I would like to use my Linux workstation as a VPN gateway for my local network. The same workstation is also used as a web server. When I connect the workstation to the VPN it is no longer possible to reach this web server from an outside network.
My setup is as follows:
ISP router - IP 192.168.0.1 (default gateway, port mapping enabled to use a non-standard public port)
Linux workstation - fixed IP 192.168.0.20 (DHCP server, as my router does not allow changing the gateway address; OpenVPN, Apache, DNS server)
Output of "ip route show":
0.0.0.0/1 via 10.8.3.1 dev tun0
default via 192.168.0.1 dev eth0 src 192.168.0.20 metric 202
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.12
37.120.143.221 via 192.168.0.1 dev eth0 (VPN external IP)
128.0.0.0/1 via 10.8.3.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 metric 202
Configuration as follows:
net.ipv4.ip_forward = 1
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
One thing I notice is that when the VPN is enabled on the workstation, my ISP router does not list the correct local IP address for my Linux workstation in the list of connected clients. Sometimes it is correct, but sometimes it just looks like a random IP.
If I add the following route: EXTERNAL_IP via 192.168.0.1 dev eth0 (where EXTERNAL_IP is the WAN IP), then I can reach the web server on the local network, but still not from another network.
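An added example, not part of the original question, showing one common way to keep replies to the port-forwarded connections on eth0 off the tunnel: connection marking plus a separate policy-routing table. It uses the addresses and interfaces from the post; the table number 100, the mark 0x1, the rp_filter change and the "apply" argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Replies to connections that the ISP
# router forwards to eth0 must leave via 192.168.0.1 on eth0; without this they follow
# the 0.0.0.0/1 and 128.0.0.0/1 routes into tun0 and never reach the client.
# Table 100, mark 0x1 and the rp_filter setting are assumptions, not from the post.
LAN_IF=eth0
LAN_GW=192.168.0.1
LAN_IP=192.168.0.20
TABLE=100
MARK=0x1

# run prints the command when DRY_RUN=1, otherwise executes it (needs root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_policy_routing installs the routing table, the rule that selects it, and the
# marking rules. In dry-run mode it prints one command per line instead.
apply_policy_routing() {
    # Marked packets are routed by a table whose default route is the ISP router only.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" src "$LAN_IP" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000

    # Only the services the INPUT chain already exposes (22 and 80) are marked, so all
    # other traffic keeps using the VPN. The mark is stored on the conntrack entry...
    for port in 22 80; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    done
    # ...and copied back onto each locally generated reply packet, after which the
    # kernel re-evaluates the route and picks table 100.
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark

    # Strict reverse-path filtering (1) would drop the inbound packets on eth0, because
    # the main table routes the public source back via tun0; loose mode (2) accepts them.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# Usage: DRY_RUN=1 sh policy-route.sh apply (preview) or sudo sh policy-route.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_policy_routing
fi
```

The FORWARD rules and the MASQUERADE on tun0 from the post are untouched, so LAN clients still go out through the VPN; only replies from the marked local services take the eth0 path.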