Iptables/TC: how to make masqueraded traffic go through an openVPN tun0?
Hi all!
We have a setup of three computers:

    Machine A (eth0) -> Machine B (eth0, hso0, tun0) -> Machine C (eth0, tun0)

hso0 is the packet interface of a 3G modem; it behaves like a normal network interface. Machine B and C are connected in a VPN using openVPN (TCP). Machine A is a client that automatically receives its network configuration from Machine B using DHCP.

    Machine A eth0 : DHCP
    Machine B eth0 : 192.168.2.1
    Machine B hso0 : Static IP addr, Internet use
    Machine B tun0 : 10.11.0.10 (openVPN client)
    Machine C eth0 : Static IP addr, Internet use
    Machine C tun0 : 10.11.0.1 (openVPN server)

OpenVPN (server) is configured to allow Internet traffic to its clients. Code in server.conf:

    # Make sure clients traverse tun0 when accessing Internet
    push "redirect-gateway def1"
    # Push a DNS server (handled by openVPN)
    push "dhcp-option DNS 10.11.0.1"

We're having issues making Machine C release Internet traffic from Machine A. Note that we have set up masquerading on Machine B using

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Currently iptables on Machine B and Machine C has a policy of ACCEPT.

We have managed to make traffic from Machine A reach Machine C, but only with the internal IP of 192.168.2.48 (DHCP). OpenVPN drops those packets (as it should!) because they come from 192.* and not 10.*

Is there a way to solve this?

Thank you!
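Added example (not part of the original post): a small Python model of Machine B's nat POSTROUTING chain, showing that a MASQUERADE rule bound to `-o eth0` leaves the 192.168.2.48 source untouched on packets that leave through tun0, while a rule bound to `-o tun0` rewrites it to 10.11.0.10. The rule listings are constructed in `iptables -S` format; the tun0 variant and all function names are assumptions, and only the `-o` and `-j` options are interpreted.

```python
import shlex

# Constructed `iptables -t nat -S POSTROUTING` listings for Machine B:
# the rule quoted in the post, and a hypothetical variant bound to tun0.
RULES_FROM_POST = ["-P POSTROUTING ACCEPT",
                   "-A POSTROUTING -o eth0 -j MASQUERADE"]
RULES_TUN0 = ["-P POSTROUTING ACCEPT",
              "-A POSTROUTING -o tun0 -j MASQUERADE"]

# Machine B interface addresses as given in the post.
IFACE_ADDR = {"eth0": "192.168.2.1", "tun0": "10.11.0.10"}


def parse_rule(line):
    """Return (out_iface or None, target) for an -A POSTROUTING rule, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "POSTROUTING"]:
        return None                        # policy line or another chain
    out_if = tok[tok.index("-o") + 1] if "-o" in tok else None
    target = tok[tok.index("-j") + 1] if "-j" in tok else None
    return out_if, target


def source_after_postrouting(rules, src, egress):
    """Source address a forwarded packet carries when it leaves `egress`."""
    for line in rules:
        rule = parse_rule(line)
        if rule is None:
            continue
        out_if, target = rule
        if out_if not in (None, egress):
            continue                       # -o names a different interface
        if target == "MASQUERADE":
            return IFACE_ADDR[egress]      # rewritten to the egress address
        if target == "ACCEPT":
            return src                     # leaves the chain untranslated
    return src                             # policy ACCEPT: no translation


def server_accepts(src, client_vpn_ip="10.11.0.10"):
    """Model of the drop described in the post: only the client's VPN address passes."""
    return src == client_vpn_ip


if __name__ == "__main__":
    for name, rules in (("post", RULES_FROM_POST), ("tun0", RULES_TUN0)):
        src = source_after_postrouting(rules, "192.168.2.48", "tun0")
        print(name, src, "accepted" if server_accepts(src) else "dropped")
```

On a live host the listing to feed in would come from `iptables -t nat -S POSTROUTING` on Machine B.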
Explore options to iptables command
Before making NAT for -o eth0 you give

    iptables -t nat -I POSTROUTING -p 50 -j ACCEPT

Here 50 is the protocol number for ipsec-ESP. You may need to add a similar iptables rule for --proto 51, i.e. ipsec-AH.