Rout Ports from OpenVPN Client to local IP

[PynkChimp]

Hi there,

I'm new to all of this network stuff.
Here is what I have:

• Asus Router with latest Merlin version installed.
  • Router is behind a NAT from the provider so I do not have a public IP
• External Open VPN Server hostet with Public IPv4
  • Incoming Ports (3030) forwarded via NAT from public IP to internal VPN Client IP 10.8.0.2:3030
• VPN Client 3 connected to the external VPN Server

What I would like to archive:

• Reach a website hostet on a Raspberry Pi via the Public IP of the VPN Server

What I'm not aware of, is what rule I have to apply to nat-start to archive this. All the examples at the documentation are, in my 2 days not really understanding brain, not applicable for my setup.

Would be great if some on could help me, creating the right iptables NAT rule.

 

[PynkChimp]

if tried the following, but that doesn't work:
nat-start file:

#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark


iptables -t nat -A PREROUTING -i tun13 -p tcp -m tcp -m tcp --dport 3030 -j DNAT --to-destination 192.168.188.60:3030

 

[eibgrad]

To put things more succinctly, it seems all you're trying to do is port forward over your OpenVPN client rather than the WAN.

Based on the information provided so far, this appears to be a site-to-site configuration (e.g., the tunnel is NOT NAT'd, Inbound Firewall is set to "Allow"). As such, in order for any traffic initiated from the OpenVPN client side to get replies from the server side, the latter would already have to be configured w/ a static route for the 192.168.188.0/24 network (I assume this is the local IP network on the OpenVPN client side given your attempt to add a PREROUTING rule based on that same network). And if that's the case, any attempt to initiate traffic from the server side to some device on the 192.168.188.0/24 network should already be working ***provided*** the OpenVPN server is configured w/ an appropriate iroute directive for that same network.

https://community.openvpn.net/openvpn/wiki/RoutedLans

IOW, without the iroute directive, the OpenVPN server doesn't know which OpenVPN client (since there could be many concurrent OpenVPN clients, all w/ different local IP networks) is actually hosting the 192.168.188.0/24 network.

Granted, you may have already done this, but since we have ZERO information about how the OpenVPN server has been configured, it remains an open question.

 

[eibgrad]

P.S. If you're using Merlin to support the OpenVPN server, the CCD directory and iroute directives are configured (indirectly) via the Manage Client-Specific Options section.

 

[PynkChimp]

Hello eibgrad,

Tank you for your reply.

To put things more succinctly, it seems all you're trying to do is port forward over your OpenVPN client rather than the WAN.

Yes, the plan is to access the network from outside to some services (on different devices). But due to the fact, that I'm in a provider internal network DynDNS is not an option. So If you have any other Ideas I'm solution open.

To the OpenVPN Server, server.conf:

port 59867
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_GhnoaAfTeEdwxer6.crt
key server_GhnoaAfTeEdwxer6.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

This is what i applied to iptables:

 sudo iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 3030 -j DNAT --to-destination 10.8.0.2:3030

The vServer has a Firewall managing system at the provider web GUI, there i opend the port 3030.

(e.g., the tunnel is NOT NAT'd, Inbound Firewall is set to "Allow")

That was just to see if this will change anything. But to be honest, I do not have any idea, what these options actually do.

192.168.188.0/24 network (I assume this is the local IP network on the OpenVPN client side given your attempt to add a PREROUTING rule based on that same network). And if that's the case, any attempt to initiate traffic from the server side to some device on the 192.168.188.0/24 network should already be working ***provided*** the OpenVPN server is configured w/ an appropriate iroute directive for that same network.

Correct
IF I understand you correct, the iroute is not configured in the right way on the OpenVPN Server.
And IF I understand your provided URL correct I have to add the following lines to the config:

route 10.8.0.2 255.255.255.0
push "route 10.8.0.2 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-to-client

P.S. If you're using Merlin to support the OpenVPN server, the CCD directory and iroute directives are configured (indirectly) via the Manage Client-Specific Options section.

If I'm correct the Client Specific Rules Section got replaced by the VPN Director? I can't find this option in my Merlin anymore.

 

[eibgrad]

Well given that you've now stated you did NOT intentionally disable NAT and unblock the Inbound Firewall, perhaps it's NOT your intention to establish a site-to-site tunnel. Then all this iroute business does NOT apply.

When you configure a unidirectional (i.e., NON site-to-site) tunnel, you typically NAT the tunnel on the OpenVPN client side and block the Inbound Firewall. Just like when accessing any commercial OpenVPN provider (e.g., NordVPN). If that commercial OpenVPN provider offers port forwarding, then you typically configure port forwarding on the provider's firewall through some means, and port forwarded locally on the router over the OpenVPN client's network interface via a nat-start script.

#!/bin/sh
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 3030 -j DNAT --to 192.168.188.60:3030

 

[PynkChimp]

Hello eibgrad,

thank you, I will try this later today.