
So I have the following configuration:

                    +---------------------+      +----------------------------------+
                    |      10.10.10.*     |      |            192.168.100.*         |
                    |---------------------|      |----------------------------------|
                    |                     |      |                                  |
                    |              +------|------|------+                           |
                    |              |    Raspberry Pi    |                           |
                    |              |------|------|------|                           |
                    |              |      |      |      |                           |
                    |              |  +--------------+  |                           |
                    |              |  |   |      |   |  |                           |
                    |              |  v   |      |   v  |                           |
                    | +--------+   |------|------|------|   +--------+   +----+     |
         Internet   | |Router 1|   | eth0 |      |wlan0 |   |Router 2|   | PC |     |
                    | +--------+   +------|------|------+   +--------+   +----+     |
            ^       |    ^  ^         ^   |      |  ^          ^  ^        ^        |
            |       +----|--|---------|---+      +--|----------|--|--------|--------+
            |            |  |         |             |          |  |        |
            |            |  |         |             |          |  |        |
            +------------+  +---------+             +----------+  +--------+

I've installed and configured OpenVPN on the Raspberry Pi, and I can connect to it from outside. When I'm connected the IP is in the 10.8.0.* range, and I have no problem accessing any computer that is connected to "Router 1", but what I'm trying to do is access the PC that is connected to "Router 2", and I'm stuck :). Everything that is behind Router 2 shouldn't have internet access, but I do want to have access to them when needed from a remote location. I do have access to both routers for configuration.

I assume it is some routes or iptables configuration, but I'm quite a noob at this.

If it helps, these are my routes:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    202    0        0 eth0
0.0.0.0         192.168.100.1   0.0.0.0         UG    303    0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.10.10.0      0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     303    0        0 wlan0

and my iptables config (I'm using iptables-persistent)

# Generated by iptables-save v1.6.0 on Thu Apr 18 16:52:58 2019
*filter
:INPUT ACCEPT [952:111277]
:FORWARD ACCEPT [36:3024]
:OUTPUT ACCEPT [675:99113]
-A INPUT -i tun0 -j ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Apr 18 16:52:58 2019
# Generated by iptables-save v1.6.0 on Thu Apr 18 16:52:58 2019
*nat
:PREROUTING ACCEPT [20:3877]
:INPUT ACCEPT [17:3625]
:OUTPUT ACCEPT [146:9653]
:POSTROUTING ACCEPT [147:9737]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 18 16:52:58 2019

And my /etc/openvpn/server.conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 127.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.100.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
Ingo
licaon
  • Wow, well explained so far, and not an easy setup. I can only follow it with a test setup, but I'm only able to do it after Easter. First of all some questions. What is Router 2 needed for? Can't the PC connect directly to the RasPi? I cannot see at the moment what all the entries in the **nat** table are used for. Just for testing I would make the firewall completely transparent (delete all rules) and, when routing works, configure the firewall step by step. Do you have access to Router 1 and Router 2 to set static routes there? Please address me with @Ingo, otherwise maybe I don't see your reply. – Ingo Apr 18 '19 at 18:00
  • @Ingo Thanks for your comment. I've tried removing everything from iptables, but it still doesn't work. Everything that is behind **Router 2** shouldn't have internet access, but I do want to have access to them when needed from a remote location, and yes, I do have access to both routers – licaon Apr 19 '19 at 08:02
  • There are more devices behind **Router 2** and I can't connect all of them directly to the Raspberry Pi, that is why I need this setup to work – licaon Apr 19 '19 at 08:13
  • Why can't you? Theoretically there is no need to use **Router 2**. It complicates the setup. We have a WiFi subnet 192.168.100.0/24 and all devices can connect to the RasPi if you make it an access point. There is no limit on the number of devices. Performance is also not an issue because all communication must go through **wlan0** in any case. – Ingo Apr 19 '19 at 08:34
  • @Ingo not all devices behind **Router 2** have wireless cards :(, and I would like, if possible, to make this configuration work; if not, then I will try something else – licaon Apr 19 '19 at 09:31
  • OK, we will get it. – Ingo Apr 19 '19 at 11:30
  • @Ingo did you manage to test this scenario? – licaon Apr 24 '19 at 08:18
  • I've just started working on it. – Ingo Apr 25 '19 at 11:13
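
As an added example (my own code, not part of the question, the answer or the comments), here is a small Python audit of an iptables-save dump in the shape posted above. It flags rules placed in chains that do not exist in their table (the `-A POSTROUTING` line under `*filter` in the question's dump is one; iptables-restore rejects such a dump), a FORWARD default policy of ACCEPT, and interface pairs that the FORWARD chain would let through. Both dumps inside are constructed for the example: the first follows the question's rules, the second is a tightened variant with a DROP policy that only forwards between tun0 and wlan0, which is what "reachable through the VPN but no internet" asks for. The interface check evaluates only `-i`/`-o`, so it reports what could be forwarded rather than simulating every match.

```python
"""Audit an iptables-save dump: chains placed in the wrong table, a permissive
FORWARD policy, and interface pairs the FORWARD chain would let through.
Added example, not code from the question or the answer."""

# Built-in chains of each table; user-defined chains come from ':NAME -' lines.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}

# Constructed after the question's dump: note POSTROUTING under *filter.
QUESTION_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed tightened variant: drop by default, forward only VPN <-> wlan0.
HARDENED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# The 192.168.100.* side (wlan0) must never be forwarded to the internet side
# (eth0) or vice versa.
FORBIDDEN_PATHS = [("wlan0", "eth0"), ("eth0", "wlan0")]


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [token lists]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):             # append rule
            tables[current]["rules"].append(line.split())
        elif line == "COMMIT":
            current = None
    return tables


def rule_options(rule):
    """Pick the single-valued options this audit cares about out of a rule."""
    return {k: v for k, v in zip(rule, rule[1:]) if k in ("-i", "-o", "-j")}


def forward_allows(filt, in_if, out_if):
    """First-match walk of FORWARD for a packet from in_if to out_if.  Only
    -i/-o are evaluated, so a rule with extra matches counts as matching
    (conservative: 'could be forwarded').  Jumps into user chains and
    non-terminating targets such as LOG are skipped."""
    for rule in filt["rules"]:
        if rule[1] != "FORWARD":
            continue
        opts = rule_options(rule)
        if opts.get("-i", in_if) == in_if and opts.get("-o", out_if) == out_if:
            if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                return opts["-j"] == "ACCEPT"
    return filt["policies"].get("FORWARD") == "ACCEPT"


def audit(tables, forbidden_paths=()):
    """Return a list of findings; an empty list means the dump passes."""
    findings = []
    for table, data in tables.items():
        user_chains = {c for c, p in data["policies"].items() if p == "-"}
        known = BUILTIN_CHAINS.get(table, set()) | user_chains
        for rule in data["rules"]:
            if rule[1] not in known:
                findings.append(f"{table}: chain {rule[1]} does not exist in this "
                                f"table, iptables-restore rejects it: {' '.join(rule)}")
    filt = tables.get("filter")
    if filt is None:
        return findings
    if filt["policies"].get("FORWARD") == "ACCEPT":
        findings.append("filter: FORWARD policy is ACCEPT, every routed packet "
                        "is forwarded unless a rule drops it")
    for in_if, out_if in forbidden_paths:
        if forward_allows(filt, in_if, out_if):
            findings.append(f"filter: packets from {in_if} to {out_if} would be forwarded")
    return findings


if __name__ == "__main__":
    for name, dump in (("question", QUESTION_DUMP), ("hardened", HARDENED_DUMP)):
        found = audit(parse_iptables_save(dump), FORBIDDEN_PATHS)
        print(f"{name}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Running it lists four findings for the first dump (the misplaced POSTROUTING rule, the ACCEPT policy, and both wlan0/eth0 directions being forwardable) and none for the second. The same parser can be pointed at the real output of `iptables-save` on the Pi.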

1 Answer


Because we have access to the routers I will use clean routing, not NAT. This way we have control over communication in both directions and can use advanced routing if needed.

You have a working environment with a running VPN tunnel. So I will focus on routing and only link to setups that I need to build my test environment. I always use Raspbian/Debian examples for all devices because I don't know anything about your router and VPN client. So you have to "translate" them into the settings of your device, mostly to set a static route. This is often done within a web interface of the router. You have to find the page to set static routes and at least fill in the gateway or next hop and the (destination) network. For example, if I define a static route like this:

router ~$ sudo ip route add 10.8.0.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1

then the gateway (or next hop, or via) is 192.168.50.2 and the (destination) network is 10.8.0.0/24. dev eth0 and src 192.168.50.1 are the name and IP address of the interface on which you can reach the next hop. I don't know if you can set them. It's mostly not needed because the IP address of the next hop determines the interface.

Due to my test environment I use subnet 192.168.50.0/24 instead of 10.10.10.0/24 and these IP addresses:

                   router1 eth0  192.168.50.1/24
                       RPi eth0  192.168.50.2/24
                       RPi wlan0 192.168.100.2/24
                   router2 wlan0 192.168.100.1/24
      RPi vpn tunnel entry tun0  10.8.0.1/32
vpnclient vpn tunnel entry tun0  10.8.0.2/32

Because these addresses are gateways in routing rules we have to set them statically.

Setup the Raspberry Pi as router

Now I set up a router on the RPi using systemd-networkd. For reference I use Raspbian Stretch Lite 2019-04-08, updated with sudo apt update && sudo apt full-upgrade && sudo reboot on 2019-04-27. Then I executed these commands and created these files:

# disable classic networking
rpi ~$ sudo -Es
rpi ~# systemctl mask networking.service
rpi ~# systemctl mask dhcpcd.service
rpi ~# mv /etc/network/interfaces /etc/network/interfaces~
rpi ~# sed -i '1i resolvconf=NO' /etc/resolvconf.conf

# enable systemd-networkd
rpi ~# systemctl enable systemd-networkd.service
rpi ~# systemctl enable systemd-resolved.service
rpi ~# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

# configure wpa_supplicant
rpi ~# cat > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf <<EOF
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=DE

network={
    ssid="RPiNet"
    psk="Password"
    key_mgmt=WPA-PSK
}
EOF

rpi ~# chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
rpi ~# systemctl disable wpa_supplicant.service
rpi ~# systemctl enable wpa_supplicant@wlan0.service

# configure interfaces
rpi ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0
[Network]
Address=192.168.50.2/24
Gateway=192.168.50.1
IPForward=yes
EOF

rpi ~# cat > /etc/systemd/network/08-wlan0.network <<EOF
[Match]
Name=wlan0
[Network]
Address=192.168.100.2/24
EOF

After reboot I have these routing tables. Please note that Router 2 must not have a default route.

router1 ~$ ip route
default via <provider-ip> dev wan0 proto static   # provider gateway to the internet
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.1

rpi ~$ ip route
default via 192.168.50.1 dev eth0 proto static
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.2
192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.2

router2 ~$ ip route
192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.1

Check connections:

router1 ~$ ping 8.8.8.8           # success internet
router1 ~$ ping 192.168.50.2      # success RasPi
router1 ~$ ping 192.168.50.237    # success any client50
client50 ~$ ping 192.168.100.251  # fail any client100
client50 ~$ ping 8.8.8.8          # success internet
router1 ~$ ping 192.168.100.2     # fail RasPi
router1 ~$ ping 192.168.100.1     # fail router2
router1 ~$ ping 192.168.100.251   # fail any client100

rpi ~$ ping 192.168.50.1          # success router1
rpi ~$ ping 192.168.50.237        # success any client50
rpi ~$ ping 192.168.100.1         # success router2
rpi ~$ ping 192.168.100.251       # success any client100
rpi ~$ ping 8.8.8.8               # success internet

router2 ~$ ping 192.168.100.2     # success RasPi
router2 ~$ ping 192.168.50.2      # fail RasPi
router2 ~$ ping 192.168.50.1      # fail router1
router2 ~$ ping 192.168.50.237    # fail any client50
router2 ~$ ping 8.8.8.8           # fail internet
router2 ~$ ping 192.168.100.251   # success any client100
client100 ~$ ping 192.168.50.237  # fail any client50
client100 ~$ ping 8.8.8.8         # fail internet

Setup routing between subnets

Don't do this if you do not want clients on subnet 192.168.100.0/24 to be able to connect to clients on subnet 192.168.50.0/24 and vice versa. Skip to the next section, Setup VPN client.

Set up (additional) routing on Router 1 and Router 2. We have to set a static route to the known local subnets. IP forwarding must be enabled on both routers. Please note that Router 2 does not have a default route, so it sends packets only to known subnets and not to the internet.

router1 ~$ sudo ip route add 192.168.100.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1
router1 ~$ ip route
default via <provider-ip> dev wan0 proto static   # provider gateway to the internet
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.1
192.168.100.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1

router2 ~$ sudo ip route add 192.168.50.0/24 via 192.168.100.2 dev wlan0 proto static src 192.168.100.1
router2 ~$ ip route
192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.1
192.168.50.0/24 via 192.168.100.2 dev wlan0 proto static src 192.168.100.1

Check connections:

router1 ~$ ping 8.8.8.8           # success internet
router1 ~$ ping 192.168.50.2      # success RasPi
router1 ~$ ping 192.168.50.237    # success any client50
client50 ~$ ping 192.168.100.251  # success any client100
client50 ~$ ping 8.8.8.8          # success internet
router1 ~$ ping 192.168.100.2     # success RasPi
router1 ~$ ping 192.168.100.1     # success router2
router1 ~$ ping 192.168.100.251   # success any client100

rpi ~$ ping 192.168.50.1          # success router1
rpi ~$ ping 192.168.50.237        # success any client50
rpi ~$ ping 192.168.100.1         # success router2
rpi ~$ ping 192.168.100.251       # success any client100
rpi ~$ ping 8.8.8.8               # success internet

router2 ~$ ping 192.168.100.2     # success RasPi
router2 ~$ ping 192.168.50.2      # success RasPi
router2 ~$ ping 192.168.50.1      # success router1
router2 ~$ ping 192.168.50.237    # success any client50
router2 ~$ ping 8.8.8.8           # fail internet
router2 ~$ ping 192.168.100.251   # success any client100
client100 ~$ ping 192.168.50.237  # success any client50
client100 ~$ ping 8.8.8.8         # fail internet

Setup VPN client

So far, so good. We have the local network environment configured. Now we have to integrate the OpenVPN interface tun0. I create an OpenVPN tunnel as described at Simple openVPN with static keys. Then I connect a VPN client to the internet with a mobile phone and USB tethering.

Next I set up routing on the VPN client. We want to send packets for the two known subnets through the VPN tunnel, so we add two static routes to them. We also have to tell Router 1 and Router 2 how to send packets to the VPN client, with an additional static route on each router.

vpnclient ~$ sudo ip route add 192.168.50.0/24 via 10.8.0.1 dev tun0 proto static src 10.8.0.2
vpnclient ~$ sudo ip route add 192.168.100.0/24 via 10.8.0.1 dev tun0 proto static src 10.8.0.2

router1 ~$ sudo ip route add 10.8.0.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1

router2 ~$ sudo ip route add 10.8.0.0/24 via 192.168.100.2 dev wlan0 proto static src 192.168.100.1

That's it.

Ingo
  • @licaon Should clients from 192.168.100.0/24 have access to clients on 192.168.50.0/24 and/or vice versa? Should the RasPi itself have access to the internet? – Ingo Apr 25 '19 at 14:31
  • @licaon Should the vpn-client have access to the internet through *Router 1*? – Ingo Apr 25 '19 at 20:20
  • Thank you for doing this. I'm on holiday for the next couple of days, so I won't be able to test this. And to answer your question: 192.168.100.0/24 **should not** have access to clients on 192.168.50.0/24, and I don't need internet access via VPN – licaon Apr 27 '19 at 07:49
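
To check the answer's routing plan without any hardware, here is an added example (my own code, not Ingo's). It parses `ip route` style tables, does a longest-prefix lookup on each host and follows the next hop, so that both directions of a flow can be verified, which is the part NAT would otherwise paper over. The tables for Router 1, the RPi and Router 2 are the answer's final state (inter-subnet routes plus the VPN return routes); the two clients' tables, the point-to-point tun0 host routes and the VPN client's tethering uplink (usb0 via 192.0.2.1) are assumptions made for the model. It also reproduces two points from the answer: a host behind Router 2 has no path to the internet because Router 2 has no default route, and removing the 10.8.0.0/24 route on Router 2 breaks only the reply path.

```python
"""Hop-by-hop forwarding simulation over the static routes from the answer
above (added example, not the answer's own code): longest-prefix lookup on
every host, then follow the next hop, for both directions of a flow."""
import ipaddress

# Address plan from the answer.  The tun0 host routes and the VPN client's
# tethering uplink (usb0 via 192.0.2.1) are assumptions made for the model.
ADDRESSES = {
    "router1": {"192.168.50.1"},
    "rpi": {"192.168.50.2", "192.168.100.2", "10.8.0.1"},
    "router2": {"192.168.100.1"},
    "vpnclient": {"10.8.0.2"},
    "client50": {"192.168.50.237"},
    "client100": {"192.168.100.251"},
}
UPLINKS = {"router1": {"wan0"}, "vpnclient": {"usb0"}}  # interfaces leaving the model

TABLES = {  # `ip route` output per host, final state of the answer
    "router1": """
        default via <provider-ip> dev wan0 proto static
        192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.1
        192.168.100.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1
        10.8.0.0/24 via 192.168.50.2 dev eth0 proto static src 192.168.50.1""",
    "rpi": """
        default via 192.168.50.1 dev eth0 proto static
        192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.2
        192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.2
        10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1""",
    "router2": """
        192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.1
        192.168.50.0/24 via 192.168.100.2 dev wlan0 proto static src 192.168.100.1
        10.8.0.0/24 via 192.168.100.2 dev wlan0 proto static src 192.168.100.1""",
    "vpnclient": """
        default via 192.0.2.1 dev usb0 proto dhcp
        10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.2
        192.168.50.0/24 via 10.8.0.1 dev tun0 proto static src 10.8.0.2
        192.168.100.0/24 via 10.8.0.1 dev tun0 proto static src 10.8.0.2""",
    "client50": """
        default via 192.168.50.1 dev eth0
        192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.237""",
    "client100": """
        default via 192.168.100.1 dev eth0
        192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.251""",
}


def parse_routes(text):
    """`ip route` lines -> [(network, via, dev)]; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        opts = dict(zip(tokens[1:], tokens[2:]))   # 'via X', 'dev Y', ...
        routes.append((ipaddress.ip_network(prefix, strict=False),
                       opts.get("via"), opts.get("dev")))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; None if no route covers dst."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def owner(address):
    return next((h for h, a in ADDRESSES.items() if address in a), None)


def trace(src, dst, tables=TABLES, max_hops=16):
    """Follow a packet from host src towards IP dst.  Returns (path, outcome)
    with outcome in: delivered, internet, no route, next hop unreachable, loop."""
    dst_ip = ipaddress.ip_address(dst)
    parsed = {h: parse_routes(t) for h, t in tables.items()}
    host, path = src, [src]
    for _ in range(max_hops):
        if str(dst_ip) in ADDRESSES[host]:
            return path, "delivered"
        route = lookup(parsed[host], dst_ip)
        if route is None:
            return path, "no route"
        _, via, dev = route
        if dev in UPLINKS.get(host, set()):
            return path + ["internet"], "internet"
        host = owner(via or str(dst_ip))        # no 'via' means on-link delivery
        if host is None:
            return path, "next hop unreachable"
        path.append(host)
    return path, "loop"


def reachable_both_ways(host_a, ip_a, host_b, ip_b, tables=TABLES):
    """True only if A reaches B *and* B's reply reaches A."""
    return (trace(host_a, ip_b, tables)[1] == "delivered"
            and trace(host_b, ip_a, tables)[1] == "delivered")


def without_route(tables, host, prefix):
    """Copy of tables with the route for `prefix` removed on `host`."""
    kept = [l for l in tables[host].splitlines() if not l.strip().startswith(prefix)]
    return {**tables, host: "\n".join(kept)}


if __name__ == "__main__":
    for src, dst in (("vpnclient", "192.168.100.251"), ("client100", "10.8.0.2"),
                     ("client100", "8.8.8.8"), ("client50", "192.168.100.251")):
        path, outcome = trace(src, dst)
        print(f"{src} -> {dst}: {outcome} ({' > '.join(path)})")
    print("reply with no return route on router2:",
          trace("client100", "10.8.0.2", without_route(TABLES, "router2", "10.8.0.0/24")))
```

The forward path from the VPN client to client100 runs vpnclient > rpi > client100 (the Pi sits on the wlan0 subnet directly), while the reply runs client100 > router2 > rpi > vpnclient, which is why Router 2 needs its own route for 10.8.0.0/24 even though it never sees the outbound packets.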