1

Topic: Setting up a VPN server and port forwarding with tricky settings

Hello all.
I need to implement the following scheme: a VPN server with an external IP and a VPN client without an external IP. On the VPN server I want to set up port forwarding so that connections coming from outside on a certain port are passed on to the VPN client.
The task seems simple, but the address translation has to be configured so that the VPN client sees the connections as coming not from the external IP but from the VPN server's IP. How do I do that?
What I have: a server running Ubuntu 14.04 (which will be the VPN server) and a router which will be the VPN client.

2

Re: Setting up a VPN server and port forwarding with tricky settings

Alexey Agafonov wrote:

The task seems simple, but the address translation has to be configured so that the VPN client sees the connections as coming not from the external IP but from the VPN server's IP. How do I do that?

Besides port forwarding you also have to set up NAT.

3

Re: Setting up a VPN server and port forwarding with tricky settings

bga83,
So port forwarding or NAT? I'd assume that for my task it is one or the other.

4

Re: Setting up a VPN server and port forwarding with tricky settings

Alexey Agafonov wrote:

bga83,
So port forwarding or NAT? I'd assume that for my task it is one or the other.

No, both at the same time.

5

Re: Setting up a VPN server and port forwarding with tricky settings

Interesting. Well, you are probably right, but why?

6

Re: Setting up a VPN server and port forwarding with tricky settings

Both 'port forwarding' and 'NAT' are rules that live in the same rules table, which is called nat (in iptables terms). The only difference is that the port-forwarding rules go in the dstnat chain, and the rules that change the address of requests to the vpn-client go in the srcnat chain.
Something like this might work:
Port forwarding to the vpn-client ($WAN_IP is the external address of the vpn-server, $vpn_client_ip is the address of the vpn-client):

iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $vpn_client_ip

To change the source address of requests to the vpn-client ($WAN_IFACE is the interface on the server facing the Internet, tun1 is the virtual interface for that client):

iptables -t nat -A POSTROUTING -i $WAN_IFACE -o tun1 -j MASQUERADE

You will also need to check the forward table so that traffic to the vpn-clients is allowed there.

7

Re: Setting up a VPN server and port forwarding with tricky settings

fortress, thanks, the first command worked, packets get to the vpn client. But the second one doesn't go through:

root> iptables -t nat -A POSTROUTING -i venet0 -o ppp0 -j MASQUERADE
iptables v1.4.21: Can't use -i with POSTROUTING

I removed -i and it worked!

root> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Of course, there is still the question of how to substitute the IP address ONLY for a certain incoming interface, but that is more for neatness, since in my case there is only one.

8

Re: Setting up a VPN server and port forwarding with tricky settings

Alexey Agafonov wrote:

I removed -i and it worked!

Indeed, I have just checked it myself: the input interface can't be specified for traffic if the rule is in the srcnat chain.

Alexey Agafonov wrote:

Of course, there is still the question of how to substitute the IP address ONLY for a certain incoming interface, but that is more for neatness, since in my case there is only one.

Since the interface can't be specified, you can instead specify the subnet of addresses (the ones behind that interface) to which the rule will apply, for example:

iptables -t nat -A POSTROUTING -s 187.187.197.0/24 -o ppp0 -j MASQUERADE

I.e. if the remote client users can be put into one subnet (for example 172.16.0.0/24), the vpn-client sees their requests as though they came from the vpn-server.
On the other hand, if the clients come from arbitrary subnets, you can try a rule like this:

iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o ppp0 -j MASQUERADE

Then the address substitution will be performed for any client address, even for clients from the local network. If I'm not mistaken and the local network is 192.168.1.0/24, it would be more correct to use the following rule:

iptables -t nat -A POSTROUTING ! -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

I.e. perform the address substitution for all clients except the local network.
Now I've seen the picture; it says the vpn-client should see requests as coming from 192.168.1.1, while the vpn-client's address for VPN connections is 192.168.10.2. If I understand the operation correctly, the vpn-server will use the address 192.168.10.1 to communicate with the vpn-clients (for example, when reaching the vpn-clients from the server). I'm saying all this because, with the MASQUERADE action in the rule, the source address of requests to the vpn-client will be replaced with the vpn-server's address on the ppp interface, i.e. 192.168.10.1. If the vpn-client must see requests coming from 192.168.1.1, you can try a rule like this:

iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o ppp0 -j SNAT --to-source 192.168.1.1

In that case the vpn-clients need to know how to reach the 192.168.1.0/24 subnet in order to answer the requests. If the VPN connection is also their default gateway, there should be no problems. Otherwise you will have to add a route to 192.168.1.0/24 via the VPN connection on them manually.
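Putting posts 6 and 8 together, here is an added example (not code posted in the thread) of the complete rule set as a reviewable shell script: the DNAT port forward, the SNAT that makes the vpn-client see 192.168.1.1 instead of the ppp address, and the FORWARD rules post 6 says to check. Interface names venet0 and ppp0 and the addresses 192.168.1.1, 192.168.1.0/24 and 192.168.10.2 are taken from the thread; 203.0.113.10 is a constructed placeholder for the server's public IP, and port 80 is the port from post 6. The rules are built as text first so they can be inspected (or tested) before anything touches the live firewall.

```sh
#!/bin/sh
# Added example, not from the thread: the full rule set described in posts 6
# and 8. Names reused from the thread: venet0 (public interface), ppp0 (the
# vpn-client's tunnel), 192.168.1.1 / 192.168.1.0/24 (server LAN),
# 192.168.10.2 (vpn-client). 203.0.113.10 is a constructed placeholder WAN IP.

# Print one iptables argument list per line for the given parameters.
# Arguments: wan_ip wan_if vpn_if vpn_client lan_net lan_ip port
build_rules() {
    wan_ip=$1; wan_if=$2; vpn_if=$3; vpn_client=$4; lan_net=$5; lan_ip=$6; port=$7

    # 1. nat/PREROUTING (port forward). -i is allowed here, unlike in
    #    POSTROUTING; pinning the public interface keeps LAN traffic out of it.
    printf '%s\n' "-t nat -A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $vpn_client"

    # 2. nat/POSTROUTING (source rewrite). No -i: iptables rejects it, so the
    #    source subnet is matched instead, as post 8 suggests. Everything except
    #    the LAN is rewritten to the server's LAN address, so the vpn-client sees
    #    192.168.1.1 rather than the ppp address MASQUERADE would use.
    printf '%s\n' "-t nat -A POSTROUTING ! -s $lan_net -d $vpn_client -o $vpn_if -j SNAT --to-source $lan_ip"

    # 3. filter/FORWARD: DNAT has already run, so the destination seen here is
    #    $vpn_client. Only the forwarded port is admitted; replies rely on
    #    conntrack, which also undoes both translations on the way back.
    printf '%s\n' "-A FORWARD -i $wan_if -o $vpn_if -d $vpn_client -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $vpn_if -o $wan_if -s $vpn_client -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Install the rules with iptables (root required) and enable IP forwarding.
apply_rules() {
    build_rules "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended: $rule is the argument list
        iptables $rule
    done
    sysctl -w net.ipv4.ip_forward=1
}

# With no argument the script only prints the rules for review; "apply" installs them.
case "${1:-print}" in
    apply) apply_rules 203.0.113.10 venet0 ppp0 192.168.10.2 192.168.1.0/24 192.168.1.1 80 ;;
    *)     build_rules 203.0.113.10 venet0 ppp0 192.168.10.2 192.168.1.0/24 192.168.1.1 80 ;;
esac
```

Two things worth keeping in mind. As post 8 says, the vpn-client must have a route to 192.168.1.0/24 over the tunnel for the SNAT variant to work, and if the service on the client listens on a different port than the public one, use `--to-destination 192.168.10.2:port`. Also, the SNAT deliberately hides the real Internet source from the vpn-client, so its logs will only ever show 192.168.1.1; if you need to know who connected, keep that record on the vpn-server (for example with a `-j LOG` rule in FORWARD ahead of the ACCEPT) rather than on the client.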

9

Re: Setting up a VPN server and port forwarding with tricky settings

fortress, thanks for the detailed answers. Although what I already got after that answer suits me, since it works, I will still think about tidying up the table so that it is neat and portable :-)

10

Re: Setting up a VPN server and port forwarding with tricky settings

Back in the day an article on opennet helped me a lot to make sense of iptables.