Routing between Wireguard and OpenVPN network not fully working

Posted: Sun Jul 03, 2022 11:25 am
by MatejKovacic
I have set up a "mixed" network between OpenVPN and Wireguard. Both services are on the same machine. I know Wireguard does not have a "server-client" infrastructure (they use the term peers), but for my case I will call the Wireguard "server" a machine with a static IP on the internet to which the Wireguard "clients" (which are not publicly accessible on the internet) connect.

So my setup is:
- OpenVPN server (IP is 10.8.3.1)
- OpenVPN client (IP is 10.8.3.2)
- Wireguard "server" (IP is 10.8.0.1)
- Wireguard "client" (IP is 10.8.0.5)

OpenVPN client and Wireguard "client" are two different machines.

What do I want? That all machines can see each other.

So in the OpenVPN server config I have (among other settings):

topology subnet
push "topology subnet"

server 10.8.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.3.1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
push "route 10.8.0.0 255.255.255.0 10.8.3.1" # to Wireguard network

I am also running this script:

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
OVPN_FACE="tun1"                 # OpenVPN NIC
SUB_NET="10.8.0.0/24"            # WG IPv4 sub/net aka CIDR
WG_PORT="51194"                  # WG udp port

## IPv4 ##
# Note: "-I <chain> 1" inserts at the head of the chain, so each later line
# ends up above the earlier ones, and re-running the script adds a second
# copy of every rule.
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
# Stateless: accepts any forwarded traffic from the internet towards wg0,
# not only replies to flows the peers started.
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# WG can see OVPN and vice versa
$IPT -I FORWARD -i $WG_FACE -o $OVPN_FACE -j ACCEPT
$IPT -I FORWARD -i $OVPN_FACE -o $WG_FACE -j ACCEPT

# Wireguard peers can see each other
$IPT -I FORWARD -i $WG_FACE -o $WG_FACE -j ACCEPT

So I did some tests:

From OpenVPN client:
- ping to OpenVPN server: OK
- ping to Wireguard "server": OK
- ping to internet: OK
- curl ifconfig.me: OK (I get public IP address of the OpenVPN/Wireguard server)
- ping to Wireguard "client": OK
- ping to other OpenVPN client: OK

So everything fine here. Now from the Wireguard side:

From Wireguard peer:
- ping to OpenVPN server: OK
- ping to Wireguard "server": OK
- ping to internet: OK
- curl ifconfig.me: OK (I get public IP address of the OpenVPN/Wireguard server)
- ping to other Wireguard "client": OK
- ping to OpenVPN client: NOT WORKING

So as you can see, everything is working fine, except that I am unable to access OpenVPN clients from Wireguard peers ("clients").

Any idea how to solve this?
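
As an added example (not the poster's script and not anything from this thread), here is the same forwarding setup written as a single iptables-restore ruleset: forwarding is default-deny, return traffic is admitted through conntrack instead of a blanket ens3-to-wg0 accept, the cross-VPN rules are pinned to the two subnets, and whatever the kernel still drops in FORWARD is logged. The log line is what a practitioner would check first for the failing WireGuard-to-OpenVPN ping: if the echo request is not logged as dropped on the server, the server's FORWARD chain is not the place it dies. Interface names and the two subnets are taken from the post; the OpenVPN UDP port (1194), the INPUT rule for tun1 and the choice to set the FORWARD policy to DROP are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: a tighter forwarding
# ruleset for a box that terminates both OpenVPN (tun1, 10.8.3.0/24) and
# WireGuard (wg0, 10.8.0.0/24), in iptables-restore syntax so the whole
# set can be reviewed before it is loaded.
# Assumptions not taken from the thread: the OpenVPN UDP port (1194), the
# INPUT rule for the OpenVPN interface, and FORWARD policy DROP.
set -eu

IN_FACE="${IN_FACE:-ens3}"           # NIC facing the internet
WG_FACE="${WG_FACE:-wg0}"            # WireGuard interface
OVPN_FACE="${OVPN_FACE:-tun1}"       # OpenVPN interface
WG_NET="${WG_NET:-10.8.0.0/24}"      # WireGuard subnet
OVPN_NET="${OVPN_NET:-10.8.3.0/24}"  # OpenVPN subnet (server 10.8.3.0 255.255.255.0)
WG_PORT="${WG_PORT:-51194}"          # WireGuard UDP port
OVPN_PORT="${OVPN_PORT:-1194}"       # OpenVPN UDP port (assumption)

# Print the ruleset. Only the chains named here are touched: INPUT keeps its
# current policy, FORWARD is switched to DROP so every permitted flow is
# explicit, and anything else is rate-limited into the kernel log.
build_rules() {
    cat <<EOF
*nat
-A POSTROUTING -s $WG_NET -o $IN_FACE -j MASQUERADE
-A POSTROUTING -s $OVPN_NET -o $IN_FACE -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
-A INPUT -i $IN_FACE -p udp --dport $OVPN_PORT -j ACCEPT
-A INPUT -i $WG_FACE -s $WG_NET -j ACCEPT
-A INPUT -i $OVPN_FACE -s $OVPN_NET -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WG_FACE -s $WG_NET -o $IN_FACE -j ACCEPT
-A FORWARD -i $OVPN_FACE -s $OVPN_NET -o $IN_FACE -j ACCEPT
-A FORWARD -i $WG_FACE -s $WG_NET -o $OVPN_FACE -d $OVPN_NET -j ACCEPT
-A FORWARD -i $OVPN_FACE -s $OVPN_NET -o $WG_FACE -d $WG_NET -j ACCEPT
-A FORWARD -i $WG_FACE -s $WG_NET -o $WG_FACE -d $WG_NET -j ACCEPT
-A FORWARD -m limit --limit 6/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Load the ruleset. DRY_RUN=1 prints it instead (loading needs root).
apply_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        build_rules
        return 0
    fi
    sysctl -q -w net.ipv4.ip_forward=1
    # The two chains this script owns are flushed first so re-running it
    # replaces rather than duplicates them; INPUT is only appended to.
    iptables -F FORWARD
    iptables -t nat -F POSTROUTING
    build_rules | iptables-restore --noflush
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `DRY_RUN=1 ./fwd-rules.sh apply` to review the output, then `./fwd-rules.sh apply` as root; dropped forwards then show up in `dmesg`/`journalctl -k` prefixed with `FWD-DROP:` together with the in/out interface and addresses. Two things follow from the default-deny policy: OpenVPN client-to-client traffic must stay inside the OpenVPN process (the `client-to-client` option above does that; without it the kernel would now drop tun1-to-tun1), and a WireGuard peer only reaches 10.8.3.0/24 if that prefix is also in the peer's own AllowedIPs and route table, which this server-side script cannot check.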

Re: Routing between Wireguard and OpenVPN network not fully working

Posted: Mon Jul 04, 2022 12:29 pm
by ordex
Does the OpenVPN client have any firewall?
The fact that the OpenVPN client can ping the Wireguard client implies that routing is working fine because packets are flowing in both directions.

Re: Routing between Wireguard and OpenVPN network not fully working

Posted: Mon Jul 04, 2022 9:45 pm
by MatejKovacic
The OpenVPN client has a firewall (ufw), but it is responding to ping. From the server I can ping it; however, from the Wireguard "client" ping is not possible. From the OpenVPN client, I can ping this Wireguard "client".