
I have set up a WireGuard peer and an OpenVPN server on the same machine. The machine has a public IP, so other WireGuard peers and OpenVPN clients can connect to it.

For WireGuard I am using subnet 10.10.6.0/24, and for OpenVPN I am using subnet 10.10.8.0/24.

Now... WireGuard peers can see (ping) each other. OpenVPN clients can also see (ping) each other.

BUT... WireGuard peers cannot ping OpenVPN clients and vice versa. How can I do that?

Right after WireGuard is activated, I am running this script:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.10.6.0/24"            # WG IPv4 sub/net aka CIDR
WG_PORT="51194"                  # WG udp port
SUB_NET_6="fd42:42:42:42::/112"  # WG IPv6 sub/net

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# Peers can see each other
$IPT -I FORWARD -i $WG_FACE -o $WG_FACE -j ACCEPT

In /etc/ufw/before.rules I have (before the *filter section):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.8.0/24 -o ens3 -j MASQUERADE
COMMIT

Any help will be highly appreciated.

1 Answer


You generally need to do three things:

1. Add routes for the OpenVPN network to the WireGuard clients.

In each WireGuard client config, you probably already have an entry like the following to allow the WireGuard client to access the other peers in its network:

AllowedIPs = 10.10.6.0/24

Add a similar entry to each WireGuard client for the OpenVPN network:

AllowedIPs = 10.10.6.0/24
AllowedIPs = 10.10.8.0/24

2. Add routes for the WireGuard network to the OpenVPN clients.

For this, you can just add an entry in your OpenVPN server config to push the routes for the WireGuard network to each OpenVPN client:

push "route 10.10.6.0 255.255.255.0"

Alternately, you could manually update each OpenVPN client's config with the route:

route 10.10.6.0 255.255.255.0

3. Allow forwarded connections between networks through the server's firewall.

Looks like you've followed one of the many OpenVPN tutorials that instruct you to use UFW to manage the server's firewall. Most of those tutorials tell you to allow the server to forward all connections indiscriminately, by setting DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw. If you did that, you don't need to do anything else.

However, if you want to lock down the server so that the only connection forwarding you allow is within your OpenVPN and WireGuard networks, revert that change (and the change to your /etc/ufw/before.rules that enables your OpenVPN clients to masquerade as the server on its LAN and probably also the Internet), stop using that extra iptables script for WireGuard, and instead add these UFW rules (run as root; adjust 1194 to your OpenVPN server's actual port, and tun0 to its actual interface name):

# allow access to server's OpenVPN service
ufw allow 1194/udp
# allow access to server's WireGuard service
ufw allow 51194/udp
# allow OpenVPN clients to access other OpenVPN clients
ufw route allow in on tun0 out on tun0
# allow WireGuard clients to access other WireGuard clients
ufw route allow in on wg0 out on wg0
# allow OpenVPN clients to access WireGuard clients
ufw route allow in on tun0 out on wg0
# allow WireGuard clients to access OpenVPN clients
ufw route allow in on wg0 out on tun0

For remote administration of the server itself, you may also want to add one or more of these rules:

# allow access to server's SSH service
ufw allow ssh
# allow access to any service on server itself from OpenVPN clients
ufw allow in on tun0
# allow access to any service on server itself from WireGuard clients
ufw allow in on wg0

If you add all these rules to UFW, and run ufw status, this is what you'd see:

Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
51194/udp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Anywhere on tun0           ALLOW       Anywhere
Anywhere on wg0            ALLOW       Anywhere

Anywhere on tun0           ALLOW FWD   Anywhere on tun0
Anywhere on wg0            ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on tun0
Anywhere on tun0           ALLOW FWD   Anywhere on wg0
Justin Ludwig

  • In fact I already had `AllowedIPs = 0.0.0.0/0` in WG and `push "route 10.10.6.0 255.255.255.0"` in OpenVPN. Sorry, I forgot to mention that. Also, I already had `DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw`, but it is still not working – Matthai Jul 26 '22 at 06:54
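To see why step 3 of the answer matters, here is a small first-match evaluator for the iptables FORWARD chain, written for this page as an added example (it is not code from the question or the answer). It runs over two constructed rule sets: one mirroring the question's wg0-only script under ufw's default DROP forward policy, where wg0<->tun0 traffic falls through to the policy, and one mirroring the answer's four `ufw route allow` rules, where both directions are accepted. Only -i/-o matches and the -j target are modelled.

```python
import re

def parse_forward_chain(iptables_save):
    """Return (policy, rules) for FORWARD; only -i/-o and -j are modelled."""
    policy, rules = "ACCEPT", []
    for line in iptables_save.splitlines():
        line = line.strip()
        m = re.match(r":FORWARD (\S+)", line)
        if m:
            policy = m.group(1)
        elif line.startswith("-A FORWARD "):
            in_if = re.search(r"-i (\S+)", line)
            out_if = re.search(r"-o (\S+)", line)
            target = re.search(r"-j (\S+)", line)
            rules.append((in_if and in_if.group(1),
                          out_if and out_if.group(1),
                          target.group(1) if target else "RETURN"))
    return policy, rules

def forward_verdict(policy, rules, in_if, out_if):
    """First rule whose -i/-o constraints fit decides; else the chain policy."""
    for rule_in, rule_out, target in rules:
        if rule_in in (None, in_if) and rule_out in (None, out_if):
            return target
    return policy

def vpn_to_vpn(iptables_save):
    """Verdicts for the two directions the question is about."""
    policy, rules = parse_forward_chain(iptables_save)
    return {"wg0->tun0": forward_verdict(policy, rules, "wg0", "tun0"),
            "tun0->wg0": forward_verdict(policy, rules, "tun0", "wg0")}

# Constructed chain modelled on the question's script: wg0 peers reach each
# other and ens3, but no rule mentions tun0, so the DROP policy decides.
ASKER_CHAIN = """\
:FORWARD DROP [0:0]
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
"""

# Constructed chain modelled on the answer's four 'ufw route allow' rules.
ANSWER_CHAIN = """\
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o tun0 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -i tun0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o tun0 -j ACCEPT
"""
```

`vpn_to_vpn(ASKER_CHAIN)` returns DROP for both directions and `vpn_to_vpn(ANSWER_CHAIN)` returns ACCEPT for both. On a ufw-managed host the real FORWARD chain mostly jumps into ufw-* sub-chains, so this flat model is for reasoning about rule order, not a substitute for reading `iptables -S` on the box.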