  • OPNsense Forum »
  • Archive »
  • 21.7 Legacy Series »
  • Wireguard server over OpenVPN client
Author Topic: Wireguard server over OpenVPN client  (Read 2220 times)

xexapar227

Wireguard server over OpenVPN client
« on: August 21, 2021, 04:50:47 pm »
Hi,

I am trying to set up a WireGuard server (an autonomous host, not the WireGuard within OPNsense) over an existing OpenVPN connection, sadly without success.
I've tried to sum it up with the following (WAN is the upstream gateway):

+---------+
| Gateway |
+---------+
| WAN*    |
| VPN     |
+---------+

+-----------+
| Interface |
+-----------+
| WAN_I     |
| VPN_I     |
| WG_I      |
+-----------+

Outbound NAT
+-----------+------------+-------------------+
| Interface |   Src      |     NAT addr      |
+-----------+------------+-------------------+
| VPN_I     | WG_I_NET:* | Interface address |
+-----------+------------+-------------------+

Port forward
+-----------+-------+-----+-----------------------+-----------------+
| Interface | Proto | Src |         Dest          |       NAT       |
+-----------+-------+-----+-----------------------+-----------------+
| VPN_I     | UDP   | *:* | This firewall:WG_PORT | WG_HOST:WG_PORT |
+-----------+-------+-----+-----------------------+-----------------+

VPN_I Rules
+-------+-----+-----------------+---------+
| Proto | Src |      Dest       | Gateway |
+-------+-----+-----------------+---------+
| UDP   | *:* | WG_HOST:WG_PORT | *       | Auto generated by the port forward rule
+-------+-----+-----------------+---------+

WG_I Rules
+---------+----------+--------+---------+
|  Proto  |   Src    |  Dest  | Gateway |
+---------+----------+--------+---------+
| TCP/UDP | WG_NET:* | !Local | VPN     |
+---------+----------+--------+---------+


What confuses me is that I have no issue going through the VPN gateway from the WireGuard host in TCP, and if I traceroute from the WireGuard host/interface/srcport to the outside in UDP, I go through the VPN gateway.
The WireGuard host receives the UDP packets coming in on VPN_I and answers; however, and here is my issue, the return packet goes through the WAN gateway.

Anyone to put me on the right track? I can't figure this out.
Thanks for the help.
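One check worth running against the setup described above: in pf (which OPNsense uses), a reply leaves through the gateway the packet arrived from only when the rule that passed the inbound packet carries the `reply-to` option; if the rule created on VPN_I for the port forward lacks it, replies take the default route, which is the WAN gateway in this post. The script below is an added example, not from the thread; it parses `pfctl -sr` style output for rules that pass inbound traffic on the OpenVPN client interface and reports those without `reply-to`. The interface name `ovpnc1`, the tunnel address `10.8.0.1`, the WireGuard host `192.168.1.10:51820` and the sample rules are constructed for the example, and whether a missing `reply-to` is the poster's actual cause is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find "pass in" rules on the OpenVPN
# client interface that lack pf's "reply-to" option. Without reply-to, the
# reply to a packet that arrived over the tunnel follows the default route.
# Assumed names (constructed): interface ovpnc1, tunnel gateway 10.8.0.1,
# WireGuard host 192.168.1.10 on UDP 51820.

# missing_reply_to RULESFILE IFNAME
# Prints every "pass in ... on IFNAME ..." rule in RULESFILE that has no
# reply-to. Returns 0 when all such rules carry reply-to, 1 otherwise.
missing_reply_to() {
  rules="$1"; ifname="$2"
  awk -v ifn="$ifname" '
    $1 == "pass" && $2 == "in" && $0 ~ ("on " ifn " ") && $0 !~ /reply-to/ {
      print; bad = 1
    }
    END { exit bad ? 1 : 0 }
  ' "$rules"
}

# Constructed sample in the format of "pfctl -sr" for the scenario above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
pass in quick on ovpnc1 reply-to (ovpnc1 10.8.0.1) inet proto udp from any to 192.168.1.10 port = 51820 flags S/SA keep state label "reply-to present: reply goes back over the tunnel"
pass in quick on ovpnc1 inet proto udp from any to 192.168.1.10 port = 51820 flags S/SA keep state label "no reply-to: reply takes the default (WAN) route"
pass in quick on wg0 inet from 10.10.10.0/24 to ! <local> keep state label "unrelated WG_I rule"
EOF

if missing_reply_to "$SAMPLE" ovpnc1; then
  echo "all inbound rules on ovpnc1 carry reply-to"
else
  echo "rules above lack reply-to; replies to that traffic will take the default route"
fi
rm -f "$SAMPLE"
```

On a live box, feed the function the output of `pfctl -sr` saved to a file and the real OpenVPN client interface name instead of the constructed sample.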

bartjsmit

Re: Wireguard server over OpenVPN client
« Reply #1 on: August 21, 2021, 10:11:27 pm »
VPN links on the firewall are easier, since it is the default gateway for the network.

If you're trying to reach a host across the tunnel with a VPN server on your LAN, you need to have a static route through the VPN server, or the VPN server tunnel endpoint needs to have a NAT on your LAN.

Bart...

xexapar227

Re: Wireguard server over OpenVPN client
« Reply #2 on: August 22, 2021, 01:32:39 am »
Thank you.
Quote from: bartjsmit on August 21, 2021, 10:11:27 pm
VPN links on the firewall are easier, since it is the default gateway for the network.
I actually had the same issue with the internal wireguard, I was trying to split it to identify the issue.

Quote from: bartjsmit on August 21, 2021, 10:11:27 pm
If you're trying to reach a host across the tunnel with a VPN server on your LAN, you need to have a static route through the VPN server, or the VPN server tunnel endpoint needs to have a NAT on your LAN.

Isn't that what the outbound NAT rule VPN_I - WG_I_NET would be doing?

bartjsmit

Re: Wireguard server over OpenVPN client
« Reply #3 on: August 22, 2021, 09:23:30 am »
Can you draw a diagram of the tunnel with both endpoints?

https://online.visual-paradigm.com/diagrams/solutions/free-network-diagram-software/

Bart...

xexapar227

Re: Wireguard server over OpenVPN client
« Reply #4 on: August 23, 2021, 07:02:30 am »
Here it is, hope it's understandable.

bartjsmit

Re: Wireguard server over OpenVPN client
« Reply #5 on: August 23, 2021, 08:09:30 am »
I think your issue is with the tunnel inside a tunnel. BTW, I'm not entirely sure why you want to double-encrypt your traffic ;)

Normally, OpenVPN creates a TUN device which is fine for most traffic. If wireguard uses anything other than that, you may have to change OpenVPN to a TAP device.

Bart...
