linux
FunMelon, 2019-03-26 06:39:57

Setting up an OpenVPN tunnel to bypass NAT?

In general, I decided to build a tunnel according to this article: https://habr.com/ru/post/216101/
But since I'm too lazy to fiddle with the router, I decided to remove it from this chain and send packets from the VPS directly to the computer. For the test I took my PC (VPN client; it will be the web server), a laptop with Xubuntu (VPN server, playing the role of the VPS) and a phone (in the role of a regular client).
I connected everything to the router's local network 192.168.0.1, that is, all my devices are on the same network.
I did everything according to the instructions, namely: built a VPN tunnel between the laptop and the computer (they can easily send packets to each other), and also set up iptables on that laptop as it is written in the article:

For example, this is how forwarding the ssh port to one of the machines on my home network looks:
# Forward SSH port to server
iptables -t nat -A PREROUTING -d XX.XX.XX.XXX -p tcp --dport 666 -j DNAT --to-dest 192.168.1.200:22
iptables -t nat -A POSTROUTING -d 192.168.1.200 -p tcp --dport 22 -j SNAT --to-source 10.9.8.1

For my situation I have this variant:
iptables -t nat -A PREROUTING -d 192.168.0.180 -p tcp --dport 80 -j DNAT --to-dest 192.168.1.154:80
iptables -t nat -A POSTROUTING -d 192.168.0.154 -p tcp --dport 80 -j SNAT --to-source 10.9.8.1

192.168.0.180 - laptop
192.168.0.154 - computer
Everything happens on port 80.
I started the tunnel and the web server on my PC, and tried to connect from the phone to the laptop by IP and port, 192.168.0.180:80, but nothing happened. What could the problem be?
Do I need to make any settings on the computer? The laptop and the computer can easily communicate with each other through the VPN, but the laptop does not let the phone through to the computer.


2 answers

hint000, 2019-03-26

The laptop acts as a gateway, so do this on the laptop:
http://xgu.ru/wiki/Forwarding
If that doesn't help, then run traceroute 192.168. and post the trace here.

res2001, 2019-03-26

As far as I understand, the option proposed in the article does not require that clients see each other, so it isn't set up there. By default, clients do not see each other.
Add the following line to the VPN server config: client-to-client. NAT for client requests works by default, and so do the corresponding responses from the server.
I would also set up keepalive and key-based authorization.
keepalive is needed not only to detect connection breaks in time, but also so that NAT "does not forget" the connection.
The article is not great, IMHO.
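An added example, not from the question, the Habr article or either answer, that gathers what the two answers point at into one POSIX shell script: a function that prints the gateway-side forwarding rules (IP forwarding, DNAT, SNAT and the FORWARD-chain rules that a bare DNAT/SNAT pair does not cover), a function that prints the server.conf lines res2001 recommends, and a check that a DNAT/SNAT pair names the same client host. Assumed values, not taken from the page: tun0 as the OpenVPN interface and 10.9.8.2 as the PC's tunnel address; the script only prints rules, so nothing changes until the output is reviewed and piped to a root shell.

```sh
#!/bin/sh
# Added example, not from the question or the answers. Assumptions: tun0 is the
# OpenVPN interface on the gateway and the web server is reached at its VPN
# client address (e.g. 10.9.8.2). Rules are only printed; review them, then
# pipe the output to a root shell to apply.

# gen_forward_rules GW_IP GW_PORT CLIENT_IP CLIENT_PORT VPN_GW_IP
# Prints everything the gateway needs to forward GW_IP:GW_PORT to
# CLIENT_IP:CLIENT_PORT through the tunnel. DNAT alone is not enough:
# ip_forward must be on and the FORWARD chain must accept the translated
# flow in both directions.
gen_forward_rules() {
    gw_ip=$1; gw_port=$2; client_ip=$3; client_port=$4; vpn_gw_ip=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $gw_ip -p tcp --dport $gw_port -j DNAT --to-destination $client_ip:$client_port
# SNAT to the gateway's tunnel address so replies come back through the tunnel.
# Caveat: the web server then logs every visitor as $vpn_gw_ip.
iptables -t nat -A POSTROUTING -d $client_ip -p tcp --dport $client_port -j SNAT --to-source $vpn_gw_ip
iptables -A FORWARD -o tun0 -d $client_ip -p tcp --dport $client_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -s $client_ip -p tcp --sport $client_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# gen_server_conf: the server.conf lines from the second answer. keepalive
# pings every 10 s and declares the peer dead after 60 s of silence, which
# also keeps NAT state on the path from expiring.
gen_server_conf() {
    cat <<EOF
client-to-client
keepalive 10 60
EOF
}

# nat_pair_consistent "<PREROUTING rule>" "<POSTROUTING rule>"
# Succeeds only when the DNAT target host is the host the SNAT rule matches
# on; a mismatch silently leaves the reply path untranslated.
nat_pair_consistent() {
    dnat_host=$(printf '%s\n' "$1" | sed -n 's/.*--to-dest[a-z]* \([0-9.]*\):.*/\1/p')
    snat_host=$(printf '%s\n' "$2" | sed -n 's/.*-d \([0-9.]*\) .*/\1/p')
    [ -n "$dnat_host" ] && [ "$dnat_host" = "$snat_host" ]
}
```

Run `gen_forward_rules 192.168.0.180 80 10.9.8.2 80 10.9.8.1` to see the rule set for the question's laptop, and feed the two PREROUTING/POSTROUTING lines from a config to `nat_pair_consistent` before applying them.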
