
I have two servers.

The first one is from a local datacenter. OpenVPN is installed on Ubuntu 22.04. Clients connect to this server and get an IP from the 10.8.0.0/8 pool. Clients are configured to redirect their default network gateway through the VPN (push "redirect-gateway def1 bypass-dhcp").

There's another server from Linode with one public IP address. It's a default Ubuntu 22.04. Nothing special is installed on it and the firewall is not active.

I want all clients connected to the first server to access Internet from the Linode machine over its public IP.

My current configuration of the first server is as below:

ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether fa:16:3e:90:ac:8e brd ff:ff:ff:ff:ff:ff
    altname enp3s0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none

sudo sysctl -p

net.ipv4.ip_forward = 1

/etc/ufw/before.rules

....
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
....

/etc/default/ufw

....
DEFAULT_FORWARD_POLICY="ACCEPT"
....

I know this is some kind of routing magic but I'm just a newbie so please assist.

Omid Shojaee

  • Is there a reason you want to do it this way rather than, say, connecting over SSH to the second server directly and so have that act as exit node without having the ingress node? – pbhj Nov 27 '22 at 22:18
  • For reasons beyond this topic, the local datacenter either blocks outbound SSH or disconnects it every few seconds. – Omid Shojaee Nov 28 '22 at 07:21

2 Answers

See the answer to this question: https://askubuntu.com/a/461003/1157587

  • First server: Configured as the access point that clients connect to. (Local datacenter)
  • Second server: Egress point for data. (Hosted on Linode)

Start by installing openvpn on the second server; it will be used as the server for the first. A helpful script to do this can be found here: https://github.com/angristan/openvpn-install. Connect from the first server to the second server.

An alternative is to use Tailscale and its Exit Node feature. I have this running on 5+ machines and all of their traffic goes out a Linode box. It's a polished experience for sure.

  • 1
    That question is about how to connect to OpenVPN which I already know. Installing OpenVPN on the second server won't work because outbound OpenVPN traffic is blocked in local datacenter. I think what I need is a few ```iptables``` rules. – Omid Shojaee Nov 28 '22 at 07:20
0

I suggest the following:

  1. For the first server you only need to change the routing table so that the second server is the default gateway, maybe the only gateway, if you also want requests forwarded to internal subnets to go through it. See: Default gateway changing

  2. The second server needs to be configured as a router, which includes configuring a few components, but there are a few guides online. This one looks decent: https://kifarunix.com/configure-ubuntu-20-04-as-linux-router/

ofirule
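Added example, not the asker's configuration or either answerer's: a script for the routing and NAT setup that the two steps above amount to, using the interface names and client pool from the question. It assumes a tunnel interface, called tun1 here, already links the first server to the second server (how that tunnel is carried is left open), and that the second server sees that tunnel as tun0.

```shell
#!/bin/sh
# Added example, not the asker's or either answerer's configuration. Assumes a
# tunnel interface "tun1" already links the first server to the second server
# (how that tunnel is carried is left open). DRY_RUN=1 prints instead of applies.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# First server: steer only packets that *arrive from VPN clients* into tun1.
# Replacing the main default route would also pull the server's own traffic,
# including its OpenVPN replies to clients on eth0, into the tunnel, so a
# second routing table selected by ingress interface is used instead.
first_server() {
    pool=$1 cli_if=$2 egress_if=$3 table=${4:-100}
    run ip route replace default dev "$egress_if" table "$table"
    run ip rule add iif "$cli_if" table "$table" priority 1000
    # Masquerade behind tun1 so the second server needs no route back to $pool.
    run iptables -t nat -A POSTROUTING -s "$pool" -o "$egress_if" -j MASQUERADE
    run iptables -A FORWARD -i "$cli_if" -o "$egress_if" -j ACCEPT
    run iptables -A FORWARD -i "$egress_if" -o "$cli_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Strict reverse-path filtering (rp_filter=1) on tun1 would drop the
    # returning flows; loose (2) or off (0) is required.
    run sysctl -w "net.ipv4.conf.$egress_if.rp_filter=2"
}

# Second server: forward only what enters over the tunnel, NAT it to the
# public address, and drop all other forwarding instead of routing openly.
second_server() {
    tun_if=$1 pub_if=$2
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$tun_if" -o "$pub_if" -j ACCEPT
    run iptables -A FORWARD -i "$pub_if" -o "$tun_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$pub_if" -j MASQUERADE
}

# Interface names and client pool as given in the question; narrow 10.8.0.0/8
# to the pool actually handed out (e.g. a /24) where you can.
case "${1:-}" in
    first)  first_server 10.8.0.0/8 tun0 tun1 ;;
    second) second_server tun0 eth0 ;;
esac
```

Run `sh script.sh first` on the datacenter server and `sh script.sh second` on the Linode server; neither command persists across reboots, so carry the rules into the ufw files shown in the question once they work.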