TOPIC: OpenVPN NAT and some iptables

OpenVPN NAT and some iptables 4 years 9 months ago #37732

Bublitz (Senior Member, Posts: 301, Karma: 2)
OK, I have a multi site-to-site OpenVPN setup. I got this working in a test environment and for some reason am having trouble in our Rackspace environment.

Here's what is working.
Both client networks can ping the OpenVPN server running Fedora Core 15. So the tunnels are up and running, so my config files are good, I feel. The OpenVPN server can also ping the client networks.

Here's what's not working.
The Windows server on the OpenVPN server side cannot connect to the networks. I have routes defined on the Windows server so that any traffic that needs to go to the client networks goes to the OpenVPN server's LAN interface.

The only difference in this setup from the test environment is that the OpenVPN server is directly connected to the internet. Before, it had a single interface, so a router did the firewall/NAT. So I'm going to make the assumption that I have iptables/NAT messed up. Do I need to use NAT when sending traffic through an OpenVPN tunnel? Or does the tunnel interface package the packets up and send them down the tunnel as itself?

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1195 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

For NAT I've tried the following (eth0 is public, eth1 is private):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I assume I'm missing something, although this config for iptables worked in the test environment...

I've also enabled IP forwarding on the OpenVPN server. My knowledge of iptables is weak and I assume I don't have the NAT correct.
The Bublitz
Systems Admin
Hospice of the Red River Valley
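As an added example that is not part of the thread, the bash snippet below is a tiny first-match evaluator for the FORWARD chain posted above, so you can see which forwarded flows that chain admits before touching the box; the stateful ruleset next to it is an assumption about the intended topology (LAN hosts behind eth1, remote sites behind tun+), not something taken from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: first-match evaluation of a FORWARD chain.
# Interface names follow the post: eth0 public, eth1 private, tun+ any tunnel.
set -eu
# FORWARD rules exactly as posted (INPUT rules play no part in forwarding).
POSTED_FORWARD='
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
'
# Stateful variant (assumption: LAN behind eth1 must reach the remote sites via tun+;
# reply packets are admitted by connection tracking instead of per-direction rules).
STATEFUL_FORWARD='
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
'
# iface_matches PATTERN IFACE: emulate the iptables "+" wildcard (tun+ matches tun0).
iface_matches() {
  case "$1" in
    *+) [ "${2#"${1%+}"}" != "$2" ] ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}
# verdict RULESET IN_IFACE OUT_IFACE PROTO STATE: print the target of the first
# matching rule (ACCEPT/REJECT); chain policy is assumed ACCEPT if nothing matches.
verdict() {
  local rules="$1" in_if="$2" out_if="$3" proto="$4" state="$5" line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    local w_in="" w_out="" w_proto="" w_state="" target=""
    while [ $# -gt 0 ]; do
      case "$1" in
        -i) w_in="$2"; shift ;;      -o) w_out="$2"; shift ;;
        -p) w_proto="$2"; shift ;;   --state) w_state="$2"; shift ;;
        -j) target="$2"; shift ;;
      esac
      shift
    done
    [ -z "$w_in" ]  || iface_matches "$w_in" "$in_if"   || continue
    [ -z "$w_out" ] || iface_matches "$w_out" "$out_if" || continue
    [ -z "$w_proto" ] || [ "$w_proto" = "$proto" ] || continue
    case ",$w_state," in ,,|*",$state,"*) ;; *) continue ;; esac
    echo "$target"; return
  done <<EOF
$rules
EOF
  echo ACCEPT
}
```

Under the posted chain a non-ICMP packet entering on eth1 and leaving on tun0 falls through to the final REJECT, while ICMP matches the first rule; only traffic arriving on a tun interface is accepted regardless of protocol.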