Why won't OpenVPN start?

I set up a server (on a KVM VPS) and an OpenVPN client according to this manual. Then I connected as a client to the server, and in the server logs I saw the following line:

    primary virtual IP for client/ip_сервера:18766: 10.8.0.6

    http://ip_сервера  # port 80
    https://ip_сервера # port 443

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80
    iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to-destination 10.8.0.6:80
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.8.0.6:443
    iptables -t nat -A PREROUTING -p udp --dport 443 -j DNAT --to-destination 10.8.0.6:443
    iptables -t nat -A POSTROUTING -j MASQUERADE

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
    tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN      544/sshd
    tcp        0    276 ip_сервера:22      37.45.244.85:48312   ESTABLISHED 771/1
    tcp        0      0 ip_сервера:22      37.45.211.79:31138   ESTABLISHED 572/0
    tcp6       0      0 :::22              :::*                 LISTEN      544/sshd
    udp        0      0 0.0.0.0:1194       0.0.0.0:*                        333/openvpn

I found a solution for myself by refusing to use iptables. All manipulations were performed on the VPS.

1. First I cleared iptables so that outdated rules would not affect future work in any way.

Redirecting to a local server without a static IP:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 768;
        multi_accept on;
    }

    http {
        sendfile on;
        keepalive_timeout 15;
        proxy_buffers 8 64k;
        proxy_intercept_errors on;
        proxy_connect_timeout 1s;
        proxy_read_timeout 3s;
        proxy_send_timeout 3s;

        server {
            listen 80;
            server_name a.ru b.ru;
            access_log /var/log/nginx/1.access_log;
            error_log /var/log/nginx/1.error_log warn;
            charset utf-8;
            ssi on;
            ssi_value_length 1024;

            location / {
                proxy_pass http://10.8.0.6:9000;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_intercept_errors off;
                proxy_read_timeout 5s;
                proxy_send_timeout 3s;
                gzip on;
                gzip_min_length 1024;
                gzip_proxied expired no-cache no-store private auth;
                gzip_types text/plain application/xml;
            }
        }
    }

Packets going into the VPN must not be hit by this. Add an ACCEPT rule at the beginning of POSTROUTING for the packets that should go into the VPN.

Besides, where is the filtering by destination IP in the SNAT rules? Otherwise all HTTP/S traffic, along with transit traffic (possibly excluding OpenVPN, but not really), will be sent to 10.8.0.6.
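The two problems this answer raises with the rules in the question (DNAT with no destination filter, and a POSTROUTING MASQUERADE that also rewrites packets going into the tunnel) can be checked mechanically. The following is an added example written for this page, not code from the question or either answer: it parses `iptables` command lines, flags those two patterns, and carries a constructed, narrowed rule set that passes the check. The interface names `eth0`/`tun0`, the public address `203.0.113.10` standing in for `ip_сервера`, the TCP-only forwarding (the nginx backend in the other answer serves plain HTTP over TCP) and the FORWARD rules are all assumptions.

```python
"""Audit iptables NAT rules for the "forward ports 80/443 to an OpenVPN client" setup.

Added example; not code from the original question or answers. The rule lines
below are constructed for illustration; eth0/tun0 and 203.0.113.10 are assumptions.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    table: str
    chain: str
    opts: dict = field(default_factory=dict)
    raw: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one `iptables ...` command into table, chain and an option map."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "iptables":
        raise ValueError(f"not an iptables command: {line!r}")
    table, chain, opts = "filter", None, {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok == "-t":
            table, i = toks[i + 1], i + 2
        elif tok in ("-A", "-I"):
            chain, i = toks[i + 1], i + 2
        elif tok.startswith("-"):
            # option with a value (-p tcp, --dport 80, -j DNAT) or a bare flag
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[tok], i = toks[i + 1], i + 2
            else:
                opts[tok], i = True, i + 1
        else:
            i += 1  # stray positional token; ignore
    if chain is None:
        raise ValueError(f"no -A/-I chain in: {line!r}")
    return Rule(table, chain, opts, line.strip())


def audit(lines):
    """Return (finding, rule) pairs for NAT rules that match more than intended."""
    findings = []
    scoped_accept_seen = False  # an earlier POSTROUTING ACCEPT limited by -o/-d/-s
    for rule in (parse_rule(l) for l in lines if l.strip()):
        if rule.table != "nat":
            continue
        target = rule.opts.get("-j")
        scoped = any(k in rule.opts for k in ("-i", "-o", "-d", "-s"))
        if rule.chain == "PREROUTING" and target == "DNAT" and not scoped:
            # Without -d (or at least -i), every packet to that port that passes
            # this host, including transit traffic from the VPN, is redirected.
            findings.append(("dnat-without-destination-filter", rule.raw))
        elif rule.chain == "POSTROUTING":
            if target == "ACCEPT" and scoped:
                scoped_accept_seen = True  # VPN-bound packets leave the chain here
            elif target in ("MASQUERADE", "SNAT") and not scoped and not scoped_accept_seen:
                # Rewrites the source of packets sent into the tunnel too, so the
                # client only ever sees the VPN gateway address, not the visitor.
                findings.append(("masquerade-without-scope", rule.raw))
    return findings


# The rules exactly as posted in the question.
ORIGINAL_RULES = [
    "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80",
    "iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to-destination 10.8.0.6:80",
    "iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.8.0.6:443",
    "iptables -t nat -A PREROUTING -p udp --dport 443 -j DNAT --to-destination 10.8.0.6:443",
    "iptables -t nat -A POSTROUTING -j MASQUERADE",
]

# Constructed narrowed rule set (assumed interfaces and public address).
HARDENED_RULES = [
    # Only traffic arriving on the public interface for the VPS's own address is rewritten.
    "iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80",
    "iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.10 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.6:443",
    # Packets entering the tunnel keep their real source; only eth0 egress is masqueraded.
    "iptables -t nat -A POSTROUTING -o tun0 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
    # filter table: permit exactly the forwarded flows if the FORWARD policy is DROP.
    "iptables -A FORWARD -i eth0 -o tun0 -d 10.8.0.6 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
    "iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.6 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(audit(rules))} finding(s)")
        for kind, raw in audit(rules):
            print(f"  {kind}: {raw}")
```

Running it reports five findings for the posted rules (one per DNAT line plus the blanket MASQUERADE) and none for the narrowed set. One consequence of the ACCEPT-before-MASQUERADE approach is worth keeping in mind: because forwarded packets then enter the tunnel with the visitor's real source address, the client at 10.8.0.6 must route its replies back through the VPN (for example with a default route via the tunnel), otherwise the forwarded connections never complete.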