Routing / NAT-ing / VPN - stuck finding a good solution

Hi,
I am stuck thinking about / finding a good solution for routing or NAT-ing.
Currently trying to migrate from a classic VPN to ZeroTier.

Trying to explain my setup:

  ┌──────────────────────┐
  │Zerotier Network (ZN) │
  │192.168.189.0/24      │
  └──────────────────────┘
            |
  ┌──────────────────────────────────────────┐
  │ Router R8                                │
  │  192.168.189.8/24 (ZN, if=vpn)           │
  │  192.168.193.8/24 (LAN, if=lan)          │──────────►| not used yet |
  │  0.0.0.0/0 (CGNAT) (MOBILE, if=wwan, lte)│──────────►| backup       |
  │  192.168.194.8/24 (WAN, if=wan, masq)    │
  └──────────────────────────────────────────┘
            |
            ├───────────────────────────────┐
            |                               |
┌───────────────────┐              ┌────────────────────────────────┐
│ Router R2         │              │ Router R7                      │
│  192.168.194.2/24 │              │  192.168.194.100/24            │
│  0.0.0.0/0        │              │  192.168.200.2/24 (Server Net) │
└───────────────────┘              └────────────────────────────────┘
          |                                  |
┌─────────────────────┐             ┌─────────────────────┐
│ Internet & VPN(old) │             │ Server('s)          │
│  0.0.0.0/0          │             │  192.168.200.102/24 │
│  fibre (primary)    │             │  192.168.200.xx/24  │
└─────────────────────┘             └─────────────────────┘
  1. I would like to access the Server from clients in the ZeroTier Network.
  2. I want to know the individual client IP that is accessing the server, because not every ZN client needs access to every resource in the server network.

I thought about some SNAT rules, but that would hide the client IP of the ZN clients, as far as I know. Or can I set up multiple src_dip values to identify individual clients?

SNAT Example (OpenWrt /etc/config/firewall):
config redirect
	option target   SNAT              # rewrite the source address
	option src      vpn               # traffic arriving from the ZeroTier zone
	option dest     wan               # leaving towards R7 on the WAN zone
	option proto    tcp
	option src_ip   192.168.189.20    # match this one ZN client
	option src_dip  192.168.194.8     # rewrite its source to R8's WAN address
	option dest_ip  192.168.200.102   # only for connections to this server
	option dest_port 443
	option enabled  1

Additionally I thought about a tunnel-in-tunnel solution: first establish a ZeroTier connection and then establish a WireGuard connection to R7. Feels like overkill and too complicated for the users.

Looking forward to some feedback. Thanks in advance.


If you have access to the VPN server, you just static-route 192.168.193.0/24 via 192.168.189.8; then you don't need NAT.

I'm probably reading your graph wrong though.

Yeah me too. I don't see any conflicting numbers, so @kuumaur just needs to properly set static routes for everything...

Thank you for the quick answers.
Sometimes you can't see the forest for the trees.
Yes, I did not paste the whole picture. I was thinking about routing the traffic through the 192.168.193.0 network, but I was curious about security and config changes. I have some firewall rules for the current VPN clients, as they get IPs out of the 192.168.194.0 network, and I did not want to touch these rules. But when all VPN clients are migrated to ZN, I could reduce the firewall ruleset.
I'll give it a try and route the traffic from 192.168.189.0/24 to 192.168.200.0/24 via the 192.168.193.0 network.
Thank you
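Added example, not code from the thread or from OpenWrt: the "static routes, no NAT" variant the replies suggest, written as UCI commands for R8 and R7. It assumes OpenWrt on both routers, the zone names from the diagram on R8 (vpn, wan), hypothetical zone names on R7 ("wan" towards 192.168.194.0/24, "lan" for the server net), and a ZeroTier managed route 192.168.200.0/24 via 192.168.189.8 on the controller so the ZN clients know the way in.

```shell
#!/bin/sh
# Added example, not from the thread. R8 forwards 192.168.200.0/24 to R7
# without masquerading it, and R7 routes the ZeroTier subnet back via R8,
# so R7 sees the real 192.168.189.x client address and can filter per client.
# Section names (srv_route, zn_route) and R7's zone names are hypothetical.
# The ZeroTier controller also needs a managed route 192.168.200.0/24 via
# 192.168.189.8 (not shown; it is set in the ZeroTier network settings).
UCI="${UCI:-uci}"   # UCI=echo prints the commands instead of applying them

# R8: static route to the server net plus a NAT exemption for it on the wan zone
configure_r8() {
    "$UCI" set network.srv_route=route
    "$UCI" set network.srv_route.interface=wan
    "$UCI" set network.srv_route.target=192.168.200.0/24
    "$UCI" set network.srv_route.gateway=192.168.194.100
    # masquerade stays on for internet traffic; this nat rule exempts the server net
    "$UCI" add firewall nat
    "$UCI" set 'firewall.@nat[-1].name=no_masq_servernet'
    "$UCI" set 'firewall.@nat[-1].src=wan'
    "$UCI" set 'firewall.@nat[-1].dest_ip=192.168.200.0/24'
    "$UCI" set 'firewall.@nat[-1].target=ACCEPT'
    "$UCI" commit network
    "$UCI" commit firewall
}

# R7: return route for the ZeroTier subnet and one per-client allow rule;
# other ZN clients keep hitting the zone's default forward policy
configure_r7() {
    "$UCI" set network.zn_route=route
    "$UCI" set network.zn_route.interface=wan
    "$UCI" set network.zn_route.target=192.168.189.0/24
    "$UCI" set network.zn_route.gateway=192.168.194.8
    "$UCI" add firewall rule
    "$UCI" set 'firewall.@rule[-1].name=zn_client_20_to_srv102_https'
    "$UCI" set 'firewall.@rule[-1].src=wan'
    "$UCI" set 'firewall.@rule[-1].dest=lan'
    "$UCI" set 'firewall.@rule[-1].proto=tcp'
    "$UCI" set 'firewall.@rule[-1].src_ip=192.168.189.20'
    "$UCI" set 'firewall.@rule[-1].dest_ip=192.168.200.102'
    "$UCI" set 'firewall.@rule[-1].dest_port=443'
    "$UCI" set 'firewall.@rule[-1].target=ACCEPT'
    "$UCI" commit network
    "$UCI" commit firewall
}

# Run on the respective router: ./zn-routes.sh r8   or   ./zn-routes.sh r7
case "${1:-}" in
    r8) configure_r8 ;;
    r7) configure_r7 ;;
esac
```

With the masquerade exemption in place, R8's old per-client SNAT redirects for the server net are no longer needed, and the firewall log on R7 shows the 192.168.189.x source directly.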