Developers Club geek daily blog

4 years, 8 months ago
Bringing up a VPN tunnel from the outside world into a home network behind NAT

I want to tell you how, having a VPS server on the Internet, you can bring up a tunnel into your home network, and so avoid paying the provider for a static IP and, even while sitting behind NAT, still make your home services reachable from the Internet.

Starting point

  • a VPS server on Debian with a static public IP
  • a router running OpenWrt, sitting behind the provider's NAT
  • a home network with computers and virtual machines on it

Setting up the tunnel

First of all, install and configure the OpenVPN server on our VPS:
  apt-get update
  apt-get install openvpn

Let's edit the configuration file:
  dev tun0

Here 10.9.8.x will be our VPN network, in which we assign one address to the VPN server and another to the VPN client.

We also need to generate a key with which our router will connect to the server:
  openvpn --genkey --secret static.key

Now the daemon can be started:
  service openvpn start

Now install OpenVPN on our router, which will initiate the VPN connection:
  opkg update
  opkg install openvpn

Copy the key to our router using scp:

Edit the interface configuration:
  dev tun0

And check whether everything works:
  openvpn --config /etc/openvpn/tun0.conf

If all is OK, start the OpenVPN daemon and add it to startup:
  /etc/init.d/openvpn start
  /etc/init.d/openvpn enable

A few words about NAT

Because my router is behind the provider's NAT, after the tunnel came up and then sat idle for a while, the connection simply stopped working for me until at least one packet was sent from the client side to the server.

Therefore I decided to ping my VPN server's address every 30 seconds. That turned out to be enough, but since the ping command on my OpenWrt router does not understand the -i option, I had to write a small script:
  #!/bin/sh
  # Send one ping to the VPN server every 30 seconds so the NAT mapping stays alive
  while true; do
          ping -c 1 <vpn-server-ip>
          sleep 30
  done

Then I made it executable:
  chmod +x /bin/

And added a line to /etc/rc.local so it starts at boot:
  /bin/ &

It must be added before exit 0, not forgetting the & at the end of the line: it stops the router from waiting for our script to finish at startup, since the script runs in an endless loop.


Now we set up routing.

So that the VPS knows that the way to our home network lies through the router (the VPN client), we need to add a static route:
  route add -net <home-network> netmask <netmask> tun0

It can be put in the same /etc/rc.local on the VPS server.

So that our router lets the server into the home network, and machines in the home network can reach the server, the following rules need to be added on the router.

Let's create a file and write these rules into it:
  #!/bin/sh

  # Allow forwarding via tunnel
  iptables -I INPUT -i tun+ -j ACCEPT
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I OUTPUT -o tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT

Likewise, make it executable:
  chmod +x /bin/

And add it to /etc/rc.local so it starts at boot:

That is basically everything.
Our networks are connected, all machines see each other perfectly and exchange packets.
Now, if desired, we can set up forwarding of ports from the outside to an address inside the home network.

Here is how, for example, forwarding of the SSH port to one of the machines on my home network looks:
  # Forward SSH port to server
  iptables -t nat -A PREROUTING -d XX.XX.XX.XXX -p tcp --dport 666 -j DNAT --to-dest <home-machine-ip>
  iptables -t nat -A POSTROUTING -d <home-machine-ip> -p tcp --dport 22 -j SNAT --to-source <vpn-server-tun-ip>

Where XX.XX.XX.XXX is the external IP of the server, <home-machine-ip> is the IP of my machine in the home network, and 666 is the port I connect to in order to reach this machine.
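As an added example (not part of the original article), a POSIX sh helper that builds the DNAT/SNAT rule pair above from parameters, validates the addresses and ports first, and prints the rules for review rather than applying them. It assumes the rules are applied on the VPS; the IPs below are constructed sample values, and 10.9.8.1 is assumed to be the VPS's own address on tun0.

```shell
#!/bin/sh
# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_forward_rules EXT_IP EXT_PORT HOME_IP HOME_PORT VPN_SRV_IP
#   EXT_IP/EXT_PORT    public address and port clients connect to on the VPS
#   HOME_IP/HOME_PORT  machine and service inside the home network
#   VPN_SRV_IP         the VPS's own address on tun0 (the 10.9.8.x side)
# Prints the two iptables commands; returns 1 on any malformed argument.
nat_forward_rules() {
    ext_ip=$1 ext_port=$2 home_ip=$3 home_port=$4 vpn_ip=$5
    valid_ipv4 "$ext_ip" && valid_ipv4 "$home_ip" && valid_ipv4 "$vpn_ip" || return 1
    valid_port "$ext_port" && valid_port "$home_port" || return 1
    # Rewrite the destination so the packet is routed into the tunnel
    # via the static route to the home network.
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_ip" "$ext_port" "$home_ip" "$home_port"
    # Rewrite the source to the VPS tunnel address. Without this the home
    # machine would answer the Internet client directly through the router's
    # default route (the provider NAT), the reply would never traverse the
    # tunnel, and the connection would hang.
    printf 'iptables -t nat -A POSTROUTING -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$home_ip" "$home_port" "$vpn_ip"
}

# Constructed sample: expose SSH of home host 192.168.1.20 on VPS port 666.
nat_forward_rules 203.0.113.10 666 192.168.1.20 22 10.9.8.1
```

Pipe the output into sh on the VPS once the rules look right.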

PS: If something does not work for you, make sure that it is present on your VPS and that all the kernel modules it needs are loaded.


When writing this article I used information from the following sources:

This article is a translation of the original post at
