openvpn port forwarding for SNAT or DNAT with Iptables?
Works fine for me. A couple of things to check:
- This won't NAT connections made from the VPN server itself, for this you need the rule in the OUTPUT chain.
- Is the client configured to route all traffic through the VPN? If not you may find that the response packets are not being sent back through the VPN.
- Are you sure you're using the client side IP address, and not the server's side of that client's point-to-point connection?
- You want to match a specific destination IP in the rule otherwise you'll catch other connections on that port number.
- NATing all connections to 10.8.0.1 is likely to cause problems, since all clients route traffic through this IP.
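The checklist above, turned into a rule set, as an added example that is not part of the answer or the original question. It assumes the public interface is eth0 (matching the asker's MASQUERADE rule), a public address of 203.0.113.5 (a documentation address, constructed here) and the client at 10.8.0.10; `IPTABLES` can be pointed at `echo` for a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the iptables rules implied by
# the answer's checklist: match the public destination address, DNAT to the
# client, cover server-originated connections in the nat OUTPUT chain, and key the
# FORWARD rule on the client as *destination*. Interface and addresses are
# assumptions; override IPTABLES=echo to see the rules without applying them.
set -eu

IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"      # public interface, as in the asker's MASQUERADE rule

# Forward one port on one public address to one VPN client.
#   forward_port <public_ip> <client_ip> <port> <tcp|udp>
forward_port() {
    pub="$1"; client="$2"; port="$3"; proto="$4"
    # Match the specific destination IP so other traffic on this port is untouched.
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$client:$port"
    # Connections made on the server itself never traverse PREROUTING; use OUTPUT.
    "$IPTABLES" -t nat -A OUTPUT -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$client:$port"
    # After DNAT the packet's destination is the client, so match -d, not -s.
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -d "$client" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Give one client a dedicated public address (all ports): 1:1 NAT both ways.
#   forward_all <public_ip> <client_ip>
forward_all() {
    pub="$1"; client="$2"
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$client"
    "$IPTABLES" -t nat -A OUTPUT -d "$pub" -j DNAT --to-destination "$client"
    # Inserted (-I) so it is evaluated before the existing MASQUERADE rule:
    # this client's outbound traffic leaves with its own public address.
    "$IPTABLES" -t nat -I POSTROUTING -s "$client" -o "$WAN_IF" -j SNAT --to-source "$pub"
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -d "$client" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage (addresses are constructed for the example):
#   forward_port 203.0.113.5 10.8.0.10 1234 tcp
#   forward_all  203.0.113.6 10.8.0.11
```

The pasted `iptables-save` shows a FORWARD policy of ACCEPT, so the FORWARD rules here only matter once that policy is tightened to DROP; at that point also add a generic `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule so reply packets from the client pass. Reply traffic only returns through the tunnel if the client routes everything via the VPN (the `push "redirect-gateway def1"` in the posted server.conf does that).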
Updated on September 18, 2022
Mik R over 1 year
I have managed to get OpenVPN set up and get it to issue static internal IPs to clients. Now the trouble I have is that I'm trying to assign an open port per client; as they now have static internal IPs, it makes it easy to add rules. Where I'm running into issues is with how to do this properly via iptables.
Client's pushed internal static IP is 10.8.0.10; the example would be to have port 1234 forwarded.
I have tried this with no luck. The VPN does use UDP on port 1194, but I have tried the rules below modified as UDP and as TCP and both together. Please note the VPN already works and has the masquerade rules, but other than that iptables is empty.
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 10.8.0.10
iptables -A FORWARD -s 10.8.0.10 -p tcp --dport 1234 -j ACCEPT
I have also tried the following, with 10.8.0.1 being the gateway and 10.8.0.10 being the client needing all ports forwarded:
iptables -t nat -A PREROUTING -d 10.8.0.1 -j DNAT --to-destination 10.8.0.10
I'm trying to accomplish two things: first, being able to forward a port per client, and if necessary a static public IP if they need all ports forwarded.
openvpn server.conf
local 123.123.123.123 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
client-config-dir /etc/openvpn/ccd
push "route 10.8.0.0 255.255.0.0"
ifconfig-pool-persist /etc/openvpn/openvpn.dhcp 30
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
iptables-save
# Generated by iptables-save v1.3.5 on Sun Aug 26 14:27:12 2012
*nat
:PREROUTING ACCEPT [4834:503608]
:POSTROUTING ACCEPT [1000:70847]
:OUTPUT ACCEPT [1000:70847]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 26 14:27:12 2012
# Generated by iptables-save v1.3.5 on Sun Aug 26 14:27:12 2012
*filter
:INPUT ACCEPT [21545:23742094]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14867:1938275]
COMMIT
# Completed on Sun Aug 26 14:27:12 2012