
I'm connecting two Debian 9 x64 machines with OpenVPN:

Server
(ens3 public-ip x.x.x.222)
tun0 10.8.0.1
-> Services:
   * Samba - udp137, udp138, tcp139, tcp445
   * Webserver - tcp80

Client
ens33 192.168.162.157
tun0 10.8.0.6

So I want to forward Samba and the webserver to the client's LAN IP 192.168.162.157, so that other LAN clients in 192.168.162.x can reach these services.

I tried to define NAT-rules with iptables on the client with all the information I found on the internet, but I wasn't successful:

# enable routing between ens33 and tun0 on the client
sysctl -w net.ipv4.ip_forward=1

# Samba: rewrite the destination of LAN traffic arriving on ens33 to the VPN server
iptables -t nat -A PREROUTING -i ens33 -p udp --dport 137 -j DNAT --to 10.8.0.1:137
iptables -t nat -A PREROUTING -i ens33 -p udp --dport 138 -j DNAT --to 10.8.0.1:138
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 139 -j DNAT --to 10.8.0.1:139
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 445 -j DNAT --to 10.8.0.1:445

# allow the DNATed Samba traffic through the FORWARD chain
iptables -A FORWARD -i ens33 -p udp --dport 137 -d 10.8.0.1 -j ACCEPT
iptables -A FORWARD -i ens33 -p udp --dport 138 -d 10.8.0.1 -j ACCEPT
iptables -A FORWARD -i ens33 -p tcp --dport 139 -d 10.8.0.1 -j ACCEPT
iptables -A FORWARD -i ens33 -p tcp --dport 445 -d 10.8.0.1 -j ACCEPT

# Webserver (HTTP is TCP, so the FORWARD rule must match tcp as well)
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 10.8.0.1:80
iptables -A FORWARD -i ens33 -p tcp --dport 80 -d 10.8.0.1 -j ACCEPT

Both the webserver and Samba are reachable if I connect to 10.8.0.1 directly on the client, but not from the LAN via 192.168.162.157.

Can someone help me with the iptables? :)


Your problem is probably the way back.

Does the server know to route packets to your client subnet through the VPN client? If not, you will need SNAT / masquerading as well (or a matching routing entry on the server).

Then for your server the packets would originate from your VPN client and would find their way back.

Enno Gröper
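The return path the answer describes, as an added example that is neither the questioner's nor the answerer's own script. It assumes the interface names and addresses from the question (LAN side ens33, VPN side tun0, server 10.8.0.1) and emits the complete rule set on stdout so it can be reviewed before it is piped into sh as root.

```shell
#!/bin/sh
# Added example; assumed names/addresses are those given in the question.
LAN_IF=ens33
VPN_IF=tun0
SERVER=10.8.0.1
LAN_NET=192.168.162.0/24

# Emit one DNAT rule plus the matching FORWARD rule: gen_forward <proto> <port>
gen_forward() {
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$1" "$2" "$SERVER" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$LAN_IF" "$VPN_IF" "$1" "$SERVER" "$2"
}

# Emit the full rule set. Apply with:  gen_rules | sh   (as root)
gen_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    gen_forward udp 137
    gen_forward udp 138
    gen_forward tcp 139
    gen_forward tcp 445
    gen_forward tcp 80   # HTTP is TCP; the question's FORWARD rule said udp
    # Replies to DNATed connections must be let back through FORWARD even when
    # the chain's default policy is DROP.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$LAN_IF"
    # The missing piece: the server has no route to the LAN, so its replies to a
    # 192.168.162.x source never come back through the tunnel. Masquerading on
    # tun0 makes the server see the VPN client's tun0 address instead; conntrack
    # then un-NATs the reply toward the original LAN host. Restricting it to
    # -d $SERVER keeps other VPN traffic untouched. (With a fixed tun0 address,
    # SNAT --to-source 10.8.0.6 is the equivalent explicit form.)
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -d %s -j MASQUERADE\n' \
        "$LAN_NET" "$VPN_IF" "$SERVER"
}

# Number of emitted lines matching a pattern; a quick self-check before applying.
count_rules() {
    gen_rules | grep -c -- "$1" || true
}
```

The alternative the answer mentions is a route on the server (`ip route add 192.168.162.0/24 via 10.8.0.6 dev tun0`), which avoids NAT and keeps the real LAN source addresses visible in the server's Samba and web logs; with masquerading, every LAN client shows up there as 10.8.0.6.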