WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

3 router Edgerouter Wireguard setup. A Master, B & C Peers - Peer to Peer connection only works from Edgerouter itself, no clients #88

Open GhostlyCrowd opened 3 years ago

GhostlyCrowd commented 3 years ago

I have a VPN set up. Site A is master, B and C are peers. A can see B and C, B and C can see A, but B and C clients can't see each other (peers cannot see each other). However, B can ping C and C can ping B if I ping from the EdgeRouter itself. HOWEVER, if I ping from a client at B to anything at C it's 100% packet loss and vice versa.

Any help please?

dc361 commented 3 years ago

Is B a peer of C and C a peer of B and if so do they have appropriate allowed IP ranges?

GhostlyCrowd commented 3 years ago

> Is B a peer of C and C a peer of B and if so do they have appropriate allowed IP ranges?

No, A is the main host; B and C are peers to A. There is no interconnection between B and C. I put in a masquerade and now B and C seem to be able to ping and talk.

Is this the correct method? Or should I be making a big peer loop as you're asking?

dc361 commented 3 years ago

I'll have to try one of my setups to verify but since WG is a peer to peer network and not server-client, I would think that having B and C as peers of each other would give you a more 'direct' connection. At the moment it would be C->A (and A knows about B) -> B. I would think with the peer setup it would be C->B.

GhostlyCrowd commented 3 years ago

> I'll have to try one of my setups to verify but since WG is a peer to peer network and not server-client, I would think that having B and C as peers of each other would give you a more 'direct' connection. At the moment it would be C->A (and A knows about B) -> B. I would think with the peer setup it would be C->B.

Simply peering from B to C should complete the triangle?

Or are you suggesting every site would require a connection to and fro? 6 wireguard tunnels?

A -> B, A <- B, A -> C, A <- C, B -> C, B <- C.

This doesn't seem very efficient. That seems like some form of logic insanity.

dc361 commented 3 years ago

Do all your peers need to interact or just a select few B's and C's ... for many people the primary is B->A or C->A only.

GhostlyCrowd commented 3 years ago

> Do all your peers need to interact or just a select few B's and C's ... for many people the primary is B->A or C->A only.

All 3 need to be able to see each other. The main endpoint with B and C as peers is how it's currently set up.

dc361 commented 3 years ago

What I've done in the past for my peers like your B and C is to assign A's /32 in the allowed IPs and also the WireGuard /24. So for example if A is 10.8.0.1 I'd have 10.8.0.1/32 and 10.8.0.0/24 in the allowed IPs.

There is no 'direct' route from B to C so the traffic will be routed through A.
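The allowed-ips logic behind that answer, and why a ping from the EdgeRouter itself crosses while a LAN client's ping does not, as an added Python walk-through (not code from this project or thread; the wg0 addresses, LAN subnets and client IPs are constructed):

```python
"""Cryptokey-routing walk-through for the hub-and-spoke layout in this thread.
Added example, not wireguard-vyatta-ubnt code.  Constructed addresses: wg0 is
10.8.0.0/24 (A=.1 hub, B=.2, C=.3), LANs 192.168.{1,2,3}.0/24 behind A, B, C.
Only the allowed-ips checks are modelled; route-allowed-ips / static routes and
IP forwarding on the EdgeRouters are assumed to be in place."""
from ipaddress import ip_address, ip_network

WG = ip_network("10.8.0.0/24")
WGIP = {n: ip_address(f"10.8.0.{i}") for i, n in enumerate("ABC", start=1)}
WG32 = {n: ip_network(f"{a}/32") for n, a in WGIP.items()}
LAN = {n: ip_network(f"192.168.{i}.0/24") for i, n in enumerate("ABC", start=1)}
B_CLIENT, C_CLIENT = ip_address("192.168.2.10"), ip_address("192.168.3.10")


def covers(nets, addr):
    return any(addr in net for net in nets)


def deliver(topology, start, src, dst, max_hops=4):
    """topology[node] = {peer: [allowed-ips nets]}.  Outbound: hand the packet to
    the one peer whose allowed-ips cover dst.  Inbound: the receiver drops it
    unless src is inside the allowed-ips it holds for the sender."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst == WGIP[node] or dst in LAN[node]:
            return path, True
        nxt = next((p for p, nets in topology[node].items() if covers(nets, dst)), None)
        if nxt is None:  # no peer claims dst: nothing is sent (the "no route" case)
            return path, False
        path.append(nxt)
        if not covers(topology[nxt].get(node, []), src):
            return path, False  # silently dropped on receipt (fails the inbound check)
        node = nxt
    return path, False


# Allowed-ips as the thread describes them: spokes hold A's /32 plus the wg /24,
# the hub holds each spoke's wg /32.  Router-to-router pings cross, LAN clients
# do not: B has no peer whose allowed-ips cover 192.168.3.0/24.
ROUTER_ONLY = {
    "A": {"B": [WG32["B"]], "C": [WG32["C"]]},
    "B": {"A": [WG32["A"], WG]},
    "C": {"A": [WG32["A"], WG]},
}
# Hub-routed fix: every list also names the LANs reachable through that peer,
# so both checks pass at every hop and no masquerade at the spokes is needed.
HUB_ROUTED = {
    "A": {"B": [WG32["B"], LAN["B"]], "C": [WG32["C"], LAN["C"]]},
    "B": {"A": [WG32["A"], WG, LAN["A"], LAN["C"]]},
    "C": {"A": [WG32["A"], WG, LAN["A"], LAN["B"]]},
}
```

If only the hub's entries lack the spoke LANs, the client packet is dropped on receipt at A, which is exactly the case the masquerade papered over by rewriting the source to B's wg0 address.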