4

I ran into the same problem described in Port forwarding using VPN client, but without success.

I have an OpenVPN Access Server version 2.5 and a client configured with site-to-site routing. Both client and server can communicate with each other using their private IP addresses. On the client, there is an Apache server which listens on port 8081.

The goal is to be able to connect to the OpenVPN server's public IP and have it forward the connection to the client, so that the user can access the Apache server behind it.

My current setup is:


sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -d 50.xxx.xxx.xxx -p tcp --dport 8081 -j DNAT --to-dest 192.168.2.86:8081

iptables -t nat -A POSTROUTING -d 192.168.2.86 -p tcp --dport 8081 -j SNAT --to-source 10.0.2.42

Is there something simple I'm doing incorrectly? Thank you.

kym8886
  • 91

2 Answers

5

The issue was related with the iptables rules. By adding the following rules, everything works as expected:

iptables -t nat -I PREROUTING 1 -d {SERVER_LOCAL_IP_ADDRESS} -p tcp --dport {CLIENT_PORT} -j DNAT --to-dest {CLIENT_LOCAL_IP_ADDRESS}:{CLIENT_PORT}

iptables -t nat -I POSTROUTING 1 -d {CLIENT_LOCAL_IP_ADDRESS} -p tcp --dport {CLIENT_PORT} -j SNAT --to-source {VPN_GATEWAY_IP}

iptables -I FORWARD 1 -d {CLIENT_LOCAL_IP_ADDRESS} -p tcp --dport {CLIENT_PORT} -j ACCEPT

kym8886
  • 91
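An added helper, not the poster's own script, that turns the three rules from this answer into an idempotent install step: each rule is only inserted when `iptables -C` says an identical one is not already present, so re-running it never stacks duplicates. The addresses are constructed placeholders; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the original answer. Addresses are constructed
# placeholders; export your own values before running "apply" as root.
SERVER_LOCAL_IP="${SERVER_LOCAL_IP:-192.0.2.10}"    # server's local address
CLIENT_LOCAL_IP="${CLIENT_LOCAL_IP:-192.168.2.86}"  # host running Apache behind the client
VPN_GATEWAY_IP="${VPN_GATEWAY_IP:-10.0.2.42}"       # server's VPN-side address
CLIENT_PORT="${CLIENT_PORT:-8081}"

# Reject anything that is not a TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit "<table> <chain> <match...> <target>" for dnat|snat|forward.
# Chain first, so the same string feeds both -C (check) and -I (insert).
rule_spec() {
  case "$1" in
    dnat)    printf 'nat PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
               "$SERVER_LOCAL_IP" "$CLIENT_PORT" "$CLIENT_LOCAL_IP" "$CLIENT_PORT" ;;
    snat)    printf 'nat POSTROUTING -d %s -p tcp --dport %s -j SNAT --to-source %s' \
               "$CLIENT_LOCAL_IP" "$CLIENT_PORT" "$VPN_GATEWAY_IP" ;;
    # Only the client-bound direction is opened; replies rely on an existing
    # ESTABLISHED,RELATED accept rule (or an ACCEPT policy) in FORWARD.
    forward) printf 'filter FORWARD -d %s -p tcp --dport %s -j ACCEPT' \
               "$CLIENT_LOCAL_IP" "$CLIENT_PORT" ;;
    *)       return 1 ;;
  esac
}

# Insert at position 1 (the -I default) only if an identical rule is absent.
apply_rule() {
  spec=$(rule_spec "$1") || return 1
  table=${spec%% *}; chain_and_match=${spec#* }
  # shellcheck disable=SC2086  # word splitting of the spec is intended
  if iptables -t "$table" -C $chain_and_match 2>/dev/null; then
    echo "present: $spec"
  else
    iptables -t "$table" -I $chain_and_match && echo "inserted: $spec"
  fi
}

# Run as root with "apply" to enable forwarding and install all three rules.
if [ "${1:-}" = apply ]; then
  valid_port "$CLIENT_PORT" || { echo "bad CLIENT_PORT: $CLIENT_PORT" >&2; exit 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  for r in dnat snat forward; do apply_rule "$r" || exit 1; done
fi
```

Note that `sysctl -w` does not survive a reboot; persist `net.ipv4.ip_forward=1` in `/etc/sysctl.conf` (or a drop-in under `/etc/sysctl.d/`) and save the rules with your distribution's iptables persistence mechanism.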
0

Your SNAT matches a different port number than the DNAT will, and from your diagram this setup will only work if the OpenVPN client routes back to the internet via the OpenVPN server.

You should probably replace 32400 with 8081.

  • Thanks @timothy-baldwin for the reply. Actually, I copied the wrong port. The correct one is 8081, as you pointed out. – kym8886 Jun 14 '18 at 20:56