# Example Server-To-Server Config with Roaming Devices
WARNING: **Make sure to change the IP addresses and ranges in your configs before running!**
The blocks used in these examples are reserved for documentation purposes by the IETF and should never be used in real network setups.
- **`192.0.2.0/24`** (TEST-NET-1) IPv4 example range [RFC5737](https://tools.ietf.org/html/rfc5737)
- **`2001:DB8::/32`** IPv6 example range [RFC3849](https://tools.ietf.org/html/rfc3849)
You can use any private range you want instead, e.g. `10.0.44.0/24`, just make sure
it doesn't conflict with any of the LAN subnet ranges your peers are on.
The complete example config for the setup below can be found here: https://github.com/pirate/wireguard-docs/tree/master/full-example (WARNING: do not use it on your devices without changing the public/private keys!).
## Overview
### Network Topology
These 5 devices are used in our example setup to explain how WireGuard supports bridging across a variety of network conditions, they're all under an example domain `example-vpn.dev`, with the following short hostnames:
-`public-server1` (not behind a NAT, acts as the main VPN bounce server)
-`public-server2` (not behind a NAT, joins as a peer without bouncing traffic)
-`home-server` (behind a NAT, joins as a peer without bouncing traffic)
-`laptop` (behind NAT, sometimes shared w/ home-server/phone, sometimes roaming)
-`phone` (behind NAT, sometimes shared w/ home-server/laptop, sometimes roaming)
### Explanation
This VPN config simulates setting up a small VPN subnet `192.0.2.1/24` shared by 5 nodes. Two of the nodes (public-server1 and public-server2) are VPS instances living in a cloud somewhere, with public IPs accessible to the internet. home-server is a stationary node that lives behind a NAT with a dynamic IP, but it doesn't change frequently. Phone and laptop are both roaming nodes, that can either be at home in the same LAN as home-server, or out-and-about using public wifi or cell service to connect to the VPN.
Whenever possible, nodes should connect directly to each other, depending on whether nodes are directly accessible or NATs are between them, traffic will route accordingly:
### The Public Relay
`public-server1` acts as an intermediate relay server between any VPN clients behind NATs, it will forward any 192.0.2.1/24 traffic it receives to the correct peer at the system level (WireGuard doesn't care how this happens, it's handled by the kernel `net.ipv4.ip_forward = 1` and the iptables routing rules).
This example demonstrates a **simple relay-only setup** where NAT-ed clients can reach the public servers but NOT each other. In this configuration:
- NAT-ed clients (home-server, laptop, phone) only define the public relay server as a peer
- They can communicate with public-server1 and public-server2, but not with each other
- Traffic between NAT-ed clients is not possible because they don't have each other's public keys
**For NAT-to-NAT Communication:**
If you need NAT-ed clients to communicate with each other (e.g., laptop → phone), you must:
1. Add peer definitions on each NAT-ed client for every other NAT-ed peer they need to reach
2. Include the `PublicKey` and `AllowedIPs` for each peer (but omit `Endpoint` for NAT-ed peers)
3. Keep the relay server's `AllowedIPs = 192.0.2.1/24` to enable packet forwarding
Example: If `laptop` needs to reach `phone`, add this to `laptop`'s config:
```ini
[Peer]
# Name = phone.example-vpn.dev
PublicKey = <publickeyforphone.example-vpn.dev>
AllowedIPs = 192.0.2.5/32
# No Endpoint - traffic will be relayed through public-server1
```
This is necessary because WireGuard requires peer public keys for end-to-end encryption—the relay server only forwards encrypted packets and cannot encrypt/decrypt on behalf of the clients.
To run this full example, simply copy the `full wg0.conf config file for node` section from each node onto each server, enable IP forwarding on the public relay, and then start WireGuard on all the machines.
For more detailed instructions, see the [Quickstart](#Quickstart) guide and API reference above. You can also download the complete example setup here: https://github.com/pirate/wireguard-docs/tree/master/full-example (WARNING: do not use it on your devices without changing the public/private keys!).
## Node Config
### public-server1.example-vpn.tld
* public endpoint: `public-server1.example-vpn.tld:51820`
* own vpn ip address: `192.0.2.1`
* can accept traffic for ips: `192.0.2.1/24`
* priv key: `<private key for public-server1.example-vpn.tld>`
* pub key: `<public key for public-server1.example-vpn.tld>`
