Tunnel to local services on OpenVPN server - iptables

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

a_kemper
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 08, 2015 7:10 am

Tunnel to local services on OpenVPN server - iptables

Post by a_kemper » Thu Jan 08, 2015 7:46 am

I have a pretty normal routed OpenVPN installation, i.e. with the client using tun interfaces and the server doing IP masquerading. The only exception to a standard setup is using encrypted TCP instead of UDP packets. So far everything is nice and easy.
Now I would like to configure the client to also tunnel requests to other local (IMAP) services running on the VPN gateway. These are accessible by either the gateway public IP or alternatively the OpenVPN internal IP (10.8.0.1).
From the client perspective (Thunderbird) I'd always like to use the gateway public IP, which, in case the VPN tunnel is established, needs some kind of translation to the internal IP (10.8.0.1). Initially I thought I'd be able to do this by configuring the server with "redirect-gateway block-local", but this only prevents the (Ubuntu) client from bypassing the tunnel for any traffic.

Instead I most likely need DNAT on the client. With respect to http://l7-filter.sourceforge.net/PacketFlow.png I assume this should be something like

iptables -t nat -A OUTPUT -p tcp ! --dport 1194 -j DNAT --to 10.8.0.1

But this doesn't work. Can anyone give me a hint as to what is missing there or where I have a misunderstanding?

Thx,
Andreas
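
An added example (editor's illustration, not code from the thread) of the client-side DNAT approach described above, packaged as an OpenVPN --up/--down script so the rewrite only exists while the tunnel is up. It assumes a placeholder gateway public IP of 203.0.113.10, that the IMAP service is reachable on 10.8.0.1 through the tunnel, and that only IMAP (143) and IMAPS (993) should be rewritten; scoping the rule by destination address and port, rather than "! --dport 1194", keeps every other TCP flow, including the VPN control connection itself, untouched.

```shell
#!/bin/sh
# Client-side OpenVPN up/down helper: DNAT IMAP traffic aimed at the gateway's
# public IP to the gateway's VPN-internal address while the tunnel is up.
# All addresses below are placeholders / assumptions, not values from the thread.
set -eu

GATEWAY_PUBLIC_IP="${GATEWAY_PUBLIC_IP:-203.0.113.10}"   # placeholder public IP
VPN_INTERNAL_IP="${VPN_INTERNAL_IP:-10.8.0.1}"           # server's tun address
IMAP_PORTS="${IMAP_PORTS:-143 993}"                      # only these ports are rewritten
IPTABLES="${IPTABLES:-iptables}"                         # set to "echo" for a dry run

# Emit one nat/OUTPUT rule per port. $1 is the iptables action (-A or -D), so the
# identical rule text is added on "up" and removed on "down" (no leftover rules).
dnat_rules() {
    action="$1"
    for port in $IMAP_PORTS; do
        printf '%s -t nat %s OUTPUT -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$IPTABLES" "$action" "$GATEWAY_PUBLIC_IP" "$port" "$VPN_INTERNAL_IP" "$port"
    done
}

# Run each generated rule. DNAT in the nat OUTPUT chain rewrites the destination
# before the routing decision, so the rewritten packets follow the route to
# 10.8.0.1 over the tun interface instead of the host route to the public IP.
apply_rules() {
    dnat_rules "$1" | while IFS= read -r rule; do
        eval "$rule"
    done
}

# OpenVPN exports script_type=up|down to --up/--down scripts; a plain
# command-line argument is accepted as well for manual use.
case "${script_type:-${1:-}}" in
    up)   apply_rules -A ;;
    down) apply_rules -D ;;
    *)    ;;
esac
```

Reference it from the client config with "script-security 2", "up /path/to/imap-dnat.sh" and "down /path/to/imap-dnat.sh"; run it with IPTABLES=echo first to review the exact rules before they are applied.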

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Tunnel to local services on OpenVPN server - iptables

Post by maikcat » Thu Jan 08, 2015 8:52 am

From client perspective (Thunderbird) I'd always like to use the gateway public IP,
So you want, when your VPN-connected client connects to your OpenVPN server's PUBLIC IP on the IMAP service,
the OpenVPN server to respond via its VPN interface?

Michael.
