Prerequisites: This example assumes that you have already installed the OpenVPN server and client and generated the certificates or keys. It also assumes that you have a basic IPTABLES firewall in place, such as the one in the forum thread "IPTABLES secure Internet tunnel" (Board index » Scripting and Customizations » Routing and Firewall Scripts).
Overview: First we'll modify server.conf, then we'll create the client-connect and client-disconnect scripts.
Lines to insert into server.conf (script-security 2 is required before OpenVPN will call user-defined scripts):
client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
script-security 2
/etc/openvpn/clientconnect.sh:
#!/bin/bash
# Client-connect hook. OpenVPN exports ifconfig_local and ifconfig_pool_remote_ip
# in the environment before running this script (see the man page notes at the end).
PORT=12000   # no spaces around '=' in a shell assignment, or bash tries to run a command named PORT
# Allow forwarded traffic arriving on the Internet interface to reach the client's VPN address on $PORT
iptables -A FORWARD -p tcp -i eth0 -d "$ifconfig_pool_remote_ip" --dport "$PORT" -j ACCEPT
# Rewrite the destination of incoming connections on $PORT to the client's VPN address.
# Note: ifconfig_local is the tunnel endpoint address; packets arriving from the Internet are
# addressed to the server's public IP, so use that address here if this rule never matches.
iptables -t nat -A PREROUTING -p tcp -d "$ifconfig_local" --dport "$PORT" -j DNAT --to-destination "$ifconfig_pool_remote_ip:$PORT"
/etc/openvpn/clientdisconnect.sh:
#!/bin/bash
# Client-disconnect hook: removes the two rules added at connect time.
# The rule specification must match the one used with -A exactly, or -D will not find it.
PORT=12000
iptables -D FORWARD -p tcp -i eth0 -d "$ifconfig_pool_remote_ip" --dport "$PORT" -j ACCEPT
iptables -t nat -D PREROUTING -p tcp -d "$ifconfig_local" --dport "$PORT" -j DNAT --to-destination "$ifconfig_pool_remote_ip:$PORT"
Notes: You can only forward a given port such as "12000 tcp" to a single client at any one time. You will need to get creative with your port management when you have multiple clients: a single hard-coded line such as "PORT=12000" won't be sufficient for a setup with many clients who each need ports forwarded. One suggestion is to look at using a database or flat file with client/port allocations.
Thanks, colin, for the memo to add "#!/bin/bash"; it is a very important line.
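The notes above suggest a flat file of client/port allocations. The following script is an added example, not code from the original post: one hook that serves as both client-connect and client-disconnect, reading the port for the connecting client from an assumed file /etc/openvpn/portmap.txt (hypothetical path; one "<common_name> <tcp_port>" pair per line) and choosing -A or -D from OpenVPN's script_type variable. It relies on the script_type, common_name, ifconfig_local and ifconfig_pool_remote_ip variables that OpenVPN exports to connect/disconnect scripts; PORTMAP, WAN_IF and PUBLIC_IP are assumed settings of this example. The iptables commands are produced by a function so they can be inspected before being applied.

```shell
#!/bin/bash
# Added example (not from the original post): one hook script for both
# client-connect and client-disconnect, with per-client ports read from a flat file.
# Assumed file format for /etc/openvpn/portmap.txt (hypothetical path):
#   <common_name> <tcp_port>      lines starting with '#' are ignored
# OpenVPN exports script_type, common_name, ifconfig_local and
# ifconfig_pool_remote_ip in the environment before calling this script.

PORTMAP="${PORTMAP:-/etc/openvpn/portmap.txt}"   # assumed allocation file
WAN_IF="${WAN_IF:-eth0}"                          # Internet-facing interface
# Inbound packets from the Internet carry the server's public address, not the
# tunnel endpoint; set PUBLIC_IP explicitly. It defaults to the post's ifconfig_local.
PUBLIC_IP="${PUBLIC_IP:-${ifconfig_local:-}}"

# lookup_port CN FILE: print the port allocated to CN; return 1 if none or malformed.
lookup_port() {
  local cn="$1" file="$2" name port rest
  while read -r name port rest; do
    case "$name" in ''|'#'*) continue ;; esac
    [ "$name" = "$cn" ] || continue
    # The file is configuration, so treat it strictly: digits only, valid port range.
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
    return 0
  done < "$file"
  return 1
}

# build_rules ACTION PORT CLIENT_IP PUBLIC_IP: print the two iptables commands.
# ACTION is A (add at connect time) or D (delete at disconnect time); the text of
# both rules is identical, which is what makes the -D at disconnect match.
build_rules() {
  local action="$1" port="$2" client_ip="$3" public_ip="$4"
  printf 'iptables -%s FORWARD -p tcp -i %s -d %s --dport %s -j ACCEPT\n' \
    "$action" "$WAN_IF" "$client_ip" "$port"
  printf 'iptables -t nat -%s PREROUTING -p tcp -i %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$action" "$WAN_IF" "$public_ip" "$port" "$client_ip" "$port"
}

# hook: pick -A or -D from script_type, look up the port, apply the rules.
hook() {
  local action port
  case "${script_type:-}" in
    client-connect)    action=A ;;
    client-disconnect) action=D ;;
    *) echo "hook: expected script_type client-connect or client-disconnect" >&2; return 1 ;;
  esac
  if ! port=$(lookup_port "${common_name:-}" "$PORTMAP"); then
    # No allocation for this client: exit 0 so the client still connects, just without a port.
    echo "hook: no port allocated for ${common_name:-?}" >&2
    return 0
  fi
  build_rules "$action" "$port" "$ifconfig_pool_remote_ip" "$PUBLIC_IP" | sh -e
}

# Run only when OpenVPN invokes the script (script_type is set); sourcing the file
# leaves the functions available for inspection or testing.
if [ -n "${script_type:-}" ]; then
  hook
fi
```

Point both client-connect and client-disconnect in server.conf at this one file. A client-connect script that exits non-zero causes OpenVPN to reject the client, which is why a missing allocation logs a message and returns 0 rather than failing; a malformed port in the file is treated the same way, so a typo in portmap.txt cannot turn into an unintended rule.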
Further notes from the OpenVPN man page:
ifconfig_local
The local VPN endpoint IP address specified in the --ifconfig option (first parameter). Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to --up script execution.
ifconfig_pool_remote_ip
The remote virtual IP address for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.