I'm in the process of setting up an OpenVPN network for my home use.
The OpenVPN server (running on Debian) is behind a router, on which I've configured a static route (10.8.7.0/24 -> 192.168.100.5) and opened the external port via port forwarding. I've also enabled IP forwarding on the OpenVPN server.
I have configured the server (192.168.100.5) with tun & topology subnet; by default the clients get an address in the 10.8.7.0/24 network.
Code:
dev tun
topology subnet
# VPN clients are assigned addresses from 10.8.7.0/24 (server takes 10.8.7.1)
server 10.8.7.0 255.255.255.0
# Tell clients to send traffic for the LAN through the tunnel
push "route 192.168.100.0 255.255.255.0"
[...]
From the Bridging & Routing website (https://community.openvpn.net/openvpn/w ... AndRouting) I've taken these iptables rules:
Code:
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.7.0/24 -d 192.168.100.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
I can ping and access the VPN client (for example 10.8.7.178) from the local network (for example 192.168.100.7) without any problems.
However, I cannot access or ping any clients in the local network (for example 192.168.100.7) from the VPN client.
So I was guessing something is wrong with my iptables settings and the server doesn't forward the packets coming FROM the VPN clients TO the local network correctly.
After searching for a while I came across these iptables settings and tried them:
Code:
# Hide all forwarded traffic leaving eth0 behind the server's LAN address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow replies from the LAN back into the tunnel
# ("-m state --state" is the legacy spelling of "-m conntrack --ctstate")
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow anything from the VPN side towards the LAN
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
Is there anything I can change with my iptables settings? Is it a good idea to use MASQUERADE with my setup? (server behind router)
Thanks in advance!
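The two rule sets from the post, put side by side as an added example (this is editor-supplied code, not from the original poster or the OpenVPN project). It assumes the interface names and subnets given in the post (tun0, eth0, 10.8.7.0/24, 192.168.100.0/24); the DRY_RUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent forwarding setup
# for an OpenVPN server that sits on a LAN behind a router.
# Assumptions (taken from the post, adjust to your own setup):
#   VPN_IF=tun0, LAN_IF=eth0, VPN_NET=10.8.7.0/24, LAN_NET=192.168.100.0/24
# Run with DRY_RUN=1 to print the commands instead of executing them.
set -u

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.7.0/24}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert a rule only if an identical one is not already present (iptables -C),
# so re-running this script (e.g. from an OpenVPN "up" hook) never duplicates rules.
ensure_rule() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run iptables -t "$table" -I "$@"
    elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
        iptables -t "$table" -I "$@"
    fi
}

# Without ip_forward=1 the FORWARD chain is never consulted at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Routed design: the router carries a static route for VPN_NET via this host,
# LAN hosts see the real 10.8.7.x client address, and forwarding is limited to
# connections opened from the VPN side towards the LAN.
routed_rules() {
    ensure_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# NAT design: VPN clients are hidden behind the server's LAN address. Replies
# from LAN hosts then come straight back to this host, so neither the static
# route on the router nor the LAN hosts' firewalls need to know about VPN_NET,
# but LAN-side rules can no longer tell individual VPN clients apart.
# Restricting -s to VPN_NET keeps the server's own LAN traffic un-NATed.
masquerade_rules() {
    routed_rules
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Usage: sh vpn-forward.sh routed | masquerade   (prefix with DRY_RUN=1 to preview)
case "${1:-}" in
    routed)     enable_forwarding; routed_rules ;;
    masquerade) enable_forwarding; masquerade_rules ;;
esac
```

With the routed design, a LAN host answering a VPN client sends its reply to its default gateway (the router), which forwards it back to the OpenVPN server via the static route; this only works if the LAN host's own firewall accepts connections from 10.8.7.0/24, since many host firewalls default to allowing ICMP and file sharing from the local subnet only. The MASQUERADE variant sidesteps that because the LAN host only ever sees 192.168.100.5, at the cost of losing per-client visibility on the LAN side.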