Involved devices: a VPS, a router, and several devices connected to the router.
Final aim: based on the OpenVPN client that is connected to the server on the VPS, specify only one local device to access the Internet through the VPN, and forward some ports of the VPS to the specified device.
VPS Network:
Public IP: 157.7.201.X
Router Network:
WAN: 192.168.178.207/27
LAN: 192.168.1.0/24
VPN:
DHCP: 10.168.1.0/29
VPS: 10.168.1.1 (static)
Client: 10.168.1.2 (static)
The IP of the specified device is 192.168.1.123 (static)
(You can skip the following detailed configuration and go straight to my current situation, because it's a little long and not all the lines are useful.)
And here are the iptables rules of my VPS:
root@VPS:~# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 24 packets, 2860 bytes)
pkts bytes target prot opt in out source destination
6280 663K SNAT all -- * * 10.168.1.0/29 0.0.0.0/0 to:157.7.201.X
The routing table of my router:
root@Onee3:/tmp/home/root# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.178.193 * 255.255.255.255 UH 0 0 0 vlan1
157.7.201.85 192.168.178.193 255.255.255.255 UGH 0 0 0 vlan1
10.168.1.1 * 255.255.255.255 UH 0 0 0 tun11
10.168.1.0 10.168.1.1 255.255.255.248 UG 0 0 0 tun11
192.168.178.192 * 255.255.255.224 U 0 0 0 vlan1
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.178.193 0.0.0.0 UG 0 0 0 vlan1
The iptables rules of my router:
root@Onee3:/tmp/home/root# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 5 packets, 709 bytes)
pkts bytes target prot opt in out source destination
75 14012 SNAT all -- * br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.233
12828 1438K SNAT all -- * vlan1 192.168.1.100 0.0.0.0/0 to:192.168.178.207
27 1764 SNAT all -- * tun11 0.0.0.0/0 10.168.1.0/29 to:10.168.1.2
33 1980 SNAT all -- * vlan1 192.168.1.222 0.0.0.0/0 to:192.168.178.207
0 0 SNAT all -- * tun11 192.168.1.123 0.0.0.0/0 to:10.168.1.2
My situation now is:
The router itself can access the Internet via the physical network, and it can access any host, including 10.168.1.1, which is the virtual IP of the VPS.
Any device connected to the router can access the router and the virtual IP of the VPS normally. Devices included in the router's iptables rules that are set to use vlan1 can access the Internet normally, for example 192.168.1.100 in the list. Others not included can't, because the default MASQUERADE rule was deleted manually.
So now I have added a rule to the router's iptables to forward traffic from 192.168.1.123 to 10.168.1.2 by SNAT (in the list above) or MASQUERADE (also tried), but the result is that 192.168.1.123 can only access hosts in the LAN or the virtual IP of the VPS.
In a word, I'm now stuck halfway (or less) to the final aim. Please help me, thanks.
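The following is an added example, not part of the original question or of any answer to it, showing the two pieces the setup above is missing. A POSTROUTING SNAT rule only rewrites the source address after the routing decision has been made, so with the routing table shown (default via 192.168.178.193 on vlan1) packets from 192.168.1.123 never reach tun11; a source-based policy route is what actually moves that one host onto the tunnel. Port forwarding then needs a DNAT hop on each side: public IP to the VPN client on the VPS, and tun11 to the LAN host on the router. Addresses, interface names and the VPN peer come from the question; the routing table id 100, the rule priority, the forwarded ports 22 and 80, the 203.0.113.10 public address used in the usage line, and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the asker's configuration): policy-route a single LAN
# host through tun11 on the router, and forward VPS ports down to that host.
# Assumes iproute2 and iptables on both boxes, ip_forward enabled, and the
# addresses from the question. Table id 100, priority 1000 and the ports are
# made up for illustration. DRY_RUN=1 prints the commands instead of running them.

LAN_HOST="${LAN_HOST:-192.168.1.123}"   # the one device allowed through the VPN
VPN_LOCAL="${VPN_LOCAL:-10.168.1.2}"    # router's OpenVPN client address
VPN_GW="${VPN_GW:-10.168.1.1}"          # VPS end of the tunnel
VPN_IF="${VPN_IF:-tun11}"               # tunnel interface on the router
TABLE="${TABLE:-100}"                   # assumed policy-routing table id
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1 (one command per line).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Router side: make $LAN_HOST's non-LAN traffic leave through the tunnel.
router_policy_route() {
    # A separate table whose only default route points at the VPN peer.
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # Source-based selection: packets from the chosen host consult that table.
    # (ip rule add is not idempotent; delete the rule before re-running.)
    run ip rule add from "$LAN_HOST" lookup "$TABLE" priority 1000
    run ip route flush cache
    # Same SNAT the question already has; it only takes effect once the
    # routing decision above sends the packet out of tun11.
    run iptables -t nat -A POSTROUTING -s "$LAN_HOST" -o "$VPN_IF" \
        -j SNAT --to-source "$VPN_LOCAL"
    # Allow forwarding for this host only, plus the return traffic.
    run iptables -A FORWARD -s "$LAN_HOST" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$LAN_HOST" -i "$VPN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Router side: second DNAT hop, tunnel -> LAN host, for each TCP port given.
router_port_forward() {
    for port in "$@"; do
        run iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$LAN_HOST:$port"
        run iptables -A FORWARD -i "$VPN_IF" -d "$LAN_HOST" -p tcp --dport "$port" \
            -j ACCEPT
    done
}

# VPS side: first DNAT hop, public IP -> VPN client, for each TCP port given.
# $1 is the VPS public address; the VPS already SNATs 10.168.1.0/29 on the way out.
vps_port_forward() {
    public_ip="$1"; shift
    for port in "$@"; do
        run iptables -t nat -A PREROUTING -d "$public_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$VPN_LOCAL:$port"
        run iptables -A FORWARD -d "$VPN_LOCAL" -p tcp --dport "$port" -j ACCEPT
    done
}

# Usage: ./vpn-one-host.sh router        (on the router)
#        ./vpn-one-host.sh vps <public-ip> (on the VPS, e.g. 203.0.113.10, a
#        documentation address standing in for the real one)
case "${1:-}" in
    router) router_policy_route; router_port_forward 22 80 ;;
    vps)    vps_port_forward "$2" 22 80 ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed rules with the existing chains; the policy route applies to every destination that is not a connected route in the main table, so the host keeps reaching 192.168.1.0/24 and 10.168.1.0/29 as before and only its remaining traffic changes path. Replies to forwarded connections are handled by conntrack on both boxes, so no extra SNAT rule is needed for them.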