by Frotag 142 days ago
> The gateway device performs 1:1 NAT. Traffic arriving for 100.97.14.3 is destination-translated to 192.168.1.100, and the source is masqueraded to the gateway's own LAN address.

Couldn't you tell the WG devices that 192.168.2.0/24 refers to the 192.168.1.0/24 network at customer A, such that 192.168.2.55 is routed to 192.168.1.55? Same for 192.168.3.0/24 referring to customer B.

I think this is what the article is getting at but I don't see the value in manually assigning an alias to each non-wg device, versus assigning an alias to the entire LAN.

It's not enough to set fake routes. You have to edit the addresses in the packets, so the end devices will receive them.

Yeah, so instead of DNAT, use NETMAP on the gateway device to that LAN. (Sorry if I'm abusing the terminology, I only do this stuff like once a year for homelab.)

E.g. this is what I'm currently using to alias my home network:

    # Rewrite 192.168.150.?? as 192.168.50.?? (prefix-preserving: host bits are kept)
    # PreUp installs the rule when the tunnel comes up, PostDown removes the same rule
    PreUp = iptables -t nat -A PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24
    PostDown = iptables -t nat -D PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24

With other wg peers getting a 192.168.150.0/24 entry in the AllowedIPs for this gateway (if needed).
The problem there is you still need to keep track of the subnets. It works for a while, but it's quite complex. NAT is actually easier when you get into hundreds of sites.
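As an added illustration (not part of any comment above), this models the NETMAP approach from the thread: two customer sites that both use 192.168.1.0/24 are each given their own alias /24, the hub picks the gateway by AllowedIPs-style longest-prefix match, and the gateway's PREROUTING NETMAP swaps the network bits while keeping the host bits. The site names and alias subnets are constructed for the example.

```python
import ipaddress

# Constructed example: both sites use the same LAN range internally, so each
# site's WireGuard gateway is addressed through a distinct alias /24, mirroring
# "iptables -t nat -A PREROUTING -d <alias> -j NETMAP --to <lan>".
SITES = {
    "customer-A": {"alias": "192.168.2.0/24", "lan": "192.168.1.0/24"},
    "customer-B": {"alias": "192.168.3.0/24", "lan": "192.168.1.0/24"},
}


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Prefix-preserving rewrite like iptables NETMAP: replace the network
    bits of addr (taken from from_net) with those of to_net, keep host bits."""
    src = ipaddress.ip_network(from_net, strict=True)
    dst = ipaddress.ip_network(to_net, strict=True)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths on both sides")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def pick_gateway(dst: str) -> str:
    """Mimic WireGuard AllowedIPs routing on the hub: longest-prefix match of
    the destination against each site gateway's alias subnet."""
    ip = ipaddress.ip_address(dst)
    best = None
    for site, nets in SITES.items():
        alias = ipaddress.ip_network(nets["alias"])
        if ip in alias and (best is None or alias.prefixlen > best[1].prefixlen):
            best = (site, alias)
    if best is None:
        raise LookupError(f"no AllowedIPs entry covers {dst}")
    return best[0]


def deliver(dst: str) -> tuple[str, str]:
    """Hub sends to an alias address; returns (site, real LAN address) as seen
    after the site gateway's PREROUTING NETMAP rule."""
    site = pick_gateway(dst)
    nets = SITES[site]
    return site, netmap(dst, nets["alias"], nets["lan"])


def reply_source(site: str, real_src: str) -> str:
    """Return traffic: conntrack reverses the mapping, so the LAN host's real
    address shows up at the hub as its alias address."""
    nets = SITES[site]
    return netmap(real_src, nets["lan"], nets["alias"])
```

Note that the alias-to-LAN table is the state the last comment warns about: one entry per site, which is far fewer than one DNAT entry per device but still something that has to be tracked as sites are added.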