Port forward to VPN Client?

You need to do three things on your VPN server (the Linode) to make this work:

  1. You must enable IP forwarding:

    sysctl -w net.ipv4.ip_forward=1

  2. Set up destination NAT (DNAT) to forward the port. You've probably already figured this out because it's standard port forwarding stuff, but for completeness:

    iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 6000 -j DNAT --to-dest y.y.y.100:6000

  3. Set up source NAT (SNAT) so that from your VPN client's perspective, the connection is coming from the VPN server:

    iptables -t nat -A POSTROUTING -d y.y.y.100 -p tcp --dport 6000 -j SNAT --to-source y.y.y.1

The reason you need the SNAT is that otherwise your VPN client will send its return packets straight to the host which initiated the connection (z.z.z.z) via its default gateway (i.e. Verizon 3G), and not via the VPN. Thus the source IP address on the return packets will be your Verizon 3G address, and not x.x.x.x. This causes all sorts of problems, since z.z.z.z really initiated the connection to x.x.x.x.

In most port forwarding setups, the SNAT is not needed because the host performing the port forwarding is also the default gateway for the destination host (e.g. a home router).

Also note that if you want to forward port 6000 to a different port (say 7000), then the SNAT rule should match on 7000, not 6000.
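As an added example (my own script, not part of the answer above), here are the three steps turned into a parameterised dry-run generator plus a check of the forwarding sysctl. It uses the answer's placeholder addresses (x.x.x.x public IP, y.y.y.1 VPN server tunnel address, y.y.y.100 VPN client tunnel address) and encodes the port-translation caveat from the last paragraph: the SNAT rule runs in POSTROUTING, after DNAT has already rewritten the destination port, so it must match the internal port.

```shell
#!/bin/sh
# Added example, not part of the answer above. Nothing is applied unless you
# pipe the printed commands into sh as root. Addresses are the answer's
# placeholders: PUBLIC_IP=x.x.x.x, VPN server y.y.y.1, VPN client y.y.y.100.

# vpn_forward_rules PUBLIC_IP VPN_SERVER_IP VPN_CLIENT_IP EXT_PORT [INT_PORT]
# Prints (does not run) the sysctl, DNAT and SNAT commands. INT_PORT defaults
# to EXT_PORT; when they differ, SNAT matches INT_PORT because by the time the
# packet reaches POSTROUTING the DNAT rule has already rewritten the port.
vpn_forward_rules() {
    public_ip=$1
    server_ip=$2
    client_ip=$3
    ext_port=$4
    int_port=${5:-$4}
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    printf '%s\n' "iptables -t nat -A PREROUTING -d $public_ip -p tcp --dport $ext_port -j DNAT --to-destination $client_ip:$int_port"
    printf '%s\n' "iptables -t nat -A POSTROUTING -d $client_ip -p tcp --dport $int_port -j SNAT --to-source $server_ip"
}

# ip_forward_enabled [FILE]
# Succeeds if the forwarding sysctl is 1. Reads /proc by default; the optional
# file argument lets the check be exercised against a constructed file.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = 1 ]
}

# Usage (dry run): forward public port 6000 to port 7000 on the VPN client,
# the case discussed in the answer's last paragraph.
vpn_forward_rules x.x.x.x y.y.y.1 y.y.y.100 6000 7000
if ip_forward_enabled; then
    echo "ip_forward is already enabled"
else
    echo "ip_forward is disabled (or not readable); the sysctl line above is needed"
fi
```

To apply the rules, pipe the output into `sudo sh`. One caveat the answer does not spell out: the rules above only rewrite addresses; if the filter table's FORWARD chain has a DROP policy, the forwarded packets also need to be accepted there before any traffic reaches the client.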


I also had this problem and tried to solve it for hours. Here is my solution:

  • I had more than one VPN client with the same IP address, so I gave each of them a static IP address.

Define a directory where the client scripts should be stored, e.g. /etc/openvpn/staticclients, and create the directory:

    mkdir /etc/openvpn/staticclients

Add this directory as an option to your OpenVPN config file at the server:

    client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The filename must match the common name attribute that was specified in the certificate of the client. This command gets the CN from the computer's certificate:

This example pushes the IP address 10.1.134.110/10.1.134.109 to the client with the common name TESTCLIENT and also pushes an additional route for subnet 10.1.135.0.

    cat /etc/openvpn/staticclients/TESTCLIENT

    ifconfig-push 10.1.134.110 10.1.134.109
    push "route 10.1.135.0 255.255.255.0 10.1.134.62"

  • http://www.yougetsignal.com/tools/open-ports/ and http://canyouseeme.org/ didn't correctly detect the ports. I had to additionally start my application on the client so that the websites were able to see these ports.

  • No need for additional SNAT rules. Only these rules were needed:

    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A PREROUTING -p tcp --dport 28006 -j DNAT --to 10.1.134.110
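As an added example for the client-config-dir step of the answer above (my own script, not the answer's), here is a small helper that extracts the CN from a client certificate and writes a CCD file laid out like the TESTCLIENT file. The certificate path and the CCD directory are assumptions; the pair check reflects OpenVPN's default "net30" topology, in which each client owns a /30 and the two endpoints of an ifconfig-push pair must be adjacent last octets of the form 4n+1 and 4n+2 (109 and 110 in the answer).

```shell
#!/bin/sh
# Added example, not part of the answer above. Assumes the server config already
# contains "client-config-dir /etc/openvpn/staticclients" and that client.crt
# is the client's certificate (both are assumptions, not from the answer).

# cert_cn CERT_FILE
# Prints the CN of a certificate; the CCD file name must equal this string.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# valid_net30_pair CLIENT_IP SERVER_IP
# With the default net30 topology an ifconfig-push pair must be two adjacent
# last octets of the form 4n+1 / 4n+2 in the same /24 (e.g. 109 and 110);
# anything else is rejected by the client as not being in the same /30.
valid_net30_pair() {
    [ "${1%.*}" = "${2%.*}" ] || return 1      # same first three octets
    lo=${1##*.}
    hi=${2##*.}
    if [ "$lo" -gt "$hi" ]; then t=$lo; lo=$hi; hi=$t; fi
    [ $((hi - lo)) -eq 1 ] && [ $((lo % 4)) -eq 1 ]
}

# write_ccd DIR CN CLIENT_IP SERVER_IP [ROUTE_NET ROUTE_MASK ROUTE_GW]
# Writes DIR/CN with an ifconfig-push line and an optional pushed route.
write_ccd() {
    dir=$1
    cn=$2
    client_ip=$3
    server_ip=$4
    valid_net30_pair "$client_ip" "$server_ip" || {
        echo "$client_ip / $server_ip is not a valid net30 pair" >&2
        return 1
    }
    mkdir -p "$dir"
    {
        printf 'ifconfig-push %s %s\n' "$client_ip" "$server_ip"
        if [ $# -ge 7 ]; then
            printf 'push "route %s %s %s"\n' "$5" "$6" "$7"
        fi
    } > "$dir/$cn"
}

# Usage: reproduce the answer's TESTCLIENT file (addresses and gateway as in the
# answer). Only attempted when the CCD directory is writable, i.e. as root.
ccd_dir=/etc/openvpn/staticclients   # must match client-config-dir in the server config
if [ -w "$ccd_dir" ]; then
    write_ccd "$ccd_dir" TESTCLIENT 10.1.134.110 10.1.134.109 \
        10.1.135.0 255.255.255.0 10.1.134.62
    cat "$ccd_dir/TESTCLIENT"
else
    echo "$ccd_dir is not writable; run as root to install the CCD file" >&2
fi
```

In practice you would call `write_ccd "$ccd_dir" "$(cert_cn client.crt)" ...` so the file name can never drift from the certificate's CN, which is the mismatch that silently makes OpenVPN ignore a CCD file.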

Most servers have IP forwarding disabled in the default configuration. You need to enable it if you want to redirect incoming connections through your VPN.

Try this:

    sysctl -w net.ipv4.ip_forward=1

I mean in addition to the iptables configuration.