Forward OpenVPN packets from one server to another

Magvegva
OpenVpn Newbie
Posts: 3
Joined: Wed Apr 26, 2023 5:14 pm

Forward OpenVPN packets from one server to another

Post by Magvegva » Wed Apr 26, 2023 5:57 pm

Hello!
I need to hide the real OpenVPN server IP in the client configuration file. Is there any way to do it?
I set up two Linux servers.
The first one ("PROXY") has a real IP address, and this address is in the client config.
The second server ("VPN") is the real OpenVPN server that routes clients into the local private network.
I tried to redirect the TCP port (as well as a UDP variant with the "proto udp" option in the server config) from the first server to the second using iptables:

# Rewrite the destination of packets arriving on ens192 for PROXY:9876 so they go to the VPN server
$IPTABLES -t nat -A PREROUTING -p tcp -i ens192 -d "PROXY IP ADDRESS" --dport 9876 -j DNAT --to-destination "VPN IP ADDRESS"
# Rewrite the source to the proxy's own address so the VPN server's replies come back through the proxy
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 9876 -j MASQUERADE

but the client cannot connect and I can see these messages in the OpenVPN log:

2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 TLS: Initial packet from [AF_INET]"PROXY IP ADDRESS":63454, sid=1b8250fb 21c2a2e0
2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 tls-crypt unwrap error: packet authentication failed
2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 TLS Error: tls-crypt unwrapping failed from [AF_INET]"PROXY IP ADDRESS":63454

It seems that iptables changes the packets and the OpenVPN server cannot decrypt them.

So the question is: is there any way to set up ONE IP address in the client config and redirect this client to a second server where OpenVPN actually runs?

Maybe someone has solved this problem?
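The rule set below is an added example of a complete port-forwarding relay for OpenVPN, not the poster's script and not OpenVPN project code. It covers what the two rules in the post leave implicit: IP forwarding must be enabled on the proxy, the filter FORWARD chain must accept the relayed flow, and both transports (TCP and UDP) need their own nat rules. The addresses, interface name and port are placeholders (PROXY_IP, VPN_IP, WAN_IF, VPN_PORT) that can be overridden through the environment; with DRY_RUN=1 (the default) the script only prints the iptables commands it would run, so it can be reviewed before being applied as root with DRY_RUN=0. One caveat worth keeping in mind as an operator: because of MASQUERADE, the VPN server sees every client as coming from PROXY_IP, exactly as the log lines in the post show, so per-client source attribution on the VPN server is lost unless the proxy keeps its own connection log.

```shell
#!/bin/sh
# Added example (not from the original post): relay OpenVPN traffic arriving at a
# front-end "proxy" host to the real OpenVPN server using iptables DNAT/MASQUERADE.
# All values below are constructed placeholders; override them via the environment.

PROXY_IP="${PROXY_IP:-198.51.100.10}"   # placeholder public address of the proxy (TEST-NET-2)
VPN_IP="${VPN_IP:-10.0.0.2}"            # placeholder address of the real OpenVPN server
WAN_IF="${WAN_IF:-ens192}"              # interface on the proxy that receives client traffic
VPN_PORT="${VPN_PORT:-9876}"            # port OpenVPN listens on
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = execute them (needs root)

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the nat and filter rules for one transport (tcp or udp).
forward_proto() {
    proto="$1"
    # Rewrite destination: packets for PROXY_IP:VPN_PORT now go to VPN_IP:VPN_PORT.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PROXY_IP" \
        --dport "$VPN_PORT" -j DNAT --to-destination "$VPN_IP:$VPN_PORT"
    # Let the relayed flow through the filter FORWARD chain (its default policy may be DROP).
    run iptables -A FORWARD -i "$WAN_IF" -p "$proto" -d "$VPN_IP" --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Rewrite source to the proxy's address so the VPN server replies via the proxy.
    # Side effect: the VPN server logs PROXY_IP as the peer address for every client.
    run iptables -t nat -A POSTROUTING -p "$proto" -d "$VPN_IP" --dport "$VPN_PORT" \
        -j MASQUERADE
}

# Full setup: enable routing, allow return traffic, then add rules for both transports.
setup_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    forward_proto tcp
    forward_proto udp
}

setup_forwarding
```

Run it once as `DRY_RUN=1 sh relay.sh` to inspect the generated commands, then with `DRY_RUN=0` as root to apply them; the rules are appended, so re-running without flushing will duplicate them.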
