OpenVPN Client (Pull Filter) + Server IPTable port forwarding



Post by NaXal » Fri Jul 14, 2023 1:55 pm

Hello,

I have a Cloud VPS running Ubuntu Server 22 LTS with OpenVPN Server installed. I have multiple client configuration files created from there. One of which is for my Home Server.

All clients have a CCD static IP pushed to them.

I have the following iptables rules running on that server for my home server, to forward all incoming traffic on ports 80 / 443 to my home server via this VPN tunnel.

# DNAT inbound HTTP/HTTPS on the public interface to the home server's tunnel address
iptables -t nat -A PREROUTING -i enp0s6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.45:80
iptables -t nat -A PREROUTING -i enp0s6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.45:443
It works without any issue.

Now I wish to ensure that my home server bypasses the VPN gateway for accessing the internet, to conserve bandwidth usage of that VPS. For example, if I am downloading something on that home server (suppose a Docker container and such), it should do that via the local gateway (bypassing the VPN gateway).

I have tried adding the following line to my home server configuration file:

pull-filter ignore redirect-gateway

Now it does bypass the VPN gateway for accessing the web, but it also breaks my DNAT forwarding. URLs aren't receiving any response back from my home server.

Without that line, accessing a URL pointed at my VPS IP address does get forwarded to my home server, but when I use that pull-filter ignore rule, the URLs stop working.

The following is my client configuration:

client
proto udp
explicit-exit-notify
remote 1xx.xx0.Xx4.Xx 331
dev tun
pull-filter ignore redirect-gateway # This is the issue
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_EAcCWo3G32eRK2sC name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxx
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-crypt>
My goals are the following:

1. I wish to forward ports 80/443 from the OpenVPN server to my local home server so that my domains continue to work from my local server via that VPN tunnel.
2. I wish to route that local home server's internet traffic via the local internet gateway (for example, downloading Docker containers).

I am unable to do both together.

Can anyone help me out here?

Thanks in advance.
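What breaks here is the return path: with redirect-gateway ignored, DNAT'd packets still arrive on the home server via tun0 carrying the original client's source address, but the replies follow the home server's default route out the local gateway, so the VPS never sees them and the flow dies. The script below is an added example (not the original poster's configuration) of source-based policy routing on the home server, which sends only traffic sourced from the tunnel IP back through the tunnel and leaves everything else on the local gateway; it assumes the client tunnel address 10.8.0.45 from the post, a server-side tunnel gateway of 10.8.0.1, interface tun0 and routing table 100, all of which are overridden by OpenVPN's own environment variables when it is run as a route-up/down hook.

```shell
#!/bin/sh
# Added example for the home server (OpenVPN client side), not the poster's code.
# Replies sourced from the tunnel IP are steered back via the tunnel so the
# VPS-side DNAT keeps working while other traffic still uses the local gateway.
set -eu

# Defaults are assumptions; OpenVPN exports ifconfig_local, route_vpn_gateway
# and dev to hook scripts, so those win when run via route-up / down.
VPN_ADDR="${ifconfig_local:-10.8.0.45}"   # this client's tunnel IP (from the post)
VPN_GW="${route_vpn_gateway:-10.8.0.1}"    # assumed server tunnel address
VPN_DEV="${dev:-tun0}"
TABLE="${TABLE:-100}"                       # assumed spare routing table id
IP="${IP:-ip}"                              # set IP=echo to dry-run

# Install the policy route: anything sourced from VPN_ADDR (i.e. replies to
# traffic that came in over the tunnel) is looked up in TABLE, whose only
# route is a default via the tunnel. LAN-sourced traffic is unaffected.
add_return_route() {
    $IP route replace default via "$VPN_GW" dev "$VPN_DEV" table "$TABLE"
    $IP rule add from "$VPN_ADDR" lookup "$TABLE" priority 1000
}

# Remove the rule and flush the table (for the OpenVPN "down" hook).
del_return_route() {
    $IP rule del from "$VPN_ADDR" lookup "$TABLE" priority 1000 2>/dev/null || true
    $IP route flush table "$TABLE" 2>/dev/null || true
}

# Dispatch on OpenVPN's script_type (up / route-up / down) or a manual
# argument; run only when invoked with one so the functions can be sourced.
if [ -n "${script_type:-}" ] || [ $# -gt 0 ]; then
    case "${script_type:-$1}" in
        up|route-up) add_return_route ;;
        down)        del_return_route ;;
        *) echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
fi
```

Hook it in with `script-security 2`, `route-up /path/to/script` and `down /path/to/script` in the client config; the alternative of MASQUERADE on the VPS toward 10.8.0.45 also restores the return path but hides the real client IP from the home server.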
