I am working on a solution to expose a development stack that resides inside a Virtualbox guest up to the Internet through OpenVPN tunnels.
OpenVPN client fires up inside the guest VM and connects fine to an EC2 instance with a public IP.
I added a route on the EC2 box to include the LAN on the guest VM side. In reality the guest VM has the following interfaces:
Guest:
  eth0: 10.0.2.15
  tun0: 10.8.0.2
EC2:
  tun0: 10.8.0.1
  eth0: 10.254.254.234
I can ping from EC2 to tun0 (10.8.0.2) on the guest side as well as to eth0 (10.0.2.15).
Now the interesting part begins when on the EC2 side I include a DNAT rule to have SIP traffic directed from 10.254.254.234 to 10.0.2.15.
iptables -t nat -I PREROUTING -d 10.254.254.234 -j DNAT --to-destination 10.0.2.15
Because the proper route exists, the traffic is sent through the tunnel and I see the messages arriving at the other side (VirtualBox) when I use tcpdump on tun0. However, the final destination of that packet is eth0 on the VM, and it never gets forwarded from tun0 to eth0.
IP forwarding is enabled and no REJECT rules exist on the FORWARD chain in iptables.
Furthermore, if I make the process (a SIP proxy) listen on the tunnel interface, even though I see the packets when snooping with tcpdump and the proxy binds to the IP of the tunnel, it never reports receiving the traffic in its logs.
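As an added example that is not part of the original question or the asker's setup: a checker for the two kernel settings on the VM that decide whether a packet arriving on tun0 is accepted at all (net.ipv4.ip_forward and reverse-path filtering on the tunnel interface), plus a generator for a narrower EC2-side rule set. Addresses and interface names are the ones from the question; the SIP port 5060/udp and the SNAT on the EC2 tunnel side (so the VM's replies return through the tunnel instead of its default route) are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original question. Interface names and
# addresses are the ones given in the question; the SIP port (5060/udp) and
# the SNAT on the EC2 tunnel side are assumptions.

# check_vm_forwarding <sysctl-listing-file> <tunnel-iface>
# Reads "key = value" lines in the format of `sysctl -a` (a file, so it runs
# against a saved or constructed listing as well as the live system) and
# prints every setting that would stop a packet arriving on the tunnel from
# being accepted or forwarded. Returns 0 if all checks pass, 1 otherwise.
check_vm_forwarding() {
    listing=$1; iface=$2; rc=0
    ip_forward=$(sed -n 's/^net\.ipv4\.ip_forward = //p' "$listing")
    if [ "$ip_forward" != "1" ]; then
        echo "net.ipv4.ip_forward is '${ip_forward:-unset}', need 1"
        rc=1
    fi
    # Strict reverse-path filtering (1) drops a packet whose source address
    # would be routed back through another interface: exactly the case for
    # Internet traffic arriving via the tunnel while the VM's default route
    # points at eth0. The kernel uses the higher of the "all" value and the
    # per-interface value; 0 (off) or 2 (loose) lets the packet through.
    all=$(sed -n 's/^net\.ipv4\.conf\.all\.rp_filter = //p' "$listing")
    own=$(sed -n "s/^net\.ipv4\.conf\.$iface\.rp_filter = //p" "$listing")
    eff=${all:-0}
    if [ "${own:-0}" -gt "$eff" ]; then eff=${own:-0}; fi
    if [ "$eff" -eq 1 ]; then
        echo "rp_filter on $iface is strict (all=${all:-0}, $iface=${own:-0}); set it to 0 or 2"
        rc=1
    fi
    return $rc
}

# ec2_nat_rules <public-ip> <tunnel-iface> <vm-ip> <udp-port>
# Prints an EC2-side rule set that narrows the DNAT to the SIP port, permits
# the forwarded flow, and SNATs traffic leaving through the tunnel so the VM
# answers to 10.8.0.1 via tun0 instead of sending replies out its own default
# route, which would bypass the reverse translation of the DNAT.
ec2_nat_rules() {
    pub=$1; tun=$2; vm=$3; port=$4
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -d $pub -p udp --dport $port -j DNAT --to-destination $vm:$port" \
      "iptables -A FORWARD -o $tun -d $vm -p udp --dport $port -j ACCEPT" \
      "iptables -A FORWARD -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $tun -d $vm -j MASQUERADE"
}
```

Note that 10.0.2.15 is an address the VM itself owns, so a packet for it arriving on tun0 is delivered locally rather than forwarded, but reverse-path validation still runs on it before delivery. Run the checker against the live system with `sysctl -a > listing; check_vm_forwarding listing tun0`.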
Don't you mean
(the rule you have is two destination addresses)