I've been trying to get OpenVPN set up for months and finally have it working! Except I had to resort to a NAT rule on the client rather than what I consider proper routing. Can somebody who knows more about this than me assist?
So - I have on my home network (UK) an OpenVPN server running on a Raspberry Pi 3. On my client network which will eventually be a holiday home (in Cyprus), I have an ISP provided router (which I really can't change and not even sure we can configure it) which I will then plug in a DD-WRT router running OpenVPN client.
To simulate this I currently have the Raspberry Pi on my home network and another network set up for me to test. This is currently simulated as a USB 4/3G connection on a router with the said Belkin DD-WRT router plugged into it. It's working through the 4/3G to my home network, but I've had to enable NAT in the Belkin OpenVPN config (iptables).
Here's a diagram of what I'm trying to achieve:
This is so my parents (in Cyprus) can leave everything as is, but simply connect another router (the new DD-WRT) from its WAN port into the current ISP router's LAN port. Then they can simply use the VPN by connecting to a new Wi-Fi network. Everything else will be as it was. One main reason for this is they want to use an Amazon Fire Stick for TV and I really tried to get OpenVPN for Android on it but it just wasn't working, so a dual-router setup should be better and easier.
So, this is all working as I want: send everything (including DNS) down the OpenVPN tunnel. I would just like to understand exactly what routing info I'm missing. Or how do I configure the client-side network routers to overcome this NAT issue (double NAT, I guess?)?
I have opened UDP port 1194 into my home network. The Pi is configured to forward IPv4. The iptables rules on the Pi are:
# Dec 2016 - using this as it also allows internet access and local LAN
# Allow new connections from the VPN subnet (arriving on tun0) out to the home LAN/internet on eth0
iptables -I FORWARD -i tun0 -o eth0 \
-s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
On the (simulated) holiday home main router I have added a static route to 192.168.20.0/24 via the static LAN address (192.168.10.50), i.e. the WAN address of the DD-WRT router. I have also added a rule on the DD-WRT 2nd router to allow it to forward requests to 192.168.10.0/24.
So, here are the iptables rules on the Belkin DD-WRT, which I don't feel are what I really want!
# Let hosts on the ISP router's LAN (192.168.10.0/24) be forwarded through this router
iptables -I FORWARD -s 192.168.10.0/24 -j ACCEPT
# Forward between the local bridge (br0, the new Wi-Fi/LAN) and the VPN tunnel (tun1) in both directions
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# This is the line I need for it to work but how to do it without this?
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Can someone explain it to me and help me understand why I need the MASQUERADE? Is there any way around it with dual router client setup?
Thanks so much.
Regards,
Si.
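The following is an added illustration of the routing problem behind the MASQUERADE question above; it is not code from the original post. It models the Pi's routing table with longest-prefix matching and shows where the Pi sends a reply depending on the source address it sees: with MASQUERADE the client rewrites sources to its tun1 address in 10.8.0.0/24, which the Pi can route back into tun0; without it the Pi sees 192.168.20.x sources and, lacking a route for that subnet, sends the reply out its default route on eth0. The route-based alternative is to tell the server about the client's LAN: a `route 192.168.20.0 255.255.255.0` directive plus `client-config-dir` in the server config, and `iroute 192.168.20.0 255.255.255.0` in the per-client ccd file (real OpenVPN directives; `route` installs the kernel route, `iroute` tells OpenVPN which connected client owns that subnet). The home LAN prefix 192.168.1.0/24 and the client certificate name are assumptions, since the post does not give them.

```python
import ipaddress

# Constructed model of the Pi's routing table. Interface names (eth0, tun0), the VPN
# subnet and the remote LAN come from the post; the home LAN prefix is an assumption.
HOME_LAN = "192.168.1.0/24"      # assumed, not given in the post
VPN_NET = "10.8.0.0/24"          # OpenVPN subnet on tun0
REMOTE_LAN = "192.168.20.0/24"   # LAN behind the DD-WRT client


def lookup(table, dst):
    """Longest-prefix match over (prefix, interface) pairs, like the kernel FIB lookup."""
    ip = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def server_table(with_remote_lan_route=False):
    """Routing table on the Pi, optionally including the route OpenVPN's `route`
    directive would install for the client's LAN."""
    table = [("0.0.0.0/0", "eth0"), (HOME_LAN, "eth0"), (VPN_NET, "tun0")]
    if with_remote_lan_route:
        table.append((REMOTE_LAN, "tun0"))
    return table


def reply_interface(src_seen_by_server, with_remote_lan_route=False):
    """Interface the Pi picks for a reply to a packet that arrived with this source.
    Without MASQUERADE on the client the source is a 192.168.20.x host; with it,
    the source is the client's tun1 address inside 10.8.0.0/24."""
    return lookup(server_table(with_remote_lan_route), src_seen_by_server)


def openvpn_server_fragment(client_cn, remote_lan=REMOTE_LAN):
    """Return (server.conf lines, ccd/<client_cn> lines) that make the server route
    the client's LAN through the tunnel instead of relying on client-side NAT."""
    net = ipaddress.ip_network(remote_lan)
    dotted = f"{net.network_address} {net.netmask}"
    server_conf = "\n".join([
        "client-config-dir ccd",          # per-client files live in ccd/
        f"route {dotted}",                # kernel route into tun0 on the server
    ])
    ccd_file = "\n".join([
        f"# ccd/{client_cn}",
        f"iroute {dotted}",               # OpenVPN-internal: this client owns the subnet
    ])
    return server_conf, ccd_file


if __name__ == "__main__":
    # Constructed sample hosts: a LAN client behind DD-WRT and the DD-WRT's tun1 address.
    print("un-NATed reply to 192.168.20.5 leaves via:", reply_interface("192.168.20.5"))
    print("MASQUERADEd reply to 10.8.0.6 leaves via:  ", reply_interface("10.8.0.6"))
    print("with route for 192.168.20.0/24, reply via:", reply_interface("192.168.20.5", True))
    conf, ccd = openvpn_server_fragment("cyprus-ddwrt")  # client CN is an assumed placeholder
    print(conf)
    print(ccd)
```

Two related checks follow from the post's own rules: the Pi's FORWARD rule only accepts new connections with `-s 10.8.0.0/24`, so once packets arrive un-NATed with 192.168.20.x sources, that match needs to cover 192.168.20.0/24 as well if the chain policy is DROP; and whatever device sits beyond the Pi (the home router) faces the same question for both 10.8.0.0/24 and 192.168.20.0/24, which is why many setups keep a single NAT on the server's eth0 side instead. On the Pi, `ip route get 192.168.20.5` showing `dev tun0` confirms the kernel side is in place.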