Score:0

Forward OpenVPN traffic through server

Here's my setup:

-------------------      -----------------------      -----------------------
| OpenVPN Client  |      | Ubuntu Server 22.04 |      | Ubuntu Server 22.04 |
| Windows 10      |----->| Local Datacenter    |----->| Linode Datacenter   |
| OpenVPN Connect |      | IP: a.b.c.d (1xNIC) |      | IP: w.x.y.z (1xNIC) |
|                 |      |                     |      | OpenVPN Server      |
-------------------      -----------------------      -----------------------

The outbound OpenVPN traffic is blocked for the Windows 10 machine, so it has no access to the OpenVPN server.

The server in the middle is from a local datacenter. Nothing is blocked to/from it.

The OpenVPN server is listening on port 443/udp. Also ufw is disabled. It's tested and works 100%.

Now, here's what I've done on the server in the middle:

/etc/sysctl.conf:

net.ipv4.ip_forward = 1

And then:

sudo sysctl -p

And to verify:

sudo cat /proc/sys/net/ipv4/ip_forward
1

After that:

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

sudo iptables -t nat -A PREROUTING -p udp --dport 443 -j DNAT --to-destination w.x.y.z
sudo iptables -t nat -A POSTROUTING -p udp -d w.x.y.z --dport 443 -j SNAT --to-source a.b.c.d

As this is not working and OpenVPN connection from client times out, I need to know if the problem is in my rules, or I have to look somewhere else to find the issue.
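As an added example (not from the question or the comments), a POSIX shell script that prints the complete rule set for the middle server: the same DNAT/SNAT pair as above, plus the filter-table FORWARD rules that the nat-only rules in the question never set (if the FORWARD policy is DROP, the DNATed packets are silently discarded even with ip_forward=1). The interface name eth0, the function names and the explicit `:443` on the DNAT target are assumptions; addresses are the question's placeholders.

```shell
#!/bin/sh
# Added example: generate (not apply) the iptables rules for relaying UDP/443
# on a single-NIC middle server to the OpenVPN server behind it.
set -eu

# relay_rules FRONT_IP BACKEND_IP PORT [IFACE]
# Prints one iptables command per line. With one NIC, ingress and egress
# interface are the same, so -i and -o both use $iface (assumed eth0).
relay_rules() {
    front_ip=$1; backend_ip=$2; port=$3; iface=${4:-eth0}
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $iface -p udp --dport $port -j DNAT --to-destination $backend_ip:$port" \
      "iptables -t nat -A POSTROUTING -o $iface -p udp -d $backend_ip --dport $port -j SNAT --to-source $front_ip" \
      "iptables -A FORWARD -i $iface -o $iface -p udp -d $backend_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $iface -o $iface -p udp -s $backend_ip --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Rules 1-2 rewrite the addresses; rules 3-4 let the forwarded packets and
    # the OpenVPN server's replies pass the filter table, which the nat table
    # alone does not do. Replies are only accepted for conntrack-known flows.
}

# Number of rules relay_rules emits; used to sanity-check the generator.
relay_rule_count() {
    relay_rules "$@" | wc -l | tr -d ' '
}

# Return 0 when the kernel will actually forward (the sysctl step above).
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || return 1
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Stand-alone run: only print the rules so nothing is changed on this host.
relay_rules a.b.c.d w.x.y.z 443
```

To apply on the middle server, substitute real addresses and pipe the output into `sudo sh -e` after flushing as the question does; `forwarding_enabled` is there to confirm the sysctl step took effect before debugging the rules.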

dummyuser:
You want to set up an openvpn between your Windows Client and Server in the Linode Datacenter. There is another server in between doing some source and destination NAT. But the server in the middle is not an active part of your openvpn connection.

Comment: A `MASQUERADE` in the `postrouting` rule should be fine – possibly like `iptables -t nat -A POSTROUTING -p udp -d w.x.y.z --dport 443 -j MASQUERADE` – but this is not the root problem. You will need `ip-forwarding` and `MASQUERADE` in the openvpn server too.
dummyuser:
According to your description you do not get a vpn connect. The root cause is unclear. Openvpn writes a nice logfile – please edit your question and add the content of your log. You may check if packets arrive on the server in the middle / openvpn Server with the following instruction: `tcpdump -n -c100 -i <INTERFACE> udp port 443` (`<INTERFACE>` to be replaced with the name of your interface). Do packets arrive on the server in the middle and the openvpn server?
Omid Shojaee:
Sorry, I'm lost here. What I understand is that I need to replace those two rules with your `MASQUERADE` rule? And on the VPN server I need to have `iptables -t nat -A POSTROUTING -p udp -d a.b.c.d --dport 443 -j MASQUERADE` and also `net.ipv4.ip_forward = 1` too?