There is a system with CentOS 7. I am trying to set up OpenVPN on it. There was a problem with configuring iptables. I am installing according to a manual.

iptables is up and running.

The manual suggests adding the rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 

But in the end I failed to get a working VPN.

Another manual suggested using these rules:

 iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to SERVER-IP
 iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

They even killed the server; I had to reinstall the OS.

I rummaged through the Internet and realized that the necessary rules are not universal and depend on whether the server is dedicated or a VPS, and on which virtualization technology it uses, Xen or OpenVZ.

Tell me which iptables rules I need to add to open port 1194 and get the VPN working correctly on my VPS with CentOS 7 and virtualization type OpenVZ.

    2 answers

    The rule from the manual definitely does not work: in an OpenVZ container you need to use SNAT. The rules that killed the server:

     iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to SERVER-IP
     iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

    are definitely working and correct. You need to check whether the use of tun/tap inside the container is allowed (more often than not, by default, it is not). Do you actually have a venet0 interface?

      Here is a working configuration

       iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to abcd
       iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
       iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

      but you need to check that the interface names are correct (venet0 and tun0). For tun, you will most likely have to ask the hoster to allow its use inside the container.
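A check-then-apply version of the rules from this answer, added here as an example and not the answerer's own script. Interface names, the VPN subnet and SERVER_IP are assumptions to adjust per container; it also restricts the SNAT rule to the VPN subnet with -s, opens UDP 1194 on INPUT, and appends each rule only if it is not already present.

```shell
#!/bin/sh
# Added example (not from the question or the answers): verify the
# prerequisites the answer mentions (tun device, venet0 present), then
# apply SNAT/FORWARD rules idempotently. All names below are assumptions.
set -eu

WAN_IF="${WAN_IF:-venet0}"     # OpenVZ containers usually expose venet0, not eth0
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
SERVER_IP="${SERVER_IP:-}"     # public address of the container (required)

# Print the iptables arguments for each rule, one per line, with no side
# effects, so the set can be reviewed before anything is applied.
build_rules() {
    wan="$1"; tun="$2"; net="$3"; ip="$4"
    printf '%s\n' \
      "-t nat -A POSTROUTING -s $net -o $wan -j SNAT --to-source $ip" \
      "-A FORWARD -i $wan -o $tun -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "-A FORWARD -i $tun -o $wan -j ACCEPT" \
      "-A INPUT -i $wan -p udp --dport 1194 -j ACCEPT"
}

# True when the container has a usable tun character device.
tun_allowed() { [ -c /dev/net/tun ]; }

# True when the named network interface exists.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# Append each rule only if iptables -C says it is not already in the chain.
apply_rules() {
    build_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/-A /-C /')
        # shellcheck disable=SC2086
        iptables $check 2>/dev/null || iptables $rule
    done
}

main() {
    [ -n "$SERVER_IP" ] || { echo "set SERVER_IP first" >&2; exit 1; }
    tun_allowed || { echo "/dev/net/tun missing: ask the hoster to enable tun" >&2; exit 1; }
    iface_exists "$WAN_IF" || { echo "no interface $WAN_IF in this container" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1
    apply_rules "$WAN_IF" "$TUN_IF" "$VPN_NET" "$SERVER_IP"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it without arguments and call build_rules to preview the rule set; run with --apply as root to install it.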