So what I have right now:
- A working VPN server that clients can connect to, running under Ubuntu 22.04
- Enabled ip_forward on the server

What I don't have is clients being able to access the Internet using NAT on the VPN server. In other words, if I use the redirect-gateway option, the clients can access resources inside the private network but have no Internet access otherwise.
Here is the network configuration (replaced two first octets):
root:~# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.42.0.1 netmask 255.255.255.0 destination 10.42.0.1
inet6 fe80::dd0b:2f12:6907:258d prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 127.0.0.1 netmask 255.255.255.255 broadcast 0.0.0.0 destination 127.0.0.1
inet6 ::2 prefixlen 128 scopeid 0x80<compat,global>
inet6 2a02:7b40:6deb:474e::1 prefixlen 128 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 555.777.71.78 netmask 255.255.255.255 broadcast 555.777.71.78 destination 555.777.71.78
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
venet0:1: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 666.777.71.78 netmask 255.0.0.0 broadcast 666.255.255.255 destination 666.777.71.78
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
Now I'm trying to set up iptables rules for NAT based on what I've found on the Web. My current iptables setup is as it was when I got the VPS:
root:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root:~# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
I've tried:
-A POSTROUTING -s 10.42.0.0/24 -o venet0 -j SNAT --to-source 555.777.71.78
I've also tried this ruleset:
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s 10.42.0.0/24 -o venet0 -j MASQUERADE
Neither seems to have an effect. If I understand correctly, rules should have an effect immediately after being added, but will not persist after reboot unless saved explicitly. So is there an up-to-date tutorial covering this particular case, or if not, where should I start reading to figure this one out?
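Added example, not from the original question: a minimal forward-and-NAT ruleset for exactly this layout (tun0 carrying 10.42.0.0/24, egress via venet0), using the interface names and the masked address from the question. The `run` wrapper, the `DRY_RUN` switch and the function names are mine; `DRY_RUN=1` prints the commands so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the original question). Interfaces and subnet are the
# ones shown in the question; 555.777.71.78 is the question's masked public
# address and must be replaced with the real one. DRY_RUN=1 prints instead of running.
VPN_NET=10.42.0.0/24
VPN_IF=tun0
WAN_IF=venet0
WAN_IP=555.777.71.78

run() {
  # Print or execute, so the resulting ruleset can be checked before it is applied.
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_vpn_nat() {
  # Live forwarding flag; persist it separately in /etc/sysctl.d/*.conf.
  run sysctl -w net.ipv4.ip_forward=1
  # Start from empty chains. Safe here: the question shows both chains hold only policies.
  run iptables -F FORWARD
  run iptables -t nat -F POSTROUTING
  # Only the VPN subnet may be forwarded out, and only towards the WAN interface.
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
  # Replies are let back in only when conntrack already saw the outbound flow.
  run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Anything else transiting the box is dropped (default-deny instead of policy ACCEPT).
  run iptables -A FORWARD -j DROP
  # SNAT pins the source address explicitly, which is useful when the egress interface
  # carries several addresses (venet0:0, venet0:1 here); MASQUERADE leaves that to the kernel.
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

check_vpn_nat() {
  # Packet counters should climb while a client pings 8.8.8.8: a FORWARD rule stuck
  # at 0 means packets never arrive from tun0, a SNAT rule at 0 means they are
  # dropped before reaching NAT.
  iptables -L FORWARD -v -n
  iptables -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
  apply) apply_vpn_nat ;;
  check) check_vpn_nat ;;
esac
# Once it works, persist: apt install iptables-persistent && netfilter-persistent save
```

Run `sh nat.sh apply` once as root, then `sh nat.sh check` while a client generates traffic to see which rule the packets reach.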
push dhcp-option DNS 1.1.1.2, push dhcp-option DNS 1.0.0.2, and push dhcp-option NTP 129.6.15.30 (can be specified in the client config by removing push, however it's cleaner to have the server config push as many settings as possible)

push "dhcp-option DNS 10.42.0.1" as I have a DNS server set up on the same host as the VPN server, and it's listening and responding on that interface. But why would it matter? When I do tracert -d 8.8.8.8 on a Windows client I'm testing with, the first hop is 10.42.0.1 as expected (so client routes are set up correctly), but then it fails. I take it that it's a routing misconfiguration of the server machine.

iptables rules don't allow routing traffic like that by default from VPN server interface → LAN interface → WAN interface. It can be manually configured to do so, but it's usually not the default way external WAN-side traffic is routed from the VPN, because it's more efficient to route external WAN traffic from the VPN server interface directly to WAN versus pushing it through LAN first, which can also have security concerns depending on usage.