Ubuntu routing problem

hi everyone,
I have a VPS running Ubuntu (22.04.3 LTS), which is running a Wireguard server.
At home I have an Ubuntu VM running a Wireguard client that connects to the VPS, so I can share services without opening ports at home. That is working fine.

Now I want to run an OpenVPN server on the same VPS, because I have some clients that don't support Wireguard (Synology). That server is running fine: I can connect and open services hosted on the VPS itself. But I can't figure out how to get the routing right, so that an OpenVPN client can reach my home network.

I made a sketch of my setup. (some things are in German, but the relevant stuff should be clear)

I am also running UFW and have applied these rules. I removed the open ports I am using.

Status: active

     To                         Action      From
     --                         ------      ----
[ 8] Anywhere on wg0            ALLOW IN    192.168.22.0/24      
[ 9] Anywhere on wg0            ALLOW IN    10.200.0.0/24        
[10] Anywhere on tun0           ALLOW IN    10.86.70.0/24

maybe someone can point me in the right direction.

thanks

It has been some time since I last configured Wireguard/Openvpn.

If I understand you correctly you have three networks:

  • Home Network: 192.168.22.0/24
  • Wireguard: 10.200.0.0/24
  • OpenVPN: 10.86.70.0/24

And you want to access a service in your home network from an OpenVPN client.

For example: 10.86.70.10 → 192.168.22.20

The first things that come to my mind:

  1. Wireguard AllowedIPs: Since your Wireguard connection is already working, I guess you have something like this:
    VPS:
    AllowedIPs: 192.168.22.0/24
    Wireguard GW (home):
    AllowedIPs: 10.200.0.0/24
    If you want to allow clients from your OpenVPN (without any NAT), your Wireguard GW also needs to allow 10.86.70.0/24.
    Wireguard GW (home):
    AllowedIPs: 10.200.0.0/24, 10.86.70.0/24

  2. Your OpenVPN Clients need a route for 192.168.22.0/24.
    For this I would try to extend the OpenVPN server configuration to push routes to connected clients. In your OpenVPN server config you would add something like this:
    push "route 192.168.22.0 255.255.255.0"
    This should tell all clients connecting to the OpenVPN server to route traffic to 192.168.22.0/24 via the OpenVPN gw.

  3. Your clients in the home network (or the default gw) need to have a route to the OpenVPN network. I guess this is already configured (looking at your sketch)

Thanks for the help.

Unfortunately I can't even get your step 1 to work. I added the OpenVPN IP range to the config file; with that in there I couldn't get the Wireguard service to start. So I turned off auto-routing in the Wireguard config for testing ("Table = off"). It turns out that when I try to add the route for the OpenVPN client range, I get an error message, see below. Not sure how to fix that.

[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = xxx
MTU = 1450
Table = off

[Peer]
PublicKey = xxx
PresharedKey = xx
AllowedIPs = 10.200.0.2/32, 192.168.22.0/24, 10.86.70.0/24
PersistentKeepalive = 15

default via 172.31.1.1 dev eth0 proto dhcp src MYIP metric 100 
10.86.70.0/24 dev tun0 proto kernel scope link src 10.86.70.1 
10.200.0.0/24 dev wg0 proto kernel scope link src 10.200.0.1 
172.31.1.1 dev eth0 proto dhcp scope link src MYIP metric 100 
185.12.64.1 via 172.31.1.1 dev eth0 proto dhcp src MYIP metric 100 
185.12.64.2 via 172.31.1.1 dev eth0 proto dhcp src MYIP metric 100 
192.168.22.0/24 dev wg0 scope link 
# ip -4 route add 10.86.70.0/24 dev wg0
# RTNETLINK answers: File exists

Sorry for the late reply.
If I understand your setup correctly, the config above is from the Wireguard VPS. I meant for you to add 10.86.70.0/24 to the Wireguard GW config in "Heimnetz" (the home network).
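To make step 1 of the first reply and the "RTNETLINK answers: File exists" result concrete, here is a small POSIX shell model of what WireGuard's AllowedIPs does on each side of the tunnel and of the route that wg-quick tries to add for each entry. This is an added example, not code from the thread or from WireGuard: the addresses and prefixes are the ones posted above, the route list is a constructed, reduced copy of the posted `ip -4 route` output, and the function names (in_cidr, wg_allows, ovpn_to_home, wgquick_conflicts) are my own.

```shell
#!/bin/sh
# Added example: models WireGuard cryptokey routing (AllowedIPs) and the
# wg-quick route step against the addresses from the thread above.

# ip4_to_int 10.200.0.1 -> the address as a 32-bit integer
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX/LEN -> exit 0 when IP lies inside the prefix
in_cidr() {
    cidr_ip=$(ip4_to_int "$1")
    cidr_net=$(ip4_to_int "${2%/*}")
    cidr_len=${2#*/}
    [ "$cidr_len" -eq 0 ] && return 0
    cidr_mask=$(( (0xFFFFFFFF << (32 - cidr_len)) & 0xFFFFFFFF ))
    [ $(( cidr_ip & cidr_mask )) -eq $(( cidr_net & cidr_mask )) ]
}

# wg_allows "ALLOWEDIPS" IP -> exit 0 when one AllowedIPs entry covers IP.
# WireGuard uses the same list in both directions: a packet is handed to the
# peer only if its destination matches, and a decrypted packet from the peer
# is dropped unless its source matches.
wg_allows() {
    wg_ip=$2
    for cidr in $(printf '%s\n' "$1" | tr ',' ' '); do
        in_cidr "$wg_ip" "$cidr" && return 0
    done
    return 1
}

# Peer entries as the first reply describes them (taken from the thread).
VPS_PEER_HOME="10.200.0.2/32, 192.168.22.0/24"     # VPS [Peer] for the home GW
HOME_PEER_VPS_OLD="10.200.0.0/24"                   # home GW [Peer] for the VPS, today
HOME_PEER_VPS_NEW="10.200.0.0/24, 10.86.70.0/24"    # home GW [Peer] for the VPS, fixed
OVPN_CLIENT=10.86.70.10                             # example client from the reply
HOME_HOST=192.168.22.20                             # example target from the reply

# ovpn_to_home VPS_PEER HOME_PEER -> prints "ok" or the hop that breaks the path
ovpn_to_home() {
    # VPS: the destination 192.168.22.20 must match the home peer's entry to enter wg0
    wg_allows "$1" "$HOME_HOST" || { echo "vps: $HOME_HOST not in AllowedIPs"; return 0; }
    # home GW: the source 10.86.70.10 must match the VPS peer's entry or the
    # packet is dropped after decryption; the same entry also lets the reply
    # to 10.86.70.10 go back into the tunnel instead of to the home default GW
    wg_allows "$2" "$OVPN_CLIENT" || { echo "home: $OVPN_CLIENT not in AllowedIPs"; return 0; }
    echo ok
}

# Constructed from the posted `ip -4 route` output, reduced to prefix:device.
VPS_ROUTES="10.86.70.0/24:tun0 10.200.0.0/24:wg0 192.168.22.0/24:wg0"

# wgquick_conflicts "ROUTES" "ALLOWEDIPS" -> prints each AllowedIPs prefix that
# the kernel already routes via another device. With Table = auto, wg-quick
# runs `ip -4 route add PREFIX dev wg0` for it and the kernel refuses the
# duplicate prefix with "RTNETLINK answers: File exists".
wgquick_conflicts() {
    for cidr in $(printf '%s\n' "$2" | tr ',' ' '); do
        for r in $1; do
            [ "${r%:*}" = "$cidr" ] && [ "${r#*:}" != wg0 ] && echo "$cidr already via ${r#*:}"
        done
    done
    return 0
}

# Stand-alone run: the broken and the fixed home-side entry, then the conflict
# caused by putting the OpenVPN range into the VPS-side entry instead.
ovpn_to_home "$VPS_PEER_HOME" "$HOME_PEER_VPS_OLD"
ovpn_to_home "$VPS_PEER_HOME" "$HOME_PEER_VPS_NEW"
wgquick_conflicts "$VPS_ROUTES" "$VPS_PEER_HOME, 10.86.70.0/24"
```

The model shows both points at once: 10.86.70.0/24 is the VPS's own tun0 network, so it does not belong in the VPS-side [Peer] entry (that is the entry that produced "File exists"), but it does belong in the home gateway's [Peer] entry, because without it the home side drops every packet whose source is an OpenVPN client and sends replies to 10.86.70.x out its default gateway instead of into the tunnel. Two things the model does not cover, stated here as standard Ubuntu/UFW behaviour rather than anything confirmed in the thread: forwarding between tun0 and wg0 on the VPS needs net.ipv4.ip_forward=1, and the UFW rules shown are ALLOW IN rules, which permit traffic addressed to the VPS itself but not forwarded traffic; UFW's default forward policy is DROP, so a `ufw route allow in on tun0 out on wg0` and the reverse direction are needed as well. With Table = off, wg-quick adds no routes at all, so the 192.168.22.0/24 route on wg0 that appears in the posted output has to be maintained by hand.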

Thanks for clarifying.
I didn't have the time to check that. Hopefully I'll have time on the weekend and will try it.