I run the following services on mine: DHCP, local DNS, NAT, OpenVPN for road warriors, site-to-site IPsec VPN for my colleague, Let's Encrypt client, HAProxy, DynDNS client. I'm also using VLANs for internal network logical separation, and this VM is the router/firewall between them.

I prefer to avoid OpenVPN's new --client-nat feature. Maybe I have to force routing with ip route? Or to loop twice into the network stack with veth? Note: I don't want to use masquerade. Only 1/1 NAT. EDIT: It's not possible with a regular OpenVPN setup. Because a packet from a remote site is indistinguishable from a packet from another

Aviatrix OpenVPN® FAQs — aviatrix_docs documentation

An Aviatrix OpenVPN® gateway performs a NAT function for the user's VPN traffic, effectively masking out the VPN client's virtual IP address assigned by the gateway from the VPN CIDR Block. This does not affect profile based policy enforcement as the landing VPN gateway has the information of the virtual IP address before NAT is performed and


OpenVPN through double NAT

Good afternoon, As with all ISPs in France, mine requires using their own modem/router to benefit from VoIP services (the phone is connected to their modem/router).

Tunnel Your Internet Traffic Through an OpenVPN Server

Import the new ruleset:

    iptables-restore < /etc/iptables/rules.v4

Apply the routing rule so that traffic can leave the VPN. This must be done after iptables-restore because that directive doesn't take a table option:

    iptables -t nat -A POSTROUTING -s 10.89.0.0/24 -o eth0 -j MASQUERADE