Route local network through VPN, assign multiple external IPs

networking linux iptables vpn openvpn

I have a network like this:

Diagram

And I need each Black box to operate from a sepcific IP of Server B.
Both server run Debian 9. I can only change network settings (IP/Gatway etc) but nothing else on those blackboxes. How do I do this?

Something around this? Setting gateway of the boxes to 192.168.1.100

Server A 

iptables -A FORWARD -s 192.168.1.0/24 -o tun0 -j ACCEPT  
iptables -t nat -A POSTROUTING -s 192.168.1.101  -j SNAT --to 10.8.0.9  
iptables -t nat -A POSTROUTING -s 192.168.1.102  -j SNAT --to 10.8.0.13  
iptables -t nat -A POSTROUTING -s 192.168.1.103  -j SNAT --to 10.8.0.18  
iptables -t nat -A POSTROUTING -s 192.168.1.104  -j SNAT --to 10.8.0.22

Server B 

iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT  
iptables -t nat -A POSTROUTING -s 10.8.0.9  -j SNAT --to xxx.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -s 10.8.0.13  -j SNAT --to yyy.yyy.yyy.yyy

Solution 1:

I can only change network settings (IP/Gatway etc) but nothing else.

Then it is not possible. Your question doesn't specify if you need 2-way connections (i.e. having "black boxes" accessible from the Internet) or not, but anyways this would require at least iptables for SNAT and advanced policy-based routing with iproute2.

Added after original question was edited:

Yes, something like this could work. But that is strongly dependent on your OpenVPN settings. Those local IPs from the VPN subnetwork (10.8.0.0/24) should be set up on your Server A and routed through VPN tunnel. Also do not forget to allow related packets coming back. This is usually done with something like this rule:

iptables -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

On Server A. And the respective rule for -i eth0 on Server B. And you have to set Server A as default gateway for "black boxes".

But instead of doing overhead of double SNAT, you might also consider setting up your OpenVPN to allow to route 192.168.1.0/24 subnetwork directly to and from Server B. There are multiple tutorials on the Internet on this configuration.

Related

Redirect port / port 10000 to https apache
MySQL maximum possible memory usage above installed RAM
pptp cannot connect
`yum upgrade git` centos
Restore old Backup Exec tapes with NTbackup
SQL Server 2008 R2 memory limit per instance or server?
Move Raidset from HP Smart Array P400 to E200
What is the fastest horse in Mount and Blade Warband?
Mad Scientist Interaction with duplicate secrets
If I want to run an application in Linux without using a package manager, is my only option to compile it from source?
Can colonists auto change clothes when worn below 50% instead of complaining?
gcloud: The resource 'projects/<PROJECT_NAME>/zones/<ZONE>/targetInstances/<INSTANCE>' was not found