VPN + NAT Howto

From TekPedia


Taken and slightly adapted from a forum post by lgopher :

http://www.tektonic.net/forum/showpost.php?p=2028&postcount=11



I figured out how to enable NAT on the VPS and here is a small howto for VPN + NAT.

Assumptions:

External IP on VPS 60.1.1.1
Internal IP on VPS (VPN) 192.168.1.1
Internal IP on notebook (VPN) 192.168.1.2

For Debian, install openvpn as usual:

# apt-get install openvpn


Go to /etc/openvpn/

# cd /etc/openvpn


Generate a static key (the simplest setup, suitable for a single client connection):

# openvpn --genkey --secret static.key


If you want the VPN server to be started at boot, edit /etc/default/openvpn and add

AUTOSTART="openvpn"

Create /etc/openvpn/openvpn.conf, for example:

dev tun
ifconfig 192.168.1.1 192.168.1.2
secret static.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
persist-local-ip
persist-remote-ip
daemon
port 15000
proto tcp-server

Port 15000 and proto tcp-server are used so that the client can connect from behind an HTTP/HTTPS proxy.

Start openvpn

# /etc/init.d/openvpn start

The VPN is now configured; next, iptables must be set up to NAT the tunnel traffic. For example:

Enable IP forwarding

# echo 1 > /proc/sys/net/ipv4/ip_forward

Flush the existing iptables rules (filter, nat and mangle tables)

# iptables -F; iptables -t nat -F; iptables -t mangle -F


Enable NAT

# iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to 60.1.1.1

If you use the Virtuozzo firewall, you will also need to enable forwarding from and to your local IP (192.168.1.2).

Server configuration is now complete.

On the notebook, install openvpn as usual. Copy static.key from the server over a secure channel, for example with scp:

# scp root@60.1.1.1:/etc/openvpn/static.key .

Create the local configuration file openvpn.ovpn (for Windows):

remote 60.1.1.1
dev tun
ifconfig 192.168.1.2 192.168.1.1
secret static.key
keepalive 10 60
proto tcp-client
port 15000

If you want to route all traffic from the notebook through the VPN, see:

http://openvpn.net/howto.html#redirect

Note that you must use SNAT in your iptables NAT rule, because masquerading is not possible with the current Virtuozzo version.
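The mistakes that bite with a static-key tunnel are almost always mismatches between the two sides (ifconfig addresses not mirrored, different port, proto not a tcp-server/tcp-client pair) or a NAT rule that does not actually cover the client's tunnel address. The script below is an added example, not part of lgopher's post or of this wiki: it parses a server config and a client config, checks that they describe the same tunnel, and checks an iptables-save style nat dump for the SNAT rule the howto asks for (a MASQUERADE rule is rejected, matching the note above). The file names, the sample configs and the rule dumps it writes are constructed for the demonstration.

```shell
#!/bin/sh
# check_vpn_pair.sh: sanity-check a static-key OpenVPN server/client config pair and
# the SNAT rule that goes with it. Added example, not part of the original howto;
# all file names and sample contents below are constructed for illustration.

# Print the argument(s) of DIRECTIVE from OpenVPN config FILE (first match), or nothing.
# Usage: cfg_get FILE DIRECTIVE
cfg_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when SERVER_CONF and CLIENT_CONF describe the same static-key tunnel:
# the two 'ifconfig' addresses are mirrored, 'port' agrees, 'proto' is a
# tcp-server/tcp-client pair (or udp on both / unset on both) and each side names a secret.
check_pair() {
    srv=$1; cli=$2; rc=0
    s_if=$(cfg_get "$srv" ifconfig); c_if=$(cfg_get "$cli" ifconfig)
    if [ "${s_if%% *}" != "${c_if##* }" ] || [ "${s_if##* }" != "${c_if%% *}" ]; then
        echo "ifconfig not mirrored: server '$s_if', client '$c_if'" >&2; rc=1
    fi
    if [ "$(cfg_get "$srv" port)" != "$(cfg_get "$cli" port)" ]; then
        echo "port differs: server '$(cfg_get "$srv" port)', client '$(cfg_get "$cli" port)'" >&2; rc=1
    fi
    s_pr=$(cfg_get "$srv" proto); c_pr=$(cfg_get "$cli" proto)
    case "$s_pr/$c_pr" in
        tcp-server/tcp-client|udp/udp|/) ;;
        *) echo "proto pair '$s_pr'/'$c_pr' is not tcp-server/tcp-client" >&2; rc=1 ;;
    esac
    for f in "$srv" "$cli"; do
        [ -n "$(cfg_get "$f" secret)" ] || { echo "$f: no 'secret' directive" >&2; rc=1; }
    done
    return $rc
}

# Return 0 when the iptables-save style dump RULES_FILE (e.g. from 'iptables-save -t nat')
# contains a POSTROUTING SNAT rule mapping the client's tunnel address (first 'ifconfig'
# argument in CLIENT_CONF) to the address the client dials ('remote'). A MASQUERADE
# rule does not satisfy this check, matching the howto's note that SNAT is required.
check_snat() {
    rules=$1; cli=$2
    vpn_ip=$(cfg_get "$cli" ifconfig); vpn_ip=${vpn_ip%% *}
    pub_ip=$(cfg_get "$cli" remote);   pub_ip=${pub_ip%% *}
    # escape the dots so they match literally in the regex
    vpn_re=$(printf '%s' "$vpn_ip" | sed 's/\./\\./g')
    pub_re=$(printf '%s' "$pub_ip" | sed 's/\./\\./g')
    grep -Eq -e "^-A POSTROUTING -s ${vpn_re}(/32)? .*-j SNAT --to-source ${pub_re}( |$)" "$rules"
}

# Write constructed sample files into directory $1: a server.conf and client.ovpn
# matching the howto, a deliberately broken client, and two nat dumps (SNAT and MASQUERADE).
make_samples() {
    d=$1
    printf '%s\n' 'dev tun' 'ifconfig 192.168.1.1 192.168.1.2' 'secret static.key' \
        'keepalive 10 60' 'daemon' 'port 15000' 'proto tcp-server' > "$d/server.conf"
    printf '%s\n' 'remote 60.1.1.1' 'dev tun' 'ifconfig 192.168.1.2 192.168.1.1' \
        'secret static.key' 'keepalive 10 60' 'proto tcp-client' 'port 15000' > "$d/client.ovpn"
    # broken client: ifconfig copied from the server instead of mirrored, and a different port
    printf '%s\n' 'remote 60.1.1.1' 'dev tun' 'ifconfig 192.168.1.1 192.168.1.2' \
        'secret static.key' 'proto tcp-client' 'port 1194' > "$d/bad-client.ovpn"
    printf '%s\n' '*nat' '-A POSTROUTING -s 192.168.1.2/32 -j SNAT --to-source 60.1.1.1' \
        'COMMIT' > "$d/nat.rules"
    printf '%s\n' '*nat' '-A POSTROUTING -s 192.168.1.2/32 -j MASQUERADE' \
        'COMMIT' > "$d/nat-masq.rules"
}

# Demonstration on the constructed samples.
work=${TMPDIR:-/tmp}/vpncheck.$$
mkdir -p "$work" && make_samples "$work"
for c in client.ovpn bad-client.ovpn; do
    if check_pair "$work/server.conf" "$work/$c"; then
        echo "$c: consistent with server.conf"
    else
        echo "$c: INCONSISTENT with server.conf"
    fi
done
for r in nat.rules nat-masq.rules; do
    if check_snat "$work/$r" "$work/client.ovpn"; then
        echo "$r: SNAT rule matches client.ovpn"
    else
        echo "$r: no matching SNAT rule"
    fi
done
rm -rf "$work"
```

To use it against a real setup, run `iptables-save -t nat > nat.rules` on the VPS after adding the SNAT rule, then call `check_pair /etc/openvpn/openvpn.conf openvpn.ovpn` and `check_snat nat.rules openvpn.ovpn`; a non-zero exit with a message on stderr points at the directive that disagrees.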
