I'm trying to configure a test VPN setup to route pings to an instance's public IP. A corporate vendor we are connecting to has reserved all private space on their side. I'm not sure what NAT rules I need to get traffic from the VPN router instance on our side to forward to the corresponding instance behind it based on its public address, rather than private.
I have a topology like
A-Server <-> A-VPN <--internet--> B-VPN <-> B-Server.
The VPN tunnel is established and I'm able to ping either side via private IP without issue. Pinging the public IP does get to the VPN machine on the 'other' side but stops there (indicated by activity in "$ ip xfrm monitor", I think?).
Both VPN instances have the A-Server public IP/32 in their allowed subnets on the left/right sides where suitable.
The following NAT rules on the A-VPN instance don't appear to work, and I'm not sure if I am misusing them or how to debug further.
iptables -t nat -A POSTROUTING -s <A-Server PRIVATE IP>/32 -d <B-Server PRIVATE IP>/32 -j SNAT --to-source <A-Server PUBLIC IP>
iptables -t nat -A PREROUTING -s <B-Server PRIVATE IP>/32 -d <A-Server PUBLIC IP>/32 -j DNAT --to-destination <A-Server PRIVATE IP>
Current rules on A-VPN:
# iptables-save
# Generated by iptables-save v1.4.21 on Fri Feb 15 11:12:15 2019
*nat
:PREROUTING ACCEPT [2:168]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [21:1848]
:POSTROUTING ACCEPT [23:2016]
-A PREROUTING -s 172.31.24.75/32 -d <A-Server PUBLIC IP>/32 -j DNAT --to-destination 10.0.10.15
-A POSTROUTING -s 10.0.0.34/32 -d 172.31.24.75/32 -j SNAT --to-source <A-Server PUBLIC IP>
COMMIT
# Completed on Fri Feb 15 11:12:15 2019
# Generated by iptables-save v1.4.21 on Fri Feb 15 11:12:15 2019
*filter
:INPUT ACCEPT [104381:64450743]
:FORWARD ACCEPT [189:13956]
:OUTPUT ACCEPT [89586:3506732]
COMMIT
# Completed on Fri Feb 15 11:12:15 2019
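The ruleset below is an added example written for this question; it is not the poster's configuration and not vendor code. It generates, in dry-run mode, the NAT and FORWARD rules an A-VPN box needs to present A-Server under its public IP inside the tunnel, and it encodes two points that matter for debugging: the SNAT must not carry a "-m policy" match (in the forward path the xfrm lookup has already happened on the pre-NAT private addresses, which match no tunnel selector; only after the SNAT does the kernel repeat the lookup for the rewritten packet), and replies to A-initiated pings are un-SNAT'd by conntrack, so the explicit DNAT rule only matters for connections the B side opens. The private addresses 10.0.0.34 and 172.31.24.75 are taken from the posted iptables-save output; 203.0.113.10 is a documentation-range placeholder standing in for <A-Server PUBLIC IP>, and all three are assumptions overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original question): NAT + forwarding rules for A-VPN
# that make A-Server appear as its public IP inside the IPsec tunnel.
# Assumed addresses (placeholders; override with environment variables):
#   A_PRIV  A-Server private IP   10.0.0.34      (from the posted ruleset)
#   B_SRV   B-Server IP           172.31.24.75   (from the posted ruleset)
#   A_PUB   A-Server public IP    203.0.113.10   (documentation range, stands in
#                                                  for <A-Server PUBLIC IP>)
A_PRIV="${A_PRIV:-10.0.0.34}"
A_PUB="${A_PUB:-203.0.113.10}"
B_SRV="${B_SRV:-172.31.24.75}"
# Dry run by default: "echo iptables ..." prints each rule instead of applying it.
# Run with "./a-vpn-nat.sh apply" (needs root and net.ipv4.ip_forward=1) to install.
IPT="${IPT:-echo iptables}"

nat_rules() {
    # Outbound A-Server -> B-Server: rewrite the source to the public IP.
    # Deliberately no "-m policy --dir out --pol ipsec" here: when this packet reaches
    # POSTROUTING the xfrm lookup has already run on the pre-SNAT private addresses,
    # which match no tunnel selector, so that match would never be true. After the
    # SNAT the kernel redoes the xfrm lookup for the rewritten packet, which now
    # matches the <A_PUB>/32 <-> B selector and is encapsulated.
    $IPT -t nat -A POSTROUTING -s "$A_PRIV/32" -d "$B_SRV/32" \
        -j SNAT --to-source "$A_PUB"
    # Inbound B-Server -> A-Server public IP: map to the private address, but only
    # for packets that were decrypted by the tunnel (those carry an IPsec policy).
    # Replies to A-initiated pings are reversed by conntrack and never hit this rule;
    # it is only needed for connections that B-Server opens towards A_PUB.
    $IPT -t nat -A PREROUTING -s "$B_SRV/32" -d "$A_PUB/32" \
        -m policy --dir in --pol ipsec \
        -j DNAT --to-destination "$A_PRIV"
}

forward_rules() {
    # Replace the posted default of FORWARD ACCEPT with an allow-list for this flow,
    # so the VPN box does not double as an open router between the two networks.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$A_PRIV/32" -d "$B_SRV/32" -j ACCEPT
    # FORWARD sees the inbound packet after DNAT, so match the private address and
    # additionally require that it came out of the tunnel.
    $IPT -A FORWARD -s "$B_SRV/32" -d "$A_PRIV/32" \
        -m policy --dir in --pol ipsec -j ACCEPT
}

# Debugging on A-VPN while A-Server pings B-Server (all standard tools):
#   iptables -t nat -L -v -n          hit counters: is the SNAT line counting at all?
#   conntrack -L -s 10.0.0.34         the entry should show the reply side addressed
#                                     to the public IP (SNAT actually happened)
#   ip xfrm policy                    expect "src <A_PUB>/32 dst 172.31.24.75/32 dir out";
#                                     if the selector is missing, no NAT rule will help
#   tcpdump -ni any 'host 172.31.24.75 or esp'   see whether ESP leaves at all
case "${1:-}" in
    show)  nat_rules; forward_rules ;;
    apply) IPT=iptables; nat_rules; forward_rules ;;
esac
```

Run it as `sh a-vpn-nat.sh show` first and compare the printed rules with `ip xfrm policy`: the SNAT source and the out-direction selector must be the same public /32, otherwise the rewritten packet is routed to the internet instead of into the tunnel. Note that with B-Server on an RFC 1918 address that stray packet is dropped upstream, but with a public B address it would leave in the clear, which is why FORWARD is locked down to the single expected pair.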