Setting Up OpenVPN Relay to Hide Server IP

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

spicythunder
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 14, 2021 10:45 pm

Setting Up OpenVPN Relay to Hide Server IP

Post by spicythunder » Tue Dec 14, 2021 11:07 pm

I'm trying to use OpenVPN to act as a relay for a game server I want to host locally. For privacy reasons, I want to hide my own public IP but I want to be able to allow other people online to connect to this server publicly and then route the traffic over a tunnel to reach my actual house.

I followed a setup guide and I have gotten as far as setting up the OVPN server, certs, firewall, etc. I also set up the OVPN client on my local game server and I have successfully connected to the OVPN/relay server. This is where I have hit a roadblock and exceeded my expertise in network routing. The goal is:

Game Client (Windows) -> Internet (via Public IP) -> Relay Server (OpenVPN server)(Debian) -> VPN Tunnel -> Game Server (OpenVPN client)(Windows)

The game runs on ports 2456-2458 TCP + UDP so my ultimate goal is that ONLY traffic on those ports is allowed through or directed across the VPN between the game server and the relay. I tried a variety of iptables alterations based on other forums online but I can't reach a state where the game will actually connect to the server over the public IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
iptables -A INPUT -p tcp --match multiport --dports 2456:2458 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -d 10.8.0.6 --dport 2456:2458 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2456:2458 -j DNAT --to 10.8.0.6

My OVPN config also has this line uncommented:

push "redirect-gateway def1 bypass-dhcp"

This level of routing between subnets is admittedly out of my depth so any help in the right direction is greatly appreciated.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Setting Up OpenVPN Relay to Hide Server IP

Post by openvpn_inc » Wed Jan 19, 2022 4:12 pm

Hello spicy,

Sorry that this has sat a month unanswered. I did try to get to it a couple of weeks ago, but work got busy. (Oh, and in case a boss is looking here, work is STILL busy! :) ) And before that, you know, holidays.
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
I'm trying to use OpenVPN to act as a relay for a game server I want to host locally. For privacy reasons, I want to hide my own public IP but I want to be able to allow other people online to connect to this server publicly and then route the traffic over a tunnel to reach my actual house.

I followed a setup guide and I have gotten as far as setting up the OVPN server, certs, firewall, etc. I also set up the OVPN client on my local game server and I have successfully connected to the OVPN/relay server. This is where I have hit a roadblock and exceeded my expertise in network routing. The goal is:

Game Client (Windows) -> Internet (via Public IP) -> Relay Server (OpenVPN server)(Debian) -> VPN Tunnel -> Game Server (OpenVPN client)(Windows)

The game runs on ports 2456-2458 TCP + UDP so my ultimate goal is that ONLY traffic on those ports is allowed through or directed across the VPN between the game server and the relay.
Then why would you use --redirect-gateway? That says "send ALL packets through the VPN."
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
I tried a variety of iptables alterations based on other forums online but I can't reach a state where the game will actually connect to the server over the public IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
I'd use SNAT with --to-source, but that should work. Unless it does not. You did not share the IP addressing details.
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
iptables -A INPUT -p tcp --match multiport --dports 2456:2458 -j ACCEPT
You don't need multiport for a single port range. But here your real problem is accepting packets in INPUT that don't go to INPUT. They are in FORWARD.
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
iptables -t filter -A FORWARD -p tcp -d 10.8.0.6 --dport 2456:2458 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2456:2458 -j DNAT --to 10.8.0.6
Here you did those without multiport.

What you may be missing here is the SNAT rule in nat/POSTROUTING which would keep the openvpn machine in the packet path for all the relevant packets.
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
My OVPN config also has this line uncommented:

push "redirect-gateway def1 bypass-dhcp"
See above. Why did you do this? Search the openvpn(8) manual for "--redirect-gateway" (with the leading dashes).
spicythunder wrote:
Tue Dec 14, 2021 11:07 pm
This level of routing between subnets is admittedly out of my depth so any help in the right direction is greatly appreciated.
Basic routing is pretty simple. Packets need to be able to find their way to their destination, and the destination host needs to be able to get the replies back to the originating host. And of course, don't block any of the desired packets in the firewalls along the way!

If you're still working on this and still want help after all this time, please show your output of:

ip addr list
ip route list
iptables-save -c
on the openvpn server host.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
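As an added example (not from either post in this thread, and not OpenVPN Inc. material), the following script generates the relay-side iptables rules that put the question's goal and the reply's corrections together: DNAT on the public interface for both TCP and UDP on 2456:2458, the accept in FORWARD rather than INPUT, a POSTROUTING SNAT to the relay's tunnel address so the relay stays in the return path, and a FORWARD drop policy so nothing else crosses the tunnel, which is why no `push "redirect-gateway ..."` is needed. Interface names (eth0, tun0), the tunnel subnet (10.8.0.0/24), the relay's tunnel address (10.8.0.1) and the game server's tunnel address (10.8.0.6) are assumptions taken from or chosen to match the question; adjust them to the output of `ip addr list` on your relay.

```bash
#!/usr/bin/env bash
# Added example: iptables rules for an OpenVPN relay that exposes a VPN
# client's game ports on the relay's public address. Not from the original
# thread; interface names, addresses and the tunnel subnet are assumptions.
#
#   players --> eth0 (public) --> relay --> tun0 --> game server (VPN client)
#
# Differences from the rules in the question: both TCP and UDP are handled,
# the accept lives in FORWARD (not INPUT), a POSTROUTING SNAT keeps the relay
# in the return path, and nothing else may cross the tunnel, so the server
# does not need to push "redirect-gateway" to the game-server client.

relay_rules() {
  local wan_if="$1" tun_if="$2" relay_tun_ip="$3" game_ip="$4" ports="$5"
  local proto

  # The relay must route between the public interface and the tunnel.
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  # Anything not explicitly allowed below is dropped in FORWARD.
  printf 'iptables -P FORWARD DROP\n'
  # Return traffic for connections already accepted.
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

  for proto in tcp udp; do
    # 1. Rewrite the destination of inbound game traffic to the client's tunnel IP.
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
      "$wan_if" "$proto" "$ports" "$game_ip"
    # 2. Allow only those ports to be forwarded from the public side into the tunnel.
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$wan_if" "$tun_if" "$proto" "$game_ip" "$ports"
    # 3. Rewrite the source to the relay's tunnel IP so the game server answers
    #    back through the tunnel instead of via its own default route.
    printf 'iptables -t nat -A POSTROUTING -o %s -p %s -d %s --dport %s -j SNAT --to-source %s\n' \
      "$tun_if" "$proto" "$game_ip" "$ports" "$relay_tun_ip"
  done
}

# Sanity check: count the DNAT, SNAT and FORWARD-accept rules that were
# generated (expected: three per protocol, six in total).
count_rules() {
  relay_rules "$@" | grep -c -e 'DNAT' -e 'SNAT' -e 'ctstate NEW'
}

# Usage: ./relay-rules.sh --print   (review the rules)
#        ./relay-rules.sh --apply   (run them as root on the relay)
case "${1:-}" in
  --print) relay_rules "${WAN_IF:-eth0}" "${TUN_IF:-tun0}" "${RELAY_TUN_IP:-10.8.0.1}" "${GAME_IP:-10.8.0.6}" "${PORTS:-2456:2458}" ;;
  --apply) relay_rules "${WAN_IF:-eth0}" "${TUN_IF:-tun0}" "${RELAY_TUN_IP:-10.8.0.1}" "${GAME_IP:-10.8.0.6}" "${PORTS:-2456:2458}" | sh -e ;;
esac
```

Two caveats a practitioner would want. First, the SNAT means the game server sees every player as 10.8.0.1, so per-player IP logging or banning on the game server no longer works; the alternative is to drop the SNAT and instead make the game-server client route all its traffic back through the tunnel, which is exactly what `--redirect-gateway` does, so the two choices go together and you pick one, not both. Second, DNAT targets a fixed tunnel address, so pin the game server's address on the OpenVPN server with `client-config-dir` and an `ifconfig-push` entry for that client's certificate name rather than relying on the dynamic pool; the exact `ifconfig-push` arguments depend on the server's `topology` setting.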
