Routing between Wireguard and OpenVPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

MatejKovacic
OpenVPN User
Posts: 44
Joined: Wed Jun 19, 2013 9:43 am

Routing between Wireguard and OpenVPN

Post by MatejKovacic » Tue Jul 26, 2022 7:21 am

I have set up a Wireguard peer and an OpenVPN server on the same machine. The machine has a public IP, so other Wireguard peers and OpenVPN clients can connect to it.

For Wireguard I am using the subnet 10.10.6.0/24, and for OpenVPN the subnet 10.10.8.0/24.

Right after Wireguard is activated, I am running this script:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.10.6.0/24"            # WG IPv4 sub/net aka CIDR
WG_PORT="51194"                  # WG udp port
SUB_NET_6="fd42:42:42:42::/112"  # WG IPv6 sub/net

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# Peers can see each other
$IPT -I FORWARD -i $WG_FACE -o $WG_FACE -j ACCEPT

On the Wireguard peers I have AllowedIPs = 0.0.0.0/0

On the OpenVPN server I have push "route 10.10.6.0 255.255.255.0"

In /etc/ufw/before.rules I have this (before the *filter section):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.8.0/24 -o ens3 -j MASQUERADE
COMMIT

And in /etc/default/ufw I have DEFAULT_FORWARD_POLICY="ACCEPT".

Now the problem... Wireguard peers can see (ping) each other. OpenVPN clients can also see (ping) each other. BUT: Wireguard peers cannot ping OpenVPN clients, and vice versa. How do I do that?


Re: Routing between Wireguard and OpenVPN

Post by MatejKovacic » Wed Jul 27, 2022 1:37 pm

Additional info. I have IPv4 forwarding enabled (on a Debian server).

I also had:

iptables -I FORWARD -i tun0 -o wg0 -j ACCEPT
iptables -I FORWARD -i wg0 -o tun0 -j ACCEPT

...but it was not working.


Re: Routing between Wireguard and OpenVPN

Post by MatejKovacic » Wed Jul 27, 2022 3:50 pm

I tried to ping WG peer 10.10.6.150 FROM OVPN client (10.10.8.9).

On the server I ran:

tcpdump -i wg0 icmp -v

This is the result:

tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:45:17.094051 IP (tos 0x0, ttl 63, id 64300, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.8.9 > 10.10.6.150: ICMP echo request, id 18, seq 1, length 64
17:45:18.148764 IP (tos 0x0, ttl 63, id 64534, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.8.9 > 10.10.6.150: ICMP echo request, id 18, seq 2, length 64

Also:

tcpdump -i tun0 icmp -vvv

tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:49:09.209674 IP (tos 0x0, ttl 64, id 42726, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.8.9 > 10.10.6.150: ICMP echo request, id 21, seq 1, length 64
17:49:10.210760 IP (tos 0x0, ttl 64, id 42829, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.8.9 > 10.10.6.150: ICMP echo request, id 21, seq 2, length 64


Re: Routing between Wireguard and OpenVPN

Post by MatejKovacic » Wed Jul 27, 2022 3:54 pm

Also, pinging from a WG peer to an OVPN client:

tcpdump -i wg0 icmp -vvv

tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:53:06.700000 IP (tos 0x0, ttl 64, id 58982, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 22, seq 1, length 64
17:53:07.715717 IP (tos 0x0, ttl 64, id 59203, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 22, seq 2, length 64

tcpdump -i tun0 icmp -vvv

tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:53:25.759672 IP (tos 0x0, ttl 63, id 59298, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 23, seq 1, length 64
17:53:26.783552 IP (tos 0x0, ttl 63, id 59300, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 23, seq 2, length 64


Re: Routing between Wireguard and OpenVPN

Post by MatejKovacic » Wed Jul 27, 2022 3:58 pm

OK, here is another thing.

ping 10.10.8.151
PING 10.10.8.151 (10.10.8.151) 56(84) bytes of data.
^C
--- 10.10.8.151 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms

On an OpenVPN client (10.10.8.151) tcpdump says:

sudo tcpdump -i tun0 icmp -vvv

tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:55:57.016135 IP (tos 0x0, ttl 63, id 42350, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.151: ICMP echo request, id 24, seq 1, length 64
17:55:58.099301 IP (tos 0x0, ttl 63, id 42416, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.151: ICMP echo request, id 24, seq 2, length 64

So the traffic comes to the final client...
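The method used throughout this thread is to capture ICMP on each interface in turn and see where the echo requests stop being answered. The helper below is an added example, not the poster's code or anything from the OpenVPN or WireGuard projects: it parses the two-line record format that `tcpdump -i <iface> icmp -v` prints (as in the captures above) and lists, per flow and ICMP id, which sequence numbers never received a reply on that interface. The capture embedded in it is constructed: it copies the thread's tun0 request lines and adds one hypothetical echo reply so the pairing logic has something to match.

```python
import re
from collections import defaultdict

# Constructed sample in the two-line format of `tcpdump -i <iface> icmp -v`.
# It mirrors the tun0 capture from the thread, with one echo reply added
# (hypothetical) so that the request/reply pairing has something to match.
SAMPLE_CAPTURE = """\
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:53:25.759672 IP (tos 0x0, ttl 63, id 59298, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 23, seq 1, length 64
17:53:25.760412 IP (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.8.150 > 10.10.6.9: ICMP echo reply, id 23, seq 1, length 64
17:53:26.783552 IP (tos 0x0, ttl 63, id 59300, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.6.9 > 10.10.8.150: ICMP echo request, id 23, seq 2, length 64
"""

# Only the indented second line of each record carries the endpoints and
# the ICMP type/id/seq fields; the timestamp line is ignored.
ICMP_LINE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture):
    """Return (src, dst, kind, icmp_id, seq) tuples for every echo line found."""
    records = []
    for line in capture.splitlines():
        m = ICMP_LINE.match(line)
        if m:
            records.append((m.group("src"), m.group("dst"), m.group("kind"),
                            int(m.group("id")), int(m.group("seq"))))
    return records


def unanswered(capture):
    """Map (requester, target, icmp_id) to the sorted seq numbers with no reply.

    A reply travels target -> requester, so it is re-keyed to the request's
    direction before the two sets are compared.
    """
    requests = defaultdict(set)
    replies = defaultdict(set)
    for src, dst, kind, icmp_id, seq in parse_icmp(capture):
        if kind == "request":
            requests[(src, dst, icmp_id)].add(seq)
        else:
            replies[(dst, src, icmp_id)].add(seq)
    return {flow: sorted(seqs - replies[flow]) for flow, seqs in requests.items()}


def report(capture, iface):
    """Render one human-readable line per flow seen on `iface`."""
    lines = []
    for (requester, target, icmp_id), missing in unanswered(capture).items():
        flow = f"{requester} -> {target} (id {icmp_id})"
        if missing:
            lines.append(f"{iface}: {flow}: requests seen, no reply for seq {missing}")
        else:
            lines.append(f"{iface}: {flow}: every request answered")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE, "tun0"):
        print(line)
```

Run it against the saved output of `tcpdump -i wg0 icmp -v` and then `tcpdump -i tun0 icmp -v` (and, as in the last post, against a capture taken on the client itself). The first point along the path where requests appear but no matching replies do is the hop whose return path deserves attention: the route back to the other tunnel's subnet and the host firewall on that hop.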
