First scenario: double VPN, works
https://www.vpnusers.com/viewtopic.php? ... 838#p97123
### first hop (server A)
- no bridge
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B
### second hop (server B)
- no bridge
- yes SecureNAT (with all defaults)
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user
Second scenario: double VPN + WG, works
https://www.vpnusers.com/viewtopic.php? ... 958#p97596
### first hop (server A)
- yes bridge (i.e. tap_tap); wg0 is routed to tap_tap
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B
and on this server there is a WG server (wg0)
- ip rule for tap_tap, wg0
- ip custom table (e.g. 1000) for wg0
and wg0 incoming traffic is routed to the SE bridge tap_tap, which is cascaded to the second hop (server B)
### second hop (server B)
- no bridge
- yes SecureNAT (with all defaults)
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user
Third scenario: double VPN + WG + dnsmasq (on server B), WG has no access to the second hop (server B)
### first hop
- yes bridge (i.e. tap_tap); wg0 is routed to tap_tap
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B
and on this server there is a WG server (wg0)
- ip rule for tap_tap, wg0
- ip custom table (e.g. 1000) for wg0
and wg0 incoming traffic is routed to the SE bridge tap_tap, which is cascaded to the second hop (server B)
the same as in the second scenario.
### second hop
- yes bridge (i.e. tap_tap)
- using dnsmasq as DHCP (no SecureNAT)
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user
Summary
- server A (no Secure-NAT + Cascade Connection) =====> Server B (yes Secure-NAT) [ okay ]
- server A (no Secure-NAT + Cascade Connection + Bridge + WG) =====> Server B (yes Secure-NAT) [ okay ]
- server A (no Secure-NAT + Cascade Connection + Bridge + WG) =====> Server B (dnsmasq instead of Secure-NAT) [ WG does not work ]
Actually the second and third scenarios are alike, except that in the third scenario dnsmasq has been used on server B instead of Secure-NAT.
And WireGuard no longer works, but if Secure-NAT is enabled it works fine.
I do not think it is a bug, but more a misconfiguration.
WG can only ping its gateway on server B (i.e. 10.168.129.1).
Does anyone have any idea?
Regards
### commands ###
Server A - ip rules added
```
/usr/sbin/dhclient tap_tap
/usr/sbin/ip route add default via 10.11.120.1 dev tap_tap table 1000
/usr/sbin/ip rule add iif tap_tap lookup 1000
/usr/sbin/ip route add 10.168.129.0/24 dev wg0 table 1000
/usr/sbin/ip rule add iif wg0 lookup 1000
```
```
ip rule show
0: from all lookup local
32764: from all iif wg0 lookup 1000
32765: from all iif tap_tap lookup 1000
32766: from all lookup main
32767: from all lookup default
```
```
ip route show
default via X.X.X.1 dev eth0 proto static
10.11.120.0/24 dev tap_tap proto kernel scope link src 10.11.120.157
10.168.129.0/24 dev wg0 proto kernel scope link src 10.168.129.1
X.X.X.0/24 dev eth0 proto kernel scope link src X.X.X.X
```
Gateway of server B, pinged from server A
```
ping -c4 10.11.120.1
PING 10.11.120.1 (10.11.120.1) 56(84) bytes of data.
64 bytes from 10.11.120.1: icmp_seq=1 ttl=64 time=250 ms
64 bytes from 10.11.120.1: icmp_seq=2 ttl=64 time=195 ms
64 bytes from 10.11.120.1: icmp_seq=3 ttl=64 time=183 ms
64 bytes from 10.11.120.1: icmp_seq=4 ttl=64 time=255 ms
```
```
-A POSTROUTING -s 10.168.129.0/24 -o eth0 -m comment --comment wire-guard-rule -j MASQUERADE
```
```
interface=tap_tap
dhcp-range=10.11.120.10,10.11.120.250,12h
dhcp-option=3,10.11.120.1
dhcp-option=6,8.8.8.8
```
```
-A POSTROUTING -s 10.11.120.0/24 -j SNAT --to-source X.X.X.X
```
Server A and B - sysctl
```
sysctl -p
net.ipv4.ip_forward = 1
```
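Added example (written for this page; it is not code from the post or from SoftEther/WireGuard): a small POSIX shell script that does a static consistency check of the double-hop layout above. It takes the `ip route ... table 1000` prefixes and the two POSTROUTING rules quoted in the post as embedded strings and answers two questions a practitioner would check first when a hop stops forwarding: which source prefixes that server A sends out through tap_tap fall outside the `-s` match of server B's SNAT rule (the posted rules only MASQUERADE the wg0 prefix on A's eth0, so packets leaving via tap_tap keep their 10.168.129.x source), and whether B has a non-default route back to the WireGuard prefix. The post does not show server B's routing table, so `B_ROUTES_SAMPLE` is a constructed stand-in; the `report` output is only as good as what you paste into those strings from the real hosts.

```sh
#!/bin/sh
# Added example, not part of the original post and not SoftEther/WireGuard code.
# Static check of the double-hop setup: does the source prefix that server A
# pushes through tap_tap match what server B's POSTROUTING rule will SNAT, and
# does B have a specific route back to it?  Rule strings are copied from the
# post; B's routing table is not in the post, so B_ROUTES_SAMPLE is constructed.

# Dotted quad -> integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER: true when every address of INNER lies in OUTER.
cidr_contains() {
  local onet=${1%/*} obits=${1#*/} inet=${2%/*} ibits=${2#*/}
  [ "$ibits" -ge "$obits" ] || return 1
  local mask=$(( (1 << 32) - (1 << (32 - obits)) ))
  [ $(( $(ip2int "$onet") & mask )) -eq $(( $(ip2int "$inet") & mask )) ]
}

# Prefixes that A's table 1000 sends out via tap_tap (from the post's
# 'ip route ... table 1000' and 'ip rule ... iif' lines).  Nothing in the posted
# rules NATs wg0 traffic on tap_tap (A only MASQUERADEs it on eth0), so it
# reaches B with a 10.168.129.x source address.
A_TAP_SOURCES="10.11.120.0/24 10.168.129.0/24"

# Server B's POSTROUTING rule, as posted.
B_SNAT_RULE='-A POSTROUTING -s 10.11.120.0/24 -j SNAT --to-source X.X.X.X'

# Constructed stand-in for 'ip route show' on B (the post does not include it);
# replace with the real output when running this against your own hosts.
B_ROUTES_SAMPLE='default via X.X.X.1 dev eth0
10.11.120.0/24 dev tap_tap proto kernel scope link src 10.11.120.1'

# The -s match of an iptables rule line.
snat_source() {
  printf '%s\n' "$1" | sed -n 's/.* -s \([0-9./]*\).*/\1/p'
}

# Prefixes crossing tap_tap that B's SNAT rule will not rewrite.
uncovered_sources() {
  local src out=""
  local snat; snat=$(snat_source "$B_SNAT_RULE")
  for src in $A_TAP_SOURCES; do
    cidr_contains "$snat" "$src" || out="$out $src"
  done
  echo "${out# }"
}

# has_specific_route ROUTES PREFIX: a non-default route covering PREFIX exists.
has_specific_route() {
  local dst
  for dst in $(printf '%s\n' "$1" | awk '$1 != "default" {print $1}'); do
    case $dst in */*) ;; *) dst="$dst/32" ;; esac
    cidr_contains "$dst" "$2" && return 0
  done
  return 1
}

# Human-readable report for the embedded configuration.
report() {
  local missing; missing=$(uncovered_sources)
  if [ -n "$missing" ]; then
    echo "B SNAT rule does not cover: $missing"
  else
    echo "B SNAT rule covers every prefix arriving over tap_tap"
  fi
  if has_specific_route "$B_ROUTES_SAMPLE" 10.168.129.0/24; then
    echo "B has a specific route back to 10.168.129.0/24"
  else
    echo "B has no specific route back to 10.168.129.0/24 (replies would follow B's default route)"
  fi
}

report
```

With the strings as embedded, `uncovered_sources` reports `10.168.129.0/24`, since B's rule only matches `-s 10.11.120.0/24`; whether that is what actually breaks the third scenario can only be confirmed by pasting B's real `iptables-save` and `ip route show` output into the two strings and by a packet capture on B's tap_tap.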