Use literally the same "port forwarding", i.e. DNAT rules in the router's (RasPi's) firewall; it functions the same way regardless of network type. That is, add DNAT iptables or nftables rules to the RasPi firewall for each "port-forward" that you need. (Don't forget to also add 'allow forward' rules – these are automatic in most routers, but not automatic in plain iptables or nftables.)

Your server must have a route back to Network2 through its VPN connection (in OpenVPN that likely means an iroute configuration). If that's difficult to set up, the alternative is to have the RasPi also do SNAT or MASQUERADE in addition to DNAT-ing. (The SNAT/MASQ option would be exactly the same kind of config as for "NAT hairpinning" in LANs.)
Example for nftables:

table inet filter {
    chain forward {
        type filter hook forward priority filter;
        ip daddr <ServerIP> accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "eth0" ip daddr <RasPiIP> tcp dport 80 \
            dnat to <ServerIP>:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "tun0" masquerade
    }
}
Example for iptables:

iptables -t filter -I FORWARD -d <ServerIP> -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -d <RasPiIP> -p tcp --dport 80 \
    -j DNAT --to-destination <ServerIP>:80
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
Alternative: Use a "reverse proxy" on the RasPi. Most reverse proxies are for HTTP/HTTPS, but any TCP or TLS protocol can be proxied. This won't work with UDP (not easily, at least) and needs additional software but has fewer routing requirements.
For HTTP/HTTPS services, Nginx or Apache httpd would be common choices; they are widely documented elsewhere. (In both, the option is called "proxy_pass" or "ProxyPass".)
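One way to produce that nftables ruleset for several port-forwards at once, as an added example that is not part of the original answer: it narrows the forward-accept rule to the forwarded ports and limits the masquerade to DNATed connections instead of everything leaving the VPN interface. The addresses, interface names and the "proto:port" list format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): emit the nftables ruleset
# described above for a list of port-forwards. Each forward gets a matching
# DNAT rule and a forward-accept rule, and masquerade is applied only to
# DNATed flows (ct status dnat) rather than to everything leaving the VPN.
# Addresses and interface names are placeholders chosen for this example.
nl='
'
# validate_port PORT: succeeds only for 1..65535
validate_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset PI_IP SERVER_IP LAN_IF VPN_IF "proto:port ..."
# Prints the ruleset on stdout; fails on a malformed forward entry.
gen_ruleset() {
    pi_ip=$1; srv_ip=$2; lan_if=$3; vpn_if=$4; fwds=$5
    fwd_rules=''; nat_rules=''
    for f in $fwds; do
        proto=${f%%:*}; port=${f#*:}
        case $proto in tcp|udp) ;; *) return 1 ;; esac
        validate_port "$port" || return 1
        # forward chain: only the forwarded port, LAN -> VPN, new connections
        fwd_rules="$fwd_rules        iifname \"$lan_if\" oifname \"$vpn_if\" ip daddr $srv_ip $proto dport $port ct state new accept$nl"
        # prerouting: rewrite the destination from the Pi to the server
        nat_rules="$nat_rules        iifname \"$lan_if\" ip daddr $pi_ip $proto dport $port dnat to $srv_ip:$port$nl"
    done
    cat <<EOF
table inet filter {
    chain forward {
        # policy drop assumes the Pi forwards nothing but these port-forwards;
        # remove it if the Pi also routes other traffic between the networks
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
${fwd_rules}    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
${nat_rules}    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "$vpn_if" ct status dnat masquerade
    }
}
EOF
}
# usage: gen_ruleset 192.0.2.10 10.8.0.2 eth0 tun0 "tcp:80 tcp:443" | nft -c -f -
```

Pipe the output through `nft -c -f -` first to syntax-check it, then `nft -f -` to load it; the Pi still needs net.ipv4.ip_forward=1 for any of it to take effect.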
route /p add [Network1] mask [mask] [Pi IP]

On the Pi, enable traffic forwarding in /etc/sysctl.conf, by setting net.ipv4.ip_forward=1. You may also need to configure NAT on the Pi or add a matching route on the server, depending on your VPN configuration. Google "raspberry pi as a router" for more details.