This suggests that your OpenVPN client is configured to route all traffic to the remote side of the OpenVPN tunnel. That static route exempts the tunnel endpoint from the default routing, and without it, the tunnel would not work. It looks like tun0's peer address is 95.142.172.143 which has its own /32 route defined, so traffic for that is always sent directly to the Internet via eth0. When you start the OpenVPN server, your default route changes from 192.168.1.1 to 10.8.8.1, which is routed through tun0. I am interpreting it as "I want to connect to my home through wireguard and send ALL OTHER traffic through Openvpn connection." You said "I want to connect to my home through wireguard and send all the traffic through Openvpn connection", which doesn't make sense.
OPENVPN CONNECT MAC
You'd have to use your tablet's MAC address of course. If you where using a swedish server and don't want to see swedish youtube ads on your tablet, you might want to do this: iptables -t mangle -A PREROUTING -m mac -mac-source 4c:h7:9f:0l:17:k1 -j MARK -set-mark 0x55 You might want a complete device being "unprotected".
This rule would route the connection to my mail-accounts without passing them through the tunnel: iptables -t mangle -A PREROUTING -p tcp -dport 25 -j MARK -set-mark 0x55 My VPN-provider does not allow sending mails through it's VPN because there had been SPAM problems. That made a VPN-connection to my VPN-connected server possible. However, my own OpenVPN-server was listening on Port 993 so I marked every packet with "0x55" that passed through that port: sudo iptables -t mangle -A OUTPUT -p tcp -m multiport -sport 993 -j MARK -set-mark 0x55 I wanted to connect to my home network via OpenVPN at the time and was unable to do that, when the server had it's tunnel up. I actually found the solution back then when I hadn't even heared of WireGuard. The rest will still be sent into the tunnel. Whith setting up a second routing table which can be viewed via ip route show table 7 and the 0x55-rule we've basically told your machine to route every marked packet over the normal, unprotected eth0 interface. It's answers would simply be sent into the tunnel and be lost. That is why you can no longer reach your server over https, even if you had forwarded port 443 to it.
This is great, but whenever you want to communicate with your routing machine over the unprotected interface, the answers of your machine would also be sent into the tunnel. This route might look like this: 0.0.0.0/1 via 10.8.8.1 dev tun0 and mean, that all your internet-traffic should be sent out through the tunnel. When you start your OpenVPN tunnel, a new route is set into the main routing table. Now you will be able to connect to your home-server via WireGuard even when it's OpenVPN tunnel is open. Now add this to your wg0.conf: FwMark = 0x55 Where 192.168.1.5 is the IP of your external interface (eth0). Ip rule add fwmark 0x55 priority 1000 table 7 My firewall rules: -A FORWARD -i wg0 -j ACCEPTĪre there any firewall rules missing or any routes I have to add for this to work?Ĭreate a new routing table: ip route add default via 192.168.1.5 dev eth0 table 7 When I enable OpenVPN client (tun0 up) I cannot reach internal LAN and also I cannot reach Internet.
When I connect to wireguard server without OpenVPN client running I can reach my internal LAN (192.168.1.X) and also get my requests forwarded to internet through raspberry pi (eth0). Inet 10.8.8.17 netmask 255.255.255.0 destination 10.8.8.17Įth0 - is the gateway to the internet (connected to my home router) This is my ifconfig output eth0: flags=41 I want to connect to my home through wireguard and send all the traffic through Openvpn connection. I have a raspberry pi running an OpenVPN client connecting to a VPN provider and also a Wireguard server so I can connect to my home LAN from outside.