Fortunately I have found the answer in this ServerFault question.
Some configuration I took from this DigitalOcean tutorial.
Having port forwarding enabled in sysctl
I still needed to add some iptables
rules added to /etc/ufw/before.rules
, it looks something like this:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100
-A PREROUTING -i eth0 -p udp -m udp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
.
.
.
.
.
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# START OPENVPN RULES
-A FORWARD -d [Client-1's vpn address]/32 -p tcp -m tcp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d [Client-1's vpn address]/32 -p udp -m udp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END OPENVPN RULES
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
With the sysctl
port forwarding enabled and the ip specific port forwarding iptables
rules, now the 50100 port is open and forwarded to Client-1's port.