How to make a specific device access the Internet via the router's OpenVPN client?

Involved devices: a VPS, a router, and several devices connected to the router.

Final aim: based on the OpenVPN client that has connected to the server on the VPS, make only one local device access the Internet through the VPN, and forward some ports of the VPS to that device.

VPS Network:

Public IP: 157.7.201.X

Router Network:

WAN: 192.168.178.207/27
LAN: 192.168.1.0/24

VPN:

DHCP: 10.168.1.0/29
VPS: 10.168.1.1 (static)
Client: 10.168.1.2 (static)

The IP of the specified device is 192.168.1.123 (static)

(You can skip the detailed configuration below and go straight to "My situation now", because it's a little long and not all the lines are useful.)

And here are the iptables rules of my VPS:

root@VPS:~# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 24 packets, 2860 bytes)
 pkts bytes target prot opt in  out source        destination
 6280  663K SNAT   all  --  *   *   10.168.1.0/29 0.0.0.0/0    to:157.7.201.X

The routing table of my router:

root@Onee3:/tmp/home/root# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.193 *               255.255.255.255 UH    0      0        0 vlan1
157.7.201.85    192.168.178.193 255.255.255.255 UGH   0      0        0 vlan1
10.168.1.1      *               255.255.255.255 UH    0      0        0 tun11
10.168.1.0      10.168.1.1      255.255.255.248 UG    0      0        0 tun11
192.168.178.192 *               255.255.255.224 U     0      0        0 vlan1
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.178.193 0.0.0.0         UG    0      0        0 vlan1

The iptables rules of my router:

root@Onee3:/tmp/home/root# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 5 packets, 709 bytes)
 pkts bytes target prot opt in  out   source         destination
   75 14012 SNAT   all  --  *   br0   192.168.1.0/24 192.168.1.0/24  to:192.168.1.233
12828 1438K SNAT   all  --  *   vlan1 192.168.1.100  0.0.0.0/0       to:192.168.178.207
   27  1764 SNAT   all  --  *   tun11 0.0.0.0/0      10.168.1.0/29   to:10.168.1.2
   33  1980 SNAT   all  --  *   vlan1 192.168.1.222  0.0.0.0/0       to:192.168.178.207
    0     0 SNAT   all  --  *   tun11 192.168.1.123  0.0.0.0/0       to:10.168.1.2

My situation now is:

The router itself can access the Internet via the physical network, and it can access any host, including 10.168.1.1, which is the virtual IP of the VPS.

Any device connected to the router can access the router and the virtual IP of the VPS normally. Devices included in the router's iptables rules that are set to use vlan1 can access the Internet normally, for example 192.168.1.100 in the list. Others that are not included can't, because the default MASQUERADE rule was deleted manually.

So now I have added a rule to the router's iptables to forward 192.168.1.123 to 10.168.1.2 by SNAT (in the list above) or MASQUERADE (also tried), but the result is that 192.168.1.123 can only access the hosts in the LAN or the virtual IP of the VPS.

In short, I'm now stuck halfway (or even less) to the final aim. Please help me, thanks.

Frederick Zhang

Posted 2014-04-16T19:08:41.267

Reputation: 459

Answers

It seems that the problem really has nothing to do with pre-routing or post-routing.

I finally solved the problem by adding a new routing table:

route add default gw 192.168.178.193                      # add a default route via the local physical network; note that it must sit above the VPN one
ip route del default via 10.168.1.1 dev tun11 table main  # delete the VPN route from the main routing table
ip route add default via 10.168.1.1 dev tun11 table 200   # create a new table, numbered 200, whose default route uses the VPN
ip rule add from 192.168.1.200/32 table 200               # add the devices that are expected to go through the VPN
ip rule add from 192.168.1.222/32 table 200

Then for the port forwarding, I referred to https://unix.stackexchange.com/questions/55791/port-forward-to-vpn-client

Frederick Zhang
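The policy-routing setup the answer describes, together with the port-forward half it only links to, written out as an added example; this is not code from the original post. It reuses the post's addresses and interface names (tun11, 10.168.1.1 and 10.168.1.2, 192.168.178.193, br0, 192.168.1.123, table 200). TCP port 8080 as the forwarded port and the kill-switch `prohibit` route are assumptions. With DRY_RUN=1 the functions print the commands instead of executing them, so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example (not code from the original post): policy-based routing on the
# router so that only chosen LAN hosts leave via the OpenVPN tunnel, plus the
# matching NAT and port-forward rules on router and VPS. Addresses and interface
# names are the ones in the post; port 8080 and routing table 200 are assumptions.
# DRY_RUN=1 prints the commands instead of running them.

VPN_IF=tun11                 # OpenVPN client interface on the router
VPN_GW=10.168.1.1            # VPS end of the tunnel
VPN_LOCAL=10.168.1.2         # router end of the tunnel
WAN_GW=192.168.178.193       # physical upstream gateway
LAN_IF=br0
LAN_NET=192.168.1.0/24
VPN_TABLE=200
VPN_HOSTS="192.168.1.123"    # LAN hosts that must use the VPN (space separated)
FWD_PORT=8080                # assumed: public port on the VPS to forward
VPS_PUBLIC=157.7.201.X       # the post's redacted public IP; replace before use

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router side: keep the physical uplink as the default route for everybody,
# and steer only VPN_HOSTS into a separate table whose default is the tunnel.
router_policy_routing() {
  run ip route replace default via "$WAN_GW" table main
  # The LAN must stay reachable from the VPN table, otherwise forwarded
  # LAN-bound packets from a VPN host would be sent down the tunnel.
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
  run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
  # Kill switch (assumption, not in the post): when tun11 goes down the kernel
  # drops the route above and this higher-metric entry takes over, so the host
  # gets an error instead of falling through to the main table and the plain WAN.
  run ip route replace prohibit default table "$VPN_TABLE" metric 1000
  for h in $VPN_HOSTS; do
    run ip rule add from "$h/32" lookup "$VPN_TABLE" priority 1000
    # SNAT to the tunnel address so the VPS can route replies back
    run iptables -t nat -A POSTROUTING -s "$h" -o "$VPN_IF" -j SNAT --to-source "$VPN_LOCAL"
  done
  # Inbound on the tunnel: hand the forwarded port to the first VPN host only
  first=${VPN_HOSTS%% *}
  run iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$first:$FWD_PORT"
  run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -p tcp -d "$first" --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
  run ip route flush cache
}

# VPS side: DNAT the public port to the router's tunnel address and allow only
# that forwarded flow (plus established traffic) across the tunnel.
vps_port_forward() {
  run iptables -t nat -A PREROUTING -d "$VPS_PUBLIC" -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$VPN_LOCAL:$FWD_PORT"
  run iptables -A FORWARD -d "$VPN_LOCAL" -p tcp --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage on the router: RUN_NOW=1 sh this_script.sh   (or DRY_RUN=1 to preview)
if [ "${RUN_NOW:-0}" = 1 ]; then
  router_policy_routing
fi
```

Two points the answer's five commands leave open: without the `prohibit` entry, a device whose `ip rule` points at table 200 falls back to the main table, i.e. the plain WAN, as soon as tun11 goes down, so the "VPN-only" device leaks silently; and the VPS-side DNAT publishes that device's port to the whole Internet through the tunnel, so the FORWARD rules should accept only the port you actually mean to expose rather than everything arriving over tun11. The VPS also needs net.ipv4.ip_forward=1, which its existing SNAT rule implies is already set.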