Keith C. Perry on 28 Sep 2014 09:58:34 -0700


Re: [PLUG] OpenVPN Question

Ok, I actually have some similar things going on here too.  I run 3 inbound VPN instances (tun0 - tun2) on a server that also runs 2 customer VMs.  One is on the public bridge (br0) interface and one on the private interface (br1).

My NAT rules allow VPN clients to go into the private or public net so I can use the MASQUERADE targets of each of their nets.

This server also acts as the gateway for the private network so it has a MASQUERADE rule for that.

If I brought up a tun3 for outbound use and wanted to route either of those VMs out that way, as far as I know, the only thing I have to do is use a SNAT target rule to the tun3 IP endpoint (i.e. the far side) for the IP of the VM I want routed out.  I don't think I have to do anything inside the VM (container).

The only difference I see is that you are putting NAT rules inside the container to begin with.  This might be a case of context: either they ALL go on the host or they ALL go inside the containers.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167
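As an added example (not from Keith's or Rich's messages), this is one way to set up the host-side "route one VM out via tun3" case described above. The SNAT rule by itself is not enough: POSTROUTING NAT runs after the routing decision, so a policy-routing rule is what actually sends the VM's packets to tun3. All addresses, the device name and the table number are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Routes traffic sourced from one VM
# out through an outbound OpenVPN tunnel (tun3) on the host and source-NATs it
# to the tunnel's local address. VM_IP, tun3, the tunnel IPs and the table id
# used below are assumed placeholders; adjust to the real topology.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them as root.

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vm_egress_rules VM_IP TUN_DEV TUN_LOCAL_IP TUN_PEER_IP TABLE_ID
# Emits (or applies) the rules needed so packets *from* VM_IP leave via
# TUN_DEV rather than following the host's main default route (br0/br1).
vm_egress_rules() {
    vm_ip=$1; tun_dev=$2; tun_local=$3; tun_peer=$4; table=$5

    # 1. Dedicated routing table whose default route is the tunnel peer.
    run ip route replace default via "$tun_peer" dev "$tun_dev" table "$table"
    # 2. Policy rule: anything sourced from the VM consults that table first.
    run ip rule add from "$vm_ip" lookup "$table" priority 1000
    # 3. SNAT only on the tunnel interface, so other paths are untouched and
    #    replies come back over the tunnel to the host.
    run iptables -t nat -A POSTROUTING -s "$vm_ip" -o "$tun_dev" \
        -j SNAT --to-source "$tun_local"
    # 4. Permit the forwarded flow and its replies through the tunnel only.
    run iptables -A FORWARD -s "$vm_ip" -o "$tun_dev" -j ACCEPT
    run iptables -A FORWARD -d "$vm_ip" -i "$tun_dev" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check which device the kernel would really pick for a packet from VM_IP
# arriving on the bridge (empty when run without the rules in place).
vm_egress_dev() {
    ip route get 198.51.100.1 from "$1" iif "$2" 2>/dev/null |
        sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Dry-run usage with constructed values: VM 10.1.1.50, tunnel 10.8.0.6 <-> 10.8.0.5.
vm_egress_rules 10.1.1.50 tun3 10.8.0.6 10.8.0.5 103
```

If the host has strict reverse-path filtering, replies arriving on tun3 for the VM can be dropped; setting rp_filter to loose mode (2) on the tunnel interface is the usual fix. `vm_egress_dev 10.1.1.50 br1` should then print `tun3` on the host.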

----- Original Message -----
From: "Rich Freeman" <>
To: "Philadelphia Linux User's Group Discussion List" <>
Sent: Sunday, September 28, 2014 7:43:59 AM
Subject: Re: [PLUG] OpenVPN Question

On Sat, Sep 27, 2014 at 10:42 PM, Keith C. Perry
<> wrote:
> Also, I'm not sure how these "containers" fit into the equation.
> Sounds like a docker or VM thing- are you trying to NAT (actually port
> forward would be the term) traffic to certain "containers" once the
> OpenVPN connection is established?

Imagine a physical linux box with one NIC eth0 - IP is
You launch openvpn and now you have tun0 with IP of

I want to forward all traffic received on eth0 to tun0.

Now, imagine that this isn't a physical box, but just a container.
So, instead of eth0 the "NIC" is a virtual interface vb-vpn which is
connected to a bridge interface brhost on the host which is connected
to the eth0 on the host.  brhost has the IP which the incoming
connections from the router happen to be coming in on.

So, within the container the iptables rules should NAT all connections
from vb-vpn to tun0.  Outside of the container the iptables rules on
the host should not interfere with traffic bound for containers (which
have their own IPs), but they should ensure that reply traffic coming
in for the host goes out to the real router and not to the vpn
container running on the host.

I believe Lee actually does something similar but he is doing it with
vmware and he wouldn't have anything running on the host as a result
other than whatever kind of management interface it has, and whatever
solution vmware has for virtual networking isn't going to work for
linux in general.

My "real" router is still running openwrt (which is also based on
linux).  It does fine, but the CPU is underpowered for putting 50Mbps
over the VPN.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --