I am still working on different ways to create double-vpn connections. Maybe someone can tell me if this concept would work.
The goal is to have the possibility to choose between a single hop or a VPN connection via 2 hops - encrypted all the way.
Setup looks like this: Client / Server 1 / Server 2 / Server 3
What I have done so far:
All servers and the client operate in the 10.10.0.0/24 subnet.
S1 = 10.10.0.1 /// S2 = 10.10.0.2 /// S3 = 10.10.0.3 /// Client = 10.10.0.100
All servers listen on port 53.
All Servers have the other servers and the client listed in the [Peer] section.
My idea is to assign each endpoint a unique fwmark, so if I use a client config with FwMark = X, the servers know that this traffic has to be routed via server X.
Example: FwMark = (10002) this FwMark is assigned to Server 2.
Client connects via wireguard tunnel to Server 1 and marks packets with FwMark 10002 - Server 1 then forwards the traffic via the existing tunnel between S1 and S2 on interface wg0 to 10.10.0.2. Server 2 knows it's supposed to be the last hop and routes the traffic to the internet.
It is important for me, that all connections between Client and all Servers are routed via wireguard tunnels.
If the client connects via wireguard to Server 2 with the same FwMark, Server 2 simply routes all to the internet as in any single-hop setup, with
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Would a setup like this work?
And can someone help me to create the proper iptables rules for the FwMark-based forwarding to a 2nd hop?
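One way to express the fwmark-based forwarding on Server 1, as an added example script that is not part of the post: it uses the post's tunnel addresses and mark 10002, and assumes routing table number 10002 and the interface name wg0. One point the script relies on: a FwMark in the client's [Interface] marks only the client's own encapsulated UDP packets and is never carried inside the tunnel, so the server has to set the mark itself from something it can see, here the client's tunnel source address.

```shell
#!/bin/sh
# Added example, not from the original post: policy routing on Server 1 so that
# traffic from one client tunnel address is forwarded to Server 2 over wg0
# instead of leaving through eth0. Mark and addresses are the post's; the
# table number 10002 and the interface name are assumptions.
# Needs root to apply; DRY_RUN=1 prints the commands instead of running them.
WG_IF="${WG_IF:-wg0}"
S1_TUN=10.10.0.1
S2_TUN=10.10.0.2
CLIENT_TUN=10.10.0.100
MARK=10002
TABLE=10002

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# hop_rules up|down mirrors the PostUp/PostDown pairing from the post.
hop_rules() {
  case "$1" in
    up)   ipt=-A; act=add ;;
    down) ipt=-D; act=del ;;
    *)    echo "usage: hop_rules up|down" >&2; return 2 ;;
  esac
  # 1. Set the mark on S1 itself, keyed on the client's tunnel address: a FwMark
  #    in the client config never reaches S1, it only marks the client's outer UDP.
  run iptables -t mangle "$ipt" PREROUTING -i "$WG_IF" -s "$CLIENT_TUN" -j MARK --set-mark "$MARK"
  # 2. Marked packets consult a table whose default route is S2 across the tunnel.
  #    S1's [Peer] for S2 must have AllowedIPs covering those destinations
  #    (0.0.0.0/0 with Table = off); only one peer per wg interface can own a prefix,
  #    so a further exit hop would need its own wg interface on S1.
  run ip rule "$act" fwmark "$MARK" lookup "$TABLE"
  run ip route "$act" default via "$S2_TUN" dev "$WG_IF" table "$TABLE"
  # 3. Source-NAT to S1's tunnel address before the hand-off: S2 already lists
  #    10.10.0.100/32 under the client's own peer, so a packet with that source
  #    arriving under S1's key would be dropped by S2's cryptokey routing.
  run iptables -t nat "$ipt" POSTROUTING -o "$WG_IF" -m mark --mark "$MARK" -j SNAT --to-source "$S1_TUN"
  # 4. Permit wg0 -> wg0 forwarding (redundant with the post's FORWARD rules,
  #    kept so this script stands on its own).
  run iptables "$ipt" FORWARD -i "$WG_IF" -o "$WG_IF" -j ACCEPT
}

if [ $# -gt 0 ]; then hop_rules "$1"; fi
```

Return traffic from S2 arrives at 10.10.0.1, conntrack reverses the SNAT to 10.10.0.100, and normal routing sends it back through the client's peer entry.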