We have some clients (networks) which are connected via VPN to our server network. Let's say the client has e.g. `192.168.0.1/32` and our server network is on `10.1.0.0/24`.

So the issue now with this client is that they're already using `10.1.0.0/24` themselves, so we cannot have our range on the client's side. Please note that configuring the client's network is not in our hands.

To avoid issues, we decided to map our network with the following iptables rule

    NETMAP all -- any any 10.1.0.0/24 192.168.0.1 to:192.168.101.0/24

For simplicity I skip the other direction as well as the swanctl configuration details, but the connection works both ways. So far everything is fine for us in this setup.

Now on top of that we have another network, let's say `192.168.1.0/24`, which needs to have access to this client and all other sites available from `10.1.0.0/24` - but not the other way round. So to avoid adding the route everywhere on all the VPNs and servers, we use

    MASQUERADE all -- any ens18 192.168.1.0/24 anywhere

to replace the source IPs. Both rules are on the VPN gateway; the `MASQUERADE` rule comes first.

So as far as I understand, the `MASQUERADE` rule in my setup on the `POSTROUTING` chain is terminating and is the only rule which will be applied during `POSTROUTING` for incoming packets from `192.168.1.0/24`. Is that correct?

This would mean that there is no way to have my packets `MASQUERADE`d and `NETMAP`'ed in one step? Does anyone have an alternative approach for this issue?
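As an added illustration (not part of the question above, and not real iptables code), the following Python model walks a nat `POSTROUTING` chain the way netfilter does: the first matching NAT target (`MASQUERADE`, `NETMAP`, `SNAT`) is terminating, the source is rewritten exactly once, and no later rule in the chain is consulted. It reproduces the two rules from the question, shows that swapping their order does not help either (the `NETMAP` rule only matches sources in `10.1.0.0/24`, which a `192.168.1.x` host never is), and shows one assumed alternative: a more specific `SNAT` rule placed before `MASQUERADE` whose `--to-source` address already lies in the mapped `192.168.101.0/24` range. The gateway address `10.1.0.1` on `ens18` and the hosts `192.168.1.10` / `10.1.0.50` are constructed values, not taken from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                    # MASQUERADE, NETMAP or SNAT
    src: str = "0.0.0.0/0"         # -s match
    dst: str = "0.0.0.0/0"         # -d match
    out_if: Optional[str] = None   # -o match (None = any interface)
    to: Optional[str] = None       # --to (NETMAP) or --to-source (SNAT)


@dataclass
class Packet:
    src: str
    dst: str
    out_if: str


def netmap(addr: str, match_net: str, to_net: str) -> str:
    """NETMAP keeps the host bits of addr and swaps in the network bits of to_net."""
    host_bits = int(ipaddress.ip_address(addr)) & int(ipaddress.ip_network(match_net).hostmask)
    base = int(ipaddress.ip_network(to_net).network_address)
    return str(ipaddress.ip_address(base | host_bits))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Emulate the -s / -d / -o matches of a nat rule."""
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    if_ok = rule.out_if is None or rule.out_if == pkt.out_if
    return src_ok and dst_ok and if_ok


def postrouting(rules: List[Rule], pkt: Packet, iface_addr: str) -> Tuple[str, Optional[str]]:
    """Walk nat POSTROUTING for the first packet of a connection.

    The first matching NAT target is terminating: it decides the new source
    address and the remaining rules are never looked at. Returns
    (new_source, name_of_target_applied)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "MASQUERADE":
            return iface_addr, "MASQUERADE"          # source := address of the outgoing interface
        if rule.target == "NETMAP":
            return netmap(pkt.src, rule.src, rule.to), "NETMAP"
        if rule.target == "SNAT":
            return rule.to, "SNAT"
        raise ValueError(f"unsupported target {rule.target}")
    return pkt.src, None                             # no rule matched: no NAT


# Constructed gateway address on ens18 (assumption, not from the question).
GW_ENS18 = "10.1.0.1"

# The two rules from the question.
MASQ = Rule("MASQUERADE", src="192.168.1.0/24", out_if="ens18")
NETMAP_RULE = Rule("NETMAP", src="10.1.0.0/24", dst="192.168.0.1/32", to="192.168.101.0/24")

# Assumed alternative: SNAT straight into the mapped range for this one peer,
# placed before MASQUERADE so it wins for traffic toward 192.168.0.1 only.
SNAT_MAPPED = Rule("SNAT", src="192.168.1.0/24", dst="192.168.0.1/32", out_if="ens18",
                   to=netmap(GW_ENS18, "10.1.0.0/24", "192.168.101.0/24"))

# Constructed sample packets.
FROM_OTHER_NET = Packet("192.168.1.10", "192.168.0.1", "ens18")   # 192.168.1.x host -> VPN client
FROM_SERVER_NET = Packet("10.1.0.50", "192.168.0.1", "ens18")     # server-side host -> VPN client
FROM_OTHER_TO_ELSEWHERE = Packet("192.168.1.10", "10.1.0.77", "ens18")


def as_posted() -> Tuple[str, Optional[str]]:
    """MASQUERADE first, as in the question: NETMAP is never reached."""
    return postrouting([MASQ, NETMAP_RULE], FROM_OTHER_NET, GW_ENS18)


def netmap_first() -> Tuple[str, Optional[str]]:
    """Reordering does not help: NETMAP does not match a 192.168.1.x source."""
    return postrouting([NETMAP_RULE, MASQ], FROM_OTHER_NET, GW_ENS18)


def with_specific_snat() -> Tuple[str, Optional[str]]:
    """A specific SNAT ahead of MASQUERADE yields a source in the mapped range."""
    return postrouting([SNAT_MAPPED, MASQ, NETMAP_RULE], FROM_OTHER_NET, GW_ENS18)


def other_destinations_still_masqueraded() -> Tuple[str, Optional[str]]:
    """Traffic from 192.168.1.0/24 to anything else still hits MASQUERADE."""
    return postrouting([SNAT_MAPPED, MASQ, NETMAP_RULE], FROM_OTHER_TO_ELSEWHERE, GW_ENS18)


def server_host_netmapped() -> Tuple[str, Optional[str]]:
    """A real 10.1.0.x host is translated by NETMAP as intended."""
    return postrouting([MASQ, NETMAP_RULE], FROM_SERVER_NET, GW_ENS18)


if __name__ == "__main__":
    for fn in (as_posted, netmap_first, with_specific_snat,
               other_destinations_still_masqueraded, server_host_netmapped):
        print(f"{fn.__name__:40s} -> {fn()}")
```

The model only covers the first packet of a connection; in the kernel the nat table is consulted once per connection and conntrack then applies the same mapping (and its reverse) to every following packet, which is why a single terminating target decides the whole flow. The `SNAT` variant is an assumption for illustration: it relies on `192.168.101.0/24` already being the range the peer expects (the existing `NETMAP` direction and the IPsec traffic selectors must cover it), and it maps all of `192.168.1.0/24` to one address rather than preserving per-host identity.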