I have 3 devices:

  1. A server, connected to Network1
  2. A laptop, connected to Network2
  3. A Raspberry Pi, also connected to Network2

There is also an OpenVPN server on Network1, plus port forwarding for accessing the VPN.

I need the Raspi to receive TCP requests (meant for the server) from the laptop and send them through the VPN to the server, then send the response from the server back to the laptop. Only one port will be used, but it would also be fine if all ports got forwarded. No software can be installed on the laptop. Also preferably no commands or such on the laptop.

I need some sort of "port forwarding", but into a VPN.

  • You can add a route on the laptop via the Pi. In Windows, for example, it would look like route /p add [Network1] mask [mask] [Pi IP]. On the Pi, enable traffic forwarding in /etc/sysctl.conf by setting net.ipv4.ip_forward=1. You may also need to configure NAT on the Pi or add a matching route on the server, depending on your VPN configuration. Google "raspberry pi as a router" for more details.
    – Cpt.Whale
    Commented Feb 29 at 19:53
  • Sorry, I meant without any handling on the laptop. The laptop isn't mine, and I would like someone else to connect to my server, with only the Pi on their network and nothing else.
    – jp_
    Commented Mar 1 at 6:18

1 Answer

Use literally the same "port forwarding", i.e. DNAT rules in the router's (RasPi's) firewall; it functions the same way regardless of network type.

That is, add DNAT iptables or nftables rules to the RasPi firewall for each "port-forward" that you need. (Don't forget to also add 'allow forward' rules – these are automatic in most routers, but not automatic in plain iptables or nftables.)

Your server must have a route back to Network2 through its VPN connection (in OpenVPN that likely means an iroute configuration). If that's difficult to set up, the alternative is to have the RasPi also do SNAT or MASQUERADE in addition to DNAT-ing. (The SNAT/MASQ option would be exactly the same kind of config as for "NAT hairpinning" in LANs.)

  • Example for nftables:

    table inet filter {
        chain forward {
            type filter hook forward priority filter;
    
            ip daddr <ServerIP> accept
        }
    }
    
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority dstnat;
    
            iifname "eth0" ip daddr <RasPiIP> tcp dport 80 \
              dnat to <ServerIP>:80
        }
    
        chain postrouting {
            type nat hook postrouting priority srcnat;
    
            oifname "tun0" masquerade
        }
    }
    
  • Example for iptables:

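    # Allow forwarded packets addressed to the server
    iptables -t filter -I FORWARD -d <ServerIP> -j ACCEPT

    # Rewrite connections arriving at the RasPi on port 80 so they go to the server
    iptables -t nat -I PREROUTING -i eth0 -d <RasPiIP> -p tcp --dport 80 \
        -j DNAT --to-destination <ServerIP>:80

    # Rewrite the source address of traffic leaving through the VPN interface
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE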
    

Alternative: Use a "reverse proxy" on the RasPi. Most reverse proxies are for HTTP/HTTPS, but any TCP or TLS protocol can be proxied. This won't work with UDP (not easily, at least) and needs additional software but has fewer routing requirements.

For HTTP/HTTPS services, Nginx or Apache httpd would be common choices; widely documented elsewhere. (In both, the option is called "proxy_pass" or "ProxyPass".)

  • And... how do I do that?
    – jp_
    Commented Mar 1 at 6:47
  • That depends on which firewall you're currently using on the Pi?
    Commented Mar 1 at 6:49
  • I installed Raspberry Pi OS Lite (32-bit). None more.
    – jp_
    Commented Mar 1 at 7:02
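
The reverse-proxy alternative mentioned in the answer, as an added example that is not part of the original answer or comments: a small TCP relay for the RasPi that forwards one port to the server through the VPN and refuses clients outside an allowlist, so the forward does not expose the server to every host on Network2. The listen address, upstream address and allowed network are assumed placeholder values.

```python
import asyncio
import ipaddress

# Constructed placeholder values (assumptions, not taken from the page).
LISTEN = ("0.0.0.0", 8080)       # RasPi address/port facing Network2
UPSTREAM = ("10.8.0.1", 80)      # server address as reached through the VPN
ALLOWED = [ipaddress.ip_network("192.168.2.0/24")]  # clients allowed to connect

def client_allowed(addr, allowed=ALLOWED):
    """True if the client address lies inside one of the allowed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)

async def pipe(reader, writer):
    """Copy one direction until EOF, then pass the half-close on."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:
        writer.close()               # peer reset or VPN path dropped

async def serve(listen=LISTEN, upstream=UPSTREAM, allowed=ALLOWED):
    """Start the relay and return the asyncio Server object."""
    async def handle(c_reader, c_writer):
        peer = c_writer.get_extra_info("peername")[0]
        if not client_allowed(peer, allowed):
            c_writer.close()         # refuse clients outside the allowlist
            return
        try:
            s_reader, s_writer = await asyncio.open_connection(*upstream)
        except OSError:
            c_writer.close()         # server unreachable (e.g. tunnel is down)
            return
        try:
            await asyncio.gather(pipe(c_reader, s_writer), pipe(s_reader, c_writer))
        finally:
            c_writer.close()
            s_writer.close()
    return await asyncio.start_server(handle, *listen)

if __name__ == "__main__":
    async def _main():
        async with await serve() as server:
            await server.serve_forever()
    asyncio.run(_main())
```

Because the relay opens its own connection to the server, the server sees the RasPi's VPN address as the source, so no return route to Network2 and no NAT rules are needed for this variant.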
