
I have successfully created an OpenVPN network (server hosted on a VPS) 10.8.0.0/255.255.0.0 for my home needs, and clients that support OpenVPN can connect through the server and reach each other successfully.

There are also some machines (like a NAS) that do not support OpenVPN but that I want to reach through the VPN network. My solution was to have a small machine (like a Raspberry Pi [IP address: 192.168.1.109]) be an OpenVPN client and correctly forward the packets to the target machines, but I don't like the solution proposed here because:

  1. I don't want to have subnet conflicts between different local networks (and my home);
  2. There are some machines in my home that don't want to be accessible through the VPN.

So I created 1 client certificate per machine to be connected to the VPN (2 in my case), and tried, through iptables, to do NAT so that these machines can be accessed by their VPN IP addresses. I have managed to connect successfully to the VPN. Here is the output of ifconfig on the Raspberry Pi:

eth0      Link encap:Ethernet  HWaddr b8:27:eb:40:44:76
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ed10:b13d:8e57:7a64/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:208623 errors:0 dropped:10506 overruns:0 frame:0
          TX packets:183838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:181180734 (172.7 MiB)  TX bytes:35462529 (33.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1175 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:69061 (67.4 KiB)  TX bytes:69061 (67.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.26  P-t-P:10.8.0.25  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:8940 (8.7 KiB)  TX bytes:9786 (9.5 KiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.34  P-t-P:10.8.0.33  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:912 (912.0 B)  TX bytes:0 (0.0 B)

With the help of iptables I want to map the IPs 10.8.0.26 to 192.168.1.201 and 10.8.0.34 to 192.168.1.202. After many tries I have managed to create the rules shown below (output of the command iptables -t nat --list):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             10.8.0.26            to:192.168.1.201
DNAT       all  --  anywhere             10.8.0.34            to:192.168.1.202

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/16          192.168.1.0/24       to:192.168.1.109

If I put in the rules for one of the machines, they work correctly. When I put in both (as shown above), the second NAT doesn't work (in this case 10.8.0.34 to 192.168.1.202)!

What do you think the problem could be? My best guess is that in the second case, while the response should return as coming from 10.8.0.34, it is probably sent through the wrong interface (tun0). The ip route command returns this:

0.0.0.0/2 via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.25 dev tun0
default via 192.168.1.1 dev eth0  metric 202
10.8.0.0/24 via 10.8.0.25 dev tun0
10.8.0.25 dev tun0  proto kernel  scope link  src 10.8.0.26
10.8.0.33 dev tun1  proto kernel  scope link  src 10.8.0.34
64.0.0.0/2 via 192.168.1.1 dev eth0
81.XXX.YYY.ZZZ via 192.168.1.1 dev eth0
128.0.0.0/2 via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.8.0.25 dev tun0
192.0.0.0/2 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.109  metric 202

What do you think is a possible solution?

Edit 1:

I present here a small diagram of the network, to better clarify the topology.

/---------------------------\
| OpenVPN Server            |                  /-----------------------------------\
| Public IP: 81.XXX.YYY.ZZZ |  ----- ... ----- | Home Router Local Ip: 192.168.1.1 | 
| VPN IP: 10.8.0.1          |                  \-----------------------------------/
\---------------------------/                      |   |   |   |   |   |   |   |  
                                                   |   |   |   |   |   |   |   |
                                                  /--\/--\/--\/--\/--\/--\/--\/--\
                                                  |S1||S2||S3||S4||S5||S6||S7||S8|
                                                  \--/\--/\--/\--/\--/\--/\--/\--/

S[*]: All machines have a local IP in 192.168.1.0/255.255.255.0
S1: Server that is capable of running the OpenVPN client (for example 10.8.0.12)
S2: The Raspberry Pi that runs the 2 instances of the OpenVPN client (10.8.0.26, 10.8.0.34)
S3-4: The local servers that are not capable of running the OpenVPN client (192.168.1.201, 192.168.1.202)
S5-8: Local servers that I don't want to be available in the OpenVPN network.

Edit 2: I have asked the question on Superuser, which is more appropriate.

hargikas

  • Well, I'll read it at least three times and I still think that I do not fully understand your topology. Try to do some simple network diagram. Why do you use 1:1 destination NAT instead of destination (P)NAT? If you're choosing NAT over simple network readdressing and you try to use NAT to protect some resources instead of building a firewall, you obviously do it in a wrong way. You should: do some traffic dumps (tshark, tcpdump) with ICMP traffic and don't guess, try to understand what has happened (where the traffic goes). Then present the results (traffic dumps). – Michal Sokolowski Aug 30 '16 at 03:15
  • And by the way, this question doesn't belong on serverfault because: http://serverfault.com/help/on-topic – Michal Sokolowski Aug 30 '16 at 03:16
  • Most important, what are you trying to accomplish and what's your goal? – Michal Sokolowski Aug 30 '16 at 03:27
  • Thanks for all the info Michal Sokolowski. Probably you are right that my question doesn't belong on serverfault, but I was redirected here from stackexchange. Do you know a better place to ask this question? – hargikas Aug 30 '16 at 05:56
  • I have added the network topology, in order to clarify my situation a little bit more. The problem is that if I want to connect to these servers (NAS) from my work I can't use this solution: https://openvpn.net/index.php/open-source/documentation/howto.html#scope because at work we have the same private IP range as at home (192.168.1.0/255.255.255.0) – hargikas Aug 30 '16 at 05:58
  • @MichalSokolowski What exactly is (P)NAT? What I actually want is to have access through the VPN to all the ports (UDP & TCP) of the machines in question. – hargikas Aug 30 '16 at 06:00
  • Much better, good job. I'll answer your questions after work. PS. Superuser'd be a better place. – Michal Sokolowski Aug 30 '16 at 06:36
  • Sorry for the late answer, did you figure that out, or do you still need an answer? – Michal Sokolowski Aug 31 '16 at 18:03
  • Not yet. I think the culprit lies in that the tun1 interface has 0 bytes (TX bytes:0 (0.0 B))! – hargikas Sep 01 '16 at 05:50
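
The asker's guess (replies for the tun1 mapping leaving via tun0) is consistent with the route table shown in the question: a reply from the NAS is routed before the nat table restores the 10.8.0.34 source (reverse DNAT is applied in POSTROUTING), so at routing time every reply is just "192.168.1.20x to 10.8.0.x", and the only matching route, 10.8.0.0/24 via 10.8.0.25 dev tun0, sends it out tun0. An OpenVPN server in tun mode drops packets whose source does not belong to the client that sent them, which matches tun1 never transmitting anything. The script below is an added example, not code from the question or the comments: it rebuilds the two DNAT rules and the SNAT rule from the question and adds the policy routing that is missing, remembering on each connection which tunnel it entered through (CONNMARK) and routing the replies by that mark into a per-tunnel routing table. Interface names, addresses and peers are the ones shown in the question; the fwmark values 1 and 2, the routing table ids 101 and 102, and the DRY_RUN switch are arbitrary choices made for this example. With DRY_RUN=1 (the default) it only prints the commands so the rule set can be reviewed; run it as root with DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example (not from the question or its comments). Addresses and
# interfaces come from the question; fwmark values, table ids and the
# DRY_RUN switch are choices made here. DRY_RUN=1 prints instead of runs.

DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth0
LAN_NET=192.168.1.0/24
LAN_ADDR=192.168.1.109        # the Pi's own address, used as the SNAT source
VPN_NET=10.8.0.0/16           # server-side VPN subnet from the question

# One OpenVPN client instance per line:
# iface  vpn_addr   p-t-p_peer  lan_target     fwmark  route_table
MAPPINGS="
tun0 10.8.0.26 10.8.0.25 192.168.1.201 1 101
tun1 10.8.0.34 10.8.0.33 192.168.1.202 2 102
"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Call "$@" once per mapping line (the leading blank line is skipped).
each_mapping() {
  echo "$MAPPINGS" | while read -r iface vpn peer target mark table; do
    [ -n "$iface" ] || continue
    "$@" "$iface" "$vpn" "$peer" "$target" "$mark" "$table"
  done
}

nat_for_mapping() {
  # VPN -> LAN: traffic addressed to this client's VPN address is redirected
  # to its NAS. Matching the ingress tunnel keeps the two rules independent.
  run iptables -t nat -A PREROUTING -i "$1" -d "$2" -j DNAT --to-destination "$4"
}

nat_rules() {
  each_mapping nat_for_mapping
  # Hide VPN sources behind the Pi so the NAS answers the Pi, not 10.8.0.x.
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -d "$LAN_NET" -o "$LAN_IF" \
      -j SNAT --to-source "$LAN_ADDR"
}

policy_for_mapping() {
  # Remember on the connection which tunnel its first packet came in on,
  # and give that tunnel a routing table whose default route is its peer.
  run iptables -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$5"
  run ip route replace default via "$3" dev "$1" table "$6"
  run ip rule add fwmark "$5" table "$6" priority "$6"
  # Strict reverse-path filtering would drop VPN-sourced packets arriving on
  # tun1, because the main table reaches 10.8.0.0/24 only through tun0.
  run sysctl -w "net.ipv4.conf.$1.rp_filter=2"
}

policy_routing_rules() {
  each_mapping policy_for_mapping
  # Replies arrive on the LAN side with the Pi as destination; copying the
  # connection mark back onto the packet makes the fwmark rules above pick
  # the tunnel the connection came from, before reverse DNAT runs.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

apply_all() {
  run sysctl -w net.ipv4.ip_forward=1
  nat_rules
  policy_routing_rules
}

apply_all
```

After applying it, the check the commenter suggested is the right one: `tcpdump -ni tun1` on the Pi should now show the replies leaving through tun1 with source 10.8.0.34, and the TX counter of tun1 should start increasing.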

0 Answers