I have an issue with my Linux-based server regarding VPN and port forwarding. I am also a beginner in this area, so forgive me for any mistakes.
First, let me describe the infrastructure to you. I have a Linux VPS server (S1) with OpenVPN properly configured, and a Linux machine (C1) also with OpenVPN properly configured. They are connected using port number 1194. This is basically the scheme:
S1
[ip: X.X.X.221]
[tun0 ip: 10.8.0.1]
C1
[ip: Y.Y.Y.19]
[tun0 ip: 10.8.0.6]
When I say it is all properly configured, it is because I can successfully ping 10.8.0.1 from C1.
Now comes the problem…
I have a service P1 running on port 1800 on S1, and a client for that service on C1. I can successfully give the IP address X.X.X.221:1800 to the client on C1, but I want the client to access P1 via the VPN connection. Is there a way to do it?
At first I thought this was simply a port forwarding problem, and all I needed to do was to forward every request from port 1194 to port 1800, and I found this command to do it (btw, venet0 is my interface):
iptables -t nat -A PREROUTING -i venet0 -p udp --dport 1194 -j REDIRECT --to-port 1800
But this won't work.
Any help? Thanks 🙂
EDIT1:
Result of issuing netstat -rn and traceroute 10.8.0.6 on S1:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0
traceroute to 10.8.0.6 (10.8.0.6), 30 hops max, 60 byte packets
1 10.8.0.6 (10.8.0.6) 116.769 ms 119.000 ms 120.618 ms
Result of issuing netstat -rn and traceroute 10.8.0.1 on C1:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
traceroute to 10.8.0.1 (10.8.0.1), 30 hops max, 38 byte packets
1 10.8.0.1 (10.8.0.1) 83.825 ms 83.639 ms 86.877 ms
EDIT 2:
Configuration file for S1 (I believe lines that start with a ; are ignored):
;local a.b.c.d
port 1194
proto udp
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option WINS 8.8.4.4"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 300
user root
group root
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
Configuration file for C1
client
remote 176.9.192.221 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
dev tun
proto udp
nobind
persist-key
persist-tun
user root
group root
Best Answer
You could manually remove the existing static routes on C1 for 10.8.0.1 and 10.8.0.5; example:
Then add a new route on C1 using:
See if that works. Remember to keep track of your old routes, in case you need to re-add them. This should fix your VPN routing issue.
Your other issue is that your VPN network can't talk to the network that the OpenVPN server's NIC sits on. You can fix this by adding a new static route on each side for those networks.
On C1:
On S1:
Note: I wouldn't recommend this unless you can revert your changes in case it doesn't work.
You can also try using the push route option in your OpenVPN config. For example:
Lastly, if none of that works, you can try adding something to your iptables to forward the traffic from your VPN network (NAT) to your local network on S1. Something like: