Hi,

I am trying to set up a virtual server where I would like to have
two VPN tunnels, each one sitting in its own rdomain != 0.

In rdomain 0 I only want the real uplink.

The first VPN is WireGuard (wg1), which I have full control of. It
connects a couple of home LANs with my virtual server. I am
confident I was able to properly configure this.

The second one is a corporate OpenVPN (tap3), to which I
connect as a client. This is where I'm struggling.

Moreover, I need traffic from the WireGuard networks to be able
to flow (SNATed) to the OpenVPN rdomain. With the following
setup I see a ping request entering from WireGuard, exiting on
OpenVPN. I also get the reply on tap3, but I don't see the reply
written back to wg1. It looks like the state tracking is not
working, but I am sure I obviously missed some important
detail: I'm quite new to OpenBSD.

This is what I found online, but it does not apply to my scenario:
https://dataswamp.org/~solene/2021-12-16-openbsd-openvpn-exit.html

Here I found some useful information about how to "move"
traffic from one rdomain to another:
https://unfriendlygrinch.info/posts/openbsd-routing-tables-and-routing-domains/

Thank you in advance.

Finally, my config:

/etc/hostname.tap3
```
rdomain 3
!openvpn --daemon --config /etc/openvpn/foo.ovpn
up
!route -T3 add -iface 10.0.1.0/24 10.0.1.1 -ifp tap3
!route -T3 add 10.0.0.0/8 10.0.1.1
```

/etc/pf.conf
```
WAN = "vio0"
OVPN = "tap3"
wg1_networks = "{ 192.0.0.0/28, 192.168.0.0/24 }"
ovpn_networks = "{ 10.0.0.0/8 }"
set skip on lo
match in all scrub (random-id)
block in quick from urpf-failed to any
block in quick from no-route to any
block log all
block out on $WAN from ! ($WAN) to any
pass out on $WAN from ($WAN) to any
table <blacklist> persist file "/etc/pf.blacklist"
block drop in quick from <blacklist>
# allow ssh + wireguard from WAN
pass in quick on $WAN proto tcp to ($WAN) port 22
pass in quick on $WAN proto udp to ($WAN) port 12345
# allow intra-vpn routing
pass on rdomain 1 from $wg1_networks to $wg1_networks
# cross-vpn rdomain traversing
pass out on $OVPN nat-to ($OVPN)
pass in on rdomain 1 from $wg1_networks to $ovpn_networks
match in on rdomain 1 to $ovpn_networks rtable 3
match in on rdomain 1 to $ovpn_networks nat-to ($OVPN)
```