I have a VPS running an OpenVPN Access Server and a Raspberry Pi running an OpenVPN Client. The client is connected to the server, and I would like to access the client via SSH through the server. Thus, I forward port 667 on the server to port 22 on the client with the following two rules:
sudo iptables -t nat -I PREROUTING 1 -d {WAN-IP} -p tcp --dport 667 -j DNAT --to-dest 172.27.200.2:22
sudo iptables -t nat -I POSTROUTING 1 -d 172.27.200.2 -p tcp --dport 667 -j SNAT --to-source {WAN-IP}
However, the connection attempt hangs. tcpdump shows that the [S] packets are coming in from the source initiating the connection, but there is no response on the end of the server – not even a "connection refused". I also cannot ping the server's VPN-IP from the client. Clearing the server's existing iptables rules and then applying the new ones fixes this, but breaks the functionality of the VPN, rendering the client unable to access the internet.
These are the iptables rules which cause the connection to hang. What would be the way to fix this without breaking the functionality of the VPN?
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere {WAN-IP} tcp dpt:667 to:172.27.200.2:22
AS0_NAT_PRE_REL_EST all -- anywhere anywhere state RELATED,ESTABLISHED
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 172.27.200.2 tcp dpt:667 to:172.27.232.1
AS0_NAT_POST_REL_EST all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_NAT_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
Chain AS0_NAT (3 references)
target prot opt source destination
SNAT all -- anywhere anywhere to:{WAN-IP}
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_POST_REL_EST (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_PRE (1 references)
target prot opt source destination
AS0_NAT all -- anywhere anywhere mark match 0x8000000/0x8000000
AS0_NAT_TEST all -- anywhere 169.254.0.0/16
AS0_NAT_TEST all -- anywhere 192.168.0.0/16
AS0_NAT_TEST all -- anywhere 172.16.0.0/12
AS0_NAT_TEST all -- anywhere 10.0.0.0/8
AS0_NAT all -- anywhere anywhere
Chain AS0_NAT_PRE_REL_EST (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_TEST (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere mark match 0x4000000/0x4000000
ACCEPT all -- anywhere 172.27.200.0/24
ACCEPT all -- anywhere 172.27.224.0/20
AS0_NAT all -- anywhere anywhere
KEY: VPS WAN-IP = {WAN-IP}, VPS VPN-IP = 172.27.232.1, Client VPN-IP = 172.27.200.2
EDIT: Here are the results of iptables-save.
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*mangle
:PREROUTING ACCEPT [3503:176762]
:INPUT ACCEPT [9309:2594148]
:FORWARD ACCEPT [16:920]
:OUTPUT ACCEPT [8990:4483087]
:POSTROUTING ACCEPT [8994:4483331]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*filter
:INPUT ACCEPT [3179:157338]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [8988:4482919]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 172.27.200.2/32 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*nat
:PREROUTING ACCEPT [3273:165446]
:INPUT ACCEPT [3268:165034]
:OUTPUT ACCEPT [224:15606]
:POSTROUTING ACCEPT [225:15658]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -d {WAN-IP}/32 -p tcp -m tcp --dport 667 -j DNAT --to-destination 172.27.200.2:22
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -d 172.27.200.2/32 -p tcp -m tcp --dport 667 -j SNAT --to-source {WAN-IP}
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o ens3 -j SNAT --to-source {WAN-IP}
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.200.0/24 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
EDIT2: I got it to work using the three rules indicated in this post on a completely reset, unmodified server instance: https://unix.stackexchange.com/questions/449853/port-forwarding-using-openvpn-client
Comments on the question (only fragments survived extraction):
... iptables-save ... instead.
... 172.27.232.1 on the server instead of 172.27.200.1? Does the default route of the server lead to the VPN tunnel (i.e. "redirect-gateway" or equivalent)?
... --dport 22 and --to-source {VPS VPN-IP} instead.
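An added example, not code from the original post or from OpenVPN Access Server: a small Python checker that parses the two nat rules from the question and flags one defect visible in them as posted. By the time a packet reaches POSTROUTING, the PREROUTING DNAT has already rewritten its destination port to 22, so an SNAT rule keyed on --dport 667 can never match and the client's replies are not steered back through the VPS. The WAN address 203.0.113.10 is a constructed stand-in for the redacted {WAN-IP}; using the VPS's VPN-side address 172.27.232.1 as the SNAT source follows the comment suggestion above.

```python
"""Check that a PREROUTING DNAT / POSTROUTING SNAT pair is consistent."""
import shlex

# Constructed excerpt modelled on the question's nat table; 203.0.113.10
# stands in for the redacted {WAN-IP} placeholder.
NAT_RULES = """
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 667 -j DNAT --to-destination 172.27.200.2:22
-A POSTROUTING -d 172.27.200.2/32 -p tcp -m tcp --dport 667 -j SNAT --to-source 203.0.113.10
"""

WANTED = ("-d", "--dport", "-j", "--to-destination", "--to-source")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we care about."""
    toks = shlex.split(line)
    rule = {"chain": toks[1]}
    for i, tok in enumerate(toks):
        if tok in WANTED:
            rule[tok] = toks[i + 1]
    return rule


def parse_nat_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]


def find_snat_port_mismatch(rules):
    """Return (snat_dport, post_dnat_port) for every POSTROUTING SNAT that
    targets a DNAT'd host but still matches the original, pre-DNAT port."""
    findings = []
    for d in rules:
        if d["chain"] != "PREROUTING" or d.get("-j") != "DNAT":
            continue
        host, _, new_port = d["--to-destination"].rpartition(":")
        for s in rules:
            if s["chain"] != "POSTROUTING" or s.get("-j") != "SNAT":
                continue
            if s.get("-d", "").split("/")[0] != host:
                continue
            if "--dport" in s and s["--dport"] != new_port:
                findings.append((s["--dport"], new_port))
    return findings


def corrected_snat_rule(snat, new_port, source):
    """Rewrite the SNAT to match the post-DNAT port and use the given source
    (the VPS's VPN-side address, so the client answers back over the tunnel)."""
    return (f"-A POSTROUTING -d {snat['-d']} -p tcp -m tcp --dport {new_port} "
            f"-j SNAT --to-source {source}")
```

The checker only reads the nat table; it does not trace the filter table, where the FORWARD hook's -o as0t+ path above ends in AS0_OUT_POST -j DROP and so also applies to the forwarded SYN.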