VPNs. Always a task to setup, until you have a working configuration. If you setup VPNs you are bound to run into the following gotchas.
Recurring Things to Watch for with VPNs
- keys must be created on client and server. Both client and server must have some key of the others.
- if doing a full traffic vpn (not ptp) firewall rules must change traffic on server WAN interface, so that any packets from VPN tunnel must appear to come from server WAN iface. [exceptions below]. ptp can be easier, so you want to get that working first.
- ipv4 forwarding must be enabled. (some dists handle this, some do not.) for full traffic vpns.
- wguard: routes must be properly setup (test p2p first, then full wan forwarding after a baseline working config is established).
- wguard: ping to start conversation from client to server (assuming client is not wan accessible).
- firewall: other clients downstream of client router must have access through firewall (one of the easier and more obvious items to manage)
Exceptions with full traffic VPNs. Some configurations (e.g 2 x Openwrt and wireguard) this NAT'ing is handled for you. Others, (debian wireguard, or openvpn on any dist) you are expected to manage it with a rule similar to: iptables-legacy -t nat -A POSTROUTING -s <vpnsubnet> -o <vpnwaniface> -j SNAT --to-source <vpnwanip>