OpenVPN clients can access the internet through your server, but by default, they can’t access your local network.
Let’s say your OpenVPN server is running on a machine with IP address 192.168.1.100, your OpenVPN tunnel network is 10.8.0.0/24, and your local LAN is 192.168.1.0/24.
First, you need to enable IP forwarding on your server. Edit /etc/sysctl.conf and uncomment or add the line:
net.ipv4.ip_forward=1
Then, apply the change:
sudo sysctl -p
Now, let’s set up the iptables rules. We’ll assume your main network interface is eth0.
Allowing OpenVPN clients to access the internet:
This rule tells iptables to masquerade (NAT) traffic originating from the OpenVPN tunnel network and going out through your server’s main network interface (eth0).
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-t nat: Specifies that we’re working with the NAT table.-A POSTROUTING: Appends this rule to the POSTROUTING chain, which is processed just before packets leave the server.-s 10.8.0.0/24: Matches packets originating from your OpenVPN client subnet.-o eth0: Matches packets destined to leave via theeth0interface.-j MASQUERADE: The target action. This tellsiptablesto rewrite the source IP address of the packets to be the IP address ofeth0, making it appear as if the traffic is coming directly from the server.
Allowing OpenVPN clients to access your local network:
This rule allows traffic from the OpenVPN tunnel network to reach your local LAN.
sudo iptables -A FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FORWARD: Appends this rule to the FORWARD chain, which handles packets being routed through the server.-s 10.8.0.0/24: Matches packets originating from your OpenVPN client subnet.-d 192.168.1.0/24: Matches packets destined for your local LAN subnet.-j ACCEPT: The target action. This allows these packets to pass through.
Allowing return traffic from your local network to OpenVPN clients:
This is crucial for established connections. It allows replies from your local network back to the OpenVPN clients.
sudo iptables -A FORWARD -s 192.168.1.0/24 -d 10.8.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-s 192.168.1.0/24: Matches packets originating from your local LAN.-d 10.8.0.0/24: Matches packets destined for your OpenVPN client subnet.-m state --state RELATED,ESTABLISHED: This is a stateful matching module. It only allows packets that are part of an existing connection or are related to an existing connection. This prevents unsolicited traffic from your LAN to your VPN clients.
Allowing traffic from OpenVPN clients to your server’s IP:
If you want OpenVPN clients to be able to connect to services running on the OpenVPN server itself (e.g., SSH on 192.168.1.100), you need to allow that traffic.
sudo iptables -A FORWARD -s 10.8.0.0/24 -d 192.168.1.100/32 -j ACCEPT
-d 192.168.1.100/32: Matches packets destined specifically for the server’s IP address.
Making the rules persistent:
iptables rules are lost on reboot by default. To make them persistent, you can use iptables-persistent.
sudo apt update
sudo apt install iptables-persistent
During installation, it will ask if you want to save current IPv4 and IPv6 rules. Say yes. If you’ve already added rules and want to save them later:
sudo netfilter-persistent save
This command saves the current iptables rules to /etc/iptables/rules.v4 (for IPv4) and /etc/iptables/rules.v6 (for IPv6), which are then loaded automatically on boot.
You can view your current rules with:
sudo iptables -L -v -n
sudo iptables -t nat -L -v -n
The most surprising thing about iptables is how its chains are processed in a specific order. Packets traverse PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING chains. Understanding this flow is key to debugging why a rule might not be working as expected.
The next hurdle is often configuring firewall rules on the OpenVPN server itself to allow specific ports for OpenVPN traffic (UDP 1194 by default) and potentially other services you want to expose.