Routing between ovpn-tun0[10.8.0.0/24] and hw-interface[172.16.0.0/16] issue

I have a problem that I cannot figure out alone. I was able to find very similar issues, but none seems to focus on my particular end situation.

What do we have? 3 machines with their own networks, defined as follows:

  • Computer1: role GW of 172.16.0.0/16; eth0 172.16.2.1/16; eth1 wanip/29

  • Computer2: role ovpn server; eth0 172.16.20.247/16; tun0 10.8.0.1/24

  • Computer3: role remote PC that wants to ping Computer1; eth0 10.0.0.236/24 (connected to its GW 10.0.0.150/24); tun0 10.8.0.6/24

I was able to accomplish these tasks:

  • successful ovpn setup, so Computer3 pings every interface in Computer2
  • successfully enabled routing on Computer2
  • successfully instructed Computer1 routing table to reach 10.8.0.0/24 via 172.16.20.247 (ip route add)
  • Ping Computer3 from Computer1 (ping 10.8.0.6 actually responds)

I was NOT able to accomplish these ones:

  • instruct Computer3 routing table to reach 172.16.0.0/16 via 10.8.0.1 (Error: Nexthop has invalid gateway.)
  • ping Computer1 from Computer3

What am I doing wrong? What am I missing?

Thanks in advance. Sincerely, Marco



Solution 1:

I did it! So I decided to share my experience; there were some important details that I discovered only late to be essential to identify the problem and, of course, for the solution.

The omitted details:

  • OpenVPN server was installed on a virtual machine;
  • The network interface communicating with Gateway1 from the OVPN server was a USB adapter.

My individual research revealed that USB passthrough enabled via VMware could cause some issues (to be verified...).

Preliminary STEP 1: I removed the USB network adapter and installed a PCIe 1x network card inside my VMware physical host.

Preliminary STEP 2: I removed OpenVPN and installed WireGuard, a more Linux-friendly VPN service.

Now I'll write down my setup diary:

1 - Set the WireGuard keys and IP ranges, and open its port (51820) in my firewall;

2 - Enable forwarding for IPv4;

3 - Install WireGuard on Computer3;

4 - Client setup: the AllowedIPs parameter inside wg0.conf:

AllowedIPs = 172.16.0.0/16, 10.8.0.0/24

where the first IP range is the Computer1 network (aka Site1) and the second IP range is the WG network (linking Site1 to Site2).

5 - Server setup: PostUp and PreDown inside wg0.conf:

[Interface]
PrivateKey = myprivatekey
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on enp4s0
PostUp = iptables -t nat -I POSTROUTING -o enp4s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp4s0
PreDown = iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE

where enp4s0 is my WAN interface.

6 - Additional forwarding rules to allow services and ports to get through freely:

iptables -A FORWARD -i wg0 -o enp2s0 -j ACCEPT

iptables -A FORWARD -i enp2s0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

(where enp2s0 is my brand new PCIe card, physically connected to Computer1)

7 - Computer1 routing:

ip route add 10.8.0.0/24 via 172.16.24.239

where 10.8.0.0/24 is the WG network and 172.16.24.239 is the enp2s0 IP, installed inside Computer2 (aka the WG server).

GG to all

<------UPDATE!----------->

And why not add an additional site, called "Site3", managed by "Computer4" as the Site3 GW? Then fix the routing on Computer4 (GW of Site3), following the same logic as for Computer1 in Site1.

Then you need to append a little integration to iptables as follows:

iptables -A FORWARD -i wg0 -o enp2s0 -j ACCEPT && \
iptables -A FORWARD -i enp2s0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT && \
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE && \
iptables -A FORWARD -i wg0 -o enp3s0 -j ACCEPT && \
iptables -A FORWARD -i enp3s0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT && \
iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE

where enp3s0 is the physical card linking the WireGuard server to Site3.

Then add the IP/subnet for Site3 to your WG client configuration; in my previous example the result will be:

AllowedIPs = 172.16.0.0/16, 172.18.190.0/24, 10.8.0.0/24
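Added example (not code from the question or the answer above): a small Python resolver that parses a client-side wg0.conf shaped like the one in step 4 and the update, and applies the same longest-prefix lookup over AllowedIPs that WireGuard's cryptokey routing uses. It lets you check, before bringing wg0 up, which destinations (Site1, Site3, the WG range itself) will enter the tunnel and which stay on the local LAN, and it flags a prefix listed under two peers, since WireGuard keeps a prefix on only one peer. The config text, the endpoint name vpn.example.test and the key placeholders are constructed for the example.

```python
"""Cryptokey-routing resolver for a WireGuard client config (added example).

WireGuard uses each peer's AllowedIPs twice: outbound, as the destinations
sent into the tunnel; inbound, as the only source addresses accepted from
that peer. Lookups are longest-prefix match, like a routing table.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed client-side wg0.conf (Computer3); keys and endpoint are placeholders.
SAMPLE_WG0_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.8.0.6/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.test:51820
AllowedIPs = 172.16.0.0/16, 172.18.190.0/24, 10.8.0.0/24
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Parse the INI-like wg-quick format into ([Interface] dict, list of [Peer] dicts)."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            current[key.strip()] = value.strip()
    return interface, peers


def allowed_networks(peer: Dict[str, str]) -> list:
    """AllowedIPs of one peer as ip_network objects (host bits tolerated)."""
    raw = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]


def resolve_peer(peers: List[Dict[str, str]], destination: str) -> Optional[Tuple[int, str]]:
    """Return (peer index, matching prefix) for the most specific AllowedIPs entry
    covering `destination`, or None if no peer claims it (the packet then never
    enters wg0 and follows the host's ordinary routing table)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (idx, net)
    return None if best is None else (best[0], str(best[1]))


def duplicate_allowed_ips(peers: List[Dict[str, str]]) -> List[str]:
    """Prefixes listed under more than one peer. The kernel keeps a prefix on a
    single peer (the last one configured takes it), so a duplicate means one
    site silently stops being reachable through the other peer."""
    seen: Dict[str, int] = {}
    dupes: List[str] = []
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            key = str(net)
            if key in seen and seen[key] != idx:
                dupes.append(key)
            seen.setdefault(key, idx)
    return dupes


if __name__ == "__main__":
    iface, peers = parse_wg_conf(SAMPLE_WG0_CONF)
    print("wg0 address:", iface["Address"])
    for dest in ("172.16.2.1", "172.18.190.10", "10.8.0.1", "10.0.0.150"):
        hit = resolve_peer(peers, dest)
        print(dest, "->", "peer %d via %s" % hit if hit else "not tunnelled (normal routing)")
    print("duplicate AllowedIPs:", duplicate_allowed_ips(peers))
```

Run it as-is to see that 172.16.2.1 (Computer1) and a Site3 host enter the tunnel while the client's own LAN gateway 10.0.0.150 does not; this is exactly the check that would have surfaced the missing 172.16.0.0/16 entry in the original OpenVPN-era client table. One design point worth knowing on the server side: the MASQUERADE rule on enp2s0 in steps 6 and 7 rewrites every tunnel source to 172.16.24.239 before it reaches Computer1, so Computer1's logs and firewall see the WireGuard server, not the individual 10.8.0.x client. The ip route added in step 7 already makes the 10.8.0.0/24 sources routable from Site1, so the MASQUERADE rule can be left out where per-client visibility on Computer1 matters.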

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
