linux – Help with setting up iptables for OpenVPN

Question:

I have a system with CentOS 7 and I'm trying to bring up OpenVPN on it. A question came up with configuring iptables. I installed it following a manual.

iptables is up and running.

The manual suggests entering the rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

But in the end, it was not possible to get a working VPN.

Another manual suggested using the rules:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to SERVER-IP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

They killed the server altogether; the OS had to be reinstalled.

I rummaged through the Internet and realized that the necessary rules are not universal and depend on whether the server is dedicated or a VPS, and on which virtualization technology it uses, Xen or OpenVZ.

Tell me what rules I need to add to iptables in order to open port 1194 and have the VPN work correctly on my VPS with CentOS 7 and virtualization type OpenVZ.

Answer:

The rule from the manual will definitely not work; in an OpenVZ container you need to use SNAT. The rules that killed the server:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to SERVER-IP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

are exactly the working and correct ones. You need to check whether tun/tap is allowed inside the container or not (more often than not, by default, it is not). Do you actually have a venet0 interface?
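As an added example (not code from the original thread), a small shell script that performs the two checks the answer asks about, the tun device and the venet0 interface, and then prints the SNAT-based rule set so it can be reviewed before it is applied. It assumes the default OpenVPN port 1194/UDP, tun0 as the VPN interface and 10.8.0.0/24 as the VPN subnet; SERVER-IP is a placeholder for the VPS's public address.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-checks plus an OpenVZ-style
# SNAT/FORWARD rule set for OpenVPN. Values below are assumptions.
VPN_SUBNET=${VPN_SUBNET:-10.8.0.0/24}   # OpenVPN client subnet
VPN_IF=${VPN_IF:-tun0}                  # interface OpenVPN creates
OUT_IF=${OUT_IF:-venet0}                # OpenVZ egress interface
SERVER_IP=${SERVER_IP:-SERVER-IP}       # placeholder: the VPS public IP

# OpenVZ containers frequently have TUN/TAP disabled by the provider;
# OpenVPN cannot start without the character device.
tun_available() {
    [ -c /dev/net/tun ]
}

# Check that the egress interface really exists before writing rules for it.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Print the commands instead of running them, so they can be reviewed.
# SNAT to a fixed address is used rather than MASQUERADE, as the answer
# advises for OpenVZ; forwarding is limited to the VPN subnet.
vpn_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $OUT_IF -s $VPN_SUBNET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $OUT_IF -j SNAT --to-source $SERVER_IP
EOF
}

# Run the pre-checks; only if both pass, execute the rules (needs root).
apply_vpn_rules() {
    tun_available || { echo "no /dev/net/tun: ask the provider to enable TUN/TAP" >&2; return 1; }
    iface_exists "$OUT_IF" || { echo "interface $OUT_IF not found, see 'ip link'" >&2; return 1; }
    [ "$SERVER_IP" != "SERVER-IP" ] || { echo "set SERVER_IP to the real address" >&2; return 1; }
    vpn_rules | sh
}

# Usage: vpn_rules            (review)
#        apply_vpn_rules      (apply as root)
```

If the INPUT or FORWARD chain already ends with a REJECT rule (as the CentOS 7 iptables-services default does), rules appended with -A land after it and never match; insert them with -I instead.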
