You generally need to do three things:
1. Add routes for the OpenVPN network to the WireGuard clients.
In each WireGuard client config, you probably already have an entry like the following to allow the WireGuard client to access the other peers in its network:
AllowedIPs = 10.10.6.0/24
Add a similar entry to each WireGuard client for the OpenVPN network:
AllowedIPs = 10.10.6.0/24
AllowedIPs = 10.10.8.0/24
2. Add routes for the WireGuard network to the OpenVPN clients.
For this, you can just add an entry in your OpenVPN server config to push the routes for the WireGuard network to each OpenVPN client:
push "route 10.10.6.0 255.255.255.0"
Alternately, you could manually update each OpenVPN client's config with the route:
route 10.10.6.0 255.255.255.0
3. Allow forwarded connections between networks through the server's firewall.
Looks like you've followed one of the many OpenVPN tutorials that instruct you to use UFW to manage the server's firewall. Most of those tutorials tell you to allow the server to forward all connections indiscriminately, by setting DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw. If you did that, you don't need to do anything else.
However, if you want to lock down the server so that the only connection forwarding you allow is within your OpenVPN and WireGuard networks, revert that change (and the change to your /etc/ufw/before.rules that enables your OpenVPN clients to masquerade as the server on its LAN and probably also the Internet), stop using that extra iptables script for WireGuard, and instead add these UFW rules (run as root; adjust 1194 to your OpenVPN server's actual port, and tun0 to its actual interface name):
# allow access to server's OpenVPN service
ufw allow 1194/udp
# allow access to server's WireGuard service
ufw allow 51194/udp
# allow OpenVPN clients to access other OpenVPN clients
ufw route allow in on tun0 out on tun0
# allow WireGuard clients to access other WireGuard clients
ufw route allow in on wg0 out on wg0
# allow OpenVPN clients to access WireGuard clients
ufw route allow in on tun0 out on wg0
# allow WireGuard clients to access OpenVPN clients
ufw route allow in on wg0 out on tun0
For remote administration of the server itself, you may also want to add one or more of these rules:
# allow access to server's SSH service
ufw allow ssh
# allow access to any service on server itself from OpenVPN clients
ufw allow in on tun0
# allow access to any service on server itself from WireGuard clients
ufw allow in on wg0
If you add all these rules to UFW, and run ufw status, this is what you'd see:
Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
51194/udp                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Anywhere on tun0           ALLOW       Anywhere
Anywhere on wg0            ALLOW       Anywhere
Anywhere on tun0           ALLOW FWD   Anywhere on tun0
Anywhere on wg0            ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on tun0
Anywhere on tun0           ALLOW FWD   Anywhere on wg0
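As an added example (not part of the answer above), a small Python audit script that parses ufw status output like the listing shown and checks that forwarding is permitted only between the two VPN interfaces, flagging any route rule that is not bound to both of them and any missing pair. The sample output is constructed to match the rule set above, and tun0 and wg0 are assumed to be the interface names; the DEFAULT_FORWARD_POLICY value would be read from /etc/default/ufw by the caller.

```python
import re

# Constructed sample of "ufw status" output, matching the rule set described above.
SAMPLE_STATUS = """\
Status: active
To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
51194/udp                  ALLOW       Anywhere
Anywhere on tun0           ALLOW       Anywhere
Anywhere on wg0            ALLOW       Anywhere
Anywhere on tun0           ALLOW FWD   Anywhere on tun0
Anywhere on wg0            ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on tun0
Anywhere on tun0           ALLOW FWD   Anywhere on wg0
"""
# One rule line: <to> <action> <from>, columns separated by two or more spaces.
RULE_RE = re.compile(r"^(?P<to>.+?)\s{2,}(?P<action>(?:ALLOW|DENY|REJECT)(?: FWD)?)\s{2,}(?P<from>.+?)\s*$")
IFACE_RE = re.compile(r"\bon (\S+)")

def parse_forward_rules(status_text):
    """Return (in_iface, out_iface, action) for every route (FWD) rule. ufw prints the
    outbound interface in the To column and the inbound one in From; None = any interface."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or not m.group("action").endswith("FWD"):
            continue
        out_m = IFACE_RE.search(m.group("to"))
        in_m = IFACE_RE.search(m.group("from"))
        rules.append((in_m.group(1) if in_m else None,
                      out_m.group(1) if out_m else None, m.group("action").split()[0]))
    return rules

def audit_forwarding(status_text, vpn_ifaces=("tun0", "wg0"), default_forward_policy="DROP"):
    """Check that forwarding is permitted only between the VPN interfaces.
    default_forward_policy is the value from /etc/default/ufw. Returns (ok, problems)."""
    problems = []
    if default_forward_policy.upper() != "DROP":
        problems.append(f"DEFAULT_FORWARD_POLICY is {default_forward_policy}, expected DROP")
    allowed = {(i, o) for i, o, a in parse_forward_rules(status_text) if a == "ALLOW"}
    for i, o in sorted(allowed, key=str):
        if i not in vpn_ifaces or o not in vpn_ifaces:
            problems.append(f"forward rule in on {i} out on {o} is not confined to the VPNs")
    for i in vpn_ifaces:
        for o in vpn_ifaces:
            if (i, o) not in allowed:
                problems.append(f"missing forward rule: in on {i} out on {o}")
    return (not problems, problems)
```

Feed it the real output of ufw status on the server (for example via subprocess) together with the DEFAULT_FORWARD_POLICY value from /etc/default/ufw; an empty problems list means forwarding is confined to the two VPNs exactly as the rules above intend.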