Wireguard - iptables rules

kwiatek1001r

Hello, we have a problem with the correct NAT of traffic in this case - Wireguard client VPN connection to networks reachable behind the IPSecVPN tunnel.

The 172.16.0.0/24 network is the client VPN address. It connects to a VPN server that has access to local VLANs 192.168.0.0/24, 192.168.10.0/24 - this traffic is carried out correctly. However, the Wireguard server itself also has an IPSec tunnel set up to the 10.168.106.0/24 network and traffic from 172.16.0.0/24 to this network does not work.
In the second phase of IPSec there is no client VPN class (172.16.0.0/24), and I can't add it because I don't have access to the other side, so it can be done through NAT: translating 172.16.0.0/24 to any address that exists in the second phase, e.g. 192.168.10.250, if traffic is routed to 10.168.106.0/24.
Unfortunately, I don't know which iptables rules I should use to implement this.
 


Hi,

Here is a running example of my NAT config:

Code:
# Enable IP forwarding in the kernel: edit /etc/sysctl.conf (e.g. vim /etc/sysctl.conf),
# check and set
#   net.ipv4.ip_forward=1
# then reload sysctl so the setting takes effect
sysctl -p

# Set NAT rules in iptables: eth0 is the exit interface, vpn0 the internal (VPN) interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow forwarding between the VPN interface and the exit interface
iptables -A FORWARD -i vpn0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o vpn0 -j ACCEPT
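A rule set tailored to the question above, SNATing only the WireGuard-to-IPsec traffic instead of masquerading everything, added here as an example and not taken from either post. It assumes the WireGuard interface is named wg0, the IPsec tunnel is policy-based (no separate tunnel interface), and 192.168.10.250 lies inside a phase-2 local selector and is not already used by another host.

```shell
#!/bin/sh
# Added example for the question in this thread (not code from either post).
# Assumptions: the WireGuard interface is wg0, the IPsec tunnel is policy-based
# (no separate tunnel interface), and SNAT_IP lies inside an IPsec phase-2 local
# selector and is not used by any other host.
WG_IF="wg0"
WG_NET="172.16.0.0/24"         # WireGuard client range
REMOTE_NET="10.168.106.0/24"   # network reachable only through the IPsec tunnel
SNAT_IP="192.168.10.250"       # address the remote side already accepts in phase 2

# Emit the rules rather than applying them, so they can be reviewed (or tested) first.
gen_rules() {
    # Only WireGuard clients may open connections toward the remote site ...
    echo "iptables -A FORWARD -i $WG_IF -s $WG_NET -d $REMOTE_NET -j ACCEPT"
    # ... and only replies come back into the WireGuard interface.
    echo "iptables -A FORWARD -o $WG_IF -s $REMOTE_NET -d $WG_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Rewrite the source for this destination only. nat/POSTROUTING runs before the
    # kernel's IPsec (xfrm) policy lookup, so the rewritten packet matches the phase-2
    # selector and gets encrypted; conntrack un-NATs the replies after decapsulation.
    # Insert at position 1 so a broad MASQUERADE rule cannot rewrite the source first.
    echo "iptables -t nat -I POSTROUTING 1 -s $WG_NET -d $REMOTE_NET -j SNAT --to-source $SNAT_IP"
}

# IPv4 dotted quad -> integer (POSIX sh, no external tools)
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_cidr IP NETWORK/PREFIX -> exit 0 if IP falls inside the prefix
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_snat_ip LOCAL_SELECTOR -> exit 0 if SNAT_IP is covered by the phase-2 local
# selector; if it is not, the remote peer will never route the replies back.
check_snat_ip() {
    in_cidr "$SNAT_IP" "$1"
}
```

Run `check_snat_ip 192.168.10.0/24` (with the selector your IPsec daemon actually negotiated) before applying, then `gen_rules | sudo sh`.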