
I use a Raspberry Pi as a DHCP and DNS server for my home network as well as a WireGuard server to gain remote access to my network.

My setup is as follows:

- 192.168.1.4 - ISP Router
- 192.168.1.1 - Raspi 4 running Raspbian

On the Raspberry Pi I run:

- pi-hole in a Docker container
- WireGuard
- dnsmasq
- hostapd
- OpenVPN client

The interfaces on the Raspi are as follows: br0 has 192.168.1.1 and bridges eth0 and wlan0 for hostapd, dnsmasq and the WireGuard server. tun0 is created by the OpenVPN client.

What I want to achieve is that the Raspi routes internet traffic from my home network via the OpenVPN client while keeping the WireGuard server functioning.

So far I have only managed to use OpenVPN with the script from here for running all traffic through the VPN tunnel. This however leads to the WireGuard server no longer responding to any traffic. I assume this is because OpenVPN changes the default route for all internet traffic by default.

My other try was to add the 'route-nopull' option to the OpenVPN config and to enable masquerading with the following commands:

```
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
```

However, with that setup I couldn't get any traffic over the connection.

So, what I want in the end is a configuration that either allows:

All outbound traffic, including that from the Raspberry Pi, via the OpenVPN tunnel while allowing the inbound traffic via the normal gateway.

or

Only the traffic from the private network via OpenVPN while not changing the routes for the Raspberry Pi.

Thank you for any help!

Edit: adding the output of `ip route show table main`:

```
default via 172.21.2.1 dev tun0 
default via 192.168.1.4 dev br0 src 192.168.1.1 metric 204 
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1 
146.255.57.19 via 192.168.1.4 dev br0 
169.254.0.0/16 dev vethcf887f2 scope link src 169.254.226.72 metric 210 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-743f216227c9 proto kernel scope link src 172.18.0.1 
172.21.2.0/24 dev tun0 proto kernel scope link src 172.21.2.43 
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.1 metric 204
```

The current state is that all network traffic leaves via the VPN connection, which is fine. Now I'd just like to have all inbound traffic going to the Raspberry Pi directly.

  • I think the best would be to add a routing rule for your Wireguard network, to narrow it down to one single IP address or a small range eg: `ip route add 192.168.x.x/32 dev eth0`, and then OpenVPN will add its own rules on top and redirect the rest of the traffic. – Kate Jan 19 '20 at 17:06
  • I'm thinking you have maybe a conflicting routing rule? What is the output from `ip route show table main`? – Lasse Michael Mølgaard Jan 19 '20 at 23:16
  • @LasseMichaelMølgaard ``` default via 172.21.2.1 dev tun0 default via 192.168.1.4 dev br0 src 192.168.1.1 metric 204 10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1 146.255.57.19 via 192.168.1.4 dev br0 169.254.0.0/16 dev vethcf887f2 scope link src 169.254.226.72 metric 210 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 172.18.0.0/16 dev br-743f216227c9 proto kernel scope link src 172.18.0.1 172.21.2.0/24 dev tun0 proto kernel scope link src 172.21.2.43 192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.1 metric 204 ``` – Adrixan Jan 20 '20 at 18:25
  • Two default route entries in the main routing table look strange. When my OpenVPN server is configured with `push "redirect-gateway def1"` it generates the following entries: `0.0.0.0/1 via 192.168.100.1 dev tun-ipv6 default via 192.168.1.254 dev eth0 src 192.168.1.136 metric 202`. The IP address `192.168.100.1` is the OpenVPN server's VPN IP address in my network. The IP address `192.168.1.254` is my main router to the Internet. It is the default setup from my ISP - go figure. – Lasse Michael Mølgaard Jan 20 '20 at 23:11
  • I hope someone comes up with some routing magic at one point. For now, I'm giving up on the issue. :( – Adrixan Jan 23 '20 at 20:23
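One way to get the behaviour asked for in the edit (new outbound connections keep leaving via tun0, replies to connections that the ISP router port-forwards to the Pi go back out via br0) is Linux policy routing driven by conntrack marks. This is an added example, not code from the question or the comments; it takes br0, 192.168.1.4 and 192.168.1.0/24 from the question, while table 100, mark 0x1 and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Added example: reply via the interface a connection arrived on, using
# conntrack marks plus a second routing table. Values from the question:
# br0 (LAN bridge), 192.168.1.4 (ISP router), 192.168.1.0/24 (LAN).
# Table 100, mark 0x1 and DRY_RUN are assumptions, not from the question.
set -eu

LAN_IF=br0
LAN_NET=192.168.1.0/24
ISP_GW=192.168.1.4
TABLE=100
MARK=0x1
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_policy_routing() {
    # 1. A second routing table whose only job is "back out via the ISP router".
    run ip route replace default via "$ISP_GW" dev "$LAN_IF" table "$TABLE"
    # 2. Marked packets consult that table before the main table (where tun0 wins).
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    # 3. Mark connections initiated from outside the LAN that arrived on br0,
    #    i.e. those the ISP router forwarded (WireGuard UDP, etc.). Traffic from
    #    LAN hosts is excluded: replies to them use the connected route anyway.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 4. Copy the connection mark back onto every packet of those connections:
    #    OUTPUT covers replies from services on the Pi itself,
    #    PREROUTING covers replies the Pi merely forwards.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 5. The reverse route to an Internet peer points at tun0, so strict
    #    reverse-path filtering on br0 would drop the inbound packets;
    #    loose mode (2) still rejects addresses with no route at all.
    run sysctl -w "net.ipv4.conf.${LAN_IF}.rp_filter=2"
}

if [ "${1:-}" = "apply" ]; then
    apply_policy_routing
fi
```

Run it once as `DRY_RUN=1 sh script.sh apply` to review the exact commands before applying them as root; the rules are not persistent and belong in whatever brings br0 up.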
