multi-hop vpn with wireguard while using dnsmasq [ solved ]

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

multi-hop vpn with wireguard while using dnsmasq [ solved ]

Post by KatherineEddie » Tue Dec 27, 2022 1:25 pm

There are three scenarios; the first two work fine, but the third one does not, and I would like to make it work.

first scenario, double VPN, works
https://www.vpnusers.com/viewtopic.php? ... 838#p97123

### first hop (server A)
- no bridge
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B

### second hop (server B)
- no bridge
- yes SecureNAT (with all defaults)
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user


second scenario, double VPN + WG, works
https://www.vpnusers.com/viewtopic.php? ... 958#p97596

### first hop (server A)
- yes bridge (i.e. tap_tap); wg0 is routed to tap_tap
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B

and on this server there is WG server (wg0)
- ip rule for tap_tap, wg0
- ip custom table (e.g. 1000) for wg0

and wg0 incoming traffic is routed to SE bridge tap_tap which is cascaded to second hop (server B)

### second hop (server B)
- no bridge
- yes SecureNAT (with all defaults)
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user



third scenario, double VPN + WG + dnsmasq (on server B), WG has no access to second hop (server B)

### first hop
- yes bridge (i.e. tap_tap); wg0 is routed to tap_tap
- no SecureNAT
- no L3
- no VPN Azure
- yes IPsec/L2TP
- yes OpenVPN/MS-SSTP
- add VPN users
- cascade connection to server B

and on this server there is WG server (wg0)
- ip rule for tap_tap, wg0
- ip custom table (e.g. 1000) for wg0
and wg0 incoming traffic is routed to SE bridge tap_tap which is cascaded to second hop (server B),
the same as in the second scenario.

### second hop
- yes bridge (i.e. tap_tap)
- using dnsmasq as DHCP (no SecureNAT )
- no L3
- no VPN Azure
- no IPsec/L2TP
- no OpenVPN/MS-SSTP
- add only 1 VPN user


Summary
- server A (no Secure-NAT + Cascade Connection) =====> Server B (yes Secure-NAT) [ okay ]
- server A (no Secure-NAT + Cascade Connection + Bridge + WG) =====> Server B (yes Secure-NAT) [ okay ]
- server A (no Secure-NAT + Cascade Connection + Bridge + WG) =====> Server B (dnsmasq instead of Secure-NAT) [ WG does not work ]

Actually the second and third scenarios are alike, except that in the third scenario dnsmasq has been used on server B instead of Secure-NAT.
And WireGuard no longer works, but if Secure-NAT is enabled it works fine.
I do not think it is a bug, but rather a misconfiguration.
WG can only ping its gateway on server B (i.e. 10.168.129.1).
Does anyone have any idea?

Regards

### commands ###

Server A - ip rule added


/usr/sbin/dhclient tap_tap
/usr/sbin/ip route add default via 10.11.120.1 dev tap_tap table 1000
/usr/sbin/ip rule add iif tap_tap lookup 1000
/usr/sbin/ip route add 10.168.129.0/24 dev wg0 table 1000
/usr/sbin/ip rule add iif wg0 lookup 1000
Server A - ip rule show


ip rule show 
0:	from all lookup local
32764:	from all iif wg0 lookup 1000
32765:	from all iif tap_tap lookup 1000
32766:	from all lookup main
32767:	from all lookup default
Server A - ip route show


ip route show 
default via X.X.X.1 dev eth0 proto static 
10.11.120.0/24 dev tap_tap proto kernel scope link src 10.11.120.157 
10.168.129.0/24 dev wg0 proto kernel scope link src 10.168.129.1 
X.X.X.0/24 dev eth0 proto kernel scope link src X.X.X.X
X.X.X.X is the server A public GW/IP address

Gateway of server B in server A


ping -c4 10.11.120.1
PING 10.11.120.1 (10.11.120.1) 56(84) bytes of data.
64 bytes from 10.11.120.1: icmp_seq=1 ttl=64 time=250 ms
64 bytes from 10.11.120.1: icmp_seq=2 ttl=64 time=195 ms
64 bytes from 10.11.120.1: icmp_seq=3 ttl=64 time=183 ms
64 bytes from 10.11.120.1: icmp_seq=4 ttl=64 time=255 ms
Server A - iptables for WG


-A POSTROUTING -s 10.168.129.0/24 -o eth0 -m comment --comment wire-guard-rule -j MASQUERADE
Server B - dnsmasq


interface=tap_tap
dhcp-range=10.11.120.10,10.11.120.250,12h
dhcp-option=3,10.11.120.1
dhcp-option=6,8.8.8.8
Server B - iptables


-A POSTROUTING -s 10.11.120.0/24 -j SNAT --to-source X.X.X.X
X.X.X.X is the server B public IP address

Server A and B - sysctl


sysctl -p
net.ipv4.ip_forward = 1
Last edited by KatherineEddie on Wed Dec 28, 2022 6:37 am, edited 1 time in total.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: multi-hop vpn with wireguard while using dnsmasq

Post by solo » Wed Dec 28, 2022 2:37 am

KatherineEddie wrote:
Tue Dec 27, 2022 1:25 pm
Does anyone have any idea?
...
Server A - iptables for WG


-A POSTROUTING -s 10.168.129.0/24 -o eth0 -m comment --comment wire-guard-rule -j MASQUERADE
Remove "-o eth0"

KatherineEddie
Posts: 25
Joined: Fri Nov 11, 2022 9:45 am

Re: multi-hop vpn with wireguard while using dnsmasq

Post by KatherineEddie » Wed Dec 28, 2022 6:36 am

solo wrote:
Wed Dec 28, 2022 2:37 am
KatherineEddie wrote:
Tue Dec 27, 2022 1:25 pm
Does anyone have any idea?
...
Server A - iptables for WG


-A POSTROUTING -s 10.168.129.0/24 -o eth0 -m comment --comment wire-guard-rule -j MASQUERADE
Remove "-o eth0"

You made me feel stupid :|
Solved, thanks dear solo
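Added example, not code from the thread or from SoftEther: a small checker that parses nat POSTROUTING rules in iptables-save syntax and shows why the `-o eth0` match on server A breaks the third scenario. With `-o eth0`, a WireGuard client packet that leaves server A through the tap_tap bridge toward server B is not masqueraded, so server B sees a 10.168.129.x source address. The model below assumes (constructed for the example) that server B only has a route for its own 10.11.120.0/24 LAN, so replies to that source are lost; once the rule matches every egress interface, server B sees server A's tap_tap address 10.11.120.157 instead and can answer. The rules and addresses are the ones quoted in the thread; the `diagnose` function and the route table it is given are assumptions made here.

```python
"""Model whether a WireGuard client's packet gets source-NATed on a given
egress interface, from iptables-save style POSTROUTING rules.

Added example for this thread, not the poster's or SoftEther's own code.
"""
import ipaddress
import shlex

# Constructed sample rules: the rule quoted in the thread and the corrected
# form after solo's advice ("Remove -o eth0").
RULE_WITH_OIF = ("-A POSTROUTING -s 10.168.129.0/24 -o eth0 "
                 "-m comment --comment wire-guard-rule -j MASQUERADE")
RULE_FIXED = ("-A POSTROUTING -s 10.168.129.0/24 "
              "-m comment --comment wire-guard-rule -j MASQUERADE")


def parse_rule(line):
    """Parse one POSTROUTING rule into its source match, out-interface
    match and target. Only the options used on this page are understood."""
    toks = shlex.split(line)
    rule = {"src": None, "oif": None, "target": None, "to_source": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-o":
            rule["oif"] = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "--to-source":
            rule["to_source"] = toks[i + 1]
        # -A <chain>, -m <module>, --comment <text> carry one argument too
        if t in ("-A", "-s", "-o", "-j", "-m", "--comment", "--to-source"):
            i += 2
        else:
            i += 1
    return rule


def nat_applies(rules, src_ip, out_iface):
    """Return the target (MASQUERADE/SNAT) of the first matching NAT rule
    for a packet from src_ip leaving via out_iface, or None if no rule
    matches (i.e. the packet keeps its original source address)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["oif"] is not None and r["oif"] != out_iface:
            continue
        if r["target"] in ("MASQUERADE", "SNAT"):
            return r["target"]
    return None


def diagnose(rules, client_ip, egress_iface, egress_src_ip, peer_routes):
    """Assumed model of the next hop: it can only answer a packet whose
    source address falls inside one of peer_routes (constructed list).
    Returns (nat_target, source_seen_by_peer, peer_can_reply)."""
    target = nat_applies(rules, client_ip, egress_iface)
    seen = ipaddress.ip_address(egress_src_ip if target else client_ip)
    reachable = any(seen in ipaddress.ip_network(n) for n in peer_routes)
    return target, str(seen), reachable


if __name__ == "__main__":
    # Server B (dnsmasq, no SecureNAT) only knows its own LAN: constructed.
    server_b_routes = ["10.11.120.0/24"]
    for label, rule in (("with -o eth0", RULE_WITH_OIF), ("fixed", RULE_FIXED)):
        print(label, diagnose([parse_rule(rule)], "10.168.129.5",
                              "tap_tap", "10.11.120.157", server_b_routes))
```

Running it prints one line per rule: with `-o eth0` the tuple is `(None, '10.168.129.5', False)`, after the fix it is `('MASQUERADE', '10.11.120.157', True)`. Dropping `-o` makes the rule match every egress interface, including wg0 itself; if that is too broad, two rules with `-o eth0` and `-o tap_tap` cover exactly the two paths used here.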
