
How can I publish 2 internal IPs behind a NAT firewall (router with dynamic firewall)?

I have 2 external IPs, 99.52.156.5 and 46.113.5.88, and I would like to publish two separate internal services on port 443 (behind my home network, NAT, dynamic IP) over the external IPs.

My opinion is that I should set up an OpenVPN server on a Linux machine with the 2 IPs (99.52.156.5, 46.113.5.88) assigned.
Also I must set up a local OpenVPN client Linux machine. That client should connect to the remote OpenVPN server.
Then all traffic from the 2 IPs (99.52.156.5, 46.113.5.88) should be routed through the VPN tunnel.

  • My local network is a 10.0.0.0/8 network
  • The NAT router has the IP 10.254.254.254
  • The local OpenVPN client has the IP 10.200.100.50
  • The local service 1, which should respond to the external IP 99.52.156.5, has the IP 10.200.100.80
  • The local service 2, which should respond to the external IP 46.113.5.88, has the IP 10.200.100.90

Can anybody show me a working OpenVPN configuration? Sorry, but I am not an admin... only a developer.

Many thanks!

Manuel
  • So to clarify, your external IPs are on a hosted server and the services you want to publish are on your home network. – Peter Green Feb 08 '17 at 12:34
  • Yes! The external IPs are on a hosted machine. And the services (mainly port 80, 443) on my home network should be published on these external IPs. – Manuel Feb 08 '17 at 16:19

1 Answer


This is not easy and will likely require a good knowledge of networking to set up.

First step is the VPN itself. That should be the easy bit but get it working before you move on.

Then comes setting up some IP routing. The VPN server will need to have a route to send packets down the VPN to your internal servers.

Then make sure IP forwarding is enabled on the remote server and add some DNAT rules to change the destination address on the packet to point at the internal servers.

Finally you need to get replies from the internal servers to go back down the VPN. The easiest way to do this is to add MASQUERADE rules on the VPN server and client so that the traffic appears to come from the previous box in the chain. Downside is that you lose the original source IP of the traffic. There are other solutions but they are likely much harder to set up.

Peter Green
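As an added example (not from the question or the answer above), a small POSIX shell script that generates the forwarding, DNAT and MASQUERADE rules the answer outlines, for both the hosted VPN server and the home VPN client, using the addresses from the question. The tunnel subnet 10.8.0.0/24, the client's tunnel address 10.8.0.2 and the interface names eth0/tun0 are assumptions; the DNAT is deliberately limited to TCP 443 so only the published services are reachable.

```shell
#!/bin/sh
# Rule generator for the two-IP publishing setup from the question.
# Addresses come from the question; tunnel subnet, tunnel client address
# and interface names (eth0 = public/LAN side, tun0 = OpenVPN) are assumed.
# Prints the commands; "apply-server" / "apply-client" pipes them into sh.

EXT1=99.52.156.5;  SVC1=10.200.100.80   # service 1 answers on EXT1
EXT2=46.113.5.88;  SVC2=10.200.100.90   # service 2 answers on EXT2
LAN=10.200.100.0/24                     # home subnet holding the services
TUN_CLIENT=10.8.0.2                     # assumed tunnel address of home client

# Hosted OpenVPN server: DNAT each public IP to its internal service, allow
# only that traffic to be forwarded into the tunnel, masquerade so replies
# from the home side come back via the tunnel instead of the home router.
# OpenVPN itself also needs "route 10.200.100.0 255.255.255.0" in server.conf
# and "iroute 10.200.100.0 255.255.255.0" in the client's ccd file.
server_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace $LAN via $TUN_CLIENT dev tun0
iptables -t nat -A PREROUTING -d $EXT1 -p tcp --dport 443 -j DNAT --to-destination $SVC1:443
iptables -t nat -A PREROUTING -d $EXT2 -p tcp --dport 443 -j DNAT --to-destination $SVC2:443
iptables -A FORWARD -i eth0 -o tun0 -d $SVC1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d $SVC2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
EOF
}

# Home OpenVPN client (10.200.100.50): forward only the published ports
# from the tunnel to the two services, and masquerade on the LAN side so
# the services reply to the client rather than to the 10.254.254.254 router.
client_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o eth0 -d $SVC1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -d $SVC2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

case "${1:-}" in
    server)       server_rules ;;
    client)       client_rules ;;
    apply-server) server_rules | sh -e ;;
    apply-client) client_rules | sh -e ;;
    *) echo "usage: $0 server|client|apply-server|apply-client" >&2 ;;
esac
```

Review the printed rules with `sh script.sh server` before applying them on the hosted box, and note that both ends must already have a default-deny or at least no blanket FORWARD ACCEPT for the port restriction to mean anything.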