Sunday, February 12, 2012

NAT over OpenVPN tunnel

Quick NAT to use an existing VPN tunnel in Linux for an additional machine (Windows XP) on your LAN.

My Ubuntu notebook uses OpenVPN to access some other networks. It is also a host to various virtual machines. I wanted a Windows XP virtual machine to access resources on the remote network through my VPN tunnel.

The virtual machine uses "bridged" networking, so it has a separate IP on the LAN. So I guess the following would also work on a physically separate machine.

On the Linux VPN tunnel host:

  • Declare variables for the network interfaces. $lan is your normal network adapter, $wan is the VPN tunnel virtual adapter. 
  • Reset iptables
  • Enable forwarding
  • Configure iptables to provide NAT masquerading
lan=wlan5; wan=tun0
iptables --flush
iptables --table nat --flush
##not needed?:# iptables --delete-chain
##not needed?:# iptables --table nat --delete-chain
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -j ACCEPT

(This is a minimal setup, without any security! Don't use this on a host visible to the Internet!)

On the Windows XP machine:

  • Declare IP of your Linux VPN host, and name of your interface (can be seen with the ipconfig command)
  • Set the gateway and DNS to the Linux host
SET IFNAME=Local Area Connection 2
route change mask %HOST%
netsh interface ip set dns name="%IFNAME%" static %HOST%


Labels: , , , , ,


Anonymous eric said... let me get this straight.this are iptable rules to tunnel natting ip(hence all the computers behind the nat ip)through the vpn tunnel?

10 June, 2015 18:58  
Blogger mi25 said...

@eric: Yes, on the Linux host, it sets NAT masquerading between the LAN and the VPN tunnel. It would work for any machine on the LAN, as long as it is configured to use the host which has the VPN connection as it's default gateway (or as the gateway for some networks only). If you have several machines to route through the VPN, you have to change their gateway on each of them, otherwise they will just not know about the VPN, and continue using your normal router directly.

10 June, 2015 19:57  

Post a Comment

<< Home