
So what I have right now:

  • A working VPN server running under Ubuntu 22.04 that clients can connect to
  • ip_forward enabled on the server

What I don't have is clients being able to access the Internet using NAT on the VPN server. In other words, if I use the redirect-gateway option, the clients can access resources inside the private network, but have no Internet access otherwise.

Here is the network configuration (first two octets replaced):

root:~# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.42.0.1  netmask 255.255.255.0  destination 10.42.0.1
        inet6 fe80::dd0b:2f12:6907:258d  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)

venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.1  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.1
        inet6 ::2  prefixlen 128  scopeid 0x80<compat,global>
        inet6 2a02:7b40:6deb:474e::1  prefixlen 128  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)

venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 555.777.71.78  netmask 255.255.255.255  broadcast 555.777.71.78  destination 555.777.71.78
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)

venet0:1: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 666.777.71.78  netmask 255.0.0.0  broadcast 666.255.255.255  destination 666.777.71.78
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)

Now, I'm trying to set up iptables rules for NAT based on what I've found on the Web. My current iptables setup is as it was when I got the VPS:

root:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

root:~# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

I've tried: -A POSTROUTING -s 10.42.0.0/24 -o venet0 -j SNAT --to-source 555.777.71.78

I've also tried this ruleset:

-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s 10.42.0.0/24 -o venet0 -j MASQUERADE

Neither seems to have an effect. If I understand correctly, rules should have an effect immediately after being added, but will not persist after reboot unless saved explicitly. So is there an up-to-date tutorial covering this particular case, or if not, where should I start reading to figure this one out?

  • Are DNS and NTP settings configured in the VPN server config via push dhcp-option DNS 1.1.1.2, push dhcp-option DNS 1.0.0.2, and push dhcp-option NTP 129.6.15.30? (They can be specified in the client config by removing push; however, it's cleaner to have the server config push as many settings as possible.)
    – JW0914
    Commented Nov 29, 2023 at 18:38
  • @JW0914 I do have push "dhcp-option DNS 10.42.0.1", as I have a DNS server set up on the same host as the VPN server, and it's listening and responding on that interface. But why would it matter? When I do tracert -d 8.8.8.8 on a Windows client I'm testing with, the first hop is 10.42.0.1 as expected (so client routes are set up correctly), but then it fails. I take it that it's a routing misconfiguration of the server machine.
    – Vindicar
    Commented Nov 30, 2023 at 15:17
  • You normally need to specify an external DNS for Internet access, as the internal one is only for resolving internal LAN traffic between the VPN and LAN interfaces, whereas the external DNS is for resolving VPN to WAN traffic.
    – JW0914
    Commented Nov 30, 2023 at 18:45
  • @JW0914 Sorry, what? DNS is only needed to transform human-readable domain names into IP addresses, it has nothing to do with routing. =\
    – Vindicar
    Commented Nov 30, 2023 at 20:23
  • Normally, if OpenVPN is configured on a router and external DNS servers aren't specified in the VPN server config, Internet access won't work, as the iptables rules don't allow routing traffic like that by default from VPN server interface → LAN interface → WAN interface. It can be manually configured to do so, but it's usually not the default way external WAN side traffic is routed from the VPN, because it's more efficient to route external WAN traffic from the VPN server interface directly to WAN, versus pushing it through LAN first, which can also have security concerns depending on usage.
    – JW0914
    Commented Dec 1, 2023 at 11:50

1 Answer


Okay, so two things helped me out. First, I switched to legacy iptables:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Maybe it's not the smartest idea, but there must be some difference in behaviour that I'm not equipped to figure out.

Then I used the following rules:

iptables --table nat --append POSTROUTING --out-interface venet0 -j MASQUERADE
iptables --append FORWARD --in-interface venet0 --out-interface tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --append FORWARD --in-interface tun0 --out-interface venet0 -j ACCEPT

That worked.
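A rerunnable version of the rules from the question and the answer, as an added example that is not the poster's own script: it checks before appending so it can be run repeatedly without duplicating rules, limits the MASQUERADE rule to the VPN subnet, and reports which iptables backend (nf_tables or legacy) is in use, since rules added through one backend are not listed by the other. Interface names and the subnet (tun0, venet0, 10.42.0.0/24) come from the question; the script name and environment variables are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): idempotent, subnet-restricted
# NAT/forwarding rules for an OpenVPN server.
# tun0, venet0 and 10.42.0.0/24 come from the question; the rest is assumed.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.42.0.0/24}
WAN_IF=${WAN_IF:-venet0}

# Rule bodies, one per line: "<table> <chain> <match/target ...>".
# Emitting them once lets the same text feed both -C (check) and -A (append).
# The MASQUERADE rule is limited to the VPN subnet, unlike the answer's,
# so other forwarded sources are not silently NATed through the uplink.
rules() {
    cat <<EOF
filter FORWARD -i $VPN_IF -s $VPN_NET -o $WAN_IF -j ACCEPT
filter FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Parse "iptables v1.8.7 (nf_tables)" or "... (legacy)" into the backend name.
# Ubuntu 22.04 defaults to the nf_tables backend; iptables-legacy -S does not
# show nf_tables rules and vice versa, so mixing them looks like "no effect".
backend() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# Append each rule only when -C reports it absent, so reruns add nothing.
apply_rules() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || {
        echo "net.ipv4.ip_forward is not 1" >&2; return 1; }
    echo "iptables backend: $(backend "$(iptables -V)")"
    rules | while read -r table rest; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        iptables -t "$table" -C $rest 2>/dev/null || iptables -t "$table" -A $rest
    done
}

# Only touch the kernel when explicitly asked and running as root.
case "${1:-}" in
    apply) [ "$(id -u)" = 0 ] || { echo "run as root" >&2; exit 1; }; apply_rules ;;
    show)  rules ;;
esac
```

`sh vpn-nat.sh show` prints the rules; `sudo sh vpn-nat.sh apply` installs them, and they still need `iptables-save` (or the netfilter-persistent package) to survive a reboot.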
