angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

Forward port from eth0 to tun0 #498

Open dschense opened 4 years ago

dschense commented 4 years ago

First of all, nice script. It's working well here. I just have a question about whether I'm doing this the right way:

I am running the OpenVPN server on a Debian 9 VPS with one public IP "123.123.123.1" on eth0.
The VPS is connected to my home network over tun0 "10.8.0.0/24". The VPS has IP "10.8.0.1" and the home network client has "10.8.0.2". The VPN is connected and the machines can ping each other. So far so good.

Now I want to use the public IP of the VPN server on eth0 for the client machine inside the tunnel network. The best way I've found is to forward the ports to the client machine.

So I am using this way:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE

iptables -t nat -A OUTPUT -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80

After this it's possible to access the nginx webserver running on the client machine inside the tunnel network over the DNS name http://dns-of-vps.com pointing to the public IP of the VPS.

And to get the rules on boot, I changed the add-openvpn-rules.sh to

#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
iptables -t nat -A OUTPUT -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 1194 -j ACCEPT

and the rm-openvpn-rules.sh to

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -D PREROUTING -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -D POSTROUTING -p tcp --dport 80 -j MASQUERADE
iptables -t nat -D OUTPUT -p tcp --dport 80 -d 123.123.123.1 -j DNAT --to-destination 10.8.0.2:80
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 80 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 25565 -j ACCEPT

The only problem with this setup is that on the client side I get the source IP from the server side in the logs. For example, when accessing http://dns-of-vps.com pointing to the VPS IP, the logs on the client side get the source IP of the VPS at the tunnel side -> "10.8.0.1" and not the real source IP of the user. Is there a way to pass the real source IP through the tunnel?

Is this the right way of doing this, or is there a better way? I've been searching for this for hours and days, but the tutorials are not clear enough.

randshell commented 4 years ago

I have an idea. Install nginx on the VPS and configure it as a reverse proxy:

location / {
    proxy_pass http://10.8.0.2:80/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

The source IP of the user will be in the X-Real-IP header. I added X-Forwarded-For for proxies but it's not necessary.
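With the reverse proxy in place, the only peer that should be allowed to set X-Real-IP / X-Forwarded-For is the VPS end of the tunnel (10.8.0.1); any other connection that reaches the client's nginx can carry a spoofed header. The following is an added example, not code from the thread or from openvpn-install, that reads constructed access-log lines from the tunnel-side client and attributes each request to the right address, honouring the headers only when the TCP peer is the trusted proxy. It assumes a custom nginx log_format (shown in the comment) that also writes the two headers.

```python
import ipaddress
import re

# Only the VPS end of the tunnel from the thread (10.8.0.1) may set X-Real-IP /
# X-Forwarded-For; a header arriving from any other peer is untrusted input.
TRUSTED_PROXIES = {ipaddress.ip_address("10.8.0.1")}

# Assumed nginx log_format on the tunnel-side client (not the page's own):
# '$remote_addr [$time_local] "$request" $status "$http_x_real_ip" "$http_x_forwarded_for"'
LOG_RE = re.compile(r'^(?P<remote>\S+) \[[^\]]+\] "[^"]*" \d{3} "(?P<real_ip>[^"]*)" "(?P<xff>[^"]*)"$')

def parse_ip(value):
    """Return an ip_address, or None for an empty or malformed field."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def effective_client_ip(remote_addr, x_real_ip, x_forwarded_for):
    """Address to attribute the request to: the header value only when the TCP
    peer is a trusted proxy, otherwise the socket address itself."""
    peer = parse_ip(remote_addr)
    if peer is None or peer not in TRUSTED_PROXIES:
        return remote_addr
    candidate = parse_ip(x_real_ip)
    if candidate is None and x_forwarded_for:
        # proxy_add_x_forwarded_for appends the address the proxy saw, so the
        # right-most entry is the one written by our trusted proxy.
        candidate = parse_ip(x_forwarded_for.split(",")[-1])
    return str(candidate) if candidate is not None else remote_addr

def client_ips_from_log(lines):
    """Map each parsable log line to the address it should be attributed to."""
    ips = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ips.append(effective_client_ip(m["remote"], m["real_ip"], m["xff"]))
    return ips

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    # Relayed by the VPS proxy: header honoured.
    '10.8.0.1 [10/Oct/2020:12:00:00 +0000] "GET / HTTP/1.1" 200 "203.0.113.7" "203.0.113.7"',
    # Only X-Forwarded-For, with a client-supplied hop in front of the proxy's entry.
    '10.8.0.1 [10/Oct/2020:12:00:01 +0000] "GET /a HTTP/1.1" 200 "" "198.51.100.9, 203.0.113.8"',
    # Direct hit from another tunnel peer: spoofed header ignored.
    '10.8.0.3 [10/Oct/2020:12:00:02 +0000] "GET /admin HTTP/1.1" 403 "127.0.0.1" "127.0.0.1"',
    # Header present but malformed: fall back to the peer.
    '10.8.0.1 [10/Oct/2020:12:00:03 +0000] "GET /b HTTP/1.1" 200 "not-an-ip" ""',
]
```

For the four sample lines, `client_ips_from_log(SAMPLE_LOG)` returns `["203.0.113.7", "203.0.113.8", "10.8.0.3", "10.8.0.1"]`.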