There is an OpenVPN server through which a number of computers are connected to a "local network" with addresses of the form 10.10.1.X.

10.10.1.1 is the server address.

10.10.1.2 is the address of the machine on which I want to see the stream from the IP camera.

10.10.1.3 is a Raspberry Pi 3, with the camera connected to its eth0. A static IP is assigned on the camera (192.168.1.254) and on the Pi itself (192.168.1.2). The default gateway set on them is 192.168.1.1.

The Pi's wlan0 connects to the Internet; tunV is created by OpenVPN (and receives the address 10.10.1.3).

From all devices, ping works perfectly to the Pi and back (inside the OpenVPN mesh). And I got stuck on "linking" the interfaces.

As a result, I want to be able to get an RTSP stream at 10.10.1.3:554.

  • And is port 554 listening on all network interfaces? Maybe in the configuration it is bound to 192.168.1.2? - AkaInq
  • Are you sure that the Pi is broadcasting something? Look for the stream at 192.168.1.254, and to get to it you need to add routes from 10.10.xx to 192.168.1.x. - Yura Ivanov

1 answer

"I want to be able to get an RTSP stream at 10.10.1.3:554"

On the machine with IP address 10.10.1.3, you need to add two netfilter rules, one for dnat and one for snat. Approximately like this:

$ iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.254
$ iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -j SNAT --to-source 192.168.1.2

The meaning of dnat is that all packets arriving on interface tun0, port 554, have their destination address replaced with 192.168.1.254.

These packets will go out through the eth0 interface, where the snat rule will apply, replacing the source address with 192.168.1.2. The point of this rule is that when the IP camera sends response packets, it sends them to this address. netfilter will then change the destination and source addresses back to the original ones so that the response packet goes in the right direction and with the correct return address.


Ah, yes, it is worth mentioning that packet forwarding between interfaces must be allowed on that machine. See, for example, the first paragraph of this answer.

  • Thanks. It worked. And it is much simpler than everything I found on the Internet before. - Konstantin
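
A tighter variant of the rules in the answer, as an added example that is not part of the original post: SNAT is scoped to the camera instead of all TCP leaving eth0, and FORWARD rules let VPN peers reach only 192.168.1.254:554. Addresses and interfaces come from the post; the FORWARD rules, the extra match options, and the function and mode names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Values taken from the question and answer.
VPN_IF=tun0            # OpenVPN interface on the Pi
LAN_IF=eth0            # interface the camera is plugged into
CAM_IP=192.168.1.254   # camera
PI_LAN_IP=192.168.1.2  # Pi's address on the camera LAN
RTSP_PORT=554

# Print the iptables commands, one per line; nothing is applied here.
# -A appends, so any broader ACCEPT already in FORWARD still wins.
rtsp_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $VPN_IF -p tcp --dport $RTSP_PORT -j DNAT --to-destination $CAM_IP:$RTSP_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -d $CAM_IP -p tcp --dport $RTSP_PORT -j SNAT --to-source $PI_LAN_IP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -d $CAM_IP -p tcp --dport $RTSP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j DROP
EOF
}

# Report whether the kernel forwards IPv4 between interfaces (1 = yes).
forwarding_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Hypothetical modes: "print" shows the rules, "apply" installs them (root).
case "${1:-}" in
    print)
        rtsp_rules
        echo "# net.ipv4.ip_forward is currently: $(forwarding_state)"
        ;;
    apply)
        sysctl -w net.ipv4.ip_forward=1 && rtsp_rules | sh -e
        ;;
esac
```

Only TCP port 554 is forwarded, so the RTSP client has to carry the media interleaved over TCP rather than as RTP over UDP.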