How can I do site-to-site OpenVPN routing without NAT

Server Fault Asked by melka on January 24, 2021

I have two OpenVPN servers at different locations.
Each machine in one location can ping and connect to every machine in the other location.

My problem is when I use SSH to connect from machine A in location 1 to machine B in location 2 and check machine B's auth.log, I see the connection comes from the location 2 OpenVPN IP (10.0.0.2).

These are my OpenVPN settings and network structure.

Firewall rules:
Machine A

iptables -t filter -A FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.0.0.1
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Machine B

iptables -t filter -A FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.0.0.2
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Both OpenVPN servers have two physical interfaces: eth0 (external) and eth1 (LAN), as well as OpenVPN tun0.

I think my problem is that I use NAT but I don’t know how to route correctly. I need the real source machine IP.

So, in the case above, I would like to see the LAN IP (10.3.0.100) of machine A in machine B's auth.log when A is connecting to B.

Thank you for your help!

One Answer

I solved my problem and now it works for me. I changed the iptables rules on both machines to this:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
iptables -t filter -A FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o tun0 -j ACCEPT

Answered by melka on January 24, 2021
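The difference between the two rulesets comes down to which POSTROUTING rule a forwarded packet hits on each router. The following script is an added illustration, not code from the question or the answer: it models the nat table as an ordered list of rules (first match wins, SNAT rewrites the source to a fixed address, MASQUERADE rewrites it to the egress interface's address) and traces one packet from A's LAN through tun0 and out of B's eth1, returning the source address the remote host's auth.log would record. The tunnel addresses (10.0.0.1, 10.0.0.2) and A's LAN address (10.3.0.100) come from the thread; B's LAN address (10.4.0.1) and the remote host address (10.4.0.50) are constructed assumptions.

```python
"""Toy model of iptables POSTROUTING nat behaviour for the two rulesets in the
thread.  Added example, not the original poster's code.  Only the matches the
thread uses are modelled: -o (egress interface) and -s (source network)."""

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str


@dataclass(frozen=True)
class NatRule:
    """One `iptables -t nat -A POSTROUTING ...` rule (subset of matches)."""
    out_iface: str                      # -o
    action: str                         # "SNAT" or "MASQUERADE"
    to_source: Optional[str] = None     # --to-source (SNAT only)
    src_net: Optional[str] = None       # -s (optional)

    def matches(self, pkt: Packet) -> bool:
        if pkt.out_iface != self.out_iface:
            return False
        if self.src_net is not None:
            return ip_address(pkt.src) in ip_network(self.src_net)
        return True


def postrouting(pkt: Packet, rules: List[NatRule], iface_addrs: Dict[str, str]) -> Packet:
    """Apply the first matching POSTROUTING rule; with no match the packet is untouched."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "SNAT":
                return replace(pkt, src=rule.to_source)
            if rule.action == "MASQUERADE":
                return replace(pkt, src=iface_addrs[rule.out_iface])
    return pkt


# Router A: eth1 = LAN side (10.3.0.100, from the question), tun0 = VPN (10.0.0.1)
A_ADDRS = {"eth1": "10.3.0.100", "tun0": "10.0.0.1"}
# Router B: eth1 = LAN side (10.4.0.1 is an assumption), tun0 = VPN (10.0.0.2)
B_ADDRS = {"eth1": "10.4.0.1", "tun0": "10.0.0.2"}

# Original rules from the question: SNAT everything that enters the tunnel.
ORIGINAL_A = [NatRule(out_iface="tun0", action="SNAT", to_source="10.0.0.1")]
ORIGINAL_B = [NatRule(out_iface="tun0", action="SNAT", to_source="10.0.0.2")]

# Rules from the answer (same on both routers): nothing is rewritten on the way
# into the tunnel; only packets sourced from the tunnel subnet itself are
# masqueraded when they leave towards the LAN.
FIXED = [NatRule(out_iface="eth1", action="MASQUERADE", src_net="10.0.0.0/24")]


def source_seen_by_remote(lan_src: str, remote_dst: str,
                          rules_a: List[NatRule], rules_b: List[NatRule]) -> str:
    """Trace a packet from A's LAN across tun0 and out of B's eth1, and return the
    source address the destination host would log."""
    pkt = Packet(src=lan_src, dst=remote_dst, out_iface="tun0")  # A sends it into the tunnel
    pkt = postrouting(pkt, rules_a, A_ADDRS)
    pkt = replace(pkt, out_iface="eth1")                          # B forwards it to its LAN
    pkt = postrouting(pkt, rules_b, B_ADDRS)
    return pkt.src


if __name__ == "__main__":
    print("original rules:", source_seen_by_remote("10.3.0.100", "10.4.0.50", ORIGINAL_A, ORIGINAL_B))
    print("answer's rules:", source_seen_by_remote("10.3.0.100", "10.4.0.50", FIXED, FIXED))
    # Traffic generated by the tunnel endpoint itself still gets hidden behind B's LAN address.
    print("tunnel-sourced:", postrouting(Packet("10.0.0.1", "10.4.0.50", "eth1"), FIXED, B_ADDRS).src)
```

With the original rules the trace ends at 10.0.0.1, because A's `-o tun0` SNAT rewrites every packet entering the tunnel, and nothing on B restores it; with the answer's rules the LAN source 10.3.0.100 survives end to end, since the only nat rule matches `-s 10.0.0.0/24` and that address is outside it. Dropping the tunnel-side NAT means the remote LAN must be able to route replies for 10.3.0.0/24 back through B (an OpenVPN `route` directive or a static route on the LAN hosts or their gateway); the model does not check that, so verify it with a traceroute from the remote side after changing the rules.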