Iptables – Forward all traffic from one IP address through OpenVPN

Tags: iptables, openvpn, routing

What I have… A virtual machine with two IP addresses, call 'em 1.1.1.1 and 1.1.1.2 as eth0 and eth0:1. It's running OpenVPN now and works fine doing normal stuff using just eth0.

What I want… Use the second IP address at eth0:1 for all VPN traffic in and out, and route all TCP, UDP and hopefully even ICMP packets through the VPN to the protected host on the inside at 10.8.0.10. So basically anything directed at 1.1.1.2 instead goes to 10.8.0.10.

Sounds easy. But I'm getting kinda nowhere. Packet forwarding isn't wanting to work for me, and routing isn't working (while I can get inbound traffic to come in on 1.1.1.2 (duh, that's trivial) I can't get it to use 1.1.1.2 outbound).

Hints? Pointers to "RTFM" (better than "here's the OpenVPN doc and here's the iptable doc and here's the route command")?

Best Answer

If I understand you right, you want a network design like this:

eth0 - 1.1.1.1
eth0:1 - 1.1.1.2
eth0:2 - 1.1.1.3
eth0:3 - 1.1.1.4

Then you want all traffic that comes to 1.1.1.2 routed to 10.8.0.10, and so on.

If you don't have problems with OpenVPN, then you should use NAT! Your rules for one address should look like these in the nat section:

-A PREROUTING -d 1.1.1.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.8.0.10:80
-A PREROUTING -d 1.1.1.2/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.8.0.10:443
-A POSTROUTING -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -p tcp -m tcp --dport 443 -j MASQUERADE

And for sure, you should enable forwarding in your sysctl settings.
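The following script is an added example and is not code from the question or the answer above. It generates (and optionally applies) a complete rule set for publishing the protected host at the second public address: DNAT for inbound TCP connections as in the answer, plus ICMP echo, FORWARD-chain rules limited to the published flows, and SNAT so the protected host's own outbound traffic leaves from 1.1.1.2 (the part of the question the answer does not cover). The OpenVPN interface name tun0, the outside interface eth0, and the helper names vpn_nat_rules and apply_vpn_nat are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Publishes the protected VPN host behind one public address: DNAT for
# inbound connections and SNAT so its outbound traffic leaves from that
# same address. Assumed names (not on the page): OpenVPN tunnel interface
# tun0, outside interface eth0, helper names vpn_nat_rules/apply_vpn_nat.

PUBLIC_IP="${PUBLIC_IP:-1.1.1.2}"   # second address (eth0:1) from the question
VPN_HOST="${VPN_HOST:-10.8.0.10}"   # protected host inside the VPN
VPN_IF="${VPN_IF:-tun0}"            # assumed OpenVPN tunnel interface
WAN_IF="${WAN_IF:-eth0}"            # assumed Internet-facing interface
PORTS="${PORTS:-80 443}"            # TCP ports to publish (space separated)

# Print, one command per line, everything needed to publish $2 at $1.
# Usage: vpn_nat_rules PUBLIC_IP VPN_HOST VPN_IF WAN_IF PORT...
vpn_nat_rules() {
  pub="$1"; host="$2"; vpn_if="$3"; wan_if="$4"; shift 4

  # The kernel must be allowed to forward packets at all.
  printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"

  for port in "$@"; do
    # Inbound: rewrite the destination only for the published port on the public address.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $wan_if -d $pub/32 -p tcp --dport $port -j DNAT --to-destination $host:$port"
    # Forward only the flows that were deliberately published.
    printf '%s\n' "iptables -A FORWARD -i $wan_if -o $vpn_if -d $host/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done

  # ICMP echo (ping) to the public address also lands on the VPN host.
  printf '%s\n' "iptables -t nat -A PREROUTING -i $wan_if -d $pub/32 -p icmp --icmp-type echo-request -j DNAT --to-destination $host"
  printf '%s\n' "iptables -A FORWARD -i $wan_if -o $vpn_if -d $host/32 -p icmp --icmp-type echo-request -j ACCEPT"

  # Replies for anything already tracked, in both directions.
  printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # Toward the tunnel: masquerade only traffic heading to the VPN host, so its
  # replies return through this box (narrower than matching any port-80 packet).
  printf '%s\n' "iptables -t nat -A POSTROUTING -o $vpn_if -d $host/32 -j MASQUERADE"

  # Outbound from the VPN host: let it out and stamp the public address on it.
  printf '%s\n' "iptables -A FORWARD -i $vpn_if -o $wan_if -s $host/32 -m conntrack --ctstate NEW -j ACCEPT"
  printf '%s\n' "iptables -t nat -A POSTROUTING -o $wan_if -s $host/32 -j SNAT --to-source $pub"
}

# Run each generated command (needs root); stops and returns non-zero on the first failure.
apply_vpn_nat() {
  vpn_nat_rules "$@" | while IFS= read -r cmd; do
    eval "$cmd" || exit 1
  done
}

# Dry run by default: print the rule set. Set APPLY=1 to install it.
# $PORTS is intentionally unquoted so it splits into separate port arguments.
if [ "${APPLY:-0}" = 1 ]; then
  apply_vpn_nat "$PUBLIC_IP" "$VPN_HOST" "$VPN_IF" "$WAN_IF" $PORTS
else
  vpn_nat_rules "$PUBLIC_IP" "$VPN_HOST" "$VPN_IF" "$WAN_IF" $PORTS
fi
```

Run it once without APPLY to review the rules, then with `APPLY=1` as root. The rules are appended, so they only take effect if nothing earlier in FORWARD or the nat table drops or rewrites those packets first; `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which is the quickest way to see whether a test connection to 1.1.1.2 is actually hitting the DNAT and FORWARD rules. `sysctl -w` is not persistent; put `net.ipv4.ip_forward = 1` in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and save the rules with `iptables-save` so they survive a reboot.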
