On Fri, Aug 23, 2013 at 12:36:58PM +0000, Bonno Bloksma wrote:
> I have been following this and I think it is getting clear what you are doing
> but I have lost what the problem is we are trying to resolve.
>
> If I understand it right your setup is something like:
>
> VPS has network 1.2.3.0/24 (mask 255.255.255.0)

Hi Bonno.

This is true for the private network used by openvpn. From what you say
below, it seems you are assuming this is the case for the public network.
Unfortunately, my public subnet is only a /29. Getting a /24 (assuming I
can in the first place) would be quite expensive!

On the one hand, having a public /24 means I would be wasting a lot of IP
addresses. This is particularly important given that we're close to running
out of them! On the other hand, having a public /24 means I could subdivide
that, and use a part of those addresses for openvpn. In that case, the
laptop could get a public address, and it would just be a trivial routing
issue at that point, problem solved.

>
> Somehow you have made sure client always gets same 10.1.1.x number, for
> instance 10.1.1.3

Yes. I have a directory with per client configuration files for openvpn. I
can use that to push a specific IP address to the laptop using the common
name from its certificate.

>
> Via iptables you make sure any traffic coming in on the VPS server with
> destination 1.2.3.3 is going to the VPN ip of the laptop
> And vice versa any traffic coming from the laptop vpn ip get sent out with
> the source 1.2.3.3
> openvpn server iptables
> iptables -t nat -A PREROUTING -d 1.2.3.3 -j DNAT --to 10.1.1.3
> iptables -t nat -A POSTROUTING -s 10.1.1.3 -j SNAT --to 1.2.3.3
>

Exactly.

> What is it that is not working? If you think we can solve the problem better
> by supplying the real configs then please do so.
>

As I already said, everything is working. The problem is solved.

If there is interest, I can paste the openvpn configs from server/client,
and the interfaces file with relevant iptables rules from the server to
show how I'm doing what I'm doing.

Thanks again to everyone for your help.

Greg

--
web site: http://www.gregn..net
gpg public key: http://www.gregn..net/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)

--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org
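
The setup described in this message (a fixed VPN address pushed per certificate common name, plus a DNAT/SNAT pair on the server) can be generated and sanity-checked as below. This is an added example, not the poster's configuration: it assumes `topology subnet`, a VPN network of 10.1.1.0/24, the public /29 written as 1.2.3.0/29, and hypothetical reserved server addresses; the function names are made up for illustration.

```python
import ipaddress
import re

# Assumptions, not from the original post: "topology subnet" on the server,
# VPN network 10.1.1.0/24, and the public /29 written as 1.2.3.0/29.
VPN_NET = ipaddress.ip_network("10.1.1.0/24")
PUBLIC_NET = ipaddress.ip_network("1.2.3.0/29")


def usable(ip, net):
    """True if ip is an assignable host address inside net."""
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def build(mappings, reserved=("10.1.1.1", "1.2.3.1")):
    """Map {common_name: (vpn_ip, public_ip)} to (ccd_files, iptables_rules).

    reserved holds addresses already in use (hypothetical: the server's own
    VPN and public addresses). Raises ValueError on any unsafe entry.
    """
    used = {ipaddress.ip_address(a) for a in reserved}
    ccd, rules = {}, []
    for cn, (vpn, pub) in sorted(mappings.items()):
        # The ccd file name is the certificate common name: keep it a plain
        # file name so it cannot escape the client-config-dir.
        if not re.fullmatch(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*", cn):
            raise ValueError(f"unsafe common name: {cn!r}")
        vpn_ip, pub_ip = ipaddress.ip_address(vpn), ipaddress.ip_address(pub)
        if not usable(vpn_ip, VPN_NET) or not usable(pub_ip, PUBLIC_NET):
            raise ValueError(f"{cn}: address outside its subnet")
        if vpn_ip in used or pub_ip in used:
            raise ValueError(f"{cn}: address already assigned")
        used.update((vpn_ip, pub_ip))
        ccd[cn] = f"ifconfig-push {vpn_ip} {VPN_NET.netmask}\n"
        # Same rule pair as in the thread, with the long option names.
        rules.append(f"iptables -t nat -A PREROUTING -d {pub_ip} -j DNAT --to-destination {vpn_ip}")
        rules.append(f"iptables -t nat -A POSTROUTING -s {vpn_ip} -j SNAT --to-source {pub_ip}")
    return ccd, rules


if __name__ == "__main__":
    files, cmds = build({"laptop": ("10.1.1.3", "1.2.3.3")})  # constructed input
    for name, body in files.items():
        print(f"# ccd/{name}\n{body}", end="")
    print("\n".join(cmds))
```

A 1:1 NAT like this forwards every port on the public address to the laptop, so the FORWARD chain on the server is the place to restrict which inbound connections are allowed through.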