Author Topic: Forward traffic from one VPN to another  (Read 922 times)

yurka

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
Forward traffic from one VPN to another
« on: July 21, 2023, 07:59:52 pm »
Hi,
I have two sites with a WireGuard VPN in between them (SiteA, SiteB). Users connect to SiteA with OpenVPN clients, but they need to communicate with PCs in SiteB too. Is it possible to do so? Route data from OpenVPN to WireGuard when the destination is SiteB?
Thanks
Logged

bartjsmit

  • Hero Member
  • *****
  • Posts: 2023
  • Karma: 194
Re: Forward traffic from one VPN to another
« Reply #1 on: July 22, 2023, 09:42:04 am »
Yes, absolutely. You need everybody to agree on routing both ways, and you need to allow the protocol/port in your firewall policy.
Logged

yurka

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
Re: Forward traffic from one VPN to another
« Reply #2 on: July 22, 2023, 12:20:16 pm »
Nice, now how to do so?
Let's assume:
SiteA - 10.0.1.0/24
SiteB - 10.0.2.0/24
WireGuard Tunnel - 10.200.0.0/24
OpenVPN Tunnel - 10.50.0.0/24

How and where can I set up routing?

I created allow rules for the following interfaces:
SiteB-WireGuard: Allow
Source: 10.50.0.0/24, 10.200.0.0/24, Dest: 10.0.2.0/24,
Source: 10.0.2.0/24 Dest:10.50.0.0/24, 10.200.0.0/24

SiteA-WireGuard: Allow
Source: 10.50.0.0/24, Dest: 10.0.2.0/24
Source: 10.0.2.0/24, Dest: 10.50.0.0/24

SiteA-OpenVPN: Allow
Source: 10.50.0.0/24, Dest: 10.0.2.0/24
Source: 10.0.2.0/24,10.200.0.0/24 Dest: 10.50.0.0/24

This is not working. In the logs I see "access allow" on the OpenVPN interface, then I see "access allow" on SiteA-WireGuard, but on SiteB I do not see the packet at all, neither in Deny nor in Allow.
Logged

bartjsmit

  • Hero Member
  • *****
  • Posts: 2023
  • Karma: 194
Re: Forward traffic from one VPN to another
« Reply #3 on: July 22, 2023, 03:26:03 pm »
OpenVPN clients need a route to Site A and Site B as well as to the tunnel. Add these lines to your OpenVPN server conf file (or set them manually on each client):

push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.200.0.0 255.255.255.0"

If the WireGuard endpoints are the default gateways for Sites A and B, you just need a static route on Site B for 10.50.0.0/24 to go via the WireGuard IP address of the firewall in Site A.
Logged

yurka

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
Re: Forward traffic from one VPN to another
« Reply #4 on: July 22, 2023, 06:35:49 pm »
1. My gateways for WireGuard on SiteA and SiteB weren't properly configured. I needed to add the WireGuard Local Tunnel Address for each site.
2. Then I configured on SiteA a route for 10.0.2.0/24 to the WireGuard gateway.
3. On SiteB's WireGuard endpoint I added the OpenVPN range (10.50.0.0/24) to Allowed IPs.

Now it's working as planned.

10x
Logged
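The thread's two fixes (a static route on SiteA, and the OpenVPN range in SiteB's AllowedIPs) can be checked with a small model of the forwarding path. The script below is an added example, not configuration from the thread or from OPNsense: it models the two firewalls with the thread's subnets, applies WireGuard's cryptokey routing rule on both the sending side (the destination must match a peer's AllowedIPs or the packet is never encrypted) and the receiving side (a decrypted packet whose source is outside the peer's AllowedIPs is dropped before it reaches the firewall rules, which is why SiteB logged nothing), and traces a packet in each direction. The addresses 10.50.0.5, 10.0.2.20 and the /32 tunnel entries are constructed for the example.

```python
"""Added example: model of the OpenVPN -> WireGuard forwarding path from the thread.
Sites, routes and AllowedIPs are constructed for illustration, not OPNsense config."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Site:
    name: str
    local_nets: list            # directly attached networks (LAN and tunnel subnets)
    routes: dict                # static routes: IPv4Network -> name of the WireGuard peer
    allowed_ips: set = field(default_factory=set)   # AllowedIPs configured for that peer

    def is_local(self, addr):
        return any(addr in n for n in self.local_nets)

    def next_hop(self, dst):
        # longest-prefix match over the static routes; None if nothing matches
        hits = [n for n in self.routes if dst in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def allows(self, addr):
        # WireGuard cryptokey routing: the address must fall inside the peer's AllowedIPs
        return any(addr in n for n in self.allowed_ips)


def trace(sites, entry, src, dst):
    """Follow one packet entering at `entry`; return (delivered, list of hop descriptions)."""
    src, dst = ip_address(src), ip_address(dst)
    site, hops = sites[entry], []
    for _ in range(len(sites) + 1):           # bounded walk; this model has no loops
        if site.is_local(dst):
            hops.append(f"{site.name}: delivered to {dst}")
            return True, hops
        peer_name = site.next_hop(dst)
        if peer_name is None:
            hops.append(f"{site.name}: no route to {dst}")
            return False, hops
        if not site.allows(dst):              # egress: wg needs a peer whose AllowedIPs cover dst
            hops.append(f"{site.name}: {dst} not in AllowedIPs, dropped before encryption")
            return False, hops
        peer = sites[peer_name]
        if not peer.allows(src):              # ingress: src must be inside that peer's AllowedIPs
            hops.append(f"{peer.name}: src {src} not in AllowedIPs, dropped after decryption "
                        "(never reaches the firewall rules, so no log entry)")
            return False, hops
        hops.append(f"{site.name} -> {peer.name} over WireGuard")
        site = peer
    return False, hops


def build(site_a_route_to_b=True, site_b_allows_openvpn=True):
    """Two-site topology from the thread; the flags reproduce the two missing pieces."""
    n = ip_network
    a = Site("SiteA", [n("10.0.1.0/24"), n("10.50.0.0/24"), n("10.200.0.0/24")],
             {n("10.0.2.0/24"): "SiteB"} if site_a_route_to_b else {},
             {n("10.0.2.0/24"), n("10.200.0.2/32")})
    b_allowed = {n("10.0.1.0/24"), n("10.200.0.1/32")}
    if site_b_allows_openvpn:
        b_allowed.add(n("10.50.0.0/24"))      # step 3 of the final reply
    b = Site("SiteB", [n("10.0.2.0/24"), n("10.200.0.0/24")],
             {n("10.0.1.0/24"): "SiteA", n("10.50.0.0/24"): "SiteA"}, b_allowed)
    return {"SiteA": a, "SiteB": b}


def round_trip(sites, client="10.50.0.5", host="10.0.2.20"):
    """(forward_ok, return_ok) for an OpenVPN client at SiteA talking to a SiteB host."""
    fwd, _ = trace(sites, "SiteA", client, host)
    ret, _ = trace(sites, "SiteB", host, client)
    return fwd, ret


if __name__ == "__main__":
    scenarios = [("missing route on SiteA", build(site_a_route_to_b=False)),
                 ("OpenVPN range missing from SiteB AllowedIPs", build(site_b_allows_openvpn=False)),
                 ("both fixes applied", build())]
    for label, sites in scenarios:
        ok, hops = trace(sites, "SiteA", "10.50.0.5", "10.0.2.20")
        print(f"[{label}] forward delivered={ok}, round trip={round_trip(sites)}")
        for h in hops:
            print("   ", h)
```

The model keeps static routes and AllowedIPs as separate checks so that each failure shows up at the hop where it happens; on a real firewall the two are usually configured together. The useful diagnostic is the ingress case: a packet that SiteA's firewall logs as allowed but that SiteB never logs at all is consistent with the source range missing from the receiving peer's AllowedIPs, which is exactly what step 3 in the final reply corrected.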
