
I have a new OpenVPN AS server running on CentOS 7 (not married to CentOS 7) that I am working on to replace an expensive commercial VPN that has a public static IP. Since the OpenVPN AS server amounts to my private VPN server, I just need to forward a couple of ports to a static internal VPN address to replace the commercial server.

I have the VPN client set up, and I can ping from the server to the client's static IP and from the static IP to the server's public IP and beyond.

I want the following ports on the server's IP forwarded/NAT'd/masqueraded to the internal VPN:

Public TCP 80 (i.e. server public IP:80 -> 172.28.28.28:80)
Public UDP ports 2074-2093
Public TCP ports 15425-15427
Public UDP ports 5198-5200
Public TCP ports 5198-5200

I have tried different route / iptables commands, but I have yet to find the magic bullet. I believe it's a simple process, but the solution is eluding me. Via SSH the server can connect to the VPN client on port 80 and I get the client's page via the VPN's web interface, so the basic routing is working as expected.

I can't figure out the magic of routing a packet destined for port 80 on the server's side to the client. Forwarding:

[root@vpn ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1 

[root@vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         209.182.218.1   0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.27.224.0    0.0.0.0         255.255.252.0   U     0      0        0 as0t0
172.27.228.0    0.0.0.0         255.255.252.0   U     0      0        0 as0t1
172.27.232.0    0.0.0.0         255.255.252.0   U     0      0        0 as0t2
172.27.236.0    0.0.0.0         255.255.252.0   U     0      0        0 as0t3
172.28.28.28    0.0.0.0         255.255.255.255 UH    0      0        0 as0t0
209.182.218.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

[root@vpn ~]# ip route list
default via 209.182.218.1 dev eth0 
169.254.0.0/16 dev eth0 scope link metric 1002 
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1 
172.27.228.0/22 dev as0t1 proto kernel scope link src 172.27.228.1 
172.27.232.0/22 dev as0t2 proto kernel scope link src 172.27.232.1 
172.27.236.0/22 dev as0t3 proto kernel scope link src 172.27.236.1 
172.28.28.28 dev as0t0 proto static 
209.182.218.0/24 dev eth0 proto kernel scope link src 209.182.218.187 

[root@vpn ~]# ifconfig
as0t0: flags=4305  mtu 1500
        inet 172.27.224.1  netmask 255.255.252.0  destination 172.27.224.1
        inet6 fe80::4da2:53e9:7fba:8f11  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 219  bytes 13438 (13.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 250  bytes 202093 (197.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t1: flags=4305  mtu 1500
        inet 172.27.228.1  netmask 255.255.252.0  destination 172.27.228.1
        inet6 fe80::d557:1adc:c34c:4954  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t2: flags=4305  mtu 1500
        inet 172.27.232.1  netmask 255.255.252.0  destination 172.27.232.1
        inet6 fe80::be1a:bfd3:3c25:20f9  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t3: flags=4305  mtu 1500
        inet 172.27.236.1  netmask 255.255.252.0  destination 172.27.236.1
        inet6 fe80::bfed:3f81:6938:bbc7  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163  mtu 1500
        inet 209.182.218.187  netmask 255.255.255.0  broadcast 209.182.218.255
        inet6 fe80::216:3eff:fecc:ddf3  prefixlen 64  scopeid 0x20
        ether 00:16:3e:cc:dd:f3  txqueuelen 1000  (Ethernet)
        RX packets 11673  bytes 1350674 (1.2 MiB)
        RX errors 0  dropped 14  overruns 0  frame 0
        TX packets 5295  bytes 1099520 (1.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9  bytes 748 (748.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 748 (748.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1 Answer

Assuming that your OpenVPN-AS has a dynamic or static public IP assigned to interface eth0, we will use the interface name when creating the firewall rules. This way we make sure that the rules work in both situations. In this case, you need to configure Destination NAT.

If your VPN server has a tunnel interface tun0 with an IP of 172.28.28.1 and the internal webserver has an IP of 172.28.28.28 listening on port 80:

# DNAT packets arriving on the public interface (match it with -i; -d takes an address, not an interface name)
$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.28.28.28
# Rewrite the source so the client's replies come back through the tunnel
$ sudo iptables -t nat -A POSTROUTING -o tun0 -p tcp -m tcp -d 172.28.28.28 --dport 80 -j SNAT --to-source 172.28.28.1
  • And if I had a 2nd IP available and wanted to "bind" all ports on the 2nd Public to the Internal IP and have the source also show up as the 2nd public.
    – MrLimo
    Commented May 10, 2020 at 22:40
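The following is an added example, not code from the question or the answer: it emits the DNAT, FORWARD and SNAT rules for every port range the question lists, so the full set can be reviewed before being applied. It assumes eth0 is the public interface and that the client 172.28.28.28 is reached through as0t0 with local address 172.27.224.1 (both taken from the route output above); the FORWARD rules matter when that chain's policy is DROP, which DNAT alone does not change.

```shell
#!/bin/sh
# Added example: print (do not execute) the iptables rules that forward the
# question's port list from the public interface to the VPN client.
# Assumptions: public interface eth0, tunnel interface as0t0 with local
# address 172.27.224.1, VPN client 172.28.28.28 (from the question's output).
PUB_IF=eth0
TUN_IF=as0t0
TUN_SRC=172.27.224.1
CLIENT=172.28.28.28

# Port list from the question, one "proto port-or-range" per line.
PORTS="tcp 80
udp 2074:2093
tcp 15425:15427
udp 5198:5200
tcp 5198:5200"

# The three rules one forwarded range needs.
rules_for() {
  proto=$1; range=$2
  # DNAT: rewrite the destination of packets arriving on the public interface.
  echo "iptables -t nat -A PREROUTING -i $PUB_IF -p $proto --dport $range -j DNAT --to-destination $CLIENT"
  # FORWARD: only these ports may cross from eth0 into the tunnel; replies are
  # covered by the ESTABLISHED,RELATED rule emitted first by gen_rules.
  echo "iptables -A FORWARD -i $PUB_IF -o $TUN_IF -p $proto -d $CLIENT --dport $range -m conntrack --ctstate NEW -j ACCEPT"
  # SNAT: the client sees the server's tunnel address as the source, so its
  # replies return through the tunnel even if its default route does not.
  echo "iptables -t nat -A POSTROUTING -o $TUN_IF -p $proto -d $CLIENT --dport $range -j SNAT --to-source $TUN_SRC"
}

# Emit the complete rule set: one conntrack rule, then three rules per range.
gen_rules() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$PORTS" | while read -r proto range; do
    rules_for "$proto" "$range"
  done
}

gen_rules
```

After applying the printed rules as root, check that the packet counters in `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` move for a connection to each port, which confirms the traffic is hitting these rules rather than an earlier chain.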
