> On 30.07.23 20:55, Jason Long wrote:
>> I found that I need to add the following iptables rule for virtual
>> NICs to my iptables rules:
>> iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT
>> --to OpenVPN_NIC_IP
>>
>> I have another question. For each public IP address, I must rewrite
>> all the iptables rules, because each public IP has its own "Tun name",
>> "Port number" and "IP Range" in its configuration.
>> Am I right?
> First and foremost: *Why* do you want to do this (SNAT all the clients'
> "through traffic" to the *one* IP assigned to the OpenVPN instance the
> client is connected to)? OpenVPN doesn't care, and iptables might well be
> less likely to run into resource limitations when SNATing VPN clients to
> *any* of the N public IPs the server has (it means that iptables has
> N*63k IP-port combos available to SNAT the new connection to, instead of
> just 1*63k when the IP is nailed down).
>
> Having said that, the iptables rules could be *somewhat* simplified with
> well-planned subnetting and interface naming (and giving up a bit of
> protection against quite nontrivial fakery). Example:
>
> VPN A4 listens on public IP A port X, assigns 10.1.4.0/24 on tun14
> VPN A5 listens on public IP A port Y, assigns 10.1.5.0/24 on tun15
> VPN B4 listens on public IP B port X, assigns 10.2.4.0/24 on tun24
> VPN B5 listens on public IP B port Y, assigns 10.2.5.0/24 on tun25
>
> (Note "A" consistently corresponding to "1" in subnet and interface
> name, and "B" to "2".)
>
> Then you need only one SNAT rule for each public IP, in spite of running
> *two* (or more) OpenVPN instances on each:
>
> iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -j SNAT --to A
> iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -j SNAT --to B
>
> (Similarly "-i tun1+ -s 10.1.0.0/16" and "-i tun2+ -s 10.2.0.0/16" if
> you need similar matching in ingress or filter rules.)

Hello,
Thank you so much.
Did you forget the PORT rule?
Excuse me, I'm thankful if you reply to this question:
Suppose I have set two IP addresses on the enp0s3 network card and on
each IP address I want to launch three server.conf files:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun2
# YOUR_OPENVPN_SUBNET=IP/16
# iptables -I INPUT -p udp --dport PORT -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to $IF_MAIN

How many times should you repeat the above rules?

> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
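Added example, not part of the thread and written by neither poster: a POSIX shell script that applies the naming scheme from the quoted reply to the setup in the question (two public IPs on enp0s3, three OpenVPN instances per IP). It prints the server.conf lines each instance needs for the scheme to hold (explicit "local", "port", "dev tunNN" and "server" directives) and the iptables rules, without applying anything. The public IPs (RFC 5737 documentation addresses), the ports and the file names are constructed placeholders. The counting functions at the end show how often the rules repeat: the INPUT rule once per port (the ports are shared across the public IPs), the FORWARD and SNAT rules once per public IP, so nine rules for six instances rather than five rules per instance. Two caveats folded into the script: "SNAT --to" takes an address rather than an interface name, and a MASQUERADE rule placed ahead of the SNAT rule for the same source range would match first and make the SNAT rule unreachable, so only one of the two is emitted.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Prints, but does not
# apply, OpenVPN server.conf fragments and iptables rules for the scheme:
# public IP "A" <-> group 1, "B" <-> group 2; instance j of group g listens
# on the j-th port, uses tun<g><j> and hands out 10.<g>.<j>.0/24.
# Public IPs, ports and file names are constructed placeholders.

IF_MAIN=enp0s3
# group-number:public-IP pairs (constructed; RFC 5737 documentation addresses)
IP_GROUPS="1:203.0.113.10 2:203.0.113.11"
# instance-number:UDP-port pairs, the same three on every public IP
INSTANCES="4:1194 5:1195 6:1196"

# server.conf lines that make one instance fit the naming scheme.
# $1 = group number, $2 = public IP, $3 = instance number, $4 = UDP port
server_conf() {
    echo "# server-$1$3.conf (placeholder file name)"
    echo "local $2"                          # bind to this public IP only
    echo "port $4"
    echo "proto udp"
    echo "dev tun$1$3"                       # explicit name so "-i tun$1+" matches it
    echo "server 10.$1.$3.0 255.255.255.0"   # /24 inside the group's 10.$1.0.0/16
}

all_server_confs() {
    for grp in $IP_GROUPS; do
        for inst in $INSTANCES; do
            server_conf "${grp%%:*}" "${grp#*:}" "${inst%%:*}" "${inst#*:}"
        done
    done
}

# Firewall rules: one INPUT rule per port (every public IP listens on the
# same ports); FORWARD and SNAT once per public IP, using the tun<g>+
# interface wildcard and the 10.<g>.0.0/16 aggregate, however many
# instances that IP runs.
gen_rules() {
    for inst in $INSTANCES; do
        echo "iptables -A INPUT -p udp --dport ${inst#*:} -j ACCEPT"
    done
    for grp in $IP_GROUPS; do
        g=${grp%%:*}; ip=${grp#*:}
        echo "iptables -A FORWARD -i $IF_MAIN -o tun${g}+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i tun${g}+ -s 10.${g}.0.0/16 -o $IF_MAIN -j ACCEPT"
        # SNAT takes an address, not an interface. No MASQUERADE rule is
        # emitted for this range: placed ahead of the SNAT it would match
        # first and the SNAT rule would never be reached.
        echo "iptables -t nat -A POSTROUTING -s 10.${g}.0.0/16 -o $IF_MAIN -j SNAT --to-source $ip"
    done
}

# How often each rule type repeats in the generated set
count_input() { gen_rules | grep -c -- '-A INPUT'; }
count_snat()  { gen_rules | grep -c -- '-j SNAT'; }
count_rules() { gen_rules | wc -l | tr -d ' '; }
count_confs() { all_server_confs | grep -c '^dev tun'; }

# Usage: sh rules.sh            # review the iptables rules
#        sh rules.sh | sudo sh  # apply them
# Call all_server_confs to print the matching server.conf fragments.
gen_rules
```

The script only prints commands, so it can be reviewed (or diffed against "iptables-save" output) before anything is applied; the counts return 3 INPUT rules, 2 SNAT rules and 9 rules in total for the 6 generated server configurations.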