I've been trying to set up a double-hop VPN connection. First step is an OpenVPN connection from this guide: https://github.com/mr-canoehead/vpn_client_gateway/wiki/Installation-Guide
It gives an option to use Mullvad and select different servers from a web UI. It works great alongside PiHole.
After that, I wanted to use Wireguard to establish a server on that same Pi, so I could connect with my laptop and my phone when I am away and not only access LAN, but also use the VPN connection from the gateway. I assumed this double-hop would be difficult (tried to do it before with two OpenVPN conf, but failed), so I looked up and found this: Wireguard server and openvpn client - Forward traffic from wg0 to tun0 (openvpn tunnel)
This gave me hope and I decided to give Wireguard a go. Everything went great, both laptop and phone connect without problems, but they don't have internet access. First I thought I had to add the rule to table 4 instead of 7 (as in the 2nd link), but that didn't work. Then I tried 10 and 11, also no luck. I tried to comment on that solution, so I could maybe get help there, but I don't have enough rep.
This is my route -n output:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.16.0.1 128.0.0.0 UG 0 0 0 tun-outgoing
0.0.0.0 10.0.1.1 0.0.0.0 UG 202 0 0 eth0
0.0.0.0 10.0.1.1 0.0.0.0 UG 303 0 0 wlan0
10.0.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
10.9.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun-outgoing
128.0.0.0 10.16.0.1 128.0.0.0 UG 0 0 0 tun-outgoing
185.212.170.162 10.0.1.1 255.255.255.255 UGH 0 0 0 eth0
This is my ifconfig output:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.1.2 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fe80::e871:c051:3610:acb4 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:c7:2f:28 txqueuelen 1000 (Ethernet)
RX packets 1006 bytes 258399 (252.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 657 bytes 92999 (90.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2422 bytes 156903 (153.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2422 bytes 156903 (153.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun-outgoing: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.16.0.3 netmask 255.255.0.0 destination 10.16.0.3
inet6 fe80::b100:7525:9bb7:31c1 prefixlen 64 scopeid 0x20<link>
inet6 fdda:d0d0:cafe:1302::1001 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 161 bytes 55317 (54.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 182 bytes 24177 (23.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.9.0.1 netmask 255.255.255.0 destination 10.9.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 4 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.1.3 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fe80::94f8:3b8:7b18:6c6f prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:92:7a:7d txqueuelen 1000 (Ethernet)
RX packets 547 bytes 133449 (130.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 103 bytes 16134 (15.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Note: tun-outgoing is the VPN gateway, wg0 is Wireguard server.
Also, I've set up ddclient to update Cloudflare and have a port forwarded over Mullvad, but since connecting clients is working, I guess that is not the problem.
So, to sum it up:
- VPN gateway over OpenVPN – working.
- PiHole – working.
- Wireguard – connects, but clients have no internet connection if the gateway is up.
Does anyone have any idea what I might do? I have a feeling I'm missing some dumb obvious thing, but can't figure it out. Any help would be greatly appreciated.
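Added example, not from the original post or either of the linked guides: a small Python script that reproduces the kernel's longest-prefix-match lookup over the route -n table quoted above, so you can see which interface the main table would pick for a given destination. The table text is copied from the post; the destination addresses fed to it are constructed test values. It models only the main table (no ip rule policy routing, which the linked answer relies on), and it says nothing about whether forwarding is enabled or whether NAT is applied on tun-outgoing, which are separate checks.

```python
import ipaddress

# Constructed copy of the `route -n` output quoted in the question (values unchanged).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.16.0.1 128.0.0.0 UG 0 0 0 tun-outgoing
0.0.0.0 10.0.1.1 0.0.0.0 UG 202 0 0 eth0
0.0.0.0 10.0.1.1 0.0.0.0 UG 303 0 0 wlan0
10.0.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0
10.9.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun-outgoing
128.0.0.0 10.16.0.1 128.0.0.0 UG 0 0 0 tun-outgoing
185.212.170.162 10.0.1.1 255.255.255.255 UGH 0 0 0 eth0
"""


def parse_route_table(text):
    """Turn `route -n` text into a list of route dicts (network, gateway, metric, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and the column header; data rows have exactly eight fields.
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts
        routes.append({
            "net": ipaddress.IPv4Network((dest, genmask), strict=False),
            # 0.0.0.0 in the Gateway column means "directly connected", no next hop.
            "gateway": None if gateway == "0.0.0.0" else gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match, lowest metric wins a tie; returns (iface, gateway) or None."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def egress_report(routes, destinations):
    """Map each destination to the (iface, gateway) the main table would use for it."""
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    # Constructed test destinations: a public resolver, the /32 host route from the
    # table, a WireGuard client, a LAN host, and an address in the upper half of IPv4.
    probes = ["1.1.1.1", "185.212.170.162", "10.9.0.7", "10.0.1.50", "200.1.1.1"]
    for dst, hop in egress_report(table, probes).items():
        print(f"{dst:>16} -> {hop}")
```

Running it shows the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) beating the /0 defaults for every public destination, so anything the Pi itself sends to the internet leaves via tun-outgoing, while the single /32 host route keeps the OpenVPN endpoint itself on eth0. That is the standard redirect-gateway def1 shape; whether packets arriving from wg0 follow the same path depends on forwarding and NAT, not on this table.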