
I have a VPN server (the "host" - 10.8.1.1) on a public VPS instance running OpenVPN. The second instance I am running (the "client" - 10.8.1.2) is a local ESXi instance connected to the host vpn server. Both servers are running CSF (hardened iptables frontend essentially). Also, both servers have 27015:27050 UDP allowed IN/OUT in their csf.confs.

I am attempting to forward traffic on the host on the port range 27015-27050 (UDP) through the OpenVPN tunnel to the client. From there, all response traffic must go back through the tunnel to the host (I'm assuming via an SNAT).

I have tried every variation of every possible command I was able to find on Google, and the farthest I've got is the initial packet to get forwarded through the tunnel to the client, but nothing back to the host.

Here's what I have in my csfpost.sh on the host (the script run after csf finishes starting):

# Rewrite the destination of inbound UDP 27015 arriving on eth0 to the VPN client
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 27015 -j DNAT --to-destination 10.8.1.2:27015
# Let the DNATed packets (and their replies) pass the FORWARD chain
iptables -A FORWARD -p udp -d 10.8.1.2 --dport 27015 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Since the commands I've tried on the client haven't worked so far, I doubt they would help to see.

The commands I've shown above only affect port 27015, but my end goal is to have the port range 27015-27050 forwarded.

Thanks for any help or suggestions!

Cory
  • Is ip forward activated? – c4f4t0r Jul 10 '14 at 18:21
  • One quite likely explanation is that the UDP reply packet is not routed over the tunnel, but instead it is routed some more direct path back to the client. You can try to attach strace to the UDP server to see if it receives a request and if it sends a reply. – kasperd Jul 10 '14 at 19:44

1 Answer


I agree with kasperd.

If you want to make sure the reply packet is sent along the same route, you either have to implement some fancy policy routing on the receiving box (using connmark to mark connections incoming on the vpn interface, then --restore-mark on outgoing reply packets, and an ip(8) rule to cause marked packets to be forwarded using a routing table whose default gateway is the vpn peer); or just SNAT the packets to the vpn IP of the NAT box.

I.e. add something like

iptables -t nat -A POSTROUTING -p udp -o vpninterface --dport 27015 -j MASQUERADE
András Korn
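The rule set below is an added example, not code from the question or the answer. It puts together the host-side pieces discussed above: the DNAT from the question, extended to the whole 27015-27050 range, the matching FORWARD rules, and the POSTROUTING MASQUERADE on the tunnel interface that the answer recommends so the client's replies are addressed to the host's VPN address and come back through the tunnel. The interface names (eth0 for the public side, tun0 for the tunnel) are assumptions and are passed in as parameters; the conntrack match is used in place of the older state match. Setting IPT=echo makes the function print the rules instead of applying them, which is how it can be checked on a machine without iptables.

```shell
#!/bin/sh
# Added example: forward UDP 27015-27050 from the public interface to the
# OpenVPN client and force the replies back through the tunnel.
# Assumptions (not stated on the page): public interface eth0, tunnel
# interface tun0. Both are parameters, so adjust them to the real names.

# Run iptables, or whatever IPT is set to (IPT=echo gives a dry run).
ipt() {
    ${IPT:-iptables} "$@"
}

# vpn_forward_rules PUBLIC_IF VPN_IF CLIENT_VPN_IP PORT_RANGE
# PORT_RANGE is in iptables form, e.g. 27015:27050.
vpn_forward_rules() {
    pub_if="$1"
    vpn_if="$2"
    client="$3"
    ports="$4"

    # 1. Rewrite the destination of inbound UDP in the range to the client.
    #    Without a port in --to-destination the original port is kept, so
    #    27015 maps to 27015, 27016 to 27016, and so on.
    ipt -t nat -A PREROUTING -i "$pub_if" -p udp --dport "$ports" \
        -j DNAT --to-destination "$client"

    # 2. Let the DNATed packets into the tunnel and the replies back out.
    ipt -A FORWARD -i "$pub_if" -o "$vpn_if" -p udp -d "$client" --dport "$ports" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$vpn_if" -o "$pub_if" -p udp -s "$client" --sport "$ports" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Source-NAT what leaves through the tunnel to the host's VPN address.
    #    The client then answers 10.8.1.1 over the tunnel instead of trying
    #    to reach the original public source address by some other route.
    ipt -t nat -A POSTROUTING -o "$vpn_if" -p udp -d "$client" --dport "$ports" \
        -j MASQUERADE
}

# The FORWARD chain never sees the packets unless forwarding is enabled.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Usage on the host (real run):
#   enable_forwarding
#   vpn_forward_rules eth0 tun0 10.8.1.2 27015:27050
```

With CSF these lines belong in csfpost.sh, as in the question, so they are re-added after CSF rebuilds its chains. The MASQUERADE step hides the real source address from the service on the client; the connmark/ip rule approach the answer mentions first keeps the source address intact at the cost of extra routing configuration, and is not shown here.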