From: Rafał Grasman
Date: Sat, 27 Jan 2018 14:24:13 +0100
Subject: Fwd: Bridging wg and normal interfaces?
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Ah alright, thanks for the info. I finally figured out everything by myself, though I still have one small problem.

For reference, here's everything I have done:

<begin>
Isolated VM's DHCP: 172.16.1.0/16

Switch wg0: 172.16.0.2/30
Switch ens3: 172.16.1.1/16
Switch ens2: 192.168.2.xx/24 gw 192.168.2.254/24

Router wg0: 172.16.0.1/30
Router eth0: 35.224.54.65/32

# both machines
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install -y linux-headers-$(uname -r) wireguard

# both machines /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp = 1

# post up (ens3 of switch) and (eth0 of router) run (wg-quick up wg0)

#### isc-dhcp-server (on switch ens3):
option domain-name "pcr";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;

authoritative;

subnet 172.16.0.0 netmask 255.255.0.0 {
  range 172.16.1.2 172.16.255.253;
  option routers 172.16.0.1;
}

############### lan vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.2/30
PostUp = ip route add 172.16.0.1/32 via 172.16.0.2 dev wg0 ; route del default gw 192.168.2.254 ; ip route add 192.168.2.254 dev ens2 ; route add default gw 172.16.0.1 dev wg0 ; ip route add 35.224.54.65 via 192.168.2.254 ; iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT ; iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = *************
Endpoint = 35.224.54.65:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 1

############### google vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.2/32 via 172.16.0.1 dev wg0 ; ip route add 172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT ; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ; iptables -A FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = *************
AllowedIPs = 0.0.0.0/0
<end>

Now the problem I face: whenever I run 'wg-quick up wg0' on a Google Cloud Engine VM, I can't SSH to it anymore from the WAN side. But the weird thing is, from the 'switch' I can ping the router just fine; they have a connection, and I can even SSH (sometimes not).

Now what's weird is, when I do all configuration steps with commands (ip .., wg set .., blabla) and set it up with those commands just like the config, everything works fine. So I have a script that just does the commands... but wg-quick should work; everything is the same. Yet this happens... Anything I can do to debug this behaviour?

On 25 January 2018 at 12:08, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> WireGuard is layer 3, not layer 2, so bridging is not what you want.
>
> Instead, do ordinary IP routing between different subnets. As you
> appear to already have different subnets, this shouldn't be a problem.
>
> If you'd like to overlap within the same subnet, there's always proxy
> arp, but I'd caution against that approach.
>
> Lots of people run into this confusion about layer 2 vs layer 3. We
> can probably walk you through getting things rolling for your
> particular setup in #wireguard on Freenode, if you have IRC.
>
> Jason
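Why `wg-quick up wg0` behaves differently from the hand-typed `ip` / `wg set` sequence in the mail above can be read off the two configs: both peers carry `AllowedIPs = 0.0.0.0/0`, and wg-quick(8) treats a /0 in AllowedIPs specially unless `Table = off` (or an explicit table number) is set in [Interface]. Instead of a plain `ip route add`, it sets an fwmark on the interface, puts the /0 route into its own table (51820 by default) and adds two policy rules, `not fwmark 51820 table 51820` and `table main suppress_prefixlength 0`, so every packet the host emits that was not generated by the tunnel itself is routed into wg0. On the Google VM that includes the replies to an SSH client on the WAN; the manual `ip route add 172.16.0.0/16 ...` sequence never installs those rules. The Python below is an added example, not code from the mail or from the WireGuard project: it parses a wg-quick style config and prints the routing commands wg-quick would derive from it, following its add_route/add_default logic as I know it (the table number, the rule order and the omission of the extra firewall rules newer wg-quick releases add are assumptions of the model, and nothing is executed against a real routing table). The sample configs are constructed from the mail, and the narrowed `AllowedIPs = 172.16.0.0/16` variant is my illustration of the setting that stays out of the policy-routing path, not something the author posted.

```python
"""
Model of the routing side effects of `wg-quick up` for a given wg0.conf.

Added example, not part of the original mail or of the WireGuard project.
It mirrors wg-quick(8)'s add_route()/add_default() as I know them: every
AllowedIPs entry becomes a route to the interface, and a catch-all entry
(0.0.0.0/0 or ::/0) switches to policy routing (fwmark + table 51820 + two
ip rules) unless [Interface] sets Table = off or an explicit table number.
Assumptions: table 51820 is free, and the rpfilter/firewall rules added by
newer wg-quick versions are ignored. Nothing here touches the real kernel.
"""
import ipaddress

WG_QUICK_TABLE = 51820                       # wg-quick's default policy table
LIST_KEYS = ("AllowedIPs", "Address", "DNS")  # comma-separated, may repeat
HOOK_KEYS = ("PreUp", "PostUp", "PreDown", "PostDown")


def parse_wg_conf(text):
    """Parse wg-quick's INI dialect into (interface_dict, [peer_dict, ...]).

    '#' comments are stripped, comma lists are split, hooks are kept in
    order; any other key is a plain key=value where the last one wins.
    """
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = iface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in LIST_KEYS:
                current.setdefault(key, []).extend(
                    v.strip() for v in value.split(",") if v.strip())
            elif key in HOOK_KEYS:
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return iface, peers


def wg_quick_route_plan(text, ifname="wg0"):
    """Commands wg-quick would run for every AllowedIPs entry, in order.

    Table=off adds nothing; an explicit Table=N puts every route into table N;
    otherwise a /0 entry goes through the fwmark + policy-rule path and
    anything narrower becomes a plain `ip route add <net> dev <ifname>`.
    """
    iface, peers = parse_wg_conf(text)
    table = iface.get("Table", "auto").lower()
    if table == "off":
        return []
    cmds, fwmark_set = [], False
    for peer in peers:
        for cidr in peer.get("AllowedIPs", []):
            net = ipaddress.ip_network(cidr, strict=False)
            proto = "-6" if net.version == 6 else "-4"
            if table != "auto":
                cmds.append(f"ip {proto} route add {net} dev {ifname} table {table}")
            elif net.prefixlen == 0:
                if not fwmark_set:            # the mark is set once per interface
                    cmds.append(f"wg set {ifname} fwmark {WG_QUICK_TABLE}")
                    fwmark_set = True
                cmds += [
                    f"ip {proto} route add {net} dev {ifname} table {WG_QUICK_TABLE}",
                    f"ip {proto} rule add not fwmark {WG_QUICK_TABLE} table {WG_QUICK_TABLE}",
                    f"ip {proto} rule add table main suppress_prefixlength 0",
                ]
            else:
                cmds.append(f"ip {proto} route add {net} dev {ifname}")
    return cmds


def hijacks_default_route(text):
    """True when wg-quick would install the fwmark/policy-rule default route,
    i.e. when every non-tunnel packet the host sends (SSH replies to a WAN
    client included) is steered into the WireGuard interface."""
    return any("suppress_prefixlength 0" in c for c in wg_quick_route_plan(text))


# Constructed from the Google VM config in the mail (keys redacted there too).
GOOGLE_VM_CONF = """\
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = *************
AllowedIPs = 0.0.0.0/0
"""

# Same peer, AllowedIPs narrowed to what the LAN side actually sources:
# wg-quick then adds one plain route and leaves the main table's default alone.
GOOGLE_VM_CONF_NARROW = GOOGLE_VM_CONF.replace("AllowedIPs = 0.0.0.0/0",
                                               "AllowedIPs = 172.16.0.0/16")

if __name__ == "__main__":
    for name, conf in (("catch-all", GOOGLE_VM_CONF), ("narrowed", GOOGLE_VM_CONF_NARROW)):
        print(f"--- {name}: hijacks default route = {hijacks_default_route(conf)}")
        for cmd in wg_quick_route_plan(conf):
            print("   ", cmd)
```

Running it prints the four fwmark/table/rule commands for the config as posted and a single `ip -4 route add 172.16.0.0/16 dev wg0` for the narrowed one. On a real host the same check is `ip rule show` and `ip route show table 51820` right after `wg-quick up`: if the rules are there, WAN-side traffic to the VM is being answered through the tunnel. The two ways out, both under my assumption about which wg-quick release is installed, are to narrow the Google VM's peer to the addresses the switch side really sources (172.16.0.0/16 covers the isolated VMs and the switch's own 172.16.0.2), or to keep the catch-all and set `Table = off` in [Interface] so wg-quick leaves routing entirely to the PostUp commands, which is exactly what the hand-run script was doing.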