Here's my scenario:

  1. Remote OpenVPN server v2.3.2, 1 public IP, CentOS 6.4, 2.6.32-042stab079.6
  2. Tunnelblick (OpenVPN client)

What I want to do is route all the client traffic through the VPN - and I accomplished that. I'm however experiencing problems in port forwarding clients port through the VPN.

e.g. I need port 5780 for hosting a game match on the client, but I'm behind the VPN, therefore the VPN gets the packets. I'd like the VPN to forward every packet on port 5780 to my client IP address.

How can I do so? Please note that the remote server runs CSF+LFD.

markkuit

1 Answer

You should NAT the packets to your client via iptables:

iptables -t nat -A PREROUTING -p tcp --dport 5780 -i $external_Interface -j DNAT --to-destination $VPN_client_IP
iptables -t nat -A POSTROUTING -o $vpn_Interface -j MASQUERADE

Update: You will also need a FORWARD rule in place if your FORWARD policy is set to DROP. As you can see here, the FORWARD takes place between the PREROUTING and POSTROUTING, therefore the DNAT is already done. This should work:

# --dport is only valid together with a protocol match, so -p is required here
iptables -I FORWARD -i $external_Interface -p tcp -d $VPN_client_IP --dport $port -j ACCEPT

alexei
etagenklo
  • I added the following rules: `/sbin/iptables -t nat -A PREROUTING -p tcp --dport 51413 -i eth0 -j DNAT --to-destination 10.8.0.6; /sbin/iptables -t nat -A PREROUTING -p udp --dport 51413 -i eth0 -j DNAT --to-destination 10.8.0.6; /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE` but the packets don't seem to get forwarded looking at tcpdump. – markkuit Nov 27 '13 at 15:51
  • Is IP forwarding enabled? Check `cat /proc/sys/net/ipv4/ip_forward`. As you're running CSF+LFD , there are probably a lot more rules, you should check your whole iptables configuration. – etagenklo Nov 27 '13 at 20:50
  • Yes, it is. It's in sysctl.conf as well – markkuit Nov 27 '13 at 21:05
  • Check your iptables config. What else is in there? – etagenklo Nov 27 '13 at 21:08
  • As iptables -L states: http://sprunge.us/jjFP – markkuit Nov 27 '13 at 23:13
  • And `iptables -t nat -L` ? I'd also suggest to completely turn off the firewall for testing and only establish the NAT rules to see if it works. – etagenklo Nov 28 '13 at 09:23
  • Nat rules: http://sprunge.us/dGRM I'd prefer not to turn off the firewall unless really needed for testing – markkuit Nov 28 '13 at 13:14
  • Any idea by looking at the nat rules? I tried looking at csf options as well but I don't seem to find anything related. – markkuit Nov 28 '13 at 16:19
  • the nat rules seem ok, but I'd still suggest to temporarily disable the firewall completely for debugging. – etagenklo Nov 28 '13 at 16:20
  • I completely disabled the firewall and tried, but it still doesn't work. tcpdump lets me see the packet arriving to the remote IP, but no packet gets then sent to the local IP, as if no forwarding had been set. – markkuit Nov 28 '13 at 16:28
  • I found something. Apparently there needs to be a FORWARD rule, 'cause with default policy ACCEPT for the FORWARD chain it works. Any ideas? – markkuit Nov 28 '13 at 16:40
  • I've updated my answer. – etagenklo Nov 28 '13 at 17:03
  • There's no nat table in the FORWARD chain, so I had to take out the -t parameter. Anyway, this solved it. I basically had previously added an ACCEPT rule for the -s way but not for the -d (in fact, the packet simply didn't get forwarded at all). Thank you for your help! – markkuit Nov 28 '13 at 18:35
  • oops, the nat is caused by copy&paste, of course it doesn't belong there ;) – etagenklo Nov 28 '13 at 19:22
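
The complete rule set the answer and comments converge on (DNAT in PREROUTING, an ACCEPT in FORWARD that matches the already-rewritten destination, and the return path for a DROP policy), as an added example script that is not from the thread; it generalises to both TCP and UDP and only applies the rules when APPLY=1. The interface names, client address and port are assumed placeholders.

```shell
#!/bin/sh
# Forward one inbound port from the OpenVPN server's public interface to a VPN
# client. Assumed values, not taken from the thread: override via environment.
EXT_IF="${EXT_IF:-eth0}"            # public interface of the server
VPN_IF="${VPN_IF:-tun0}"            # OpenVPN tunnel interface
CLIENT_IP="${CLIENT_IP:-10.8.0.6}"  # VPN address of the client hosting the service
PORT="${PORT:-5780}"

# Print the rules. DNAT happens in PREROUTING, so by the time FORWARD is
# evaluated the destination is already the client's address: the ACCEPT must
# match -d CLIENT_IP, not the server's public IP (the mistake in the thread).
fwd_rules() {
    ext="$1"; vpn="$2"; client="$3"; port="$4"
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -i $ext -p $proto --dport $port -j DNAT --to-destination $client"
        echo "iptables -I FORWARD -i $ext -o $vpn -p $proto -d $client --dport $port -j ACCEPT"
    done
    # Replies from the client back to the Internet, needed when FORWARD policy is DROP.
    echo "iptables -I FORWARD -i $vpn -o $ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # MASQUERADE makes the client see the server's tunnel address as the peer; it is
    # only required if the client's replies would otherwise not return through the tunnel.
    echo "iptables -t nat -A POSTROUTING -o $vpn -d $client -j MASQUERADE"
}

# Apply the rules, refusing if the kernel will not forward at all (the first
# thing checked in the comments above).
apply_rules() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || { echo "net.ipv4.ip_forward is 0" >&2; return 1; }
    fwd_rules "$@" | while IFS= read -r rule; do $rule || return 1; done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$EXT_IF" "$VPN_IF" "$CLIENT_IP" "$PORT"
else
    fwd_rules "$EXT_IF" "$VPN_IF" "$CLIENT_IP" "$PORT"   # dry run: just show the rules
fi
```

Because CSF flushes and rebuilds iptables on every restart, rules added by hand disappear; placing these commands in CSF's /etc/csf/csfpost.sh keeps them in place.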