Linux – OpenVPN server to forward incoming connection to client

linuxnetworkingopenvpnport-forwardingwindows

Scenario:

Server on the internet has OpenVPN server running.
Client-1 at home has app running on port 5000 (UDP and TCP), connecting to Server on it's OpenVPN (app binds to 0.0.0.0).
Client-2 at work want's to connect to Client-1's app through the internet, without connecting to the same OpenVPN network.
Both Clients are using Windows and Server uses Linux (Ubuntu).

Client-1 <===TUN0===> SERVER <===ETH0===> Client-2

Question:

How can I configure OpenVPN to forward incoming connection requests coming to it's eth0 interface's port 5000 to Client-1's tun0 interface's 5000 port, so Client-1's app can serve content back to Client-2 both on UDP and TCP?

Best Answer

Fortunately I have found the answer in this ServerFault question.

Some configuration I took from this DigitalOcean tutorial.

Having port forwarding enabled in sysctl I still needed to add some iptables rules added to /etc/ufw/before.rules, it looks something like this:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#


# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i eth0 -p tcp -m tcp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100
-A PREROUTING -i eth0 -p udp -m udp --dport 50100 -j DNAT --to-destination [Client-1's vpn address]:50100

# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
.
.
.
.
.
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT


# START OPENVPN RULES
-A FORWARD -d [Client-1's vpn address]/32 -p tcp -m tcp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d [Client-1's vpn address]/32 -p udp -m udp --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END OPENVPN RULES


# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

With the sysctl port forwarding enabled and the ip specific port forwarding iptables rules, now the 50100 port is open and forwarded to Client-1's port.

In short: The solution

Create a new routing table:

ip route add default via 192.168.1.5 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache

Where 192.168.1.5 is the IP of your external interface (eth0). Now add this to your wg0.conf:

FwMark = 0x55

Now you will be able to connect to your home-server via WireGuard even when it's OpenVPN tunnel is open.

A longer explanation

When you start your OpenVPN tunnel, a new route is set into the main routing table. This route might look like this: 0.0.0.0/1 via 10.8.8.1 dev tun0 and mean, that all your internet-traffic should be sent out through the tunnel.

This is great, but whenever you want to communicate with your routing machine over the unprotected interface, the answers of your machine would also be sent into the tunnel. That is why you can no longer reach your server over https, even if you had forwarded port 443 to it. It's answers would simply be sent into the tunnel and be lost.

Whith setting up a second routing table which can be viewed via ip route show table 7 and the 0x55-rule we've basically told your machine to route every marked packet over the normal, unprotected eth0 interface. The rest will still be sent into the tunnel.

What else could be done?

OpenVPN-server

I actually found the solution back then when I hadn't even heared of WireGuard. I wanted to connect to my home network via OpenVPN at the time and was unable to do that, when the server had it's tunnel up. However, my own OpenVPN-server was listening on Port 993 so I marked every packet with "0x55" that passed through that port:

sudo iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 993 -j MARK --set-mark 0x55

That made a VPN-connection to my VPN-connected server possible.

E-Mail Ports not protected

My VPN-provider does not allow sending mails through it's VPN because there had been SPAM problems. This rule would route the connection to my mail-accounts without passing them through the tunnel:

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x55

MAC-addresses without VPN

You might want a complete device being "unprotected". If you where using a swedish server and don't want to see swedish youtube ads on your tablet, you might want to do this:

iptables -t mangle -A PREROUTING -m mac --mac-source 4c:h7:9f:0l:17:k1 -j MARK --set-mark 0x55

you'd have to use your tablet's MAC address of course.

Linux – How to make a Google Cloud VM forward Minecraft traffic to an OpenVPN client

I think the problem might be, you are not masquerading the packets that are routed to the pi and not all traffics from the pi are made to be routed into the tunnel.

This means while packets from the outside world can reach the pi but when the pi replies to them, the response packets are not routed to the Google VM first (but are probably directly sent to the clients (as in, via its Internet gateway), which hence won't be recognized by the clients).

Also if the pi has firewall filtering incoming packets from the tunnel (such that only packets from other VPN hosts are accepted), packets that are not masqueraded as from the VM will be filtered.

Therefore, you might need:

iptables -t nat -A POSTROUTING -d 10.8.0.x -o tap0 -j MASQUERADE