-3

I have configured an OpenVPN connection from my Debian PC to my remote Debian server, and it works. In fact, I can ping 10.0.0.1 (the server's address in the VPN).

Now I want to share this connection. I want my other clients on the LAN to be able to access the server without an OpenVPN client. How can I do it?

My standard LAN addresses are 192.168.2.x. How can I set the 192.168.2.123 address to connect directly to the remote server?

Salvosnake

1 Answer

1

If I understand you correctly, you want to map the address 192.168.2.123 to the remotely accessible OpenVPN server 10.0.0.1.

In order to do this, you will need to do two things:

  1. Create an alias for the address 192.168.2.123 on your Debian PC. A detailed how-to can be found here
  2. Set up your Debian PC to rewrite incoming traffic for 192.168.2.123 to the remote server 10.0.0.1.

In order to set up forwarding, you will need to enable it first as shown below.

echo 1 > /proc/sys/net/ipv4/ip_forward

Then set up specific firewall rules to actually forward your traffic. Here is an example of how to do this.

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 192.168.2.123 -j DNAT --to-destination 10.0.0.1

Note: tun0 is supposed to be the interface of the tunnel your Debian PC opened, eth0 the interface on your Debian PC with IP address 192.168.2.123. The actual names of your interfaces may be something else. This will set up a NAT, effectively mapping the traffic from your LAN interface to the address you have within the VPN. Also be aware that this setup will require the clients in your LAN to initiate any connection with the remote Debian server.

Another solution would be to simply forward the traffic of your LAN interface to your tunnel interface as shown below. Using this approach you will be able to access your remote Debian server using its internal VPN IP 10.0.0.1.

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Note: The VPN server on the other side does not know about the subnet whose traffic is forwarded to it. In order to enable the server to send back responses, you will need to tell it that it can reach your LAN 192.168.2.x using the tunnel. Here is an explanation of how this can be done. Also you will need to tell your client about the now additional route on the normal network interface.

Marian
  • Since I don't speak Italian, I will build on the translation Google Translate provided. As I understand, you created the virtual interface, which is not working at the moment. Also you want to know whether it makes a difference which type of adapter you are using (tun/tap)? – Marian Feb 09 '16 at 14:48
  • I corrected my answer, since I got your problem wrong before. The first approach should be what you are looking for. To answer your question about the adapter type: you can use both (you need to adjust the interface specified in the rule, of course). By the way, I also corrected the link for the IP alias, since I saw I accidentally provided the wrong one... – Marian Feb 09 '16 at 16:44
  • I'm so sorry, I wrote in Italian by mistake; my browser automatically translated the English to Italian :/. I repeat: I have used the tap0 interface, and I have made the virtual interfaces on the Debian server, but I don't know how I can route the traffic. I made the virtual interface from the /etc/network/interfaces file; now I will try your solution :-) ... – Salvosnake Feb 09 '16 at 23:06
  • I have tried, but I have some questions. I have enabled the virtual interface, and I have set the route with these 2 commands: "iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE iptables -t nat -A PREROUTING -d 192.168.2.123 -j DNAT --to-destination 10.0.0.1". Now what do I still need to do? – Salvosnake Feb 10 '16 at 10:16
  • Are you using a tap or a tun interface for your vpn on both sides? If you use a tun interface you should be able to access your remote server by sending packets to the address 192.168.2.123 on your LAN. At least if the vpn connection on your debian pc is active and no other firewall rule is blocking it. Also ensure forwarding is active. – Marian Feb 10 '16 at 17:02
  • I use a tap interface. I used your config and some commands from the route tutorial, and everything works now. Thank you for your help! – Salvosnake Feb 10 '16 at 17:08
  • No problem, I'm happy that I was able to help you – Marian Feb 10 '16 at 19:31
  • Another question: if I do not edit the server.conf file with the route configuration, the communication still works fine. Is that normal? – Salvosnake Feb 11 '16 at 07:45
  • What route configuration for which side do you mean exactly? – Marian Feb 11 '16 at 13:17
  • In the server.conf of OpenVPN, I have removed all route commands. The VPN works OK, but out of curiosity I want to know :-) – Salvosnake Feb 12 '16 at 18:34
  • Basically what you're doing is swapping the source address of your LAN device with the VPN address of your Debian PC, and the destination address of the LAN device being accessed with the VPN address of your remote server. Your LAN device believes it's talking with another LAN device, while your remote server thinks he's talking to your Debian PC. Therefore neither your LAN device nor your remote server has the need to know about any additional routes. I hope this answers your question. – Marian Feb 12 '16 at 19:12
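
The answer's first approach (DNAT on the alias plus MASQUERADE on the tunnel), written as a re-runnable script whose rules are scoped to the LAN subnet and the single VPN server. This is an added example, not code from the answer; the variable names, the 192.168.2.0/24 prefix and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names: LAN_IF, VPN_IF,
# ALIAS_IP, VPN_SERVER, LAN_NET. Set VPN_IF=tap0 if the tunnel is a tap device.
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
ALIAS_IP=${ALIAS_IP:-192.168.2.123}
VPN_SERVER=${VPN_SERVER:-10.0.0.1}
LAN_NET=${LAN_NET:-192.168.2.0/24}   # assumed prefix for the 192.168.2.x LAN
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = apply (needs root)

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Append a rule only if it is not installed yet, so re-running the script
# does not stack duplicates. Usage: add_rule <table> <chain> <rule spec...>
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

share_vpn() {
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite LAN traffic aimed at the alias to the server's VPN address.
    add_rule nat PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$ALIAS_IP" \
        -j DNAT --to-destination "$VPN_SERVER"
    # Hide LAN sources behind this host's VPN address, so the server
    # needs no route back to the LAN.
    add_rule nat POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_SERVER" -j MASQUERADE
    # Forward only LAN -> server, plus replies to connections opened that way.
    add_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" \
        -d "$VPN_SERVER" -j ACCEPT
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Call `share_vpn` with `DRY_RUN=1` to review the commands, then with `DRY_RUN=0` as root to apply them. The two FORWARD rules only restrict anything when the FORWARD chain's policy is DROP; with a policy of ACCEPT all forwarded traffic passes regardless.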