Wireguard server and openvpn client - Forward traffic from wg0 to tun0 (openvpn tunnel)

I have a raspberry pi running an OpenVPN client connecting to a VPN provider and also a Wireguard server so I can connect to my home LAN from outside. I want to connect to my home through wireguard and send all the traffic through Openvpn connection.

This is my ifconfig output

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.5  netmask 255.255.255.0  broadcast 192.168.1.255

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 172.1.1.1  netmask 255.255.255.0  destination 172.1.1.1

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.17  netmask 255.255.255.0  destination 10.8.8.17

eth0 - is the gateway to the internet (connected to my home router)

When I connect to wireguard server without OpenVPN client running I can reach my internal LAN (192.168.1.X) and also get my requests forwarded to internet through raspberry pi (eth0). When I enable OpenVPN client (tun0 up) I cannot reach internal LAN and also I cannot reach Internet.

What I want to do is to connect to my home through wireguard and get all the traffic tunnelled through the openvpn connection (tun0).

This is my output from "route -n":

Before OpenVPN starts (wireguard works OK):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
172.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

After openVPN tun0 starts (wireguard connection does not reach internet and LAN clients):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun0 
0.0.0.0         192.168.1.1     0.0.0.0         UG    202    0        0 eth0 
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0 
95.142.172.143  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0 
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0 
172.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0  
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0 

My firewall rules:

-A FORWARD -i wg0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

Are there any firewall rules missing or any routes I have to add for this to work? What should I had?

Thanks!!


In short: The solution

Create a new routing table:

ip route add default via 192.168.1.5 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache

Where 192.168.1.5 is the IP of your external interface (eth0). Now add this to your wg0.conf:

FwMark = 0x55

Now you will be able to connect to your home-server via WireGuard even when it's OpenVPN tunnel is open.

A longer explanation

When you start your OpenVPN tunnel, a new route is set into the main routing table. This route might look like this: 0.0.0.0/1 via 10.8.8.1 dev tun0 and mean, that all your internet-traffic should be sent out through the tunnel.

This is great, but whenever you want to communicate with your routing machine over the unprotected interface, the answers of your machine would also be sent into the tunnel. That is why you can no longer reach your server over https, even if you had forwarded port 443 to it. It's answers would simply be sent into the tunnel and be lost.

Whith setting up a second routing table which can be viewed via ip route show table 7 and the 0x55-rule we've basically told your machine to route every marked packet over the normal, unprotected eth0 interface. The rest will still be sent into the tunnel.

What else could be done?

OpenVPN-server

I actually found the solution back then when I hadn't even heared of WireGuard. I wanted to connect to my home network via OpenVPN at the time and was unable to do that, when the server had it's tunnel up. However, my own OpenVPN-server was listening on Port 993 so I marked every packet with "0x55" that passed through that port:

sudo iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 993 -j MARK --set-mark 0x55

That made a VPN-connection to my VPN-connected server possible.

E-Mail Ports not protected

My VPN-provider does not allow sending mails through it's VPN because there had been SPAM problems. This rule would route the connection to my mail-accounts without passing them through the tunnel:

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x55

MAC-addresses without VPN

You might want a complete device being "unprotected". If you where using a swedish server and don't want to see swedish youtube ads on your tablet, you might want to do this:

iptables -t mangle -A PREROUTING -m mac --mac-source 4c:h7:9f:0l:17:k1 -j MARK --set-mark 0x55

you'd have to use your tablet's MAC address of course.