
Forward OpenVPN packets from one server to another

Posted: Wed Apr 26, 2023 5:57 pm
by Magvegva
Hello!
I need to hide the real OpenVPN server IP in the client configuration file. Is there any way to do it?
I set up two Linux servers.
The first one ("PROXY") has a real IP address, and this address is in the client config.
The second server ("VPN") is a real OpenVPN server that routes clients into the local private network.
I tried to redirect the TCP port (as well as a UDP variant with the "proto udp" option in the server config) from the first server to the second using iptables:

# On PROXY: rewrite the destination of incoming port-9876 packets to the VPN server
$IPTABLES -t nat -A PREROUTING -p tcp -i ens192 -d "PROXY IP ADDRESS" --dport 9876 -j DNAT --to-destination "VPN IP ADDRESS"
# Rewrite the source to PROXY's own address so the VPN server's replies come back through PROXY
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 9876 -j MASQUERADE

but the client cannot connect, and I can see these messages in the OpenVPN log:

2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 TLS: Initial packet from [AF_INET]"PROXY IP ADDRESS":63454, sid=1b8250fb 21c2a2e0
2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 tls-crypt unwrap error: packet authentication failed
2023-04-26 20:11:12 "PROXY IP ADDRESS":63454 TLS Error: tls-crypt unwrapping failed from [AF_INET]"PROXY IP ADDRESS":63454

It seems that iptables changes the network packets and the OpenVPN server cannot decrypt them.

So the question is: is there any way to set up ONE IP address in the client config and redirect this client to the second server where OpenVPN actually runs?

Maybe someone has solved this problem?
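The complete port-forwarding setup described in the post, written out as an added example (this is not the poster's script and not part of OpenVPN): a small POSIX shell script for the PROXY host that enables IP forwarding, DNATs the OpenVPN port to the VPN server for both TCP and UDP, restricts MASQUERADE to the forwarded flows only, and opens the FORWARD chain for them. The interface name ens192 and port 9876 come from the post; the addresses 198.51.100.10 (PROXY) and 203.0.113.20 (VPN) are assumed documentation-range placeholders. Two caveats a practitioner will want: DNAT/MASQUERADE rewrite only IP and transport headers plus checksums, never the OpenVPN payload, so a correctly forwarded flow keeps a valid tls-crypt wrapping; and MASQUERADE makes the VPN server see every client as the PROXY address (exactly what the log lines above show), so per-client source IPs are lost on the VPN side unless the VPN server instead routes its replies back through PROXY without source NAT.

```shell
#!/bin/sh
# Added example: OpenVPN port forwarding on the PROXY host (not the poster's rules).
# All values below are placeholders; override them from the environment.
PROXY_IF="${PROXY_IF:-ens192}"          # interface on PROXY facing the clients (from the post)
PROXY_IP="${PROXY_IP:-198.51.100.10}"   # assumed public IP of PROXY (the one in the client config)
VPN_IP="${VPN_IP:-203.0.113.20}"        # assumed IP of the real OpenVPN server
PORT="${PORT:-9876}"                    # OpenVPN port (from the post)

# Emit the iptables commands needed to forward one protocol (tcp or udp).
fwd_rules() {
    proto="$1"
    # 1. On arrival, rewrite the destination so the kernel routes the packet to VPN.
    echo "iptables -t nat -A PREROUTING -i $PROXY_IF -p $proto -d $PROXY_IP --dport $PORT -j DNAT --to-destination $VPN_IP:$PORT"
    # 2. Rewrite the source only for flows going to VPN:$PORT, so VPN's replies
    #    return via PROXY. (Matching -d $VPN_IP avoids masquerading unrelated traffic.)
    echo "iptables -t nat -A POSTROUTING -p $proto -d $VPN_IP --dport $PORT -j MASQUERADE"
    # 3. Let the rewritten packets through FORWARD (required if the policy is DROP).
    echo "iptables -A FORWARD -p $proto -d $VPN_IP --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -p $proto -s $VPN_IP --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Full rule set: kernel forwarding plus both transports, since the OpenVPN
# server may be configured with "proto tcp" or "proto udp".
all_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    fwd_rules tcp
    fwd_rules udp
}

# Apply every command, stopping at the first failure.
apply_rules() {
    all_rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Usage:  sh forward.sh print   (show the rules)
#         sudo sh forward.sh apply   (install them on PROXY)
case "${1:-}" in
    print) all_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `print` first and compare the output against `iptables -t nat -S` on PROXY; the PREROUTING rule must include the interface and destination IP so that traffic PROXY itself originates is not rewritten, and the POSTROUTING rule must name the VPN address so only forwarded flows are masqueraded.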