Two clients behind NAT on a single VPN connection, exiting on two separate public IPs

I am looking for a way to forward outgoing traffic on separate IPv4 addresses for different clients connected through the same VPN tunnel, behind NAT.

Right now I am forwarding port 44158 from multiple public IPv4 addresses on VPS server X to multiple clients connected through a single VPN connection - from a router behind NAT. The input port 44158 on the receiving public IPv4 addresses cannot be changed, and the clients behind the router receive the data on the correct port 44158 since the router is set up to forward to the correct port for each client at the destination.

This is done like so:

iptables -t nat -A PREROUTING -d 103.143.72.84 -p tcp --dport 44158 -j DNAT --to-destination 192.168.52.2:44158
iptables -t nat -A PREROUTING -d 103.143.72.25 -p tcp --dport 44158 -j DNAT --to-destination 192.168.52.2:44159
iptables -t nat -A POSTROUTING -s 192.168.52.0/24 -j MASQUERADE

Where 192.168.0.2 is the router at the destination which forwards packets to its internal NAT to the clients, from 44158 to 192.168.0.12:44158 and from 44159 to 192.168.0.13:44158.

What I am trying to achieve is to make all outbound traffic from 192.168.0.12 exit through 103.143.72.84, and all outbound traffic from 192.168.0.13 exit through 103.143.72.25. Is there a way to do this with iptables on VPS server X?

I have this hardware setup which I cannot change: Clients A (192.168.0.12) & B (192.168.0.13) connect to router N on the LAN and are on a NAT network 192.168.0.0/24. Router N connects through a VPN to VPS server X and obtains IP 192.168.52.2. Server X has multiple public IPv4 addresses (103.143.72.84 and 103.143.72.25). I would like to assign each client IP a separate outbound public IP on server X.

  • IPs used are for example purposes;
  • for the sake of simplicity I kept the example with two clients, but there are way more involved.

Outgoing traffic uses iptables -t nat -A POSTROUTING ...

And to specify the source address use -j SNAT --to-source ip

iptables -t nat -A POSTROUTING -s 192.168.0.12 -j SNAT --to-source 103.143.72.84
iptables -t nat -A POSTROUTING -s 192.168.0.13 -j SNAT --to-source 103.143.72.25

Note that these must be before global MASQUERADE if you have it for that range.

If all IPs are linear ranges then there are other ways to NAT the range.
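As an added example, not part of the question or the answer above: a POSIX shell script that generates the per-client SNAT rules for any number of clients (the asker mentions there are many more than two), appends the catch-all MASQUERADE last so the ordering the answer warns about is always right, and checks a dumped POSTROUTING chain for that ordering. The client and public addresses are the example ones from the post; the CLIENT_MAP format, the function names and the sample chain dumps are constructed here. The script only prints commands rather than running them, and it assumes the client source addresses arrive at server X unchanged (that is, router N does not masquerade them behind 192.168.52.2 on the tunnel; if it does, the VPS sees only 192.168.52.2 and cannot tell the clients apart by -s).

```shell
#!/bin/sh
# Added example: build per-client SNAT rules for VPS server X and keep them
# ahead of the global MASQUERADE. Nothing here executes iptables; the commands
# are printed so they can be reviewed before being applied.

# Constructed mapping "client_source public_ip", one pair per line.
# The addresses are the example addresses from the post.
CLIENT_MAP='192.168.0.12 103.143.72.84
192.168.0.13 103.143.72.25'

# Print the SNAT rule for one client (assumed helper name).
snat_rule() {
    src="$1"; pub="$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$src" "$pub"
}

# Print the whole POSTROUTING program: flush the chain, one SNAT rule per
# client, then the catch-all MASQUERADE for the VPN range appended last so
# it never shadows the specific rules.
gen_rules() {
    map="$1"; masq_range="$2"
    printf 'iptables -t nat -F POSTROUTING\n'
    printf '%s\n' "$map" | while read -r src pub; do
        [ -n "$src" ] || continue
        snat_rule "$src" "$pub"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$masq_range"
}

# Check a dumped chain (the text of "iptables -t nat -S POSTROUTING"):
# succeed only if every SNAT rule precedes the first MASQUERADE rule.
# A SNAT rule listed after MASQUERADE is dead, because MASQUERADE matches first.
check_order() {
    first_masq=$(printf '%s\n' "$1" | grep -n -- '-j MASQUERADE' | head -n 1 | cut -d: -f1)
    last_snat=$(printf '%s\n' "$1" | grep -n -- '-j SNAT' | tail -n 1 | cut -d: -f1)
    [ -z "$first_masq" ] && return 0   # no catch-all: nothing to shadow
    [ -z "$last_snat" ] && return 0    # no per-client rules: nothing to check
    [ "$last_snat" -lt "$first_masq" ]
}

# Constructed sample dumps, in the format "iptables -t nat -S" prints.
GOOD_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.12/32 -j SNAT --to-source 103.143.72.84
-A POSTROUTING -s 192.168.0.13/32 -j SNAT --to-source 103.143.72.25
-A POSTROUTING -s 192.168.52.0/24 -j MASQUERADE'

BAD_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.52.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12/32 -j SNAT --to-source 103.143.72.84'

# Usage: print the generated commands, then report on the two sample dumps.
gen_rules "$CLIENT_MAP" 192.168.52.0/24
check_order "$GOOD_CHAIN" && echo "good chain: SNAT rules precede MASQUERADE"
check_order "$BAD_CHAIN" || echo "bad chain: a SNAT rule is shadowed by MASQUERADE"
```

To apply the output, review it and pipe it to sh on server X; afterwards run check_order against the live chain with `check_order "$(iptables -t nat -S POSTROUTING)"` to confirm no per-client rule sits behind the MASQUERADE.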