
Here's the basic setup of what I'm trying to do:

Client (any machine) ---> VPN Client (Raspberry Pi) ---> OpenVPN Server ---> Internet

The VPN Client (Rpi) may be using an untrusted network, but in this case, I'd like to forward all traffic from the internet on port 4443 back to the client so the client responds.

I have everything else working properly - the client connects to the Pi and successfully appears to be part of the VPN I've created, but I can't figure out the return path by any means.

Thanks!

2 Answers

I am missing some information to be able to answer your question specifically, but I will try to sort out some things to help you further.

[...] I'd like to forward all traffic from the internet on port 4443 back to the client so the client responds.

You cannot forward other data to a port that does not have a suitable service for the data.

VPN works by creating a virtual network, which includes virtual network interfaces. For the virtual network interface to work, a VPN software must be running (client or server). When the VPN software receives data/packets from the virtual network interface, the data is repackaged and traditionally encrypted and then transferred by the physical network, and vice versa when data is received.

VPN works by creating a virtual network; the physical Ethernet is the WAN interface.

Due to VPN characteristics you get two networks: a physical one and a virtual one, each with its own IP address. With these networks you can do all the common things you can do with a network.

Client (any machine) ---> VPN Client (Raspberry Pi) ---> OpenVPN Server ---> Internet

VPN: the Physical Ethernet 0 is the WAN interface. The Physical Ethernet 1 is used to connect to the Client (machine).

I assume you are using an Ethernet cable to connect the Client (machine) to the VPN Client (Raspberry Pi), and that you have iptables on the Raspberry Pi...

To set up NAT forwarding between the two networks, Physical Ethernet 1 and Virtual Ethernet, I assume that Physical Ethernet 1 has the name eth0 and the Virtual Ethernet has the name tun0.

# Set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# NAT (the MASQUERADE target lives in the nat table, so -t nat is required)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE # Enable NAT

# Forwarding
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT # Allow forwarding from client to vpn
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT # Allow forwarding from client to client
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow forwarding from vpn to client, for already established connections

See also: How to configure a simple router with iptables in Ubuntu

I do not know which OS you use on the machine with the VPN server. I can therefore not go into detail on how to NAT forward...
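As an added example (not code from the question or either answer), here is a complete Pi-side rule set for the setup described: the answer's masquerading rules plus the missing return path, a DNAT that hands new TCP connections for port 4443 arriving over the tunnel to the client, while leaving every other inbound tunnel connection blocked by the FORWARD DROP policy. It assumes the interface names eth0 and tun0, a constructed client address of 192.168.2.10, and that the OpenVPN server itself forwards Internet port 4443 to the Pi's tunnel address (the same DNAT pattern on that side), since nothing can reach tun0 otherwise.

```shell
#!/bin/sh
# Pi-side firewall/NAT for: Client (LAN) -> Pi -> tun0 -> OpenVPN server.
# All values below are assumptions for this example; adjust to your network.
LAN_IF="${LAN_IF:-eth0}"                 # assumed: interface facing the client
VPN_IF="${VPN_IF:-tun0}"                 # assumed: OpenVPN tunnel interface
CLIENT_IP="${CLIENT_IP:-192.168.2.10}"   # constructed: the client's LAN address
PORT="${PORT:-4443}"                     # the service port to hand back to the client
# Set IPT="echo iptables" to print the rules (dry run) instead of applying them.
IPT="${IPT:-iptables}"

pi_rules() {
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP                 # default deny; only the rules below pass

    # Outbound: client -> tunnel, source-NATed to the Pi's tunnel address.
    # MASQUERADE lives in the nat table, hence -t nat.
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    # Replies for connections the client opened may come back through.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Return path: NEW TCP connections to $PORT that arrive over the tunnel are
    # rewritten to the client and allowed through. Nothing else from tun0 is.
    $IPT -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$PORT" -j DNAT --to-destination "$CLIENT_IP:$PORT"
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -p tcp -d "$CLIENT_IP" --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Sanity check for dry-run mode: how many rules name the forwarded port
# (expected: the DNAT rule and its matching FORWARD accept, i.e. 2).
count_port_rules() {
    pi_rules | grep -c -- "--dport $PORT"
}

if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # routing between eth0 and tun0 is off by default
    pi_rules
fi
```

Run it with `apply` as root to install the rules, or with `IPT="echo iptables"` to inspect what would be installed; note that the client's own firewall must also accept connections on the port from the Pi's LAN address.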


I actually figured it out!

I wrote an entire post on how to do this - https://virtualprivatepi.com/diy/
