
I have a VPS with an interface eth0 that has 2 IPs, 10.0.0.3 (default) and 10.0.0.5. The 2 IPs are mirrored to external IPs by the ISP, 1.0.0.10 and 2.0.0.20. (Google and Oracle Cloud have a similar mechanism, as far as I know.)

I only know how to NAT tun0 to eth0 with a single IP:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Now I want to NAT tun0 to eth0 (10.0.0.5), how can I do it?

1 Answer


A tun interface cannot be bridged, because it doesn't emulate any link-layer protocol. A tap interface emulates Ethernet, which can be bridged.

However, you should only use tap and a bridge when you are certain you need exactly that, because tun is better supported (it's the only type supported on Android devices, for example) and it is more efficient: it doesn't need to encapsulate link-layer headers, leaving more room for the useful data.

The tun interface will have its own address (whichever you set up in the VPN server config file). But if VPN packets are routed out via eth0, they will be translated to some address you set on eth0. Which one? Right now it is random; if you want to NAT your VPN users to the address 10.0.0.5, remove your MASQUERADE rule and add the following SNAT rule:

iptables -t nat -A POSTROUTING -s <vpn-network> -o eth0 -j SNAT --to-source 10.0.0.5

<vpn-network> is something like 10.8.0.0/24, or whatever you set it to in the server config.

Also, it seems you are confusing the term "bridge" with the term "bind".

If you want OpenVPN to receive (encrypted) packets only on 10.0.0.5 and to send them back from 10.0.0.5, you need to bind it to this address. Add to the server configuration file:

local 10.0.0.5

Or specify it on the command line: --local 10.0.0.5.

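As an added example (not code from the question or the answer above), here is a small POSIX shell script that builds the complete ruleset the answer describes: it removes the old catch-all MASQUERADE rule, adds the SNAT rule scoped to the VPN subnet, and adds the two FORWARD rules. The subnet 10.8.0.0/24, the interface names tun0/eth0 and the address 10.0.0.5 are assumptions taken from the thread and can be overridden through the environment. By default the script only prints the commands so they can be reviewed; `--apply` runs them (root required) and `--verify` shows what is actually loaded.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed values (override via environment): VPN subnet 10.8.0.0/24,
# VPN interface tun0, WAN interface eth0, chosen source address 10.0.0.5.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
SNAT_IP="${SNAT_IP:-10.0.0.5}"

# Emit the commands as text so they can be reviewed before anything touches
# the kernel. Order matters in nat/POSTROUTING: the first matching rule wins,
# so a leftover MASQUERADE rule ahead of the SNAT rule would keep translating
# VPN traffic to the interface's primary address.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# drop the catch-all MASQUERADE rule if it is still loaded (ignore "not found")
iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE 2>/dev/null || true
# SNAT only the VPN subnet to the chosen address; -C first makes this idempotent
iptables -t nat -C POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $SNAT_IP 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $SNAT_IP
# forward VPN clients out, but only packets that really carry a VPN-subnet source
iptables -C FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT 2>/dev/null || iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
# let replies back in, restricted to the eth0 -> tun0 direction
iptables -C FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Apply for real (needs root). The generated text is fed to a shell with -e,
# so the first failing iptables command aborts instead of leaving a half state.
apply_rules() {
    nat_rules | sh -e
}

# Show what the kernel actually holds. The SNAT address must exist on the WAN
# interface, otherwise return traffic for 10.0.0.5 never reaches this host.
verify_rules() {
    ip -4 addr show dev "$WAN_IF"
    iptables -t nat -S POSTROUTING
    iptables -t nat -L POSTROUTING -v -n   # counters show the SNAT rule being hit
}

case "${1:-}" in
    --apply)  apply_rules ;;
    --verify) verify_rules ;;
    *)        nat_rules ;;
esac
```

Run it once with no arguments and read the output, then `--apply`, then `--verify` and generate some traffic from a VPN client: the packet counter on the SNAT line should increase, and a remote host should see the ISP-side address that maps to 10.0.0.5. The `local 10.0.0.5` directive from the answer is independent of this: it decides which address the OpenVPN daemon itself listens and answers on, while the SNAT rule decides which address the clients' forwarded traffic leaves with.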

