Iptables – Routing OpenVPN tunnel in via public interface and out via NAT'd interface (to internet)


I want to configure OpenVPN-AS (i.e. OpenVPN Access Server, NOT OpenVPN) to work on my VPS. The VPS is a KVM running Ubuntu 10.04 LTS, with a very vanilla configuration. OpenVPN-AS is likewise installed with only minimal 'flavour'.

The server has two interfaces (both DHCP, eth1 does not have a default gateway configured, but there's one available):
– eth0 (a public IP address that IS NOT geolocated in the US), and
– eth1 (a private IP address that can NAT via a router that IS geolocated in the US)

Most traffic, including the OpenVPN tunnel (UDP/1194), comes in via eth0, but the tunneled clients should go 'out' via eth1, to get the benefit of a US-based IP address. I think there are two separate issues:
1) configuring IP so there's a gateway for tunneled clients to leave via the NAT router
2) configuring OpenVPN-AS so the clients use that gateway for internet access

The file /etc/network/interfaces is as follows:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# The internal (private) network interface
auto eth1
iface eth1 inet dhcp
  up   ip route add default via  dev eth1  table 100
  down ip route del default via  dev eth1  table 100
  up   ip rule  add        from iif eth1 lookup 100
  down ip rule  del        from iif eth1 lookup 100
  up   iptables -t nat -A POSTROUTING -s -j SNAT --to-source
  down iptables -t nat -D POSTROUTING -s -j SNAT --to-source

The network is as follows:

root@us-tunnel:~# ifconfig | grep -A 1 encap
as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P:  Mask:
as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P:  Mask:
eth0      Link encap:Ethernet  HWaddr 00:16:3c:34:01:20
          inet addr:  Bcast:  Mask:
eth1      Link encap:Ethernet  HWaddr 00:16:3c:55:84:81
          inet addr:  Bcast:  Mask:
lo        Link encap:Local Loopback
          inet addr:  Mask:

The route table is as follows:

root@us-tunnel:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               U     0      0        0 eth0
                *                               U     0      0        0 as0t0
                *                               U     0      0        0 as0t1
                *                               U     0      0        0 eth1
default                                         UG    100    0        0 eth0

You have a few steps you will need to do to get this working.

First, you have to setup routes in your config files to direct client traffic over the client adapter.

You can do this either by adding "route" lines to the client config file, or by adding


to the client config and then adding your routes to the server config.

"push route"
"push route"

Secondly, you need to configure your iptables to allow incoming packets from the VPN network, and enable masquerade and NAT forwarding on the server side.

To enable packet forwarding and NAT:

  1. enable packet forwarding in the kernel

    echo 1 > /proc/sys/net/ipv4/ip_forward
  2. enable NAT in iptables

    sudo iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
  3. enable forwarding for vpn interfaces

    sudo iptables --append FORWARD --in-interface as0t0 -j ACCEPT
    sudo iptables --append FORWARD --in-interface as0t1 -j ACCEPT

This is the basic config for the routing side, feel free to comment if you need more detailed help.
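The steps above, plus the policy-routing half from the question, written out as one script. This is an added example, not code from the question, the answer or OpenVPN-AS itself. It assumes a VPN client pool of 172.27.224.0/20, an eth1-side router at 10.0.0.1 and the tun interfaces as0t0/as0t1; none of those values are given on the page, so replace them with your own. It differs from the answer in two deliberate ways: the MASQUERADE rule is restricted to the VPN pool and to eth1 (so the host's own eth0 traffic is never rewritten), and a policy-routing rule sends everything sourced from the pool to table 100, whose only default route points out eth1. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Route OpenVPN-AS client traffic out through eth1 and NAT it there,
# while the tunnel itself still terminates on eth0.
#
# Assumed values (not given on the page), override via the environment:
VPN_NET="${VPN_NET:-172.27.224.0/20}"   # assumed VPN client pool
ETH1_GW="${ETH1_GW:-10.0.0.1}"          # assumed router on the eth1 side
EGRESS_IF="${EGRESS_IF:-eth1}"          # private interface that NATs to the US
INGRESS_IF="${INGRESS_IF:-eth0}"        # public interface the tunnel arrives on
TABLE=100                               # routing table for VPN egress

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Policy routing: packets sourced from the VPN pool consult table 100,
#    whose only default route goes via the eth1 router. The main table keeps
#    its eth0 default, so the host itself is unaffected.
add_policy_routes() {
    run ip route replace default via "$ETH1_GW" dev "$EGRESS_IF" table "$TABLE"
    run ip rule add from "$VPN_NET" lookup "$TABLE" priority 1000
    # Strict reverse-path filtering drops replies on a multi-homed host whose
    # forward and return paths differ; loose mode (2) allows this layout.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# 2. Forwarding and NAT: masquerade only the VPN pool, only when it leaves
#    via eth1, and accept forwarded traffic from the tun interfaces.
add_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$EGRESS_IF" -j MASQUERADE
    for tun in as0t0 as0t1; do
        run iptables -A FORWARD -i "$tun" -o "$EGRESS_IF" -s "$VPN_NET" -j ACCEPT
    done
    # Return traffic for connections the clients opened.
    run iptables -A FORWARD -i "$EGRESS_IF" -o as0t0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Belt and braces: never let client traffic leak out the non-US interface.
    run iptables -A FORWARD -s "$VPN_NET" -o "$INGRESS_IF" -j DROP
}

apply_all() {
    add_policy_routes
    add_nat_rules
}

# Apply only when invoked as "./script --apply"; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

Preview with `DRY_RUN=1 sh vpn-egress.sh --apply`, then run as root without DRY_RUN. The commands are not persistent; put them under the `up` lines of /etc/network/interfaces once they work, and remember that `sysctl -w` changes are lost on reboot unless also written to /etc/sysctl.conf. The `ip rule` is what actually answers issue 1 in the question: without it, forwarded client packets follow the main table's eth0 default regardless of the MASQUERADE rule.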

