IPTABLES - Expert Advice Required


New Member
Sep 13, 2021
Reaction score
Hi all,

I have been battling trying to get something working for a while now. I'm close to just giving up as I just can't seem to make it work exactly how I want.

I am trying to set up iptables on an Ubuntu Server 20.04 LTS to accept traffic from the LAN and route through a VPN tunnel that is running on the server. Just to be clear, the Ubuntu Server is running the OpenVPN client and connecting up to NordVPN. It is not acting as a VPN server, just a client. There seems to be some confusion with terminology when trying to explain this, but the way I would explain it is that it's an Ubuntu Server, running an OpenVPN client with a connection to NordVPN (could be any other VPN provider), and acting as an optional "VPN Gateway" for my LAN.

The server running the OpenVPN client lives at I would like to refer to this as "The VPN Gateway".

The idea is that on an ad-hoc basis, I can decide that another device on the LAN requires an encrypted and private connection to the internet, and so reconfigure that device's IP configuration accordingly to use the "VPN Gateway" as its default gateway, rather than the router (Unifi UDM-PRO).

For example, I have a device on If I leave it on DHCP, its default gateway would be which is my router. Its connection to the internet is not tunnelled through the VPN. However, if I were to set the IP config to static and assign the default gateway to ("The VPN Gateway"), its connection to the internet should be tunnelled through the VPN.

There are lots of articles out there on this subject, all of which differ slightly in approaches. I have tried a lot and also a mixture of them all with varying levels of success.

I'm at a stage where I can make it work, but when the VPN tunnel is connected, I lose all SSH access to the VPN Gateway. I also lose SSH access to any devices that are configured to use the VPN Gateway as its default gateway. I also lose access to any web services these devices may be running.

Any help would be greatly appreciated. Please ask for any config details. I can provide whatever is required.



Hmm. I've never attempted to use the standard client to route other devices traffic, but to do this. You would definitely have to setup the Linux machine to act as a router if this is even possible and probably enable masquerading also.

I'm not even going to pertend to know I can help you, but I will provide you with information that I do know.

You will need to ensure you enable ipv4 forwarding. Check the status.
[user@localhost ~]$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forawrd = 0
[user@localhost ~]$ cat /proc/sys/net/ipv4/ip_forward
You will need to set it to 1 (0 disabled, 1 enabled)
[user@localhost ~]$
sysctl -w net.ipv4.ip_forward=1
[user@localhost ~]$echo 1 > /proc/sys/net/ipv4/ip_forward

Once you've done that, you can ensure it took affect.
[user@localhost ~]$ sysctl -p

Now, you will likely need masquerading too. You said you are using iptables, but you might be using firewalld. (yes, same but also different) I suggest you verify which one you're using and then follow howtos on enabling masquerading.
Last edited:
Oh, you will likely need to setup static routes for those remote connections also.

Thanks for taking the time to look at this.

I have finally found the solution... I have this working as I want now.

It was to do with the static routes yes.

My iptables config was actually fine. I already had IP forwarding enabled too.

Found the solution in this post...

Had to add a couple of things to the iptables and then some routes.

# set "connection" mark of connection from eth0 when first packet of connection arrives
sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

# set "firewall" mark for response packets in connection with our connection mark
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 table 3412

# route packets with our firewall mark using our routing table
sudo ip rule add fwmark 4321 table 3412

Members online