NAT over OpenVPN tunnel
Quick NAT to use an existing VPN tunnel in Linux for an additional machine (Windows XP) on your LAN.
My Ubuntu notebook uses OpenVPN to access some other networks. It is also a host to various virtual machines. I wanted a Windows XP virtual machine to access resources on the remote network through my VPN tunnel.
The virtual machine uses "bridged" networking, so it has a separate IP on the LAN. So I guess the following would also work on a physically separate machine.
On the Linux VPN tunnel host:
- Declare variables for the network interfaces: $lan is your normal network adapter, $wan is the VPN tunnel virtual adapter.
- Reset iptables
- Enable forwarding
- Configure iptables to provide NAT masquerading
# LAN adapter and VPN tunnel adapter
lan=wlan5; wan=tun0
# Reset the filter and nat tables
iptables --flush
iptables --table nat --flush
##not needed?:# iptables --delete-chain
##not needed?:# iptables --table nat --delete-chain
# Let the kernel forward packets between interfaces
sysctl -w net.ipv4.ip_forward=1
# Rewrite the source address of traffic leaving through the tunnel
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# Forward anything arriving from the LAN (return traffic relies on the default ACCEPT policy of FORWARD)
iptables -A FORWARD -i $lan -j ACCEPT
(This is a minimal setup, without any security! Don't use this on a host visible to the Internet!)
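As an added example (not the original post's script), here is the same LAN-to-VPN masquerading written the way I would leave it running for longer than an afternoon: the FORWARD chain defaults to DROP, only one chosen LAN source may open connections, and replies come back through a conntrack rule. The ruleset is emitted in iptables-restore format so it can be read before it is loaded. The interface names, the LAN prefix and the script name are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the original post: stateful NAT from the LAN out
# through the OpenVPN tunnel. Interface names and addresses are assumptions.
set -eu

# Print a complete iptables-restore(8) ruleset.
#   $1 = LAN interface (the post uses wlan5)
#   $2 = VPN tunnel interface (tun0)
#   $3 = LAN source allowed to use the tunnel; give the VM's own /32 rather
#        than the whole LAN if only one machine should get VPN access
nat_ruleset() {
    lan=$1; wan=$2; src=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving through the tunnel
-A POSTROUTING -s $src -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the LAN client opened may come back through
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the chosen LAN source may open new connections, and only LAN -> tunnel
-A FORWARD -s $src -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Everything else (tunnel -> LAN, LAN -> Internet through this host) is logged, then dropped by policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "nat-fwd-drop: "
COMMIT
EOF
}

# Enable forwarding and load the ruleset atomically (needs root).
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_ruleset "$@" | iptables-restore
}

# "show" prints the ruleset for review, "apply" loads it; no args does nothing.
case "${1:-}" in
    show)  nat_ruleset "${2:-wlan5}" "${3:-tun0}" "${4:-192.168.1.0/24}" ;;
    apply) apply_nat   "${2:-wlan5}" "${3:-tun0}" "${4:-192.168.1.0/24}" ;;
esac
```

Run `sh nat-vpn.sh show wlan5 tun0 192.168.1.50/32` to read the rules, then the same with `apply` as root. From the Windows VM a `tracert` to a remote-network address should show the Linux host as the first hop. One caveat on the Windows side of the post: pointing the VM's DNS at the Linux host only resolves names if that host runs a resolver that answers LAN queries; otherwise use a resolver reachable through the tunnel.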
On the Windows XP machine:
- Declare the IP of your Linux VPN host, and the name of your interface (can be seen with the ipconfig command)
- Set the gateway and DNS to the Linux host
SET HOST=192.168.1.44
SET IFNAME=Local Area Connection 2
route change 0.0.0.0 mask 0.0.0.0 %HOST%
netsh interface ip set dns name="%IFNAME%" static %HOST%
2 Comments:
Hi, so let me get this straight: these are iptables rules to tunnel a NATted IP (hence all the computers behind the NAT IP) through the VPN tunnel?
@eric: Yes, on the Linux host, it sets up NAT masquerading between the LAN and the VPN tunnel. It would work for any machine on the LAN, as long as it is configured to use the host which has the VPN connection as its default gateway (or as the gateway for some networks only). If you have several machines to route through the VPN, you have to change their gateway on each of them, otherwise they will just not know about the VPN, and continue using your normal router directly.