How to route traffic between L2TP/IPSec and WireGuard tunnels?
I have a KVM VPS running Ubuntu 18.04 which is simultaneously:
- L2TP server (xl2tpd + strongswan) with IP 192.168.42.1/24
- Wireguard client with IP 192.168.73.3/24 (server's IP is 192.168.73.1/24)
Both L2TP and Wireguard connections work pretty well separately from each other.
I want to allow redirecting the traffic from L2TP clients to the Wireguard server, i.e. 192.168.42.x <===> 192.168.73.1
Wireguard config on VPS:
~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <....>
Address = 192.168.73.3/24
[Peer]
PublicKey = <...>
Endpoint = <....>
AllowedIPs = 192.168.73.0/24
PersistentKeepalive = 15
L2TP server has been set up using this awesome script. It creates the following iptables rules:
~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens3 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens3 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -j DROP
IP forwarding is obviously enabled
~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Routing table (with 1 L2TP client connected) is:
~# netstat -rn
Kernel IP routing table
Destination      Gateway          Genmask          Flags  MSS Window  irtt Iface
0.0.0.0          X.X.X.X          0.0.0.0          UG       0 0          0 ens3
XXX.XXX.XXX.XXX  0.0.0.0          255.255.255.0    U        0 0          0 ens3
X.X.X.X          0.0.0.0          255.255.255.255  UH       0 0          0 ens3
192.168.42.10    0.0.0.0          255.255.255.255  UH       0 0          0 ppp0
192.168.73.0     0.0.0.0          255.255.255.0    U        0 0          0 wg0
XXX - confidential gateway and external IPs.
I've tried to add the following rules:
~# iptables -D FORWARD -j DROP
~# iptables -A FORWARD -i ppp+ -o wg0 -j ACCEPT
~# iptables -A FORWARD -i ppp+ -o wg0 -j ACCEPT
~# iptables -A FORWARD -j DROP
But forwarding ppp0 <===> wg0 still does not work.
Which iptables rules should I add to allow such kind of forwarding?
Solution 1:
You need to add a route on the L2TP VPN clients which tells that packets to 192.168.73.0/24 should be sent via 192.168.42.1.
Also, you need to add a route on the Wireguard server which tells that packets to 192.168.42.0/24 should be sent via 192.168.73.3.
The issue with your iptables command is that you are adding the rules after the -j DROP rule. This means that those rules are never hit and packets are dropped.
You should use -I to insert the rules first in the chain.
You also need to check Wireguard client firewall configuration.
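As an added example (not part of the question or the answer above), here is a small Python audit script that reads the output of `iptables -S FORWARD`, finds any rules that sit behind an unconditional terminal rule such as `-A FORWARD -j DROP` (and therefore can never match), and prints the `iptables -I` commands that move them in front of it. It also prints the two routes the answer describes. The sample chain is constructed to mirror the question's rule set after the attempted additions; the `AllowedIPs` line assumes the server's peer entry for the VPS currently lists only 192.168.73.3/32, which is not stated on the page.

```python
"""Audit an iptables FORWARD chain for rules shadowed by a catch-all
terminal rule, and emit the corrected -I commands plus tunnel routes.

Input is the text printed by `iptables -S FORWARD`. Nothing here touches
the live firewall; it only parses text and prints commands to review.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample: the question's chain with the two wg0 ACCEPT rules
# appended after the catch-all DROP, so they are never evaluated.
SAMPLE_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens3 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens3 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i ppp+ -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o ppp+ -j ACCEPT
"""


def parse_rules(chain_text):
    """Return a list of (match_tokens, target) for each `-A CHAIN ...` line.

    `-P` policy lines are skipped: the policy only applies after every rule.
    """
    rules = []
    for line in chain_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "-A" or "-j" not in tok:
            continue
        j = tok.index("-j")
        rules.append((tok[2:j], tok[j + 1]))  # tokens between CHAIN and -j
    return rules


def shadowed_rules(chain_text):
    """Return (catch_all_position, [shadowed rule strings]).

    Positions are 1-based as iptables counts them. A catch-all is a rule
    with no match criteria and a terminal target; everything after it is
    unreachable. Returns (None, []) when the chain has no such rule.
    """
    rules = parse_rules(chain_text)
    for idx, (matches, target) in enumerate(rules):
        if not matches and target in TERMINAL:
            rest = [" ".join(m + ["-j", t]) for m, t in rules[idx + 1:]]
            return idx + 1, rest
    return None, []


def fix_commands(chain_text, chain="FORWARD"):
    """Commands that delete each shadowed rule and re-insert it in front of
    the catch-all, keeping the shadowed rules' relative order."""
    pos, shadowed = shadowed_rules(chain_text)
    cmds = []
    if pos is None:
        return cmds
    for offset, rule in enumerate(shadowed):
        cmds.append(f"iptables -D {chain} {rule}")
        # Each insert pushes the catch-all one position further down,
        # so the next rule goes one position later to stay in order.
        cmds.append(f"iptables -I {chain} {pos + offset} {rule}")
    return cmds


def route_commands(l2tp_net="192.168.42.0/24", l2tp_gw="192.168.42.1",
                   wg_net="192.168.73.0/24", wg_client="192.168.73.3"):
    """Routes from the answer: L2TP clients reach the WireGuard subnet via
    the VPS's L2TP address, and the WireGuard server reaches the L2TP subnet
    via the VPS's WireGuard address. The AllowedIPs note is a WireGuard
    cryptokey-routing requirement: the server drops packets from the VPS
    peer whose source is 192.168.42.x unless that subnet is listed for the
    peer. The existing /32 entry is an assumption, not taken from the page.
    """
    return {
        "l2tp_client": [f"ip route add {wg_net} via {l2tp_gw}"],
        "wireguard_server": [
            f"ip route add {l2tp_net} via {wg_client}",
            f"# [Peer] for the VPS: AllowedIPs = {wg_client}/32, {l2tp_net}",
        ],
    }


if __name__ == "__main__":
    pos, bad = shadowed_rules(SAMPLE_CHAIN)
    print(f"catch-all rule at position {pos}; unreachable rules: {bad}")
    for cmd in fix_commands(SAMPLE_CHAIN):
        print(cmd)
    for host, cmds in route_commands().items():
        print(host, *cmds, sep="\n  ")
```

Run it against real output with `iptables -S FORWARD | python3 audit.py` after replacing `SAMPLE_CHAIN` with `sys.stdin.read()`; review the printed commands before applying them. The audit treats `-j DROP` with no match options as the boundary, which is exactly the rule the question's script appends last, so anything added with `-A` afterwards shows up as shadowed.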