Right away, my setup, so it is clear:
My router has no static route option; indeed, with the direct Windows VPN I can let clients communicate, but they can't go over the internet via the VPN DNS, so they just connect and use the local VPN unless they use the DNS from their own ISP connection.
Anyway, apart from this, I would like to understand how to let a VM work as a guest with an OpenVPN server inside:
1) Router IP 192.168.1.1
2) Host Windows 10, IP 192.168.1.91
3) CentOS 7 installed as guest, OpenVPN server installed on the guest
What are the correct network settings to let users from outside access the GUEST VPN and also have ping and internet access...?
And to which IP address does the router have to open the port, since I can't port forward to an IP different from 192.168.1.x?
At first I tried to set bridged networking for the VirtualBox guest; everything is fine and the guest also obtains a local IP address (e.g. 192.168.1.244), but even if I open port 1195 (e.g.) for 192.168.1.244, I can't connect to the VPN (no route to host).
Then, instead, I chose 2 network cards in VirtualBox rather than bridged only, so NAT + Host-only,
but I can't understand how to open the port on the router... Do I need to port forward from VirtualBox or what else?
And I can't ping the guest from the host, so how could it work if the host doesn't "see" the guest? Impossible...
I also tried paravirtualized by NAT, but it seems to work in the Guest → Host direction only and not the opposite.
These are the iptables rules when bridged (and paravirtualized, is it good?)... in this case the network card is eth0, while when NOT paravirtualized it has another name (e.g. enp0s3).
Code:
# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*mangle
:PREROUTING ACCEPT [807:112829]
:INPUT ACCEPT [807:112829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [326:44491]
:POSTROUTING ACCEPT [337:47046]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*nat
:PREROUTING ACCEPT [78:15365]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:912]
:POSTROUTING ACCEPT [12:912]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
# Generated by iptables-save v1.4.21 on Mon Sep 16 01:48:51 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:7428]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Mon Sep 16 01:48:51 2019
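One thing worth checking in a dump like the one above, as an added example that is not part of the post: iptables evaluates a chain top to bottom and stops at the first terminating target, so the unconditional `-A INPUT -j REJECT` and `-A FORWARD -j REJECT` lines make every rule appended after them in the same chain unreachable, including the tun0 and UDP 1195 ACCEPT rules (REJECT with icmp-host-prohibited is what a Linux client reports as "No route to host"). The script below is a constructed checker, not an iptables command: it reads iptables-save text, lists the shadowed rules, and emits a reordered ruleset with each chain's unconditional REJECT/DROP moved after the chain's other rules; the embedded sample is a trimmed copy of the filter table from the post.

```shell
#!/bin/sh
# Constructed sample: the ordering-relevant lines of the *filter table posted above.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT'

# A rule of the form "-A CHAIN -j REJECT ..." or "-A CHAIN -j DROP" has no match
# options, so nothing appended after it in that chain can ever be reached.
TERMINATOR='^-A [^ ]+ -j (REJECT|DROP)( |$)'

# shadowed_rules: iptables-save text on stdin -> the unreachable -A lines.
shadowed_rules() {
    awk -v re="$TERMINATOR" '
        $0 ~ re                { dead[$2] = 1; next }
        /^-A / && ($2 in dead) { print }
    '
}

# reorder_rules: iptables-save text on stdin -> same rules, with the first
# unconditional REJECT/DROP of each chain moved after the chain's other rules
# (a second one in the same chain is itself unreachable and is dropped).
reorder_rules() {
    awk -v re="$TERMINATOR" '
        $0 ~ re   { if (!($2 in held)) { held[$2] = $0; order[++n] = $2 }; next }
        /^COMMIT/ { for (i = 1; i <= n; i++) print held[order[i]]
                    n = 0; split("", held); split("", order) }
        { print }
    '
}

# Helpers on the embedded sample, so the result is checkable.
count_shadowed() { printf '%s\n' "$SAMPLE_RULES" | shadowed_rules | wc -l | tr -d ' '; }
fixed_ruleset()  { printf '%s\n' "$SAMPLE_RULES" | reorder_rules; }

echo "Rules that can never match in the posted ordering:"
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
echo
echo "Reordered ruleset (review it, then load with iptables-restore):"
fixed_ruleset
```

On a live system the same check can be run against `iptables-save` output piped into `shadowed_rules`, and `iptables -L INPUT -n --line-numbers` shows the position of each rule.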