OPENVPN route local net to remote server [closed]

Published 2019-06-14 20:25

Question:

I have configured an OpenVPN connection from my Debian PC to my remote Debian server, and it works. In fact, I can ping 10.0.0.1 (the server's address in the VPN).

Now I want to share this connection. I want my other clients on the LAN to be able to access the server without an OpenVPN client. How can I do it?

My LAN's standard addresses are 192.168.2.x. How can I set the 192.168.2.123 address to connect directly to the remote server?

Answer 1:

If I understand you correctly, you want to map the address 192.168.2.123 to the remotely accessible OpenVPN server 10.0.0.1.

In order to do this, you will need to do two things:

  1. Create an alias for the address 192.168.2.123 on your Debian PC. A detailed how-to can be found here.
  2. Set up your Debian PC to rewrite incoming traffic for 192.168.2.123 to the remote server 10.0.0.1.

In order to set up forwarding, you will need to enable it first as shown below.

# Enable IPv4 forwarding for the running kernel (not persistent across reboots).
echo 1 > /proc/sys/net/ipv4/ip_forward

Then set up specific firewall rules to actually forward your traffic. Here is an example of how to do this.

# Masquerade packets leaving through the tunnel with the tunnel's own address.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Rewrite the destination of packets addressed to the alias to the VPN server.
iptables -t nat -A PREROUTING -d 192.168.2.123 -j DNAT --to-destination 10.0.0.1

Note: tun0 is supposed to be the interface of the tunnel your Debian PC opened, and eth0 the interface on your Debian PC with IP address 192.168.2.123. The actual names of your interfaces may be something else. This will set up a NAT, effectively mapping the traffic from your LAN interface to the address you have within the VPN. Also be aware that this setup will require the clients in your LAN to initiate any connection with the remote Debian server.

Another solution would be to simply forward the traffic of your LAN interface to your tunnel interface as shown below. Using this approach you will be able to access your remote Debian server using its internal VPN IP 10.0.0.1.

# Allow forwarding from the LAN interface into the tunnel ...
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
# ... and from the tunnel back to the LAN interface.
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Note: The VPN server on the other side does not know about the subnet whose traffic is forwarded to it. In order to enable the server to send back responses, you will need to tell it that it can reach your LAN 192.168.2.x through the tunnel. Here is an explanation of how this can be done. Also, you will need to tell your client about the additional route on the normal network interface.
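As an added example (not part of the original answer), here is the alias-plus-DNAT approach from the answer as one reviewable script. The interface names eth0 and tun0 and the addresses are assumptions taken from the question, and the FORWARD rules go a step further than the answer by only letting the tunnel side reply to connections the LAN initiated:

```shell
#!/bin/sh
# Added example, not from the original answer: the alias + DNAT approach as a
# reviewable script. Interface names (eth0, tun0) and addresses are assumptions
# taken from the question; override them via the environment.
LAN_IF="${LAN_IF:-eth0}"                 # LAN-facing interface on the Debian PC
TUN_IF="${TUN_IF:-tun0}"                 # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # the LAN the clients live in
ALIAS_IP="${ALIAS_IP:-192.168.2.123}"    # LAN address that stands in for the server
VPN_SERVER="${VPN_SERVER:-10.0.0.1}"     # server's address inside the VPN

# Emit the commands, one per line, so they can be reviewed before being applied.
# The DNAT rule only matches packets arriving on the LAN interface from the LAN,
# and the tun0 -> eth0 rule only passes replies to LAN-initiated connections, so
# nothing on the VPN side can open a connection into the LAN through this box.
# To keep forwarding across reboots, put net.ipv4.ip_forward=1 in /etc/sysctl.d/.
vpn_nat_rules() {
    cat <<EOF
ip addr replace ${ALIAS_IP}/24 dev ${LAN_IF}
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -d ${ALIAS_IP} -j DNAT --to-destination ${VPN_SERVER}
iptables -t nat -A POSTROUTING -o ${TUN_IF} -j MASQUERADE
iptables -A FORWARD -i ${LAN_IF} -o ${TUN_IF} -d ${VPN_SERVER} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${TUN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply for real only when DRY_RUN=0 (needs root); the default just prints the plan.
apply_vpn_nat_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        vpn_nat_rules
    else
        vpn_nat_rules | sh -e
    fi
}

# Number of commands in the plan; a quick sanity check before applying it.
vpn_nat_rule_count() {
    vpn_nat_rules | grep -c .
}
```

Run it once as a dry run, check the printed plan, then re-run with DRY_RUN=0 as root; the commands append rules, so flush or remove them before running a second time.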