I have 2 servers:
server A: Public IP --> 104.x.x.x
server B: Public IP --> 188.x.x.x


server A has 2 VPN servers:
Openvpn --> tun0
Wireguard --> wg0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::ae7d:f7ab:615b:a78a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.9.0.1  netmask 255.255.255.0  destination 10.9.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 22563  bytes 14268224 (14.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20017  bytes 15166196 (15.1 MB)
        TX errors 0  dropped 6 overruns 0  carrier 0  collisions 0



I want that if any client connects to OpenVPN or WireGuard, instead of connecting to the internet from server A, it uses server B's internet connection


Clients (Openvpn or wireguard) --> Server A --> Server B --> Connect to internet


How can I make it possible? (using ssh or another way to forward traffic from server A to server B)

Thank you,
Best regards

user3289412

  • The usual way to forward traffic is through routing. Are **server A** and **server B** on a common private network? – Piotr P. Karwasz Dec 25 '19 at 13:10
  • You need to use policy based routing (so you can select a routing table based on something other than destination - usually a source IP, or a QoS mark which can be set based on interface using iptables). – davidgo Dec 25 '19 at 19:35
  • Hello there, actually server A is in the USA and server B is in France, and both use public IPs – user3289412 Dec 27 '19 at 01:27

1 Answer


First you need to establish a VPN link between server A and B; let's say server B will get 10.10.0.1 as address, server A 10.10.0.2, and the virtual interface on server A will be called tun1. You can use whichever technology you feel more comfortable with.

Then, as remarked by davidgo, you need to use policy based routing on server A. In order to do so:

  1. Add a new routing table to the file /etc/iproute2/rt_tables:

    200 vpn
    
  2. Add a selection rule to use the routing table vpn for all traffic coming from the private network:

    ip rule add from 10.0.0.0/8 table vpn
    
  3. Fill the routing table

    ip route add 10.8.0.0/16 dev tun0 src 10.8.0.1 table vpn
    ip route add 10.9.0.0/16 dev wg0 src 10.9.0.1 table vpn
    ip route add 10.10.0.0/16 dev tun1 src 10.10.0.2 table vpn
    ip route add default via 10.10.0.1 dev tun1 table vpn
    
Piotr P. Karwasz
  • you mean that I have to create a tun1 interface with ip 10.10.0.1 on server A that connects to server B and then set iptables rules on server A? Thanks – user3289412 Dec 29 '19 at 09:28
  • Yes, you must establish a VPN tunnel between server A and server B, e.g. OpenVPN you are already familiar with. The policy based routing table is for server A, while I assume server B will have a private IP `10.10.0.1`. You can obviously assign different IP's and have different virtual `tun*` interfaces. – Piotr P. Karwasz Dec 29 '19 at 10:18
  • I set `10.0.0.100` on interface **tun1** on server A and with the `ssh -w` command established a connection from server B to server A (server A private IP `10.0.0.200`) but can't connect to the internet. Can you help me more please? – user3289412 Dec 29 '19 at 11:44
  • On server B you need a `SNAT/MASQUERADING` rule in the `nat` table of iptables (`iptables -t nat -nvL POSTROUTING` to list the rules). **ssh** is a bad choice as VPN tunnel since it uses TCP (all packets are sent in order, packets lost are resent, etc.). Start debugging by pinging server B's private address. – Piotr P. Karwasz Dec 29 '19 at 11:55
  • Actually I have to use ssh due to some restriction. I can ping the private IP from both servers: `10.0.0.100` from server B and `10.0.0.200` from server A – user3289412 Dec 29 '19 at 12:02
  • So you just need something like `iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE` on server B and you can test with `ping -I 10.0.0.100 8.8.8.8` on server A. – Piotr P. Karwasz Dec 29 '19 at 12:17
  • Unfortunately I can't ping. If there is no problem, can I have your email to send you full details about the servers and configuration? Thank you, Best regards – user3289412 Dec 29 '19 at 13:04
  • The question you asked solves half your problem (the policy based routing for clients). I don't use ssh tunnels, check [this question](https://serverfault.com/questions/782220/how-to-make-ssh-based-vpn) to set it up or ask a new question (linking this one) if it does not solve all your problems. – Piotr P. Karwasz Dec 29 '19 at 14:40
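Both halves of the setup in one place, as an added example that is not part of the answer or the thread: a POSIX shell script that applies the policy routing on server A and the masquerading on server B. Interface names and addresses (tun0/wg0 on A, tun1 with 10.10.0.2 on A and 10.10.0.1 on B, client subnets 10.8.0.0/24 and 10.9.0.0/24) are taken from the thread; the client address 10.8.0.5 used in the verify step is an assumption, and the return routes on B are an addition the thread does not mention but without which replies that B has un-NATed never find their way back into the tunnel. By default the script only prints the commands; `RUN=""` applies them (root required).

```shell
#!/bin/sh
# Added example following the answer above; not the answerer's own script.
# Assumed from the thread:
#   server A: tun0 10.8.0.1/24 (OpenVPN), wg0 10.9.0.1/24 (WireGuard),
#             tun1 10.10.0.2 (A-B tunnel)
#   server B: tun1 10.10.0.1, default route to the internet
# RUN=echo (the default) prints every command for review; RUN="" applies them.
set -eu

RUN="${RUN-echo}"
TABLE_ID=200
TABLE=vpn
CLIENT_NETS="10.8.0.0/24 10.9.0.0/24"
A_TUN1_IP=10.10.0.2
B_TUN1_IP=10.10.0.1

# True only when applying for real; in dry-run mode every "add" is printed.
applying() { [ -z "$RUN" ]; }

add_rt_table() {
    # Idempotent: append the table name only when it is not already there.
    if ! grep -qsE "^$TABLE_ID[[:space:]]+$TABLE\$" /etc/iproute2/rt_tables; then
        $RUN sh -c "echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
    fi
}

server_a() {
    add_rt_table
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering (1) is a frequent source of silent drops
    # once policy routing is in play; loose mode (2) still rejects sources
    # that are unroutable on every interface.
    for dev in tun0 wg0 tun1; do
        $RUN sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
    done
    # Select the table by client source address. "ip rule add" is not
    # idempotent, so skip rules that already exist when applying.
    for net in $CLIENT_NETS; do
        if ! applying || ! ip rule show | grep -q "from $net lookup $TABLE"; then
            $RUN ip rule add from "$net" lookup "$TABLE" priority 1000
        fi
    done
    # Keep client and tunnel networks reachable from inside the table, then
    # send everything else through server B. "replace" is idempotent.
    $RUN ip route replace 10.8.0.0/24 dev tun0 table "$TABLE"
    $RUN ip route replace 10.9.0.0/24 dev wg0 table "$TABLE"
    $RUN ip route replace 10.10.0.0/24 dev tun1 table "$TABLE"
    $RUN ip route replace default via "$B_TUN1_IP" dev tun1 table "$TABLE"
}

server_b() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    for net in $CLIENT_NETS; do
        # Return routes: after conntrack un-NATs a reply, B must know that the
        # client subnets live behind A's end of the tunnel (assumed addition).
        $RUN ip route replace "$net" via "$A_TUN1_IP" dev tun1
        # Masquerade client traffic leaving towards the internet, never
        # traffic going back into the tunnel; -C avoids duplicate rules.
        if ! applying || ! iptables -t nat -C POSTROUTING -s "$net" '!' -o tun1 -j MASQUERADE 2>/dev/null; then
            $RUN iptables -t nat -A POSTROUTING -s "$net" '!' -o tun1 -j MASQUERADE
        fi
    done
}

verify_a() {
    # On A the route for an assumed client source 10.8.0.5 must name tun1 and
    # 10.10.0.1; if it names A's own default interface, the rule or table is wrong.
    $RUN ip route get 8.8.8.8 from 10.8.0.5 iif tun0
    $RUN ip route show table "$TABLE"
}

case "${1-}" in
    a)      server_a ;;
    b)      server_b ;;
    verify) verify_a ;;
    *)      : ;;   # no argument: only define the functions
esac
```

Review the output of `sh pbr.sh a` and `sh pbr.sh b` first, then run `RUN="" sh pbr.sh a` on server A and `RUN="" sh pbr.sh b` on server B as root, and finish with `RUN="" sh pbr.sh verify` on A followed by the `ping -I 10.8.0.1 8.8.8.8` style test from the comments. The script does not create tun1 itself; whatever carries the A-B link (OpenVPN, WireGuard or `ssh -w`) has to be up with those addresses before it is applied.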