How do I forward ports from a VDS through an OpenVPN channel to a home pfSense so that home servers get a static IP?
There is a configured chain: OpenVPN server (Ubuntu 16.04) on a VDS -> pfSense -> TP-Link -> home server. The VPN channel from the VDS to pfSense is up. I need the static IP of the VDS to become the static IP of my home network. But as soon as I forward ports through the OpenVPN channel to the pfSense VPN address, my home network stops working (sites stop opening), while the forwarding itself works and I can see my local resources through the VDS's IP. There are no errors in the logs. As far as I understand, this is a mistake on my part in iptables, but I can't figure out what it is.
# forward new HTTP connections from the internet into the tunnel
iptables -A FORWARD -i eth0 -o tun0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
# redirect port 80 to the pfSense tunnel address, then rewrite the source to the VDS tunnel address
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.6
iptables -t nat -A POSTROUTING -o tun0 -p tcp --dport 80 -d 10.0.0.6 -j SNAT --to-source 10.0.0.1
apt install -y iptables-persistent
service netfilter-persistent start
service netfilter-persistent save
where:
eth0 - the interface through which the VDS receives internet
tun0 - the VPN interface
10.0.0.6 - the virtual IP of pfSense issued by the server
10.0.0.1 - the OpenVPN interface on the VDS
Server VPN config:
port 1194
proto udp
dev tun
ca ca.crt
cert blabla.crt
key blabla.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
client-config-dir blabla
status 123.log
log /var/log/123.log
verb 3
comp-lzo adaptive
sndbuf 0
rcvbuf 0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
(the client ignores redirect-gateway so that by default devices at home do not go through the VPN channel, only traffic to certain sites does)
What specific sites stop working? The VPN keeps working for you, because otherwise, when accessing the VDS's IP, your sites would stop working.
Do you really need a default gateway in the tunnel? That is, are there clients whose traffic you plan to send entirely into the tunnel? If not, then push "redirect-gateway def1" should be removed, as well as the pushing of DNS settings, and only the specific necessary routes should be configured.
Also, judging by the rules, for some reason you are doing DNAT to the IP of pfSense and not to the IP of the home server. That gives you a quadruple NAT: DNAT to 10.0.0.6, then SNAT to 10.0.0.1, then pfSense does DNAT and SNAT again? That's too much. Specify in the OpenVPN routes that there is another network behind pfSense, and configure the DNAT rule so that the server's IP is set right away, not pfSense's.
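The layout the answer describes (route to the home LAN on the OpenVPN side, one DNAT straight to the home server, no redirect-gateway), as an added example that is not code from the question or the answers. The tunnel values come from the question (eth0, tun0, 10.0.0.1 for the VDS, 10.0.0.6 for pfSense); the home LAN 192.168.1.0/24, the home server 192.168.1.10 and the pfSense certificate CN "pfsense" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or the answers. eth0/tun0/10.0.0.1/10.0.0.6 are
# the question's values; the home LAN, home server and pfSense cert CN are assumed.
HOME_LAN_NET="192.168.1.0"; HOME_LAN_MASK="255.255.255.0"   # assumed LAN behind pfSense
HOME_SERVER="192.168.1.10"                                   # assumed home web server
PFSENSE_CN="pfsense"                                         # assumed client cert CN

# Line for the OpenVPN server config: the kernel route to the LAN behind the client.
# No push "redirect-gateway" and no DNS push, so only the forwarded port uses the tunnel.
ovpn_server_lines() {
  printf 'route %s %s\n' "$HOME_LAN_NET" "$HOME_LAN_MASK"
}

# Contents of <client-config-dir>/<CN> for pfSense: iroute binds that LAN to this client
# inside OpenVPN, so the server knows which tunnel peer the 192.168.1.0/24 packets go to.
ovpn_ccd_lines() {
  printf 'iroute %s %s\n' "$HOME_LAN_NET" "$HOME_LAN_MASK"
}

# netfilter rules for the VDS: one DNAT straight to the home server (pfSense only routes),
# plus SNAT to the VDS tunnel address so the reply comes back through tun0 instead of the
# home ISP link (the server then sees 10.0.0.1 as the client address, not the real one).
# Only the forwarded port is accepted towards tun0, and nothing NEW is accepted from tun0
# out to eth0, so the VDS cannot silently become the home network's default gateway.
firewall_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $HOME_SERVER
iptables -t nat -A POSTROUTING -o tun0 -p tcp -d $HOME_SERVER --dport 80 -j SNAT --to-source 10.0.0.1
iptables -A FORWARD -i eth0 -o tun0 -p tcp -d $HOME_SERVER --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Applies everything; run only on the VDS as root. CCD_DIR must match the directory named
# by client-config-dir in the server config (assumed path here).
apply_all() {
  CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
  mkdir -p "$CCD_DIR" && ovpn_ccd_lines > "$CCD_DIR/$PFSENSE_CN"
  firewall_rules | sh -e
}

# Default action: print the fragments for review instead of applying them.
ovpn_server_lines; ovpn_ccd_lines; firewall_rules
```

The `route` line still has to be added to the server config by hand, and pfSense must allow the forwarded port from the tunnel interface to the LAN.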