3

I have OpenVPN and PPTP installed on a VPS. I'm having a few questions that I can't seem to get a firm answer on.

I want to install OpenVPN on 1.1.1.1 (eth0, public IP address) and PPTP on 1.1.1.2 (eth0:1, public IP address). I was able to achieve this with SNAT. However, from all the tutorials I've been reading it recommends forwarding ppp+ to eth0 and vice versa and the same situation for the tun interface.

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

My setup is CentOS, dedicated server.

For some reason I'm assuming iptables will route all traffic from eth0 to tun0 and stop at that.

  1. Will these forward rules conflict with each other?
  2. Will I need to forward the ppp+ to eth0:1 instead to avoid confliction? Is it even possible? I haven't figured out a way yet.
  3. Is iptables smart enough to route traffic that is specific to tun and ppp through these rules?
Improve this question

1 Answer 1

Reset to default
2

If I understand correctly, you want an OpenVPN tunnel and a PPTP tunnel, each that will route tunneled traffic out eth0, but each with it's own IP.

If I'm wrong in that, try to clarify and I'll do what I can to help. But, I believe this script will do what you're asking for.

#!/bin/bash

# This enables forwarding in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward

# This will allow all return traffic to pass back to the originating socket
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# This permits forwarding traffic that came in either tunnel and bound out eth0.
# Note: This does not explicitly permit forwarding between tunnels.
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT

# This blocks all forwarding that is not explicitly permitted.
# Removing this line would be unsafe.
iptables -A FORWARD -j DROP

# These lines will SNAT the traffic coming from each tunnel to the
# appropriate IP address.
iptables -t nat -A POSTROUTING -i tun0 -o eth0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -i ppp+ -o eth0 -j SNAT --to-source 1.1.1.2

Running this script multiple times will cause rules to build up. The following script will flush your firewall rules and disable forwarding. I generally include this at the beginning of my firewall scripts, but I don't know if it's safe for you to do so, so I've included it separately.

#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
Improve this answer
2
  • I was wondering, what's the point of iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT? Is it even necessary? Commented Apr 8, 2013 at 8:53
  • Because PPTP tunnels use ppp interfaces. OP wants to support OpenVPN and PPTP tunnels simultaneously. Also the next line is -j DROP. Commented Apr 8, 2013 at 22:56

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.