WireGuard server + OpenVPN client, again

Hi everyone,

I need help with the setup of a WireGuard server (providing LAN access on the go to my phone and laptop) and an OpenVPN client (protecting my Raspberry behind ProtonVPN, configured via dietpi-vpn) on my Raspberry running DietPi.

There are a couple of forum posts about this:
DietPi #1
DietPi #2
DietPi #3

And similar solutions elsewhere
Guide #1
Guide #2
Guide #3

But no luck so far, because it depends on your setup and goals, plus my knowledge of networking is limited. I just want to be able to access my local network via WireGuard, even when dietpi-vpn is active. It would also be nice if the traffic of the WireGuard clients could be additionally forwarded to ProtonVPN.

If someone can walk me through this, I’m happy to provide more information as required. Many thanks.

ping @trendy might be your domain :wink:

In a nutshell, a policy routing rule is needed to send the WireGuard server traffic via the ISP. Everything else can go through the ProtonVPN tunnel.
Personally I use OpenWrt for routing and VPN; there are some tools that make such a configuration easier, although it is possible to do it on DietPi as well.

Hi trendy, thank you for the suggestion. I will look into OpenWrt for my next project, but for now I’d like to adjust the current DietPi installation to my needs. I understand that this is a matter of configuring iptables and iproute2?

Update: OK, miraculously I seem to have got this partially working using iptables. Now I have access from my phone with WireGuard to the services on the Raspberry, even with the dietpi-vpn killswitch on. It would be nice to have an internet connection as well.

The rules I added (hope this doesn’t defeat the purpose of the killswitch):

   # accept traffic arriving for the WireGuard-side addresses (10.x)
   sudo iptables -A INPUT -d 10.0.0.0/8 -j ACCEPT
   # accept incoming WireGuard handshakes and data on the listen port
   sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
   # let the server's WireGuard replies leave via eth0 despite the killswitch
   sudo iptables -A OUTPUT -o eth0 -p udp --sport 51820 -j ACCEPT
   # allow anything the server itself sends into the tunnel
   sudo iptables -A OUTPUT -o wg0 -j ACCEPT

This one makes sure that WireGuard will use the ISP and not the VPN.
Then you need to masquerade the WireGuard IPs to the eth0 IP when the destination is in the LAN, or to the OpenVPN client when the destination is the internet.
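As an added example (not code from the thread, DietPi or dietpi-vpn), the policy routing rule and the two masquerade cases trendy describes, written as a script that prints the commands for review and applies them only with `--apply`. Interface names, the LAN subnet, the gateway address, the WireGuard client subnet and the fwmark/table numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example: policy routing + NAT for a WireGuard server that lives behind
# an OpenVPN (dietpi-vpn) client on the same host. Values below are assumptions.
WAN_IF=eth0              # interface towards the ISP router
WAN_GW=192.168.1.1       # constructed: ISP router address on that interface
LAN_NET=192.168.1.0/24   # constructed: the LAN the WireGuard clients should reach
VPN_IF=tun0              # dietpi-vpn (OpenVPN client) tunnel interface
WG_IF=wg0
WG_PORT=51820
WG_NET=10.9.0.0/24       # constructed: WireGuard client subnet
MARK=0x51                # constructed fwmark; the routing table id below matches
TABLE=51

# 1) Send the WireGuard server's own UDP replies via the ISP, not via tun0.
#    Marking in mangle/OUTPUT happens before the final routing decision, so
#    marked packets are re-routed through table $TABLE (default via the ISP).
#    Loose rp_filter keeps the kernel from dropping the phone's packets that
#    arrive on eth0 while the main table's default route points at tun0.
wg_bypass_rules() {
    cat <<EOF
ip route replace default via $WAN_GW dev $WAN_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE priority 100
iptables -t mangle -A OUTPUT -p udp --sport $WG_PORT -j MARK --set-mark $MARK
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=2
EOF
}

# 2) Forward client traffic: LAN destinations out eth0, everything else out
#    tun0. Deliberately no catch-all wg0->eth0 rule: if the OpenVPN tunnel is
#    down, client internet traffic is not forwarded via the ISP (killswitch kept).
wg_forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $WG_IF -o $WAN_IF -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -d $LAN_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $WG_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Default: print the commands for review. `--apply` pipes them into a shell
# (run the script as root for that).
case "${1:-}" in
    --apply) { wg_bypass_rules; wg_forward_rules; } | sh ;;
    *)       wg_bypass_rules; wg_forward_rules ;;
esac
```

The `ip rule add` line is not idempotent; re-running `--apply` adds duplicate rules, so check `ip rule show` and the iptables chains before applying a second time.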
