NAT all traffic from VPN to Client side

Moderators: TinCanTech
evildani00
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 19, 2018 7:43 pm

NAT all traffic from VPN to Client side

Post by evildani00 » Wed Sep 19, 2018 7:52 pm

Hello Guys,

I have an OpenVPN network that works really well. But I have one client that has the following:
eth0 publicIP
eth1 local lan
eth1.1 another router from another ISP

eth1 is 192.168.60.0/24
eth1.1 is 10.218.40.192/30

I need to connect to 10.208.26.20 via 10.218.40.193. And 10.208.26.20 needs to connect to what it believes is 10.218.40.194, but in fact is an IP on another node on the OpenVPN network, 192.168.40.25.

I can ping 10.208.26.20 from 10.218.40.194, and I can see traffic trying to reach 10.218.40.194 from 10.208.26.20. Any node on the network can ping 10.218.40.194.

My outbound nat to the internet works fine.

This is Ubuntu 16, I think...

I have tried all sorts of NATs, SNATs, DNATs, but I can't seem to make it work. My iptables rules are:

# Generated by iptables-save v1.4.4 on Wed Sep 19 14:21:02 2018
*filter
:INPUT ACCEPT [6788:2084242]
:FORWARD ACCEPT [7164:2381996]
:OUTPUT ACCEPT [6778:1928371]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1.1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth1.1 -j ACCEPT
COMMIT
# Completed on Wed Sep 19 14:21:02 2018
# Generated by iptables-save v1.4.4 on Wed Sep 19 14:21:02 2018
*nat
:PREROUTING ACCEPT [3391:931431]
:POSTROUTING ACCEPT [129:9807]
:OUTPUT ACCEPT [8:1057]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1.1 -j MASQUERADE
COMMIT
# Completed on Wed Sep 19 14:21:02 2018


As you can see, I want to MASQUERADE from OpenVPN to eth1.1, so that 10.208.26.20 sees a source of 10.218.40.194. And when 10.208.26.20 tries to connect to 10.218.40.194, traffic is forwarded to 192.168.40.25.

Any help will be greatly appreciated,

Daniel
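The posted ruleset has the outbound half of what the question asks for (MASQUERADE out of eth1.1) but no rule that rewrites the destination of packets arriving on eth1.1 for 10.218.40.194, which is what "traffic is forwarded to 192.168.40.25" needs: a DNAT in the nat PREROUTING chain. Two other things stand out to a reviewer: the FORWARD chain policy is ACCEPT, so the four FORWARD rules shown are no-ops and the box forwards everything between all interfaces; and the eth1.1-to-tun0 rule only admits RELATED,ESTABLISHED traffic, which is the shape you would want once the policy is DROP, not before. The script below is an added example written for this thread, not code from the original post or from the OpenVPN project. It renders a complete iptables-restore ruleset using the interface names and addresses given in the post (eth0, eth1, eth1.1, tun0, 10.218.40.194, 10.208.26.20, 192.168.40.25), with the FORWARD policy set to DROP and explicit accepts, and applies it only when run as root with --apply; the address check helper is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders an iptables-restore
# ruleset for the client box described in the thread and applies it only when
# run as root with --apply. Interface names and addresses are the ones given in
# the post; the peer on the ISP link (10.208.26.20) and the VPN node to publish
# (192.168.40.25) likewise.
set -eu

WAN=eth0                       # public interface
LAN=eth1                       # 192.168.60.0/24
ISP=eth1.1                     # 10.218.40.192/30, this box is .194
VPN=tun0

OUR_ISP_IP=10.218.40.194       # address the ISP-side peer must see
PEER=10.208.26.20              # host on the ISP link we exchange traffic with
PUBLISHED_NODE=192.168.40.25   # VPN node that must answer as 10.218.40.194

# Minimal dotted-quad check (constructed helper) so a typo cannot end up in a
# live NAT rule.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

render_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies for any flow accepted below; one rule instead of one per direction.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN hosts out to the internet.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# VPN side out to the peer on the ISP link (source becomes $OUR_ISP_IP in nat).
-A FORWARD -i $VPN -o $ISP -d $PEER -j ACCEPT
# Peer in to the published node; PREROUTING has already rewritten the destination.
-A FORWARD -i $ISP -o $VPN -s $PEER -d $PUBLISHED_NODE -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: what the peer sends to $OUR_ISP_IP is delivered to the VPN node.
-A PREROUTING -i $ISP -s $PEER -d $OUR_ISP_IP -j DNAT --to-destination $PUBLISHED_NODE
# Outbound to the internet, unchanged from the post.
-A POSTROUTING -o $WAN -j MASQUERADE
# Outbound to the ISP link: the peer sees $OUR_ISP_IP as the source.
-A POSTROUTING -o $ISP -j MASQUERADE
# The redirected flows also get this box's tun0 address as source, so the
# node's replies come back through this box without any extra VPN routing.
-A POSTROUTING -o $VPN -d $PUBLISHED_NODE -j MASQUERADE
COMMIT
EOF
}

main() {
    for a in "$OUR_ISP_IP" "$PEER" "$PUBLISHED_NODE"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    if [ "${1:-}" = "--apply" ]; then
        # iptables-restore swaps the whole table set in one step (root required).
        render_ruleset | iptables-restore
    else
        render_ruleset          # dry run: review the rules before applying
    fi
}

main "$@"
```

Run it without arguments to see the ruleset, and with `--apply` as root to load it; `net.ipv4.ip_forward` must be 1, which it evidently already is since the outbound NAT in the post works. The last POSTROUTING rule is a deliberate trade-off: it turns the redirected connection into a full NAT, so 192.168.40.25 sees this box's tun0 address rather than 10.208.26.20 and its replies are guaranteed to return here to be un-DNATed. If the node must see the real peer address, drop that rule and instead give 192.168.40.25 a route for 10.208.26.20 via this box's VPN address (on the OpenVPN server side, a route plus an iroute for this client), otherwise the replies will take the node's default route and the connection will half-work in exactly the way the post describes.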
