Wireguard server + OpenVPN client, again

Hi everyone,

I need help with the setup of Wireguard server (providing LAN access on the go to my phone and laptop) and OpenVPN client (protecting my Raspberry behind ProtonVPN, configured via dietpi-vpn) on my Raspberry running DietPi.

There are a couple of forum posts about this:
DietPi #1
Dietpi #2
DietPi #3

And similar solutions elsewhere
Guide #1
Guide #2
Guide #3

But no luck so far, because it depends on your setup and goals, plus my knowledge of networking is limited. I just want to be able to access my local network via WireGuard, even when dietpi-vpn is active. It would also be nice if the traffic of the WireGuard clients could be additionally forwarded to ProtonVPN.

If someone can walk me through this, I’m happy to provide more information as required. Many thanks.

ping @trendy might be your domain :wink:

In a nutshell, a policy routing rule is needed to send via ISP the WireGuard server. Everything else can go through the ProtonVPN tunnel.
Personally I use OpenWrt for routing and VPN, there are some tools that make such configuration easier, although it is possible to make it on DietPi as well.

Hi trendy, thank you for the suggestion. I will look into OpenWrt for my next project, but for now I’d like to adjust the current DietPi installation to my needs. I understand that this is a matter of configuring iptables and iproute2?

Update: Ok, miraculously I seem to have got this partially working using iptables. Now I have access from my phone with WireGuard to the services on the raspberry, even with dietpi-vpn killswitch on. It would be nice to have an internet connection as well.

The rules I added (hope this doesn’t defeat the purpose of the killswitch):

   sudo iptables -A INPUT -d -j ACCEPT
   sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
   sudo iptables -A OUTPUT -o eth0 -p udp --sport 51820 -j ACCEPT
   sudo iptables -A OUTPUT -o wg0 -j ACCEPT

This one makes sure the wireguard will use the ISP and not the VPN.
Then you need to masquerade wireguard IPs to the eth0 IP when the destination is in the lan, or to the openvpn client when the destination is the internet.


Hello, hope it’s ok to bump this old topic, but I solved it! I ditched OpenVPN entirely, configuring my Raspberry Pi 3 as both WireGuard client and server according to this guide: Reddit - Dive into anything

Now from my phone I have access to my local DietPi services like Nextcloud, while my external IP appears that of my ProtonVPN.

Update: You can even use dietpi-software to do most of the config work!

  1. Using dietpi-software, install WireGuard as client.

  2. Grab the WireGuard config file from your VPN provider and put it in the folder /etc/wireguard/. To avoid confusion (when selecting interface to bind in qbittorrent :slight_smile:) name it vpn-client.conf

  3. Modify vpn-client.conf: under section [Interface] add line: FwMark = 51820. I think this can be anything (correct me if I’m wrong) but this value is recognizable as the default WireGuard port. Don’t forget to activate it with sudo systemctl enable --now wg-quick@vpn-client

  4. Using dietpi-software, install PiVPN, using WireGuard, using port 51821 to avoid conflict (assuming your vpn-client.conf is configured with default port 51820).

  5. Modify the WireGuard server config, /etc/wireguard/wg0.conf. Add the following lines under [Interface]:

FwMark = 51820

# forwarding
PostUp  = iptables -A FORWARD -o eth0 ! -d -j REJECT
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
PostUp  = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -j REJECT
PreDown = iptables -D FORWARD -o eth0 ! -d -j REJECT
PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -j REJECT

PostUp  = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o vpn-client -j MASQUERADE

where is my own local network, although I understand more commonly people have; and eth0 is the interface through which my Raspberry gets its internet (in my case an Ethernet connection).

  1. Now generate your (phone) client config as usual with pivpn add.

  2. On your (phone) client install the config (easiest with pivpn -qr if the WireGuard app lets you scan QR codes) and activate tunnel.

  3. On your (phone) client with tunnel activated verify: 1) you can access DietPi ssh, services, admin webpage etc.; 2) you can access the Internet for normal browsing; 3) your IP address appears to be that from your VPN provider (not your phone’s IP as it appears without the tunnel, and not your home network’s external IP!)

1 Like