
Scenario:

  • Server on the internet has OpenVPN server running.
  • Client-1 at home has an app running on port 5000 (UDP and TCP), connecting to Server on its OpenVPN (the app binds to 0.0.0.0).
  • Client-2 at work wants to connect to Client-1's app through the internet, without connecting to the same OpenVPN network.
  • Both Clients are using Windows and Server uses Linux (Ubuntu).

Client-1 <===TUN0===> SERVER <===ETH0===> Client-2

Question:

How can I configure OpenVPN to forward incoming connection requests arriving at its eth0 interface's port 5000 to port 5000 on Client-1's tun0 interface, so Client-1's app can serve content back to Client-2 over both UDP and TCP?

  • This is the OpenVPN Howto, with the solution of your problem, openvpn.net/index.php/open-source/documentation/… Commented Jun 15, 2015 at 11:20
  • Sorry @MariusMatutiae, that is not about what I have described. Think of the scenario where you have a dumb router that cannot do port forwarding and you cannot reach Client-1's port from Client-2. Then you would grab a VM out there, set up OpenVPN to connect the clients and also do the port forwarding for Client-1's specific port.
    – Ikon
    Commented Jun 15, 2015 at 11:33

1 Answer


Fortunately I have found the answer in this ServerFault question.

Some configuration I took from this DigitalOcean tutorial.

With port forwarding enabled in sysctl, I still needed to add some iptables rules to /etc/ufw/before.rules; it looks something like this:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#


# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Rewrite the destination of anything arriving on eth0 for port 50100 to
# Client-1's tun0 address. The client must keep a fixed VPN address (for
# example pinned with ifconfig-push in a client-config-dir file) or the
# rule silently points at the wrong peer after a reconnect.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100
-A PREROUTING -i eth0 -p udp -m udp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100

# Allow traffic from OpenVPN clients out through eth0. The mask must match
# the VPN subnet: /24 is the default "server 10.8.0.0 255.255.255.0". The
# 10.8.0.0/8 in the original answer would masquerade all of 10.0.0.0/8.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
# ... (rest of the stock filter section unchanged)
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT


# START OPENVPN RULES
# Accept the DNATed connections on their way to Client-1. The file header asks
# for custom rules to go in ufw-before-forward; the original answer appended
# them to FORWARD directly, which also works but runs after ufw's own chains.
-A ufw-before-forward -d [Client-1's vpn address]/32 -p tcp -m tcp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -d [Client-1's vpn address]/32 -p udp -m udp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END OPENVPN RULES


# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

With sysctl port forwarding enabled and the IP-specific port forwarding iptables rules, port 50100 is now open and forwarded to Client-1's port.

  • I have the same setup running OpenVPN on Debian, following DO's tutorial. But I am still not able to forward the port using your method above.
    – braincomb
    Commented Apr 20, 2017 at 4:29
  • To extend the accepted answer, you may need to add an enable to your server.conf file: push "redirect-gateway def1 bypass-dhcp"
    – 6rak0
    Commented Apr 25, 2017 at 16:28
  • But does this forward through the VPN?
    – ki9
    Commented Jul 30, 2018 at 20:01
  • @Ikon, please tell me what address 10.8.0.0 is there -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
    – Vas Mil
    Commented Oct 6, 2018 at 17:32
  • @VasyaMilovidov If I remember correctly, that is the address range of the OpenVPN network used. It should match your network in your setup.
    – Ikon
    Commented Oct 6, 2018 at 20:59
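The script below is an added example, not code from the answer or from any of the commenters. It generates the same DNAT plus MASQUERADE set-up as the answer, as a complete iptables-restore fragment in the layout /etc/ufw/before.rules uses, and adds the two things the comment thread stumbles over: the MASQUERADE mask is the VPN subnet (/24, not /8), and the forwarded packets are SNATed to the server's tun0 address so Client-1's replies come back through the tunnel even when Client-1 is not pushed "redirect-gateway". Everything concrete in it is an assumption: the OpenVPN subnet is 10.8.0.0/24 (the Howto's default "server 10.8.0.0 255.255.255.0"), the server's tun0 address is 10.8.0.1, Client-1 is pinned to 10.8.0.6, and the port is 5000 as in the question. All of these can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the original answer's code): generate, and optionally
# apply, the NAT and filter rules that forward eth0:PORT to Client-1 over tun0.
# Assumed values, override via environment:
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # assumed OpenVPN subnet ("server 10.8.0.0 255.255.255.0")
VPN_GW="${VPN_GW:-10.8.0.1}"        # assumed server-side tun0 address
CLIENT="${CLIENT:-10.8.0.6}"        # assumed Client-1 address, pinned with ifconfig-push
PORT="${PORT:-5000}"                # port from the question
# SNAT_REPLIES=1 rewrites the source of forwarded packets to the server's tun0
# address. Without it Client-1 sees Client-2's public IP and answers over its
# own home default route instead of the tunnel, so TCP never completes unless
# the client is pushed "redirect-gateway". The price: Client-1's app logs
# $VPN_GW for every remote peer instead of the real client address.
SNAT_REPLIES="${SNAT_REPLIES:-1}"

nat_rules() {
    for proto in tcp udp; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p $proto --dport $PORT -j DNAT --to-destination $CLIENT:$PORT"
    done
    if [ "$SNAT_REPLIES" = 1 ]; then
        for proto in tcp udp; do
            printf '%s\n' "-A POSTROUTING -o $VPN_IF -p $proto -d $CLIENT --dport $PORT -j SNAT --to-source $VPN_GW"
        done
    fi
    # VPN clients reach the internet through the server; mask = VPN subnet.
    printf '%s\n' "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

filter_rules() {
    # Only the published port is forwarded toward Client-1; anything else that
    # arrives on eth0 for the VPN subnet stays blocked by ufw's FORWARD policy.
    for proto in tcp udp; do
        printf '%s\n' "-A ufw-before-forward -i $WAN_IF -o $VPN_IF -p $proto -d $CLIENT --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Replies from Client-1 back toward the internet.
    printf '%s\n' "-A ufw-before-forward -i $VPN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Complete iptables-restore fragment, same *nat / *filter layout as before.rules.
render() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    nat_rules
    printf '%s\n' 'COMMIT' '*filter'
    filter_rules
    printf '%s\n' 'COMMIT'
}

# Sanity check on the generator: rules that name the forwarded port. Expected
# 6 with SNAT_REPLIES=1 (2 DNAT, 2 SNAT, 2 forward-accept), 4 without SNAT.
port_rule_count() {
    render | grep -c -e "--dport $PORT"
}

main() {
    case "${1:-}" in
        --apply)
            # Live test only. For persistence paste render's output into
            # /etc/ufw/before.rules (the *nat block ahead of *filter), set
            # net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf and run ufw reload.
            # Requires ufw to be enabled so the ufw-before-forward chain exists.
            sysctl -w net.ipv4.ip_forward=1 >/dev/null
            render | iptables-restore -n    # -n keeps ufw's existing chains and rules
            ;;
        *) render ;;
    esac
}

main "$@"
```

Run it without arguments to review the rules, `sh forward.sh --apply` as root to load them for a live test. To confirm the path end to end, watch the counters with `iptables -t nat -nvL PREROUTING` while Client-2 connects, and run `tcpdump -ni tun0 port 5000` on the server: with SNAT_REPLIES=1 both the request and Client-1's reply appear on tun0; without it, only the request does unless Client-1 routes its default gateway through the VPN. Keep in mind that the DNAT publishes Client-1's app on the server's public address, so expose exactly the one port and nothing wider.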
