Configuring OpenVPN to listen and forward yunohost traffic

I wasn’t sure if I should put this under support or here, but being cautious.

I have a yunohost hosted on a RaspberryPi 4. My ISP is blocking most ports from the looks of it. So I decided to use the vpn client. (I am using the test version as the release one doesn’t connect to my server for some reason)

I have an OpenVPN server (community edition) hosted on a VPS that I know has open ports. (I host a yunohost on a VPS there with no problems)

I am completely confused as to how to forward the ports on server side. The vpn-server app seems to be very much abandoned, and I cannot tell how to adapt wireguard tutorial to my use case. Has anyone done this before or could offer some advice for a newbie?

Thanks in advance for all help and advice. :slight_smile:

Is the VPN already working with vpnclient? I mean, do you have an IP on your tun0 interface?
I guess it’s a private IP.

So you need to activate forwarding:

sysctl -w net.ipv4.ip_forward=1

And there you have 2 cases:

1 public IP for each client

If you have a dedicated public IP on your VPN server for each VPN client, you can do it like this:

And add some rules to make it work:

iptables -t nat -A PREROUTING -d PUBLIC_IP_FROM_VPN_SERVER -j DNAT --to-destination PRIVATE_IP_OF_THE_CLIENT
iptables -t nat -A POSTROUTING -s PRIVATE_IP_OF_THE_CLIENT/32 ! -d PRIVATE_IP_OF_THE_CLIENT/32 -j SNAT --to-source PUBLIC_IP_FROM_VPN_SERVER

I made this test on a server with 2 public IPs: one for the server and another dedicated to the VPN client. The second one is called PUBLIC_IP_FROM_VPN_SERVER.

Just 1 Public IP for all the server (and clients)

In this case I think the rules could be like:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination PRIVATE_IP_OF_THE_CLIENT:443
iptables -A FORWARD -p tcp -d PRIVATE_IP_OF_THE_CLIENT --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And do this for each port you need to redirect.

And maybe

iptables -t nat -A POSTROUTING -s PRIVATE_IP_OF_THE_CLIENT -o eth0 -j MASQUERADE

But it’s totally untested so it probably doesn’t work ^^


Precision: those commands should be done on the vpn server side.
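The "just 1 public IP" case from the post above, written out as an added example (not code from this thread or from the vpnclient/vpn-server apps): a small POSIX sh script that prints the iptables commands instead of running them, so they can be reviewed before being applied as root on the OpenVPN server. The interface names eth0 and tun0, the client address 10.8.0.2 and the port list are assumptions for a typical OpenVPN server install; substitute your own. The one difference from the rules above is the "-i eth0" match on the PREROUTING and FORWARD rules: a PREROUTING DNAT without an input interface also rewrites port-443 packets that enter from tun0, so every other VPN client's outgoing HTTPS would be sent to the YunoHost as well.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules for the
# "one public IP" case so they can be reviewed before being run on the
# OpenVPN server. Pipe the output to sh as root once you are happy with it.
#
# Assumed names; adjust to your server:
WAN_IF="${WAN_IF:-eth0}"            # public interface of the VPS
VPN_IF="${VPN_IF:-tun0}"            # OpenVPN server interface
CLIENT_IP="${CLIENT_IP:-10.8.0.2}"  # constructed: YunoHost's address on the VPN
PORTS="${PORTS:-80 443}"            # TCP ports to hand to the YunoHost

# gen_rules WAN_IF VPN_IF CLIENT_IP PORT...
gen_rules() {
    wan=$1; vpn=$2; client=$3; shift 3
    echo "sysctl -w net.ipv4.ip_forward=1"
    for port in "$@"; do
        # "-i $wan" is the important part: a PREROUTING DNAT without an input
        # interface also matches packets entering from $vpn, so every other VPN
        # client's outgoing connection to port $port would be rewritten too.
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $client:$port"
        # After DNAT the packet is routed towards the client, i.e. out of $vpn.
        echo "iptables -A FORWARD -i $wan -o $vpn -p tcp -d $client --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Replies from the client go back out through the public interface;
    # conntrack undoes the DNAT on its own.
    echo "iptables -A FORWARD -i $vpn -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT the client's own traffic to the VPS address. Most OpenVPN
    # server installers already add an equivalent MASQUERADE for the whole VPN
    # subnet; keep only one of the two.
    echo "iptables -t nat -A POSTROUTING -s $client/32 -o $wan -j MASQUERADE"
}

# Number of DNAT rules produced: a quick sanity check that each port is
# forwarded exactly once.
count_dnat() {
    gen_rules "$@" | grep -c -- '-j DNAT'
}

# $PORTS is intentionally unquoted so the list splits into one argument per port.
gen_rules "$WAN_IF" "$VPN_IF" "$CLIENT_IP" $PORTS
```

Review the printed rules against "iptables-save" on the server before applying them; they are not persistent across a reboot unless you save them with whatever persistence mechanism your distribution uses.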

Thank you very much. I wasn’t able to try this today, but will try and get back with feedback. :slight_smile:

Alright, so unfortunately these commands somehow manage to completely block the internet connection of the yunohost (and anyone else connected to that VPN). I am not entirely sure why. However, thanks very much for taking the time to try to help :slight_smile:

Also as a side note, based on what ljf wrote I also tried some of the postUp.sh commands from here that seem to work a bit better, but I am beginning to run into the issue that all 443 traffic (including traffic that is going to other clients) also gets redirected. (I think)

At the risk of asking something stupid, is this supposed to happen?

Without more info on your openvpn / network setup it’s quite difficult to create generic rules…


I think part of the issue is that I don’t understand my setup well enough to explain it (I set up my vpn with the help of angristan’s github script) or to know what to share to help explain. :slight_smile:

Your comment did help though, enough to help me narrow down what I need to look into. So again, thanks :slight_smile:

I am in a similar situation as you. We should collaborate. In the end, I will write up the documentation that is missing. I set up my VPS with OpenVPN for a layer of obscurity and protection that many people should like to use.


One of my goals in reaching out was also making sure there was a tutorial out there, or documentation. Definitely. :slight_smile: Let’s collaborate.

Sorry to get back so late. Maybe you have made progress since then. I think the problem I had was with the firewall configuration on the server. Then I realized that the WireGuard client is now available in Yunohost apps. So I am doing that now. I am learning as I go but will document what I learn here.


If you want to use OpenVPN, install the OpenVPN Access Server on your VPS so you can access your Yunohost behind a restrictive firewall. It’s very easy to accomplish what you need. I did this a while ago.

The problem is that not everyone’s use case fits that. Access Server is not entirely free, for example (unless I am mistaken). Still, thanks for the suggestion.


Bithost, I too got distracted with other work. California evening time is unfortunately very late at night for me, but I will check the written progress and share here when I have a chance to test things :slight_smile:

Correct. You can only have 2 concurrent users connected to an OpenVPN Access Server (for free!).