
    OpenVPN MASQUERADE Workaround

    Configure OpenVPN NAT without MASQUERADE on OpenVZ VPS.

    OpenVZ Limitation

    The MASQUERADE module is not supported by OpenVZ. Instead, you must use SNAT (Source NAT).

    Understanding the Issue

    When setting up OpenVPN on OpenVZ, you may encounter errors related to the MASQUERADE iptables target. This is because OpenVZ containers don't support the MASQUERADE module that's commonly used in OpenVPN configurations.

    The Solution: Use SNAT Instead

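    Instead of MASQUERADE, use SNAT (Source Network Address Translation) with your server's specific IP address. SNAT performs the same source-address rewriting, but the address is written into the rule rather than looked up from the outgoing interface, so the rule must be updated if the server's IP changes.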

    Replace MASQUERADE Rules

    Find any iptables rules in your OpenVPN configuration that look like this:

    # DON'T USE THIS ON OPENVZ
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

    And replace them with SNAT rules using your server's IP address:

    # USE THIS INSTEAD
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP

    Example

    If your server IP is 192.0.2.100, the rule would be:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.0.2.100

    Finding Your Server IP

    To find your server's primary IP address:

    ip addr show | grep 'inet ' | grep -v '127.0.0.1'
    # or
    hostname -I

    Making Rules Persistent

    To ensure your iptables rules persist after reboot:

    # Debian/Ubuntu
    apt-get install iptables-persistent
    netfilter-persistent save
    
    # CentOS/RHEL
    service iptables save

    Verification

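    After applying the SNAT rule, verify it's in place. The output should list a SNAT target for source 10.8.0.0/24 with to: followed by your server IP, and no remaining MASQUERADE entry: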

    iptables -t nat -L POSTROUTING -n -v
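
The same replacement applied to a whole saved ruleset, as an added example that is not part of the original documentation: it reads `iptables-save` output on stdin and rewrites plain `-j MASQUERADE` rules in the nat table's POSTROUTING chain to SNAT. The function names and the sample dump are constructed for illustration; rules that carry MASQUERADE options are left unchanged and reported on stderr.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Succeed only if $1 is a dotted-quad IPv4 address with octets in 0-255.
# This also rejects the literal placeholder YOUR_SERVER_IP.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Read an iptables-save dump on stdin and print it with MASQUERADE replaced
# by SNAT to address $1. Only the nat table's POSTROUTING chain is touched.
masq_to_snat() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    awk -v ip="$ip" '
        /^\*/ { table = $1 }                      # track the current table
        table == "*nat" && /^-A POSTROUTING / {
            if (/ -j MASQUERADE$/)
                sub(/ -j MASQUERADE$/, " -j SNAT --to-source " ip)
            else if (/ -j MASQUERADE /)           # options such as --to-ports
                print "left unchanged, review by hand: " $0 > "/dev/stderr"
        }
        { print }'
}

# Constructed sample dump (10.8.0.0/24 is the subnet used on this page).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT'

# Demo run with the page's example address 192.0.2.100.
printf '%s\n' "$SAMPLE_RULES" | masq_to_snat 192.0.2.100
```

On a real host, feed it the output of `iptables-save` and review the result before loading it with `iptables-restore`.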