I want to route ocserv traffic into a wireguard split tunnel.
Here is the net flow:
[ (ocserv client) ] =====> [ server A (ocserv + wg server) ] <===== [ server B (wg client) ]
Because the wg protocol is blocked by a firewall between server A and B, the wg tunnel has been made from server B to server A (a reverse tunnel).
The goal is that an ocserv client should be able to access the Internet on server B (the traffic originates from server B) through the wireguard split tunnel that has been made between server A and B.
client
- full route to ocserv (server A)
server A
- ocserv network
192.168.200.0/24
- ocserv gateway
192.168.200.1
- wg server
192.168.250.1/24
wg server address
Address = 192.168.250.1/24
iptables
# source NAT
# 192.168.250.1 is wg server ip
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o wg_server -j SNAT --to-source 192.168.250.1
ip route (policy-based routing)
# wg_out is just a name for the routing table
ip rule show table wg_out
32752: from 192.168.200.0/24 lookup wg_out
### default route for wg_out
ip route show table wg_out
default via 192.168.250.2 dev wg_server
### 192.168.250.2
### is the wg client ip (other side of the tunnel)
tcpdump check
if the ocserv client runs ping -c1 1.1.1.2
tcpdump -i any icmp and dst host 1.1.1.2
### 192.168.200.95
### ocserv client IP
17:53:01.693154 fun0 In IP 192.168.200.95 > 1.1.1.2: ICMP echo request, id 311, seq 4, length 64
### 192.168.250.1
### wg server IP
17:53:01.693173 wg_server Out IP 192.168.250.1 > 1.1.1.2: ICMP echo request, id 311, seq 4, length 64
server B
- wg client
192.168.250.2/24
iptables
### allow ocserv network
-A POSTROUTING -s 192.168.200.0/24 -j SNAT --to-source server-B-public-IP
ip route
allow the ocserv network to come in via the wg client
192.168.200.0/24 dev wg_client scope link
wg client AllowedIPs
AllowedIPs = 192.168.250.0/24,192.168.200.0/24
What should be added/changed so that the ocserv client can access the Internet on server B?
With this setup the ocserv client has access to
- wg server
192.168.250.1
- wg client
192.168.250.2
but does not have access to the Internet.
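As an added example (not part of the post), this Python script walks the post's two POSTROUTING SNAT rules over the echo request seen in the tcpdump check, confirms that the capture agrees with the rule on server A, and reports whether the rule on server B matches the packet as it arrives there and which source address finally leaves server B. It assumes server B's rule is evaluated after the rewrite on server A, as the capture shows; "server-B-public-IP" is the post's own placeholder, not a real address.

```python
import ipaddress
import re
# The two POSTROUTING SNAT rules exactly as the post gives them, in the order a packet meets
# them: (host, -s prefix, --to-source). "server-B-public-IP" is the post's own placeholder.
RULES = (
    ("server A", "192.168.200.0/24", "192.168.250.1"),
    ("server B", "192.168.200.0/24", "server-B-public-IP"),
)

# The two tcpdump lines from the post: the same echo request before and after SNAT on A.
TCPDUMP = """\
17:53:01.693154 fun0 In IP 192.168.200.95 > 1.1.1.2: ICMP echo request, id 311, seq 4, length 64
17:53:01.693173 wg_server Out IP 192.168.250.1 > 1.1.1.2: ICMP echo request, id 311, seq 4, length 64"""

LINE = re.compile(r"^\S+ \S+ (In|Out) IP (\S+) > \S+: ICMP echo request, id (\d+), seq (\d+)")

def rule_matches(prefix: str, src: str) -> bool:
    # A placeholder string (not an address) can never match a -s prefix.
    try:
        return ipaddress.ip_address(src) in ipaddress.ip_network(prefix)
    except ValueError:
        return False

def parse_tcpdump(text: str) -> dict:
    # Group echo requests by (id, seq) -> {"In": source, "Out": source}.
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            direction, src, pid, seq = m.groups()
            flows.setdefault((int(pid), int(seq)), {})[direction] = src
    return flows

def trace_source(src: str, rules=RULES) -> list:
    # Apply each hop's SNAT in turn; return (host, matched, source_after_hop) per hop.
    hops = []
    for host, prefix, to_source in rules:
        hit = rule_matches(prefix, src)
        src = to_source if hit else src
        hops.append((host, hit, src))
    return hops

def check_path(text: str = TCPDUMP, rules=RULES) -> dict:
    # Confirm the capture agrees with rule A, then see what B's rule does to that packet.
    report = {}
    for key, seen in parse_tcpdump(text).items():
        hops = trace_source(seen["In"], rules)
        report[key] = {"snat_on_A_matches_capture": hops[0][2] == seen["Out"],
                       "snat_on_B_matched": hops[1][1],
                       "source_leaving_B": hops[-1][2]}
    return report
```

Running check_path() with the post's capture shows that the packet reaching server B carries the already-rewritten source 192.168.250.1, so a rule matching -s 192.168.200.0/24 is evaluated against that address rather than the ocserv client's.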