Full cone NAT on OpenVPN?

n4rky
OpenVpn Newbie
Posts: 3
Joined: Sat Dec 25, 2010 11:56 pm

Full cone NAT on OpenVPN?

Post by n4rky » Sun Dec 26, 2010 12:18 am

Hi,

I am running an OpenVPN on a low-end Linode which currently hosts most of my web site, mail, and a few other services. But it is at its limit. So my approach is to use a system on the VPN (actually, my old laptop) as a server.

It appears I need to set up full-cone NAT for this. But the instructions I'm finding in a Google search are getting me into trouble. Among other things, I stopped receiving mail (which I didn't notice for a while because most of it I fetch down from Gmail anyway). This is typical for my adventures with packet-filtering-related stuff; I just really and truly don't get it and need explanations that match the level of complexity of my perception of the problem rather than explanations that match the level of complexity of all the possibilities that are irrelevant to my problem.

So here's the client configuration for my old laptop:

Code:

client
dev tun
proto udp
remote parts-unknown.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert graton.crt
key graton.key
ns-cert-type server
comp-lzo
verb 3

Here is its route table:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

And the similar stuff on my server:

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
74.207.225.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
74.207.227.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         74.207.225.1    0.0.0.0         UG    0      0        0 eth0

And just because it's an obvious question, an excerpt from sysctl.conf that I've had there for a long time:

Code:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1

So first, how does one set up full cone NAT over OpenVPN? And second, is it absolutely necessary to change the default route on my old laptop? If so, the expected command, i.e.

Code:

route add default gw 10.8.0.9 tun0

led me nowhere, but I suppose that might be because I can't figure out NAT to save my life and got it wrong.

Thanks!

n4rky
OpenVpn Newbie
Posts: 3
Joined: Sat Dec 25, 2010 11:56 pm

Re: Full cone NAT on OpenVPN?

Post by n4rky » Mon Dec 27, 2010 6:04 am

I have apparently managed to solve my immediate problem using nginx as a web proxy. But the principle of the original question remains, in case I decide to bring up more services.

Thanks!

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Full cone NAT on OpenVPN?

Post by gladiatr72 » Mon Dec 27, 2010 4:23 pm

Hello,

I was a little murky on the whole "full-cone NAT business", so I looked it up. For the other terminologically impaired people in the room, it's a cool way to say "1 to 1 NAT".

Setting the default gateway of a client to the remote VPN end-point is as simple as using the "redirect-gateway" directive on the server side. I don't really think you need to push all the traffic from your laptop over the VPN link, but redirect-gateway will take care of it for you if that's the way you want to do it.

OpenVPN will not help you with NAT. If someone else wants to jump in here, it's all good, but that's an iptables configuration issue. I think it happens in the prerouting part of the input chain (at least that's where you configure port forwarding), but I haven't used this sort of configuration on a Linux box before (Cisco IOS 8 or 9). So anyway, I'm going to direct you to one of the many iptables/netfilter sites for further information on setting this up.

Regards,
Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
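The iptables side that Stephen points to, written out as an added example (not from this thread or from the OpenVPN project): forward one public TCP port on the Linode to the laptop over tun0 with DNAT, allow only that flow through FORWARD, and SNAT it to the server's tunnel address so the laptop's replies come back through the tunnel without touching its default route. PUBLIC_IP, CLIENT_VPN_IP and the interface names are assumed placeholders; 10.8.0.1 follows from the `server 10.8.0.0 255.255.255.0` line above.

```shell
#!/bin/sh
# Added example, not from the thread: per-port forwarding into the VPN with
# netfilter DNAT + SNAT. Placeholders (set them before running with "apply"):
#   PUBLIC_IF / PUBLIC_IP   Linode's Internet-facing interface and address
#   VPN_IF / VPN_SERVER_IP  tun0 and the server's tunnel address (10.8.0.1)
#   CLIENT_VPN_IP           the laptop's tunnel address assigned by OpenVPN
# IPT can be overridden to preview rules without root: IPT="echo iptables"
IPT=${IPT:-iptables}

# Forward TCP port $1 on PUBLIC_IP to CLIENT_VPN_IP:$2 ($2 defaults to $1).
forward_tcp_port() {
    pub_port=$1; dst_port=${2:-$1}
    # 1. Rewrite the destination before routing, for this one port only, so
    #    the Linode's other services (mail, ssh, ...) keep receiving traffic.
    $IPT -t nat -A PREROUTING -i "$PUBLIC_IF" -d "$PUBLIC_IP" -p tcp --dport "$pub_port" \
         -j DNAT --to-destination "$CLIENT_VPN_IP:$dst_port"
    # 2. Permit exactly this flow and its replies through FORWARD; everything
    #    else falls through to the DROP policy set in main.
    $IPT -A FORWARD -i "$PUBLIC_IF" -o "$VPN_IF" -d "$CLIENT_VPN_IP" -p tcp --dport "$dst_port" \
         -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$PUBLIC_IF" -s "$CLIENT_VPN_IP" -p tcp --sport "$dst_port" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Source-NAT the forwarded packets to the server's tunnel address, so
    #    the laptop answers via its existing 10.8.0.0/24 route on tun0 and no
    #    default-route change is needed. Trade-off: the laptop's logs then
    #    show 10.8.0.1 instead of the real client, so log client IPs on the Linode.
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -d "$CLIENT_VPN_IP" -p tcp --dport "$dst_port" \
         -j SNAT --to-source "$VPN_SERVER_IP"
}

main() {
    : "${PUBLIC_IF:=eth0}" "${VPN_IF:=tun0}" "${VPN_SERVER_IP:=10.8.0.1}"
    : "${PUBLIC_IP:?set PUBLIC_IP}" "${CLIENT_VPN_IP:?set CLIENT_VPN_IP}"
    $IPT -P FORWARD DROP        # default-deny forwarding, then open one flow
    forward_tcp_port 80         # the web site, served from the laptop
}

case "${1:-}" in apply) main ;; esac
```

Run as `PUBLIC_IP=... CLIENT_VPN_IP=... sh fwd.sh apply` once net.ipv4.ip_forward=1 is in effect; `iptables -t nat -L -n -v` afterwards shows the counters climbing only on the forwarded port.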
