
I need to run a Wireguard server on a machine with an active OpenVPN client. Clients connected to the Wireguard server would be NATed to the OpenVPN client at 'tun0' and access the internet through that interface.

Previously, when I had to create setups like this with other VPN solutions that do NOT have their own tun/tap interface (like Shadowsocks), I would use iptables 'fwmark' to mark packets that would not be routed over the tun0 interface created by OpenVPN.

If I launched the following commands in order on a server with local IP 10.3.0.11 (with the VPN server on port 2000), I would be able to connect to my VPN server and browse the internet through the active OpenVPN client.

ip route add default via 10.3.0.11 dev eth0 table 7                       # table 7: a default route out eth0, bypassing tun0
ip rule add fwmark 0x55 priority 1000 table 7                              # packets marked 0x55 are looked up in table 7 before the main table
ip route flush cache
iptables -t mangle -A OUTPUT -p udp --sport 2000 -j MARK --set-mark 0x55   # mark the VPN server's own outgoing UDP packets
iptables -I INPUT -p udp -m udp --dport 2000 -j ACCEPT                     # allow inbound VPN traffic on port 2000

However, as Wireguard creates its own interface (wg0), this solution does not work. As soon as the OpenVPN client establishes a connection, the Wireguard server is unreachable.

I have checked that I have no firewall blocking the connection to my Wireguard server running on UDP port 3333, and the connection works just fine when the OpenVPN connection is not active.

This is the output of 'route -n' before the OpenVPN connection

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
10.33.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U     1040   0        0 eth0

This is the output of 'route -n' AFTER the OpenVPN connection

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.33.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1040   0        0 eth0
<OVPN Server>   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0

This is the configuration file for Wireguard

[Interface]
Address = 10.33.0.1/24
Address = fd33:3300::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
ListenPort = 3333
FwMark = 0x55
PrivateKey = <private key>

[Peer]
PublicKey = <public key>
AllowedIPs = 10.33.0.11/32, fd33:3300::11/128

How can I change the configuration of my server so that

  • Clients can connect to the Wireguard server on UDP port 3333
  • Clients can access the internet through the Wireguard server, which will route all internet traffic through tun0 (created by OpenVPN)
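The same fwmark policy-routing technique, written out as an added example for a WireGuard server rather than taken from the question above: WireGuard marks its own encapsulated UDP packets in the kernel (the `FwMark` setting in `[Interface]`), so no mangle rule is needed; a policy rule sends those marked packets to a routing table whose default route points at the eth0 gateway, and the decrypted peer traffic is forwarded and masqueraded out tun0. The interface names, the gateway 10.0.0.1, port 3333, mark 0x55 and table 7 are assumptions taken from the question's output; the loose reverse-path filter setting and the conntrack-restricted return rule are additions a practitioner would want, not part of the original configuration.

```shell
#!/bin/sh
# Added example (not the asker's commands): keep a WireGuard server reachable
# on eth0 while an OpenVPN client owns the default route via tun0.
# All names/addresses below are assumptions matching the question's output.
set -eu

WG_IF=${WG_IF:-wg0}
WG_PORT=${WG_PORT:-3333}
WG_MARK=${WG_MARK:-0x55}           # must equal FwMark in the [Interface] section
RT_TABLE=${RT_TABLE:-7}
UPLINK_IF=${UPLINK_IF:-eth0}
UPLINK_GW=${UPLINK_GW:-10.0.0.1}   # the real next hop on eth0, not the host's own address
TUN_IF=${TUN_IF:-tun0}
DRY_RUN=${DRY_RUN:-1}              # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steer WireGuard's kernel-marked UDP packets out eth0, bypassing the
# 0.0.0.0/1 + 128.0.0.0/1 routes that the OpenVPN client installs via tun0.
wg_uplink_up() {
    run ip route replace default via "$UPLINK_GW" dev "$UPLINK_IF" table "$RT_TABLE"
    # Priority 1000 is consulted before the main table (priority 32766).
    run ip rule add fwmark "$WG_MARK" priority 1000 table "$RT_TABLE"
    run ip route flush cache
    # Client packets arrive on eth0 although the best route back to their
    # source now points at tun0; strict rp_filter (1) drops such packets,
    # loose mode (2) accepts them.
    run sysctl -w "net.ipv4.conf.$UPLINK_IF.rp_filter=2"
    run iptables -I INPUT -p udp --dport "$WG_PORT" -j ACCEPT
}

# Forward decrypted peer traffic from wg0 to tun0 and NAT it behind tun0's
# address; only replies to existing flows are allowed back towards wg0.
wg_forward_up() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$WG_IF" -o "$TUN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$WG_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -j MASQUERADE
}

wg_uplink_down() {
    run ip rule del fwmark "$WG_MARK" priority 1000 table "$RT_TABLE"
    run ip route flush table "$RT_TABLE"
    run iptables -D INPUT -p udp --dport "$WG_PORT" -j ACCEPT
}

if [ "${1:-}" = up ]; then wg_uplink_up; wg_forward_up; fi
if [ "${1:-}" = down ]; then wg_uplink_down; fi
```

Run it with `DRY_RUN=1 sh wg-uplink.sh up` to review the generated commands, and with `DRY_RUN=0` as root to apply them; wg-quick can call it from `PostUp = /path/wg-uplink.sh up` and `PostDown = /path/wg-uplink.sh down`. Table 7 deliberately holds only a default route, so it affects nothing but the marked WireGuard packets.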
