How to forward inbound (Internet) traffic hitting eth0 over OpenVPN tun0?

Posted on May 21, 2017

This isn’t my exact case, but it is the easiest way I could think of to explain my situation. If someone’s home ISP blocks port 80 but they still want to self-host a web server, they could do so over a VPN. Most tutorials I found don’t cover this.

I’m about 90% of the way there but missing something. I have an Ubuntu droplet running OpenVPN server (community) and pfSense connected to it as a client. I have a couple of servers on the pfSense side that I’d like to be able to access via my droplet’s public IP address (over the VPN). So, for example, I’d like http://my-droplet-ip.com to hit my web server and ftp://my-droplet-ip.com to hit my FTP server.

My droplet has eth0 with the public IP and tun0 for the VPN. I can connect to the VPN and get out, but when I try to reach my-droplet-ip.com:80 it times out. I think this is a UFW & iptables issue, but everything I find is NAT solutions without IP addresses (NAT 80 to 8080). I just want to send port 80 from eth0 to tun0, over the VPN tunnel to the VPN client (pfSense) and then on to my servers. I can sort the client side but can’t get past UFW & iptables right now. I’ve been looking at this tutorial: https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables but I’m not sure it is exactly what I need. I’d also like to keep source IP info. I have a server that others will log into and I want to know the source IP addresses, as it does me no good if my logs state that every person who accessed the server was my DO droplet (or the other side of my VPN tunnel).

Hope that makes sense. Thanks.


Hi there,

In order to route incoming traffic from your droplet’s public IP over the OpenVPN connection to your home server, you’ll need to set up IP forwarding and port forwarding on the Ubuntu droplet.

Here’s a broad step-by-step guide to configure the forwarding:

  1. First, ensure that your system allows IP forwarding. You can check the status by running:

    sysctl net.ipv4.ip_forward
    

    If this returns 0, you’ll need to enable it by editing the /etc/sysctl.conf file:

    sudo nano /etc/sysctl.conf
    

    Then, find the line that says #net.ipv4.ip_forward=1, uncomment it (remove the #), save, and close the file. Apply the changes with:

    sudo sysctl -p
    
  2. Set up the iptables rules to forward the traffic from the public interface to the VPN interface. Here’s a generic format:

    sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport <your_desired_port> -j DNAT --to-dest <VPN_internal_IP>:<destination_port>
    sudo iptables -A FORWARD -p tcp -d <VPN_internal_IP> --dport <destination_port> -j ACCEPT
    

    Replace <your_desired_port> with the port you want to forward (80 for HTTP, 21 for FTP, etc.), <VPN_internal_IP> with the internal IP address of the pfSense VPN client, and <destination_port> with the actual port of the service on the server side (usually the same as <your_desired_port> unless you have a specific port mapping).

    Here’s an example for forwarding HTTP traffic:

    sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-dest 10.8.0.2:80
    sudo iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT
    

    Repeat this for every service you want to forward, changing the ports accordingly.

  3. To keep the source IP information intact, you should avoid masquerading the packets on your droplet. Instead, on your home server (pfSense), set up a static route back to the source network (internet) over the OpenVPN tunnel.

  4. Make the rules persistent across reboots. You can use iptables-persistent or manually write a script to reapply the rules at boot time. If you want to use iptables-persistent, install it with:

    sudo apt-get install iptables-persistent
    

    During installation, it will ask if you want to save the current iptables rules. If you’ve set up everything correctly, you should choose “Yes”. If you need to update the rules in the future, you can do so by running:

    sudo iptables-save > /etc/iptables/rules.v4
    

You need to ensure that your OpenVPN server configuration allows client-to-client communication if you have more than one client and they need to communicate with each other.

Best,

Bobby
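Putting the steps in the answer above together, here is an added example script, not part of the original answer, that generates (and, with `--apply`, runs as root) the droplet-side rules for every port you want to forward. The interface names eth0/tun0, the pfSense tunnel address 10.8.0.2 and the port list are assumptions taken from the answer and can be overridden through the environment variables shown. Beyond what the answer lists, it adds the FORWARD rule for the reply traffic coming back over tun0 and restricts the inbound rule to new connections on the public interface, and it deliberately contains no MASQUERADE so the visitor's source address reaches the server unchanged.

```shell
#!/bin/sh
# Added example, not from the original answer: build (and optionally apply)
# the droplet-side iptables rules that forward inbound TCP ports from the
# public interface across the OpenVPN tunnel to the pfSense client. Only the
# destination is rewritten (DNAT, no MASQUERADE), so the visitor's source IP
# reaches the server behind pfSense unchanged.
#
# Assumed values (hypothetical; override via the environment):
#   PUB_IF    public interface          (eth0)
#   VPN_IF    OpenVPN tunnel interface  (tun0)
#   VPN_PEER  tunnel address of pfSense (10.8.0.2)
#   MAPPINGS  space-separated public_port:target_port pairs
set -eu

PUB_IF="${PUB_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PEER="${VPN_PEER:-10.8.0.2}"
MAPPINGS="${MAPPINGS:-80:80 21:21}"

# Rules for one public_port:target_port mapping, one iptables command per line.
rules_for_mapping() {
    pub_port="$1"; dst_port="$2"
    # nat/PREROUTING: change the destination to the pfSense tunnel address.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUB_IF" "$pub_port" "$VPN_PEER" "$dst_port"
    # filter/FORWARD: admit only new connections from the public side into the tunnel.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$PUB_IF" "$VPN_IF" "$VPN_PEER" "$dst_port"
}

# The full ruleset: enable forwarding, allow replies back out, then one
# DNAT/FORWARD pair per mapping.
generate_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Replies from the server arrive on tun0 and must be allowed back to eth0;
    # conntrack reverses the DNAT on them automatically.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$PUB_IF"
    for map in $MAPPINGS; do
        rules_for_mapping "${map%%:*}" "${map##*:}"
    done
}

# Number of mappings configured (sanity check before applying).
mapping_count() { set -- $MAPPINGS; echo "$#"; }

# Usage: sh forward.sh          -> print the rules so you can review them
#        sh forward.sh --apply  -> execute them (run as root)
if [ "${1:-}" = "--apply" ]; then
    generate_rules | while IFS= read -r cmd; do $cmd; done
else
    generate_rules
fi
```

Two things to check once the rules are in place. First, because the source address is preserved, the server's replies have a public destination, so pfSense must send them back into the tunnel rather than out its own WAN; the simplest way is to let the OpenVPN server push a default route to that client (`push "redirect-gateway def1"`) or to policy-route the forwarded services' replies over the tunnel on pfSense. Second, if UFW manages the droplet's firewall, the equivalent of the FORWARD rule is `ufw route allow in on eth0 out on tun0 to 10.8.0.2 port 80 proto tcp`, with the DNAT line placed in a `*nat` section of /etc/ufw/before.rules so UFW reloads keep it. Forwarding port 21 only covers the FTP control channel; passive data connections need the `nf_conntrack_ftp` helper or a forwarded passive port range, and FTP carries credentials in clear text over the public leg.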
