How I can forward port throught OpenVPN correctly?

Question

I'm trying to forward a port through OpenVPN (with Ethernet Bridging) but I can't.

Below is a "simple" network diagram. A server contains 2 virtual machines, the principal server is connected with OpenVPN to another server. I need forward a port from 10.10.10.2 (a Virtual Machine) to public IP of the external server with IP 10.10.10.11 (see diagram).

The bridge vmbr0 is including a three interfaces: tap0, eth0 (public IP) and vlan1 (10.10.10.0/24).

The rule I used in 10.10.10.11 server is

iptables -t nat -D PREROUTING -p tcp -d [public ip here] --dport 80 -j DNAT --to-destination 10.10.10.2:80

In the image below you can see that packets "enter" but not "exit" through the interface tap0.

This is a dump of tap0 interface:

The packets are entering correctly from tap0, but packets are routed to vmbr0 and never get to tap0.

How can I resolve this problem?

Answer 1

Bridges essentially turn a number of NICs into a virtual switch.

If you want devices to talk across a bridge, they need to be on the same subnet, as they would on a real switch. If they are not on the same subnet, you need a router, not a switch or bridge.

So bridging your public IP eth0 and tap0 or vlan1 NICs won't work unless you have 2 public IPs from your ISP - allowing you to put both of them on the same subnet.

You can put both your virtual machines on a bridge - and they can talk since they'll be on the same subnet.

Your system then needs to route and do NAT, using eth0 as the "WAN" NIC and vmbr0 as the "LAN" NIC. Any guide you find on doing iptables with NAT can be used, just substitute vmbr0 for eth1 or the LAN-facing NIC.