PiHole, Wireguard, OVPN Client

Hey guys,

I have a RPI2b running dietpi with PiHole and PiVPN Wireguard.
I can reach my home network from outside and have the advantage of Ad Blocking. Really cool :slight_smile:
But my goal is to also have an openvpn connection running as client to route all outgoing traffic though VPN provider.
So my mobile devices should be able to be part of my home network from outside, have the advantage from ad blocking and use the OpenVPN connection for outgoing traffic as long as I’m connected to the Wireguard VPN.
I read couple of tutorials about this double hop thing but really I’m not familar enough with this to configure that.
Could someone please tell me what I have to edit / configure to let outgoing traffic pass through an OpenVPN client connection besides Wireguard and PiHole…


many thanks for your request. I guess you would need to configure iptables that way, that all traffic is forwarded between the VPN interfaces. Maybe trendy could help on this network forwarding stuff.

thank you for your reply Joulinar .
Would be very nice if trendy could advice me on how to configure iptables correct for this usecase :slight_smile:

It is a bit more complicated than just some iptables rules I am afraid.
Currently you have only one gateway, your ISP, so everything works through that.
However when you add the OpenVPN client, it will push the default gateway through that. This will break you wireguard server, as replies will be routed via OpenVPN and not the ISP. So you’ll need to filter the default gateway from the VPN and manually route whatever you wish to be routed via the VPN. To do that you need to create a new routing table, which will contain the local subnet and the VPN as default gateway (usually you can do that with route-up scripts). Finally you need to add a few policy routing rules to mark the source IPs which will be using the VPN routing table.
iptables should not be much of an issue, just allow lan and remote hosts towards the VPN and drop everything else.

This scenario is when the Wireguard and OpenVPN run on the router. If the device is inside the LAN then it is more complicated if you want to route via VPN also lan hosts, apart from remote.

If you are still interested, let me know exactly the topology as well as if only remote or lan hosts should use the OpenVPN.

thank you for the reply trendy
The VPN runs inside my lan not direct on router. As mentioned its dietpi running pihole pivpn and ovpn.
I want all traffic from inside lan or lets better say the lan devices I tell to use this pi as gateway and all clients from extern that are connected per wireguard as “home devices” to route the outgoing traffic through the ovpn connection.

Configure the dhcp server with option 3 for those specific hosts to use the Pi as default gateway.
Alternatively use static IP/mask/GW/DNS.

First step is to filter the default gateway from the VPN.
Second, create a rule for all the IPs of the WG server to use a custom routing table:

ip rule add from <allow_net> to <lan_net> lookup main prio 16000
ip rule add from <allow_net> to default lookup 101 prio 16010

Setup the default gateway for the custom routing table

ip route add to default via <gateway> table 101

if the gateway is not standard you can try with “dev wg0” or whatever your WG interface is.

On top of all these you’d need to setup the firewall accordingly to:

  1. Protect your network
  2. NAT the internal network when you access the internet

Had some time to do the project but little different then I had planned.
Running 2 seperate Pi now. A 2b with wireguard server and pihole for beeing part of my lan from outside and this dns thing :slight_smile:
Second is a 3b with Hotspot (60) and openvpn client installed.
I applied these iptables →
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
With that I have a WiFi Hotspot with all traffic routed through the vpn and its working perfekt for my needs.
The device is still reachable from within lan.

Guys I’m going to mark this as solved. Feel free to continue your interesting discussion :slight_smile: