
I am trying to set up my openvpn network but I have a problem.

My LAN configuration is as follows:

  • main router Zyxel 192.168.1.1 acting as gateway (vdsl connection) and access point;
  • openwrt router TD-W8970 192.168.1.2 acting as access point and vpn server (10.212.79.1)

What I want to do is to create a VPN network whose clients send Internet requests only through my LAN gateway (192.168.1.1); in other words, I want the clients' public IP shown on the Internet to be that of my LAN gateway (192.168.1.1) and not the one assigned to them by their ISP.

Below is my openvpn configuration.

server.conf

user nobody
group nogroup
dev tun
port 1194
proto udp
server 10.212.79.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
verb 3
push "persist-tun"
push "persist-key"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem
tls-auth /etc/easy-rsa/pki/ta.key 0

client.conf

dev tun
proto udp
remote myserver_xyz.com 1194 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

The openvpn network is established correctly and the client 10.212.79.2 is able to ping the vpn server 10.212.79.1 and browse the Internet.

The problem is that the public client IP shown on Internet is the one assigned by its ISP and not the one of the LAN gateway (192.168.1.1) where the vpn server (192.168.1.2 / 10.212.79.1) is located.

I tried to perform some changes in server configuration but with no success.

I also tried to put push "redirect-gateway def1" or push "redirect-gateway autolocal", but in those cases the client stopped browsing the Internet at all.

If it is not an openvpn issue, is it an issue related to the correct configuration of IPTABLES?

Can you please help me?

Thanks in advance :)

1 Answer


It is difficult to answer without the whole picture. Does the openwrt (server) router have a public IP address directly bound to it?

I see one issue with your configuration: the 192.168.1.0/24 address range is shared by 2 different networks. Then when the server sees a 193.168.1.3 IP address, it can't route it adequately. I am a bit puzzled by the push "route…" for this reason.

One way to resolve this may be, on the client side: iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE. This will make all packets from the client network seen by the server as a 10.212.79.0/24 address. Note also that forwarding should be enabled. This masquerading could be avoided with a, let's say, 192.168.2.0/24 range somewhere.

10.212.79.0/24 addresses are not public, so you will need another masquerading, but I guess you have already set up one for the Wifi PC connected directly to your server router and access point.

One of your redirect-gateway options will be needed on the client side (or pushed from the server).

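The two points above, the overlapping 192.168.1.0/24 ranges and the masquerading the server needs once clients are told to send everything through the tunnel, can be checked mechanically. The script below is an added example, not code from the question or the answer: it parses a constructed server.conf in the same shape as the one posted, tests the VPN subnet, the server LAN and the client LAN for overlap, and, when the config pushes redirect-gateway, prints the forwarding and POSTROUTING rules the OpenWrt box would need so that tunnel traffic leaves through 192.168.1.2 and the Zyxel gateway. The LAN interface name br-lan and the client LAN range are assumptions; the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example (not from the question or answer). Interface name and client
# LAN range below are assumptions, not values taken from the page.

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask (255.255.255.0) -> prefix length (24) by counting set bits
mask_to_len() {
    local m n
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Return 0 (true) if two CIDR ranges share any address, 1 otherwise.
# Two ranges overlap exactly when they agree on the shorter prefix of the two.
cidr_overlap() {
    local n1 l1 n2 l2 l mask
    n1=$(ip_to_int "${1%/*}"); l1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); l2=${2#*/}
    if [ "$l1" -lt "$l2" ]; then l=$l1; else l=$l2; fi
    if [ "$l" -eq 0 ]; then mask=0; else mask=$(( (0xffffffff << (32 - l)) & 0xffffffff )); fi
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Read the "server <net> <mask>" line of an OpenVPN server config as <net>/<len>
vpn_subnet_from_conf() {
    awk '/^[ \t]*server[ \t]/ { print $2, $3; exit }' "$1" | {
        read -r net mask
        [ -n "$net" ] || return 1
        echo "$net/$(mask_to_len "$mask")"
    }
}

# Does the config push a default route (redirect-gateway) to clients?
conf_pushes_redirect_gateway() {
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$1"
}

# Rules the server side needs once clients route everything into the tunnel:
# forward tun0 <-> LAN and source-NAT tunnel traffic to the server's LAN address,
# so replies come back to the OpenVPN box and the LAN gateway sees one local host.
nat_rules() {
    local vpn_cidr lan_if
    vpn_cidr=$1; lan_if=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $lan_if -s $vpn_cidr -j ACCEPT
iptables -A FORWARD -i $lan_if -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_cidr -o $lan_if -j MASQUERADE
EOF
}

# Constructed sample config mirroring the posted server.conf (keys omitted)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
dev tun
server 10.212.79.0 255.255.255.0
topology subnet
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
EOF

SERVER_LAN=192.168.1.0/24   # from the question
CLIENT_LAN=192.168.1.0/24   # assumption: the client's own LAN uses the same range
LAN_IF=br-lan               # assumption: OpenWrt LAN bridge name

VPN=$(vpn_subnet_from_conf "$SAMPLE_CONF")
echo "VPN subnet: $VPN"
for pair in "$VPN $SERVER_LAN" "$VPN $CLIENT_LAN" "$SERVER_LAN $CLIENT_LAN"; do
    set -- $pair
    if cidr_overlap "$1" "$2"; then echo "OVERLAP: $1 and $2"; else echo "ok: $1 vs $2"; fi
done
if conf_pushes_redirect_gateway "$SAMPLE_CONF"; then
    echo "config pushes a default route; the server side needs:"
    nat_rules "$VPN" "$LAN_IF"
fi
rm -f "$SAMPLE_CONF"
```

With the ranges from the question the script reports the server LAN and client LAN as overlapping, which is the routing ambiguity the answer describes; renumbering one side (for example to 192.168.2.0/24) makes that line read ok. The printed rules are the server-side counterpart of the client-side MASQUERADE in the answer: without forwarding and a POSTROUTING rule on the OpenWrt box, pushing redirect-gateway def1 sends all client traffic into a tunnel whose packets the LAN gateway never answers, which matches the loss of connectivity the question reports.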
