What am I doing wrong? iptables + port forwarding + openvpn

nandika Member
edited March 2016 in Help

Hi!
I have faced the following situation. I have an OpenVPN VPS which is called 1.2.3.4.
I have a LAN box with Ubuntu which connects to this OpenVPN server. This should be 192.168.1.15, and when it connects to the OpenVPN it receives IP 10.8.0.2 for the tun interface.
I have a DVR which is 192.168.1.77.
What I want to do is the following:

Forward the openvpn server's port (1.2.3.4:7000) to a LAN DVR 192.168.1.77:7000.

I was able to forward the openvpn SSH port to my LAN box, and it works, but doing the additional forwarding to the LAN DVR does not work.
I used the following commands on the OpenVPN server:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 7000 -j DNAT --to-dest 10.8.0.2:7000

iptables -t nat -A POSTROUTING -d 10.8.0.2 -p tcp --dport 7000 -j SNAT --to-source 10.8.0.1

(the same commands do work for SSH port forwarding)

I used the following commands on the LAN box:

sudo iptables -t nat -A PREROUTING -d 10.8.0.2 -p tcp --dport 7000 -j DNAT --to-dest 192.168.1.77:7000

sudo iptables -t nat -A POSTROUTING -d 192.168.1.77 -p tcp --dport 7000 -j SNAT --to-source 10.8.0.2

Please let me know what I'm doing wrong here.

I want to do:
OpenVPN Server -> LAN BOX -> DVR

Thank you!

Comments

  • exception0x876 Member, Host Rep, LIR

    sudo iptables -t nat -A POSTROUTING -d 192.168.1.77 -p tcp --dport 7000 -j SNAT --to-source 10.8.0.2

    It seems the above line is wrong: 192.168.1.77 does not have a route to 10.8.0.2, so you have to SNAT to 192.168.1.15.

    sudo iptables -t nat -A POSTROUTING -d 192.168.1.77 -p tcp --dport 7000 -j SNAT --to-source 192.168.1.15

  • nandika Member
    edited March 2016

    This still has not solved the problem :(
    When I try to connect I receive a timeout.

    When I try to telnet from the LAN box:
    a@ubuntu:~$ telnet 10.8.0.2 7000
    Trying 10.8.0.2...
    telnet: Unable to connect to remote host: Connection refused
    a@ubuntu:~$ telnet 192.168.1.77 7000
    Trying 192.168.1.77...
    Connected to 192.168.1.77.
    Escape character is '^]'.

    Telnetting directly works. Telnetting from outside does not.

  • exception0x876 Member, Host Rep, LIR
    edited March 2016

    Why do you try to connect to 10.8.0.2 on your LAN box? As you described, your LAN box has IP address 10.8.0.2, so its PREROUTING chain rule won't be used for local connections.
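
The two points made in the replies above (the DVR needs a return route to whatever source address it sees, and packets a host originates itself never pass through PREROUTING) can be checked without touching a real firewall. The following is an added example, not code from the thread or from either participant: a small Python model of the two-hop NAT path using the thread's addresses (VPS 1.2.3.4 / 10.8.0.1, LAN box 192.168.1.15 / 10.8.0.2, DVR 192.168.1.77). The client address 203.0.113.9, the VPS upstream gateway 198.51.100.1 and the home router 192.168.1.1 are constructed placeholders, the `Host`, `NatRule`, `build_lab` and `deliver` names are mine, and the model assumes `net.ipv4.ip_forward=1` on both forwarding hops. It traces one SYN from the Internet to the DVR under each SNAT variant and reports where the DVR's reply would go, and it shows why a `telnet 10.8.0.2 7000` run on the LAN box itself never reaches the DNAT rule.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    chain: str      # "PREROUTING" rewrites dst (DNAT), "POSTROUTING" rewrites src (SNAT)
    match_dst: str  # iptables -d
    dport: int      # iptables --dport
    to: str         # --to-destination / --to-source; port left unchanged


class Host:
    """A toy netfilter host: interface addresses, a routing table, NAT rules."""

    def __init__(self, name, addrs, routes, rules=(), ip_forward=True):
        self.name, self.addrs, self.routes = name, set(addrs), routes
        self.rules, self.ip_forward = list(rules), ip_forward

    def next_hop(self, dst):
        """Longest-prefix route lookup; a None gateway means directly connected."""
        hits = [(ip_network(n), gw) for n, gw in self.routes if ip_address(dst) in ip_network(n)]
        if not hits:
            raise RuntimeError(f"{self.name}: no route to {dst}")
        _, gw = max(hits, key=lambda h: h[0].prefixlen)
        return gw or dst

    def nat(self, chain, pkt):
        for r in self.rules:
            if (r.chain, r.match_dst, r.dport) == (chain, pkt.dst, pkt.dport):
                return replace(pkt, dst=r.to) if chain == "PREROUTING" else replace(pkt, src=r.to)
        return pkt

    def handle(self, pkt, locally_generated=False):
        """Return ("local", pkt) if accepted here, else (next_hop_ip, pkt_as_sent)."""
        # A packet the host itself originates goes through OUTPUT, not PREROUTING,
        # so a PREROUTING DNAT rule cannot redirect it.
        if not locally_generated:
            pkt = self.nat("PREROUTING", pkt)
        if pkt.dst in self.addrs:
            return "local", pkt
        if not self.ip_forward:
            raise RuntimeError(f"{self.name}: net.ipv4.ip_forward=0, packet dropped")
        return self.next_hop(pkt.dst), self.nat("POSTROUTING", pkt)


def build_lab(lanbox_snat_source):
    """The thread's topology; gateway addresses are constructed placeholders."""
    vps = Host("vps", ["1.2.3.4", "10.8.0.1"],
               [("10.8.0.0/24", None), ("0.0.0.0/0", "198.51.100.1")],
               [NatRule("PREROUTING", "1.2.3.4", 7000, "10.8.0.2"),
                NatRule("POSTROUTING", "10.8.0.2", 7000, "10.8.0.1")])
    lanbox = Host("lanbox", ["192.168.1.15", "10.8.0.2"],
                  [("192.168.1.0/24", None), ("10.8.0.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
                  [NatRule("PREROUTING", "10.8.0.2", 7000, "192.168.1.77"),
                   NatRule("POSTROUTING", "192.168.1.77", 7000, lanbox_snat_source)])
    dvr = Host("dvr", ["192.168.1.77"],
               [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    return {h.name: h for h in (vps, lanbox, dvr)}


def deliver(hosts, first_hop, pkt, max_hops=8):
    """Hand the packet from host to host until one accepts it locally."""
    by_addr = {a: h for h in hosts.values() for a in h.addrs}
    host = hosts[first_hop]
    for _ in range(max_hops):
        hop, pkt = host.handle(pkt)
        if hop == "local":
            return host.name, pkt
        if hop not in by_addr:
            return f"lost at {hop}", pkt   # next hop is outside the modelled hosts
        host = by_addr[hop]
    raise RuntimeError("routing loop")


def dvr_reply_next_hop(lanbox_snat_source):
    """Where the DVR sends its SYN-ACK, given the source the LAN box SNATs to."""
    hosts = build_lab(lanbox_snat_source)
    where, seen = deliver(hosts, "vps", Packet("203.0.113.9", "1.2.3.4", 7000))
    assert where == "dvr", where
    return hosts["dvr"].next_hop(seen.src)


def local_telnet_lands_on():
    """The poster's `telnet 10.8.0.2 7000` typed on the LAN box itself."""
    hosts = build_lab("192.168.1.15")
    where, _ = hosts["lanbox"].handle(Packet("10.8.0.2", "10.8.0.2", 7000), locally_generated=True)
    return where


if __name__ == "__main__":
    print("SNAT to 10.8.0.2     -> DVR replies via", dvr_reply_next_hop("10.8.0.2"))
    print("SNAT to 192.168.1.15 -> DVR replies via", dvr_reply_next_hop("192.168.1.15"))
    print("telnet 10.8.0.2 on the LAN box is delivered:", local_telnet_lands_on())
```

With SNAT to 10.8.0.2 the DVR's reply is routed to its default gateway 192.168.1.1, so the LAN box's conntrack entry never sees the SYN-ACK and the outside client times out; with SNAT to 192.168.1.15 the reply comes straight back to the LAN box and is un-NATed. The local telnet is accepted by the LAN box itself, where nothing listens on 7000, hence "Connection refused": the only meaningful test of the chain is from outside the VPS. On the real hosts, both the VPS and the LAN box also need `net.ipv4.ip_forward=1` and a FORWARD chain that accepts the flow, and since the VPS rule exposes the DVR to the whole Internet, adding `-s <trusted client address>` to that PREROUTING rule keeps the forward limited to the clients that should reach it.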
