OpenVPN server to forward incoming connection to client


Fortunately I have found the answer in this ServerFault question.

Some configuration I took from this DigitalOcean tutorial.

Having port forwarding enabled in sysctl, I still needed to add some iptables rules to /etc/ufw/before.rules; it looks something like this:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#


# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i eth0 -p tcp -m tcp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100
-A PREROUTING -i eth0 -p udp -m udp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100

# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
.
.
.
.
.
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT


# START OPENVPN RULES
-A FORWARD -d [Client-1's vpn address]/32 -p tcp -m tcp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d [Client-1's vpn address]/32 -p udp -m udp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END OPENVPN RULES


# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

With the sysctl port forwarding enabled and the IP-specific port forwarding iptables rules, port 50100 is now open and forwarded to Client-1's port.
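As an added example (not part of the answer above or of any project it cites), the following POSIX shell script generates the two before.rules fragments from parameters instead of hand-editing them, validates the port and the client's VPN address first, masquerades only the VPN subnet rather than a whole /8, and checks that net.ipv4.ip_forward is actually on. The interface name eth0, port 50100, client address 10.8.0.6 and subnet 10.8.0.0/24 are constructed placeholder values; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original answer): build the two before.rules
# fragments that forward one public port to an OpenVPN client, after checking
# the inputs. Interface, port, client address and VPN subnet are placeholders
# that you substitute for your own setup.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP/UDP port number in 1-65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the *nat fragment: DNAT tcp and udp on $port arriving on $pub_if to the
# client's VPN address, and masquerade only the VPN subnet (not a whole /8) on
# the way back out through $pub_if.
openvpn_forward_nat() {
    pub_if=$1
    port=$2
    client=$3
    vpn_net=$4
    is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    is_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
    for proto in tcp udp; do
        printf '%s PREROUTING -i %s -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
            -A "$pub_if" "$proto" "$proto" "$port" "$client" "$port"
    done
    printf '%s POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' -A "$vpn_net" "$pub_if"
}

# Print the *filter lines that let the DNATed packets traverse the FORWARD
# chain; paste them inside the existing *filter ... COMMIT section.
openvpn_forward_filter() {
    port=$1
    client=$2
    is_port "$port" || return 1
    is_ipv4 "$client" || return 1
    for proto in tcp udp; do
        printf '%s FORWARD -d %s/32 -p %s -m %s --dport %s -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n' \
            -A "$client" "$proto" "$proto" "$port"
    done
}

# Return 0 when IPv4 forwarding is enabled; without it the DNATed packets are
# dropped. $1 overrides the /proc path so the check can run against a copy.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Usage with constructed placeholder values (real values come from your server).
openvpn_forward_nat eth0 50100 10.8.0.6 10.8.0.0/24
openvpn_forward_filter 50100 10.8.0.6
if ip_forward_enabled; then
    echo "# net.ipv4.ip_forward=1: forwarding is on"
else
    echo "# net.ipv4.ip_forward is off: enable it in sysctl first" >&2
fi
```

The nat fragment is a complete *nat section and replaces the one in the file; the filter lines go next to the existing ufw-before-* rules. Reloading ufw afterwards is needed for either to take effect. Keep in mind that DNAT only rewrites the inbound packet: Client-1's replies to Client-2's public address must be routed back through the tunnel for the connection to work, which is what the redirect-gateway push mentioned in the comments below achieves.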

Author by

Ikon

Dad, Family Alpha, Software engineer, Gamer, Anime fan, Metal and Goa enthusiast.

Updated on September 18, 2022

Comments

  • Ikon
    Ikon over 1 year

    Scenario:

    • Server on the internet has OpenVPN server running.
    • Client-1 at home has app running on port 5000 (UDP and TCP), connecting to Server on its OpenVPN (app binds to 0.0.0.0).
    • Client-2 at work wants to connect to Client-1's app through the internet, without connecting to the same OpenVPN network.
    • Both Clients are using Windows and Server uses Linux (Ubuntu).

    Client-1 <===TUN0===> SERVER <===ETH0===> Client-2

    Question:

    How can I configure OpenVPN to forward incoming connection requests coming to its eth0 interface's port 5000 to Client-1's tun0 interface's port 5000, so Client-1's app can serve content back to Client-2 both on UDP and TCP?

    • MariusMatutiae
      MariusMatutiae almost 9 years
      This is the OpenVPN Howto, with the solution of your problem, openvpn.net/index.php/open-source/documentation/…
    • Ikon
      Ikon almost 9 years
      Sorry @MariusMatutiae, that is not about what I have described. Think of the scenario if you would have a dumb router that cannot do port forwarding and you cannot reach inside to Client-1's port from Client-2. Then you would grab a VM out there, set up OpenVPN to connect clients and also do the port forwarding for Client-1's specific port.
  • braincomb
    braincomb about 7 years
    I have the same setup running OpenVPN on Debian, following DO's tutorial. But I am still not able to forward the port using your method above.
  • 6rak0
    6rak0 about 7 years
    To extend the accepted answer, you may need to add an enable to your server.conf file: push "redirect-gateway def1 bypass-dhcp"
  • Keith
    Keith over 5 years
    But does this forward through the VPN?
  • Vasya Milovidov
    Vasya Milovidov over 5 years
    @Ikon, please tell me what address 10.8.0.0 is there: -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
  • Ikon
    Ikon over 5 years
    @VasyaMilovidov If I remember correctly, that is the address range of the OpenVPN network used. It should match your network in your setup.