Allow client-to-client to work with SNAT and masquerade (#179)

Co-authored-by: Kyle Lexmond <[email protected]>
kyl191 · Dec 22, 2024 · a1ca87f · a1ca87f
1 parent 09aeb80
commit a1ca87f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/tasks/iptables.yml b/tasks/iptables.yml
@@ -65,6 +65,7 @@
     table: nat
     chain: POSTROUTING
     source: "{{ openvpn_server_network }}/24"
+    destination: "! {{ openvpn_server_network }}/24"
     to_source: "{{ ansible_default_ipv4.address }}"
     jump: SNAT
     action: insert
@@ -77,6 +78,7 @@
     table: nat
     chain: POSTROUTING
     source: "{{ openvpn_server_network }}/24"
+    destination: "! {{ openvpn_server_network }}/24"
     jump: MASQUERADE
     action: insert
     comment: "Perform NAT readdressing"

diff --git a/tasks/ufw.yml b/tasks/ufw.yml
@@ -39,7 +39,7 @@
       # OpenVPN config
       *nat
       :POSTROUTING ACCEPT [0:0]
-      -A POSTROUTING -s {{ openvpn_server_network }}/24 -j SNAT --to-source {{ openvpn_lan_source_ip }}
+      -A POSTROUTING -s {{ openvpn_server_network }}/24 ! -d {{ openvpn_server_network }}/24 -j SNAT --to-source {{ openvpn_lan_source_ip }}
       COMMIT
   when: not openvpn_masquerade_not_snat
   notify:
@@ -54,7 +54,7 @@
       # OpenVPN config
       *nat
       :POSTROUTING ACCEPT [0:0]
-      -A POSTROUTING -s {{ openvpn_server_network }}/24 -j MASQUERADE
+      -A POSTROUTING -s {{ openvpn_server_network }}/24 ! -d {{ openvpn_server_network }}/24  -j MASQUERADE
       COMMIT
   when: openvpn_masquerade_not_snat
   notify: