Does anyone have any experience stacking WireGuard tunnels? Like, I have a network behind a DSL line with dynamic IP addresses that I want to terminate tunnels from the outside in.

The idea is to make a tunnel from there to a VPS, and just create a port forwarding on that VPS to push other wireguard traffic coming in from the outside back through the outer tunnel to a different wg endpoint at home.


Instead, I could just terminate both kinds of tunnels on the VPS, and just route from one to the other. Though that means that I have the config for "VPN clients" on a possibly less trustable VPS on foreign infrastructure, and also unencrypted traffic flowing between the two wg tunnels out there.
Just forwarding the client tunnel traffic to a wg instance at home would mean that I keep full control over that end.


Not really having used WireGuard up to now (except for very simple 1:1 setups connecting two hosts), it doesn't seem I'd have many concerns to take into account with tunnel-in-tunnel traffic, except keeping an eye on the MTU for the inner tunnel?

Setup of an endpoint that keeps both the tunnel going out to the VPS with a stable IP address and terminates incoming wg traffic coming in through that tunnel will probably need some form of nonstandard configuration...

3/3 (end)
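As an added worked example (not part of the post above, and not taken from any project's documentation), here is one way to lay out the setup the thread describes with wg-quick and nftables: an outer tunnel from the home gateway to the VPS, a DNAT on the VPS that pushes the clients' still-encrypted WireGuard UDP through that outer tunnel, and a second WireGuard interface at home that actually terminates the clients. Everything concrete is an assumption chosen for the example: the VPS address 203.0.113.10, the ports 51820 (outer) and 51821 (inner), the subnets 10.100.0.0/24 (outer) and 10.200.0.0/24 (inner), the interface names eth0/wg0/wg1, the home LAN 192.168.1.0/24, and the placeholder keys. It covers an IPv4 client leg only.

```ini
# --- /etc/wireguard/wg0.conf on the VPS (outer tunnel server, stable IP 203.0.113.10) ---
# All addresses, ports, interface names and keys in this example are assumptions.
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <vps-outer-private-key>
# Forwarding also needs net.ipv4.ip_forward=1 and, if a filter table exists,
# a forward rule accepting iifname "eth0" oifname "wg0" udp dport 51821 plus the reverse.
# DNAT: public UDP/51821 -> inner WireGuard server at home, through the outer tunnel.
# SNAT: rewrite the source to the VPS tunnel address so home's replies come back
# through wg0 instead of taking the home default route. The inner WireGuard still
# identifies each client by its key, so losing the client's real source IP is harmless.
PostUp = nft add table ip wgfwd
PostUp = nft add chain ip wgfwd pre '{ type nat hook prerouting priority -100; }'
PostUp = nft add rule ip wgfwd pre iifname "eth0" udp dport 51821 dnat to 10.100.0.2:51821
PostUp = nft add chain ip wgfwd post '{ type nat hook postrouting priority 100; }'
PostUp = nft add rule ip wgfwd post oifname "wg0" ip daddr 10.100.0.2 udp dport 51821 snat to 10.100.0.1
PostDown = nft delete table ip wgfwd

[Peer]
# Home gateway. No Endpoint here: the VPS learns the current DSL address
# from the first authenticated packet and follows it when it changes.
PublicKey = <home-outer-public-key>
AllowedIPs = 10.100.0.2/32

# --- /etc/wireguard/wg0.conf on the home gateway (outer tunnel client, dynamic DSL IP) ---
[Interface]
Address = 10.100.0.2/24
PrivateKey = <home-outer-private-key>
# wg-quick default for a 1500-byte path; stated explicitly because wg1's MTU is derived from it.
MTU = 1420

[Peer]
PublicKey = <vps-outer-public-key>
Endpoint = 203.0.113.10:51820
# Only the tunnel subnet, never 0.0.0.0/0: the home default route stays on the DSL line.
AllowedIPs = 10.100.0.0/24
# Home sits behind NAT and the VPS cannot initiate, so keep the mapping alive.
PersistentKeepalive = 25

# --- /etc/wireguard/wg1.conf on the home gateway (inner server, terminates the VPN clients) ---
[Interface]
Address = 10.200.0.1/24
ListenPort = 51821
PrivateKey = <home-inner-private-key>
# Inner packets ride inside wg0 (MTU 1420): subtract another 60 bytes of
# IPv4 (20) + UDP (8) + WireGuard (32), rounded down to 1340 for headroom.
MTU = 1340
# Needed so clients can reach the LAN; add a forward/firewall rule to taste.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Roaming client; after the VPS SNAT its packets arrive from 10.100.0.1.
PublicKey = <client-public-key>
AllowedIPs = 10.200.0.10/32

# --- wg.conf on a roaming client (laptop or phone on the outside) ---
[Interface]
Address = 10.200.0.10/24
PrivateKey = <client-private-key>
MTU = 1340

[Peer]
PublicKey = <home-inner-public-key>
# The VPS only relays this encrypted UDP; it never holds the inner keys.
Endpoint = 203.0.113.10:51821
AllowedIPs = 10.200.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

To check it end to end: `wg show wg0` on the VPS should show a recent handshake with the home peer before any client is tried, `tcpdump -ni wg0 udp port 51821` on the VPS should show the client's packets leaving towards 10.100.0.2 once a client connects, and `wg show wg1` on the home gateway should list that client's handshake with endpoint 10.100.0.1. If the outer tunnel works but wg1 never sees a handshake, the usual culprits are the missing forward rule or ip_forward on the VPS; if the handshake works but large transfers stall, the inner MTU is still too high.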

INFRa Mastodon
