Score:0

OpenVPN and iptables configuration - Forward Configuration


I have 2 VPS. The first one has OpenVPN, and I need to reach eth1 on the second VPS from my VPN.

VPS N°1

  • eth0-WAN xxx.xxx.19.106
  • eth1-LAN 10.108.0.2/20
  • tun0 - OpenVPN 10.8.0.1/24

VPS N°2

  • eth1-LAN 10.108.0.3/20

Here is the diagram:

I need to know the iptables configuration for VPS N°1, so I can reach the eth1-LAN (10.108.0.3/20) on the 2nd VPS from OpenVPN (tun0 - 10.8.0.1/24). I'm trying to SSH to the 2nd VPS from a computer connected with OpenVPN and I can't. But I can SSH to the 1st VPS, and from its console I can SSH to the 2nd VPS.

SSH (port22)
eth1-LAN (10.108.0.2/20) => eth1-LAN (10.108.0.3/20)........Working

SSH (port22)
tun0-OpenVPN (10.8.0.1/24) => eth1-LAN (10.108.0.3/20)........NOT Working

Thanks, Arturbio

Score:0

In order to allow SSH access from the OpenVPN interface (tun0) to the LAN interface (eth1) of the second VPS, you will need to configure iptables on the first VPS to forward traffic from the OpenVPN interface to the LAN interface. Here are the iptables commands you can use to accomplish this:

iptables -A FORWARD -i tun0 -o eth1 -d 10.108.0.3/20 -p tcp --dport 22 -j ACCEPT - This command will add a rule to the FORWARD chain that allows traffic from the OpenVPN interface (tun0) to the LAN interface (eth1) of the second VPS, if the destination IP is in the 10.108.0.3/20 range and the destination port is 22 (for SSH).

iptables -A FORWARD -i eth1 -o tun0 -s 10.108.0.3/20 -p tcp --sport 22 -j ACCEPT - This command will add a rule to the FORWARD chain that allows traffic from the LAN interface (eth1) of the second VPS to the OpenVPN interface (tun0), if the source IP is in the 10.108.0.3/20 range and the source port is 22 (for SSH).

iptables -A POSTROUTING -t nat -o eth1 -s 10.8.0.0/24 -j SNAT --to-source 10.108.0.2 - This command will add a rule to the POSTROUTING chain of the nat table that changes the source IP address of the packet to the IP address of the eth1 interface of the first VPS (10.108.0.2) before it leaves the eth1 interface, so that it appears to come from the first VPS's IP.

iptables -A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT - This command will add a rule to the INPUT chain that allows incoming SSH traffic on the tun0 interface.

iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT - This command will add a rule to the INPUT chain that allows incoming SSH traffic on the eth1 interface.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT - This command will add a rule to the INPUT chain that allows incoming SSH traffic on the eth0 interface.

iptables -A INPUT -i lo -j ACCEPT - This command will add a rule to the INPUT chain that allows incoming traffic on the loopback interface.

iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP - These commands will set the default policy for the INPUT, FORWARD and OUTPUT chains to DROP. This means that any traffic that does not match any of the previous rules will be dropped.

To make these rules persistent across reboots, you will need to use the iptables-save and iptables-restore commands.
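A complete forwarding setup for VPS N°1, as an added example that is not part of the original answer. It assumes the addressing from the question (tun0 10.8.0.0/24, eth1 10.108.0.2 on VPS N°1, target 10.108.0.3 on VPS N°2), a Linux host with iptables and a POSIX shell, and that VPS N°2 has no route back to 10.8.0.0/24, which is why the source is rewritten to 10.108.0.2 with SNAT as in the answer above. Three points a practitioner will want that the rule list above does not cover: net.ipv4.ip_forward is off by default and no FORWARD rule matches until it is on; iptables treats "-d 10.108.0.3/20" as 10.108.0.0/20, the whole LAN, so the example pins the destination to 10.108.0.3/32; and the return path is accepted by conntrack state rather than by trusting a source port of 22. The script touches only the FORWARD chain and the nat table. Note that a DROP policy on OUTPUT with no OUTPUT rules, as in the last command above, stops the host from sending any packet at all, including OpenVPN's own traffic. Separately from iptables, the OpenVPN client must have a route for 10.108.0.0/20 through the tunnel (for example push "route 10.108.0.0 255.255.240.0" in the server config), or the SSH packets never enter tun0 in the first place.

```shell
#!/bin/sh
# Added example, not from the original thread. Forwarding setup on VPS N°1 so that
# OpenVPN clients (10.8.0.0/24 on tun0) can SSH to 10.108.0.3 on eth1 of VPS N°2.
# Assumptions: Linux with iptables; VPS N°2 has no route back to 10.8.0.0/24, so the
# source address is rewritten to VPS N°1's LAN address (SNAT), as in the answer.
set -eu

VPN_IF=tun0
VPN_NET=10.8.0.0/24
LAN_IF=eth1
LAN_ADDR=10.108.0.2        # VPS N°1's own eth1 address, used as the SNAT source
TARGET=10.108.0.3/32       # only the second VPS, not the whole 10.108.0.0/20
DRY_RUN=${DRY_RUN:-0}      # DRY_RUN=1 prints the commands instead of running them

# Run a command, or print it when DRY_RUN=1 (useful for review before touching a live host).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Without this the kernel discards transit packets before the FORWARD chain is consulted.
    run sysctl -w net.ipv4.ip_forward=1

    # Return traffic: packets that belong to a flow already accepted by the rule below.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections from the VPN subnet to the single target host only.
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$TARGET" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # VPS N°2 cannot route 10.8.0.0/24 back, so make the packets appear to come from 10.108.0.2.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$VPN_NET" -d "$TARGET" \
        -j SNAT --to-source "$LAN_ADDR"

    # Log (rate limited) and then drop anything else the VPN tries to forward, so a client
    # probing other LAN hosts shows up in the kernel log instead of failing silently.
    run iptables -A FORWARD -i "$VPN_IF" -m limit --limit 5/min -j LOG --log-prefix "vpn-fwd-drop: "
    run iptables -P FORWARD DROP
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
esac
```

Run it as "sh fwd.sh show" to review the exact commands, then "sudo sh fwd.sh apply" on VPS N°1; persist the result with iptables-save (and net.ipv4.ip_forward=1 in /etc/sysctl.conf) so it survives a reboot. Because the FORWARD policy is DROP and the accept rule names one host and one port, adding a second service or host later means adding one explicit rule rather than opening the whole /20.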

