
#1 2015-12-14 00:23:14

zyisrad
Member
Registered: 2015-12-13
Posts: 22

LXC with OpenVPN with port forwarding over LAN (help requested)

Hey there! This is my first post. Of course it's a request for help.

I've got a machine running an LXC. Inside the LXC I have a service accessible on port 8888. The service is accessible from other machines on the LAN when using these iptables rules on the host:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.0.102:8888
iptables -t nat -A POSTROUTING -s 10.0.0.100/32 -j MASQUERADE

So everything is fine there. But when I enable OpenVPN inside the LXC the service is no longer accessible over the LAN (though it is accessible from the host of the LXC). I have a finite grasp of iptables so I haven't been able to solve this. The requests go into the LXC but I assume the replies are being forced out of the OpenVPN tun0 interface.

Here's the setup:

# Host
eth0 192.168.1.5
br0 10.0.0.1

# LXC Config
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.102
lxc.network.ipv4.gateway=10.0.0.1
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500
...

Any help would be much appreciated.


#2 2015-12-19 03:16:58

samlung
Member
Registered: 2015-12-19
Posts: 10

Re: LXC with OpenVPN with port forwarding over LAN (help requested)

What does

ip route

say in the guest?


#3 2015-12-19 06:46:32

zyisrad
Member
Registered: 2015-12-13
Posts: 22

Re: LXC with OpenVPN with port forwarding over LAN (help requested)

0.0.0.0/1 via 10.115.1.5 dev tun0
default via 10.0.0.1 dev eth0
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.102
10.115.1.1 via 10.115.1.5 dev tun0
10.115.1.5 dev tun0  proto kernel  scope link  src 10.115.1.6
128.0.0.0/1 via 10.115.1.5 dev tun0
<public IP> via 10.0.0.1 dev eth0


#4 2015-12-19 18:34:16

samlung
Member
Registered: 2015-12-19
Posts: 10

Re: LXC with OpenVPN with port forwarding over LAN (help requested)

This is normal. DNAT will not change the source address from your local LAN (that the LXC container is to reply to) on the incoming packet.

With your route table, such a packet does not go via eth0.

You can add a routing table entry to the LXC guest (edit: guest, not host) that sends 192.168.1.0/24 via dev eth0. See the Arch wiki on how to add routes.

There are other solutions involving the host (rinetd, maybe SNAT/MASQUERADE); this is just one.

Last edited by samlung (2015-12-19 18:43:17)


#5 2015-12-19 18:48:28

zyisrad
Member
Registered: 2015-12-13
Posts: 22

Re: LXC with OpenVPN with port forwarding over LAN (help requested)

Awesome! I understand now.

Thank you for the information!

ip route add 192.168.1.0/24 via 10.0.0.1 dev eth0

SOLVED!

Last edited by zyisrad (2015-12-19 18:49:26)
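To make the asymmetric-routing point from samlung's reply concrete, here is an added Python example (not code from the thread) that replays the kernel's longest-prefix-match over the route table zyisrad posted, before and after the 192.168.1.0/24 route from post #5. The LAN client address 192.168.1.20 is a constructed sample; the elided "<public IP>" entry is left out.

```python
import ipaddress

# The container's routing table as posted in the thread (ip route output), minus
# the "<public IP> via 10.0.0.1" entry, which is elided on the page. OpenVPN's two
# /1 routes cover all of IPv4 with a longer prefix than "default", so they win
# over it for every destination that no more specific route matches.
CONTAINER_ROUTES = [
    ("0.0.0.0/1",      "10.115.1.5", "tun0"),
    ("0.0.0.0/0",      "10.0.0.1",   "eth0"),  # default via 10.0.0.1 dev eth0
    ("10.0.0.0/8",     None,         "eth0"),  # directly connected, src 10.0.0.102
    ("10.115.1.1/32",  "10.115.1.5", "tun0"),
    ("10.115.1.5/32",  None,         "tun0"),
    ("128.0.0.0/1",    "10.115.1.5", "tun0"),
]

# The route zyisrad added in post #5: send the LAN back through the bridge.
FIXED_ROUTES = CONTAINER_ROUTES + [("192.168.1.0/24", "10.0.0.1", "eth0")]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does for a unicast destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def reply_is_symmetric(routes, client_src, ingress_dev="eth0"):
    """True if the container's reply to client_src leaves on the interface the
    DNAT'd request arrived on. If not, the LAN client never sees the reply."""
    return lookup(routes, client_src)["dev"] == ingress_dev


if __name__ == "__main__":
    lan_client = "192.168.1.20"  # constructed sample LAN address
    for label, table in (("as posted", CONTAINER_ROUTES), ("with /24 route", FIXED_ROUTES)):
        r = lookup(table, lan_client)
        print(f"{label}: reply to {lan_client} -> {r['dev']} (matched {r['prefix']}), "
              f"symmetric={reply_is_symmetric(table, lan_client)}")
    # The host-side alternative samlung mentions (SNAT/MASQUERADE) rewrites the
    # source to the bridge address, which the /8 connected route already handles.
    print("masqueraded source 10.0.0.1 ->", lookup(CONTAINER_ROUTES, "10.0.0.1")["dev"])
```

Running it shows the LAN client's reply matching 128.0.0.0/1 and leaving via tun0 with the posted table, and matching the new /24 and leaving via eth0 once the route is added.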
