I have an OpenVPN server installed on 192.168.0.3 as 10.10.10.1. I can connect from the Internet to my OpenVPN server, and the connection is created. Now I have a server on the LAN with IP address 192.168.0.11 and I'd like to expose it to the VPN as 10.10.10.11. How can I do that? I don't know beforehand what ports will be used by a client.
What I tried is this:
iptables -t nat -A PREROUTING -d 10.10.10.11 -j DNAT --to-destination 192.168.0.11
But if I try, on said OpenVPN server itself,
telnet 10.10.10.11 80
it doesn't work, whereas
telnet 192.168.0.11 80
connects.
I also activated IP-forwarding on the server, using
echo 1 > /proc/sys/net/ipv4/ip_forward
Any hints?? thanks!!
This will not work in principle as you are trying another use case. In case you are going directly from the openVPN server the proper chain would be
iptables -t nat -I OUTPUT
while
iptables -t nat -I PREROUTING
will be applied on forwarded traffic (e.g. openvpn clients). In case you would add also this rule it would work (at least partially).
This approach could work in principle but you need to cover the return path - both routing (@192.168.0.11) and firewall rules to allow the traffic (@192.168.0.3 / 10.10.10.1).
routing
static route on 192.168.0.11
As this rule would just change the destination IP and not the source, the server 192.168.0.11 has to know how to reach the originator of the communication. One of the options would be to add a static route on the host 192.168.0.11 for the subnet used for openVPN clients. Then it should work.
pushed configuration to openVPN client(s)
Another option would be to not rewrite the address at all and simply push the route to the client. You can push just one IP (192.168.0.11/32):
or subnet 192.168.0.0/24
This depends on the exact use case you need.
Note: In case you are using openVPN 2.3+ on the server side you can use an openvpn feature instead of iptables rules (it would be applied to openvpn traffic only):
firewall
or
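As an added example (not code from the question or the answer above), here is the DNAT setup the answer describes as a dry-run script: the PREROUTING rule for forwarded VPN-client traffic, the OUTPUT rule for connections made on the server itself, FORWARD rules to allow the traffic, and the static route for the return path on 192.168.0.11. It assumes VPN clients get addresses in 10.10.10.0/24 and that the tunnel interface is tun0; by default it only prints the commands, set APPLY=1 to execute them.

```shell
#!/bin/sh
# Addresses taken from the question; VPN_NET and the tun0 interface name are assumptions.
VPN_SRV_LAN=192.168.0.3   # OpenVPN server's LAN address
VPN_NET=10.10.10.0/24     # subnet used by OpenVPN clients (assumed)
LAN_HOST=192.168.0.11     # LAN server to expose
ALIAS=10.10.10.11         # address VPN clients will use for it
TUN_IF=tun0               # OpenVPN tunnel interface (assumed)

# Print the command unless APPLY=1, so the rule set can be reviewed before use.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Rules for the OpenVPN server (192.168.0.3 / 10.10.10.1).
server_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Packets from VPN clients arrive on tun0 and are forwarded: PREROUTING sees them.
  run iptables -t nat -A PREROUTING -i "$TUN_IF" -d "$ALIAS" \
      -j DNAT --to-destination "$LAN_HOST"
  # Connections opened on the server itself (the telnet test) skip PREROUTING;
  # the nat OUTPUT chain is where locally generated packets are rewritten.
  run iptables -t nat -A OUTPUT -d "$ALIAS" -j DNAT --to-destination "$LAN_HOST"
  # Allow the forwarded traffic in both directions (filter table).
  run iptables -A FORWARD -i "$TUN_IF" -s "$VPN_NET" -d "$LAN_HOST" -j ACCEPT
  run iptables -A FORWARD -o "$TUN_IF" -s "$LAN_HOST" -d "$VPN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Return path on the LAN host: DNAT rewrites only the destination, so
# 192.168.0.11 sees the client's 10.10.10.x source and must route replies
# back via the OpenVPN server rather than its default gateway.
lan_host_route() {
  run ip route add "$VPN_NET" via "$VPN_SRV_LAN"
}

server_rules
lan_host_route
```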