Hello everyone,

I have a somewhat complex VPN setup involving an Ubuntu-based VPN gateway ("vpn-gw") that terminates multiple VPNs based on WireGuard and OpenVPN. Also involved is a core router ("gw01") that performs routing among different VLANs comprising the LAN.

One of the OpenVPN interfaces ("tun252") requires masquerading, which I implemented through the following nftables config snippet:

    table ip nat {
        chain postrouting {
            type nat hook postrouting priority 100; policy accept
            [...]
            oifname "tun252" counter masquerade
        }
    }

This works fine if traffic originates on the LAN. Things start acting weird (i.e., no masquerading is applied when the traffic is forwarded to tun252) when the traffic originates on one of the WireGuard interfaces. The path of the packets in this case is:

    vpn-gw[wireguard] -> vpn-gw[eth0.250] -> gw01[eth0.250] -> gw01[eth0.252] -> vpn-gw[eth0.252] -> vpn-gw[tun252]

In contrast, traffic that takes the following course is masqueraded correctly:

    gw01[eth0.10] -> gw01[eth0.252] -> vpn-gw[eth0.252] -> vpn-gw[tun252]

Any idea what may be causing this and how to fix this?

Thanks,
Thilo