Everything posted by bit

  1. I finally managed to replicate your setup almost exactly. The only difference is that I used WireGuard instead of OpenVPN. The most notable thing in this setup is rp_filter. I was not aware of it and thus spent multiple weeks figuring it out. Anyone following these directions: do not customize AllowedIPs thinking you will tighten security - you will break packet routing. Do not forget the rp_filter part. You do not have to run the Windows instance in a VM. You could simply connect the Windows server to the same network using the TunSafe client. eressea, thanks for the initial guide. It was absolutely essential in making transparent proxying happen for me :)

     #### Setup

     ```
     +--+-------------------+------+            +----------------------------+
     |  |                   |      |            |                            |
     |  | VM (10.20.0.100) <---------------------+ Proxy: 10.21.0.101 (wg21)  |
     |  |                   |      |            | y.y.y.y (eth0)             |
     |  +-------------------+      |            |                            |
     |                             |            +----------------------------+
     | Router: 10.20.0.1 (virbr0)  |
     | 10.21.0.1 (wg21)            |
     | x.x.x.x (eth0)              |
     |                             |
     +-----------------------------+
     ```

     #### Server

     wg21.conf

     ```ini
     [Interface]
     Address = 10.21.0.1/24
     Table = off
     SaveConfig = true
     ListenPort = 43832
     PrivateKey = <...>

     [Peer]
     PublicKey = <...>
     AllowedIPs = 0.0.0.0/0 # Required for preserving original source ip
     Endpoint = y.y.y.y:43832
     ```

     iptables

     ```sh
     # enable forwarding
     echo 1 > /proc/sys/net/ipv4/ip_forward

     # prevent packets with original source from being dropped
     echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
     echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter

     wg-quick up wg21

     # transparent proxying ($gs = VM address, $gs_ports = forwarded server ports; placeholders)
     ip rule add fwmark 101 table 101
     ip route add default via 10.21.0.101 table 101
     iptables -t mangle -A PREROUTING -i wg21 -p tcp -m multiport --dport $gs_ports -j CONNMARK --set-mark 101
     iptables -t mangle -A PREROUTING -i virbr0 -p tcp -m multiport --sport $gs_ports -j CONNMARK --restore-mark

     # forwarding
     iptables -t filter -I FORWARD -i wg21 -o virbr0 -p tcp -d $gs -m multiport --dports $gs_ports -j ACCEPT
     iptables -t filter -A FORWARD -i wg21 -j ACCEPT
     iptables -t filter -A FORWARD -o wg21 -j ACCEPT
     ```

     #### Proxy

     wg21.conf

     ```ini
     [Interface]
     Address = 10.21.0.101/32
     Table = off
     SaveConfig = true
     ListenPort = 43832
     PrivateKey = <...>

     [Peer]
     PublicKey = <...>
     AllowedIPs = 0.0.0.0/0 # Required so that packets can reach 10.20.0.100
     Endpoint = x.x.x.x:43832
     ```

     iptables

     ```sh
     wg-quick up wg21
     ip route add 10.20.0.100 dev wg21   # Routing to VM
     ip route add 10.21.0.0/24 dev wg21  # Routing to vlan
     iptables -A FORWARD -i wg21 -j ACCEPT
     iptables -A FORWARD -o wg21 -j ACCEPT

     # forward incoming packets to VM
     iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport $gs_ports -j DNAT --to 10.20.0.100
     iptables -t nat -A POSTROUTING -s 10.21.0.0/24 -o eth0 -j MASQUERADE
     ```
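A pre-flight check for the two pitfalls the post above calls out (AllowedIPs left at 0.0.0.0/0 with Table = off in wg21.conf, and rp_filter cleared for the WireGuard interface). This is an added example, not the poster's script; the sysctl root argument and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for the transparent-proxy setup in the post (added example, not the poster's script).
# It checks the two pitfalls the post warns about: AllowedIPs must stay 0.0.0.0/0 and Table must be
# off in wg21.conf, and rp_filter must be 0 for the wg interface, because strict reverse-path
# filtering drops forwarded packets that keep their original source IP.
# The sysctl root is a parameter (assumption) so the check can also run against a copied tree.

wg_setting() {  # $1 = conf file, $2 = key; prints the value with any trailing comment removed
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

check_wg_conf() {  # $1 = path to wg21.conf; returns 0 if AllowedIPs and Table are as the setup requires
    rc=0
    allowed=$(wg_setting "$1" AllowedIPs)
    table=$(wg_setting "$1" Table)
    if [ "$allowed" != "0.0.0.0/0" ]; then
        echo "AllowedIPs is '$allowed'; must be 0.0.0.0/0 or WireGuard drops the forwarded packets" >&2
        rc=1
    fi
    if [ "$table" != "off" ]; then
        echo "Table is '$table'; must be off so wg-quick does not install its own routes" >&2
        rc=1
    fi
    return $rc
}

check_rp_filter() {  # $1 = sysctl conf root (normally /proc/sys/net/ipv4/conf), $2 = wg interface
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo missing)
    dev=$(cat "$1/$2/rp_filter" 2>/dev/null || echo missing)
    # The kernel applies max(all, interface), so both must be 0 for the interface to be unfiltered.
    [ "$all" = "0" ] && [ "$dev" = "0" ] && return 0
    echo "rp_filter all=$all $2=$dev; both must be 0 (echo 0 > .../all/rp_filter as in the post)" >&2
    return 1
}

make_samples() {  # writes a constructed good and bad config plus a fake sysctl tree; prints the dir
    d=$(mktemp -d)
    printf '[Interface]\nAddress = 10.21.0.1/24\nTable = off\n[Peer]\nAllowedIPs = 0.0.0.0/0 # keep\n' > "$d/good.conf"
    printf '[Interface]\nAddress = 10.21.0.1/24\n[Peer]\nAllowedIPs = 10.21.0.101/32\n' > "$d/bad.conf"
    mkdir -p "$d/sys/all" "$d/sys/wg21" "$d/sys/eth0"
    echo 0 > "$d/sys/all/rp_filter"; echo 0 > "$d/sys/wg21/rp_filter"; echo 1 > "$d/sys/eth0/rp_filter"
    echo "$d"
}

# Usage on a live router: check_wg_conf /etc/wireguard/wg21.conf && check_rp_filter /proc/sys/net/ipv4/conf wg21
```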
  2. Ah right, when the proxy connects to the router it gets a default gateway set. Well, truth is I'm not doing a 100% replica of this setup. I swapped OpenVPN with WireGuard. Things work differently with WireGuard. Now it all makes sense. Thanks!
  3. eressea, trying to replicate your exact setup. I'm banging my head here. Are you sure you did not forget anything about the proxy setup? You set DNAT to the IP of l2server, however here on my end the proxy does not know where to route such a packet because l2server is on a different subnet than the OpenVPN proxies. Any ideas?
  4. Actually I figured it out. Take a look.

     The Linux proxy server runs the OpenVPN server. OpenVPN network IP of the proxy: 10.200.0.1. Windows connects to the OpenVPN server and gets IP 10.200.0.10. AuthD/Server both listen on address 10.200.0.10.

     Do not set the default gateway on the Windows server to 10.200.0.1. This is irrelevant; the OpenVPN client does it automatically.

     $ip as always - the external IP of the proxy server.

     Proxy firewall setup:

     ```sh
     iptables -A INPUT -s 10.200.0.0/24 -d 10.200.0.1 -j ACCEPT
     iptables -t nat -A POSTROUTING -o eth0 -s 10.200.0.0/24 -d 10.200.0.10 -j SNAT --to $ip
     iptables -t nat -A PREROUTING -i eth0 ! -s 10.200.0.10 -p tcp -m multiport --dport 2106,7777 -j DNAT --to 10.200.0.10
     ```

     To my surprise, with this setup the server can see the real client IP address. Also, if the default gateway is not set on Windows everything still works and the Windows server can still access the internet. I cannot try it with ppp yet because of the live server, but I suspect there would be no difference (except for the LAN IP addresses of course).

     Edit: Turns out the Windows server indeed cannot access the internet. Still trying to figure out how to fix the OpenVPN routes so the internet works as well as the proxied server.

     Edit: OK, I finally figured out how to make the internet connection and the forwarded server work as well. This is a rather dirty solution but it works. The key requirement is that you set the default gateway to the OpenVPN adapter on the Windows server. For some reason it is not done automatically.

     Add the following settings to your OpenVPN.ovpn client config file:

     ```
     route-nopull
     script-security 2
     up-delay
     up "setgw.bat"
     ```

     Remove the "redirect-gateway" option if you have it. Create a setgw.bat script in the OpenVPN config folder with this content:

     ```bat
     start cmd /c "timeout 10 && netsh interface ipv4 set address %1 static %4 255.255.255.0 %5"
     ```

     This file will sleep a bit and set the default gateway to the OpenVPN network adapter. If you know a better solution please share, because this one sucks.
  5. Would this work with a single proxy and no router machine? I am kind of banging my head here trying to make that setup work.

     My setup: 1 Linux proxy running a ppp server. Proxy ppp0 interface with IP 192.168.0.1, Windows server client with IP 192.168.0.234. $ip in the commands is the external proxy server IP.

     ```sh
     iptables -t nat -A PREROUTING -p tcp -m multiport --dport 2106,7777 -j DNAT --to-dest 192.168.0.234
     iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport --dport 2106,7777 -m tcp -j CONNMARK --set-mark 101
     iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m multiport --sport 2106,7777 -m tcp -j CONNMARK --restore-mark
     ip rule add fwmark 101 table 101
     ip route add default via $ip table 101
     ```

     Any idea what I do wrong here?

     This works, but the server sees the proxy IP as the player IP:

     ```sh
     iptables -t nat -A PREROUTING -p tcp -m multiport --dport 2106,7777 -j DNAT --to-dest 192.168.0.234
     iptables -t nat -A POSTROUTING -j MASQUERADE
     ```

     By the way, the first post has some typos. The chain is missing in the commands with "--restore-mark".