enable IP forwarding

sudo sysctl -w net.ipv4.ip_forward=1

The -w setting is lost on reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent.


enable NAT

So that VPN clients have internet access through the server (the client subnet goes after -s, the uplink interface after -o).

sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

accept incoming connections on the VPN port (-I inserts the rule at the top of INPUT so it precedes any DROP rule)

sudo iptables -I INPUT -i eth0 -p tcp --dport 51321 -j ACCEPT

sudo iptables -I INPUT -i eth0 -p udp --dport 51321 -j ACCEPT

port forward

Credits to this post.

sudo iptables -t nat -A PREROUTING -p udp --dport 51321 -j DNAT --to-dest

sudo iptables -t nat -A PREROUTING -p tcp --dport 51321 -j DNAT --to-dest

Set up source NAT (SNAT) so that from your VPN client’s perspective, the connection is coming from the VPN server.

sudo iptables -t nat -A POSTROUTING -d -p udp --dport 51321 -j SNAT --to-source

sudo iptables -t nat -A POSTROUTING -d -p tcp --dport 51321 -j SNAT --to-source

The reason for SNAT is that otherwise the VPN client will send its return packets straight to the host which initiated the connection (z.z.z.z) via its own default gateway, and not via the VPN interface. The source IP address on the return packets will then be the default gateway's address, and not x.x.x.x. This causes all sorts of problems, since z.z.z.z really initiated the connection to x.x.x.x and will discard replies that come from a different address. With SNAT the client sees the server's tunnel address as the source, replies into the tunnel, and the server reverses both translations.
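The whole server-side procedure above (forwarding, masquerade, accept, DNAT and SNAT) as one script. This is an added example, not code from the original notes or the post credited above. It assumes a tunnel interface tun0, a client subnet 10.8.0.0/24, a server tunnel address 10.8.0.1 and a client 10.8.0.2; only the port 51321 and eth0 come from the notes. It prints the rules by default and applies them only with --apply, so the plan can be checked before it touches a live firewall. It also adds the FORWARD rules the notes leave implicit, which are needed once the default FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example: generate the forwarding, masquerade, accept and DNAT/SNAT
# rule set for one port forwarded to a VPN client.
# All values below except FWD_PORT and eth0 are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"              # interface carrying the public address x.x.x.x
VPN_IF="${VPN_IF:-tun0}"              # server's tunnel interface (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # subnet handed out to VPN clients (assumed)
VPN_SRV="${VPN_SRV:-10.8.0.1}"        # server's own address inside the tunnel (assumed)
VPN_CLIENT="${VPN_CLIENT:-10.8.0.2}"  # client that should receive the forwarded port (assumed)
FWD_PORT="${FWD_PORT:-51321}"         # port from the notes

# Emit one command per line instead of running it, so the rule set can be
# reviewed (or asserted on) before it is applied.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # NAT outbound client traffic behind the WAN address so replies come back here
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
    for proto in tcp udp; do
        # accept the forwarded port on the WAN side
        echo "iptables -I INPUT -i $WAN_IF -p $proto --dport $FWD_PORT -j ACCEPT"
        # FORWARD sees the packet after DNAT, so match on the client's tunnel address
        echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -p $proto -d $VPN_CLIENT --dport $FWD_PORT -j ACCEPT"
        # rewrite destination: public port -> client's tunnel address
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $FWD_PORT -j DNAT --to-destination $VPN_CLIENT"
        # rewrite source so the client replies through the tunnel, not via its own default gateway
        echo "iptables -t nat -A POSTROUTING -o $VPN_IF -d $VPN_CLIENT -p $proto --dport $FWD_PORT -j SNAT --to-source $VPN_SRV"
    done
    # let the client's replies (and anything else already tracked) flow back
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of emitted rules with the given target, as a sanity check on the plan.
count_rules() { gen_rules | grep -c -- "-j $1"; }

# Apply for real only when explicitly asked; otherwise just print the plan.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it once without arguments and read the output, then rerun with --apply as root. Because the SNAT rule is keyed on the client address and port, ordinary client-initiated traffic is still only masqueraded by the first POSTROUTING rule.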

save iptables

sudo service iptables save

This works on RHEL/CentOS with the iptables service; on other distributions dump the rules with iptables-save and restore them at boot.

list rules

sudo iptables -t nat -nvL --line-numbers

-n skips reverse DNS lookups (otherwise the listing can hang), -v shows interfaces and counters, and the line numbers are what you pass to -D to delete a rule.

ping test on client side

ping through a specific interface (-I) to confirm the tunnel actually carries traffic.

ping -I tun

check network connections

sudo netstat -tunp

-t/-u list TCP and UDP sockets, -n keeps addresses numeric, -p shows the owning process (needs root). ss -tunp gives the same on systems without netstat.

router side

policy based routing

See OpenWRT website for more info.

add routing table

vim /etc/iproute2/rt_tables

200   btvpn

create routing rules

ip rule add from table btvpn

add routes to the table

ip route add default via dev tun1 table btvpn
# allow traceroute
ip route add dev tun1 table btvpn
# flush cache
ip route flush cache


# show rules
ip rule list

# show routing table
ip route show table btvpn

open the firewall

  1. allow input from tun1 and output to tun1
  2. enable masquerading and MSS clamping
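The router-side policy routing (table btvpn, rule, routes) and the two firewall steps above as one script. This is an added example, not code from the original notes or from OpenWRT. It uses the table name and number from the notes (200 btvpn) and tun1; the LAN host 192.168.1.50, the tunnel gateway 10.8.0.1, the tunnel subnet 10.8.0.0/24 and the LAN bridge br-lan are assumptions. The firewall part is written as plain iptables rather than OpenWRT's uci zones, and "input from tun1" is narrowed to established replies, since accepting all new connections from the tunnel would expose the router to the VPN provider's network.

```shell
#!/bin/sh
# Added example: emit the policy-routing and firewall commands that send
# traffic from one LAN host through tun1 via a dedicated routing table.
# Table name/number and tun1 are from the notes; addresses are assumptions.
VPN_IF="${VPN_IF:-tun1}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-btvpn}"
VPN_GW="${VPN_GW:-10.8.0.1}"        # far end of the tunnel (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # tunnel subnet (assumed), routed on-link for traceroute
LAN_IF="${LAN_IF:-br-lan}"          # LAN bridge interface (assumed)
CLIENT="${CLIENT:-192.168.1.50}"    # LAN host to be routed via the VPN (assumed)

# Register the table name once so "table btvpn" resolves; safe to rerun.
gen_rt_table() {
    echo "grep -q \"[[:space:]]$TABLE_NAME\$\" /etc/iproute2/rt_tables || echo \"$TABLE_ID   $TABLE_NAME\" >> /etc/iproute2/rt_tables"
}

gen_routing() {
    # packets from CLIENT consult the btvpn table before the main table
    echo "ip rule add from $CLIENT table $TABLE_NAME"
    # default route of that table: through the tunnel
    echo "ip route add default via $VPN_GW dev $VPN_IF table $TABLE_NAME"
    # tunnel subnet on-link so traceroute/ICMP from the VPN side works
    echo "ip route add $VPN_NET dev $VPN_IF table $TABLE_NAME"
    echo "ip route flush cache"
}

gen_firewall() {
    # 1. input from tun1 (replies only) and output to tun1, plus LAN <-> tunnel forwarding
    echo "iptables -A INPUT -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $VPN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. masquerade behind the tunnel address and clamp TCP MSS to the tunnel path MTU
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
    echo "iptables -t mangle -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

gen_all() { gen_rt_table; gen_routing; gen_firewall; }

# Every routing command except the cache flush must name our table;
# a missing "table" keyword would silently change the main table instead.
routing_uses_table() { [ "$(gen_routing | grep -c "table $TABLE_NAME")" -eq 3 ]; }

if [ "${1:-}" = "--apply" ]; then gen_all | sh -e; else gen_all; fi
```

Verify afterwards with "ip rule list" and "ip route show table btvpn" as in the notes; the client's traffic should leave via tun1 while the rest of the LAN keeps using the main table. The MSS clamp matters because the tunnel MTU is smaller than the LAN MTU and hosts that block ICMP fragmentation-needed messages would otherwise stall on large transfers.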