NAT OpenVPN clients through a Linux machine

Some essential steps to get OpenVPN road-warrior clients to use the OpenVPN server as their default gateway for internet access (using CentOS):

set ip_forward to 1 on the server to enable traffic forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

poke some holes and paths into iptables:
(assuming your OpenVPN server is bound to and eth0 is your server's internet interface)
(make sure your OpenVPN tunnel uses network addresses nobody else uses; otherwise you get routing problems as soon as your clients sit in a WLAN that uses the same IPs as your tunnel)

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
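As an added example (not from the original post), here is a small POSIX shell checker for the subnet caveat above: it tests whether the tunnel subnet you picked overlaps any of the client LAN ranges you expect your road warriors to sit behind, so the collision is caught before the forwarding and NAT rules are put in place. The list of LAN subnets is constructed sample data.

```shell
#!/bin/sh
# Added example: check a planned OpenVPN tunnel subnet against client LAN
# subnets for overlap (the routing-problem caveat above). Pure POSIX sh.

# Convert a dotted-quad IPv4 address to an integer: ip_to_int 10.8.0.0 -> 168296448
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (exit 0) if two CIDR ranges overlap. Two ranges overlap exactly when
# they agree on the bits covered by the shorter of the two prefixes.
cidr_overlaps() {
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    p=$p1
    [ "$p2" -lt "$p" ] && p=$p2
    bits=$(( 32 - p ))
    [ $(( n1 >> bits )) -eq $(( n2 >> bits )) ]
}

# Check one tunnel subnet against every LAN subnet given as further
# arguments; report each collision on stderr and return 1 if any was found.
check_tunnel_subnet() {
    tunnel=$1
    shift
    rc=0
    for lan in "$@"; do
        if cidr_overlaps "$tunnel" "$lan"; then
            echo "tunnel $tunnel collides with client LAN $lan" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: typical home/WLAN ranges clients might sit behind.
# 10.8.0.0/24 is clear of them; 192.168.1.0/24 would collide.
if check_tunnel_subnet 10.8.0.0/24 192.168.0.0/24 192.168.1.0/24 10.0.0.0/24; then
    echo "10.8.0.0/24 does not overlap any listed client LAN"
fi
```

Run it with the subnet you intend to use for the tunnel and the LAN ranges your clients typically get from their WLAN routers; any line printed on stderr is a range to avoid.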

make those iptables rules survive reboot:
put rules in


make DNS requests from the clients get answered by your server: install dnsmasq
put the OpenVPN IP in the dnsmasq config as the listening interface

modify openvpn.conf (forget server.conf) on the server and add the following if not yet present:
(the following assumes you already have a working server config! the push commands will modify the clients' routing tables)

#assign ip and port to server
port 1234
#ping clients to avoid tunnel breakdowns which would lead to traffic changing ip all of a sudden
keepalive 10 120
#not sure which one of those two is effective, so left both
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
#make clients use dnsmasq 
push "dhcp-option DNS"
#make clients use the vpn-server as network gateway; this avoids the need to fiddle with your clients' routing tables if redirect-gateway didn't do what it should
push "route"
#add the following if your clients should be able to reach each other
#the following are disabled; many suggest some of them, don't know if really useful
#tun-mtu 1492
#fragment 1300
#adjust following to your needs - a lot is logged in /var/log/messages anyway
status /var/log/openvpn.log
verb 4

a simple client config for OpenVPN (Windows) or Tunnelblick (Mac) suffices:

#never tcp, tcp over tcp is bullshit
proto udp 
dev tap 
ns-cert-type server
remote <ip of server> <port of server>
ca <path/file>
cert <path/file>
key <path/file>

if using Android as a client (CyanogenMod has OpenVPN built in), be sure to convert your keys to a .p12 file; on Windows, e.g.:
(first import the certificate into certmgr, then export it, then rename the export to .p12)
or this on Linux:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name client -out certs.p12
my CyanogenMod 7.1 needs a “modprobe tun” to make OpenVPN work (even when using tap), so be sure to do that on boot:

