Routing OpenVPN tunnel in via public interface and out via NAT'd interface (to internet)
You have a few steps you will need to do to get this working.
First, you have to set up routes in your config files to direct client traffic over the client adapter. You can do this either by adding "route" lines to the client config file, or by adding "--pull" to the client config and then adding your routes to the server config:
push "route 0.0.0.0 5.5.0.1"
push "route 0.0.0.0 5.5.8.1"
Secondly, you need to configure your iptables to allow incoming packets from the VPN network, and enable masquerade and NAT forwarding on the server side.
To enable packet forwarding and NAT:
Enable packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable NAT in iptables:
sudo iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
Enable forwarding for the VPN interfaces:
sudo iptables --append FORWARD --in-interface as0t0 -j ACCEPT
sudo iptables --append FORWARD --in-interface as0t1 -j ACCEPT
This is the basic config for the routing side; feel free to comment if you need more detailed help.
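The server-side part of the answer (forwarding, NAT and the exit route via eth1) as one idempotent script. This is an added example, not code from the answer or from OpenVPN-AS; it takes its values from the question (5.5.0.0/20 on as0t0/as0t1, eth1 behind 172.16.0.254, routing table 100) and assumes the table-100 approach from the question's interfaces file. Compared with the answer it also adds the policy rule that selects table 100 for VPN-client sources and narrows the FORWARD rules to VPN-to-eth1 traffic and its replies; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the answer): send OpenVPN-AS client traffic out via eth1
# with NAT. Defaults are the question's values (5.5.0.0/20 on as0t0/as0t1, eth1
# behind 172.16.0.254, table 100); override them via the environment elsewhere.
# DRY_RUN=1 prints each command instead of executing it (no root needed).
VPN_NET=${VPN_NET:-5.5.0.0/20}
VPN_IFS=${VPN_IFS:-"as0t0 as0t1"}
OUT_IF=${OUT_IF:-eth1}
OUT_GW=${OUT_GW:-172.16.0.254}
RT_TABLE=${RT_TABLE:-100}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append an iptables rule only if an identical rule is not already present
# (iptables -C), so re-running the script does not stack duplicate rules.
ipt_add() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

apply_vpn_routing() {
    # 1. Let the kernel forward packets between interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Policy routing: packets sourced from VPN clients use table 100, whose
    #    default route leaves via eth1; the main table's default (eth0) is untouched.
    run ip route replace default via "$OUT_GW" dev "$OUT_IF" table "$RT_TABLE"
    if [ "${DRY_RUN:-0}" = 1 ] || ! ip rule show | grep -q "from $VPN_NET lookup $RT_TABLE"; then
        run ip rule add from "$VPN_NET" lookup "$RT_TABLE"
    fi
    # 3. Source-NAT VPN clients behind eth1's address (MASQUERADE tracks DHCP changes).
    ipt_add nat POSTROUTING -s "$VPN_NET" -o "$OUT_IF" -j MASQUERADE
    # 4. Forward only VPN-sourced traffic towards eth1, plus the replies coming back,
    #    instead of accepting anything that happens to arrive on a tunnel interface.
    for ifc in $VPN_IFS; do
        ipt_add filter FORWARD -i "$ifc" -s "$VPN_NET" -o "$OUT_IF" -j ACCEPT
    done
    ipt_add filter FORWARD -i "$OUT_IF" -d "$VPN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run it as root after OpenVPN-AS has created the as0t* interfaces; with DRY_RUN=1 it only lists what would be applied.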
zxdavb
Updated on September 18, 2022
Comments
zxdavb almost 2 years
I hope someone can help...
I want to configure OpenVPN-AS (i.e. OpenVPN Access Server, NOT OpenVPN) to work on my VPS. The VPS is a KVM running Ubuntu 10.04 LTS, with a very vanilla configuration. OpenVPN-AS is likewise installed with only minimal 'flavour'.
The server has two interfaces (both DHCP; eth1 does not have a default gateway configured, but there's one available):
- eth0 (a public IP address that IS NOT geolocated in the US), and
- eth1 (a private IP address that can NAT via a router that IS geolocated in the US)
Most traffic, including the OpenVPN tunnel (UDP/1194), comes in via eth0, but the tunneled clients should go 'out' via eth1, to get the benefit of a US-based IP address. I think there are two separate issues:
1) configuring IP so there's a gateway for tunneled clients to leave via the NAT router
2) configuring OpenVPN-AS so the clients use that gateway for internet access
The file /etc/network/interfaces is as follows:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# The internal (private) network interface
auto eth1
iface eth1 inet dhcp
up ip route add default via 172.16.0.254 dev eth1 table 100
down ip route del default via 172.16.0.254 dev eth1 table 100
up ip rule add from 172.16.0.0/16 iif eth1 lookup 100
down ip rule del from 172.16.0.0/16 iif eth1 lookup 100
up iptables -t nat -A POSTROUTING -s 5.5.0.0/20 -j SNAT --to-source 172.16.191.125
down iptables -t nat -D POSTROUTING -s 5.5.0.0/20 -j SNAT --to-source 172.16.191.125
The network is as follows:
root@us-tunnel:~# ifconfig | grep -A 1 encap
as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:5.5.0.1  P-t-P:5.5.0.1  Mask:255.255.248.0
--
as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:5.5.8.1  P-t-P:5.5.8.1  Mask:255.255.248.0
--
eth0      Link encap:Ethernet  HWaddr 00:16:3c:34:01:20
          inet addr:209.141.60.114  Bcast:209.141.60.255  Mask:255.255.255.0
--
eth1      Link encap:Ethernet  HWaddr 00:16:3c:55:84:81
          inet addr:172.16.191.125  Bcast:172.16.255.255  Mask:255.255.0.0
--
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
The route table is as follows:
root@us-tunnel:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.141.60.0    *               255.255.255.0   U     0      0        0 eth0
5.5.0.0         *               255.255.248.0   U     0      0        0 as0t0
5.5.8.0         *               255.255.248.0   U     0      0        0 as0t1
172.16.0.0      *               255.255.0.0     U     0      0        0 eth1
default         209.141.60.1    0.0.0.0         UG    100    0        0 eth0
SmallClanger over 12 years
A few questions: Why two tunnel adaptors, is this a quirk of AS? Why such odd P-t-P addresses, wouldn't another RFC1918 subnet be best here? Have you considered the MASQUERADE target instead of SNAT? Finally, I assume all you're looking for is a default route out via eth1 for all traffic arriving on one of the tunnel interfaces?
SuperBOB over 12 years
Inspect the route tables of the VPN clients themselves. Are you pushing the routes to them? (Presumably through OpenVPN-AS)