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Wireguard confusion (still)

Mon Jan 06, 2025 1:34 pm

My (lay person's) analysis of using a "central hub" (let's call it the "WGServer") vs. individual connections comes down to 2 factors:

1) The reliability of the WGServer site's internet connection, and
2) The overall performance hit.

The reliability factor is obvious: If the WGServer's connection goes down (or gets flaky), it affects all other sites' connectivity.

As far as how long the outages are, how often, and how mission critical the connections are the answers strictly from my personal perspective are: 'Too long,' 'too often,' and 'super duper.' Of course, from an objective perspective, it's more like: 'Almost never more than a 4-5 hours,' 'quite rare,' and 'the complete opposite of critical.'

The performance issue is trickier. For example, I have cameras at various locations feeding continuous video to location A and simultaneously have Home Assistant-related connections (sensors, controls, for example) from all locations feeding data to location B. To make all data go through a single hub would surely have a performance impact.

That is why connectivity between certain locations (for example, what might be labeled location D to location E) are completely unimportant.

So, for now, I would like to stick with the individual connections.

You helped me greatly set this up. I did, at most, some minor tweaking.

My needs might be satisfied if I could just keep 2 WG connections running on the iPhone and laptop at the same time. I've been playing with this and it seems I can simply add a 2nd peer to the IOS WG app.


BTW: No one is more astounded, perplexed, and disoriented by the persistence of NYC's desirability than me (lifelong, multi-generational NYC'er). That's my soap-box response to your coffee comment. That is to say, coffee (and everything) is much better elsewhere. Nonetheless, anytime you're in the area, coffee (drinks, food, etc.) are definitely on me.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 3:59 pm


BTW: No one is more astounded, perplexed, and disoriented by the persistence of NYC's desirability than me (lifelong, multi-generational NYC'er). That's my soap-box response to your coffee comment. That is to say, coffee (and everything) is much better elsewhere. Nonetheless, anytime you're in the area, coffee (drinks, food, etc.) are definitely on me.
Touché, food and stuff always seems to taste better when travelling! I do like the museums and the M&Ms store ;-)
 
mozerd
Forum Veteran
Posts: 941
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 4:13 pm

WireGuard is DESIGNED TO BE a Peer-to-Peer VPN … WHAT DOES THAT MEAN:
Definition: relating to, using, or being a network by which computers operated by individuals can share information and resources "directly" without relying on a dedicated central server.

Unfortunately many do not understand that and try to configure WireGuard as something else …

Peer to peer … “one to one” … not one to many - not many to one …. But “one to one” … performance is only achieved when one understands what “one to one” means …. Yes you can do one to many or many to one BUT that is not WireGuard primary OBJECTIVE/purpose …
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 4:25 pm

Hi Mozerd,
I believe that is what the OP has done in fact. Each pair of routers A,B A,C A,D A,E and A,F have their own wireguard connection but are able to initiate a connection in both directions so each has endpoint address, endpoint port and keep alive set. I would assume each of the interfaces has a unique listening port as well.

That means each router has FIVE Wireguard interfaces and FIVE different listening ports.
That means each router has the ability to be server or client at handshake for each pair of routers.

The issue is, how can a remote admin client peer (laptop) sitting in a cafe, access Router A, via wireguard and then view the LAN subnet on Router E.
Whilst sipping his java and viewing the LAN on his laptop, the OP on his remote iPad client peer accesses Router B via wireguard and then wants to adjust the config on Router D.
How does your rigid peer to peer outlook solve that????

If all connect to Router A, it's done easy peasy.
add chain=forward action=accept in-interface=wgA out-interface=wgA { all incoming remote peers exit the tunnel on Router A, and are allowed back out the appropriate tunnel to B,C,D,E,F }

In other words, what is the optimal setup for 6 Routers using wireguard to facilitate
a. remote user access to all ( my method )
b. redundancy ( your method FIVE interfaces per router )
c. both a and b. ( ?????? )
 
mozerd
Forum Veteran
Posts: 941
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Wireguard confusion (still)

Mon Jan 06, 2025 5:08 pm

The Laptop has a peer to peer connection to Router A -- what is the objective of this connection?

The Laptop has a peer to peer connection to Router E - objective view the LAN subnet

iPad has a peer-to-peer connection to Router D - objective adjust the config on Router D

iPad has a peer-to-peer connection to Router B - what is the objective of this connection?

Once each objective is understood the answer remains the same --- it's Peer to Peer -- KISS

In a Peer to Peer VPN system like WireGuard OBJECTIVES [each and every one] must be clearly defined ...