Forward port to OpenVPN Client

port-forwarding iptables openvpn

6,265

Ok I know what was wrong:

I had more than one VPNClient with the same IPAddress. So I gave each of them a static IPAddress

Define a directory where the client scripts should be stored , e.g. /etc/openvpn/staticclients and create the directory
mkdir /etc/openvpn/staticclients
Add this directory as option to your openvpn configfile at the server:
client-config-dir /etc/openvpn/staticclients
For each client you have to create a file. The filename must match the common name attribute that was specified at the certificate of the client. This command gets the CN from the computers certificate:

This example pushs the IPAddress 10.1.134.110/10.1.134.109 to the Client with the common name TESTCLIENT and also pushes a additional route for subnet 10.1.135.0.
cat /etc/openvpn/staticclients/TESTCLIENT

ifconfig-push 10.1.134.110 10.1.134.109
push "route 10.1.135.0 255.255.255.0 10.1.134.62"

http://www.yougetsignal.com/tools/open-ports/ and http://canyouseeme.org/ didn't correctly detects the ports. I had to additionally start my application on the client, that the websites were able to see these ports.
No need of additionally SNAT rules. Only these rules were needed:

sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -p tcp --dport 28006 -j DNAT --to 10.1.134.110

6,265

Dominic Jonas

Updated on September 18, 2022

Comments

Dominic Jonas over 1 year
I have an OpenVPN server on my vps running. Now I want to forward some specific ports to my clients. I have already added some rules to my iptableswithout any success. Maybe someone can have a look.

IP - Forwarding is already enabled
```
sysctl -w net.ipv4.ip_forward=1
```
Thanks!
- Admin about 7 years
  
  Sureley there’s no need to censor the addresses because they’re supposed to be VPN-internal.