iptables – Configure OpenVPN to be used through Squid and for specific IPs

I would like to set up OpenVPN such that

  1. it only tunnels such traffic through OpenVPN that belongs to the data flow between client and server, and
  2. such that it goes through a Squid proxy (between OpenVPN client (from now on machine A) and OpenVPN server (from now on machine B)).

I have one machine (machine A) in my private network that communicates directly with other private IP addresses. However, this machine also has to reach another machine (machine B), which is hosted externally with a public IP address. Given our network policies, machine A can only access machine B through an existing Squid proxy. For the specific communication between machine A and machine B an additional OpenVPN tunnel needs to be configured.

Thus, machine A should only tunnel traffic that is destined for machine B and use direct connections for any other data flow. Moreover, this specific OpenVPN tunnel shall go through an existing Squid proxy. The same situation applies from the perspective of machine B, i.e. it shall connect to machine A via OpenVPN but use direct connections to any other machine. However, it should be noted that the communication between A and B is always initiated by machine A.

Machine A will have the OpenVPN client installed whereas Machine B will have the OpenVPN server installed. Let’s assume the following fictional IP addresses:

  • Machine A (Red Hat Enterprise Linux 7.5):
  • Squid proxy:
  • Machine B (Ubuntu 18.04):

I installed OpenVPN according to this tutorial, except for the 1st and 2nd optional step (right after step 5).

Regarding requirement 1 (only using OpenVPN for specific connections) my approach is to put the following instructions in the client.conf on Machine A following this suggestion:

Machine A:


Regarding requirement 2 (tunneling OpenVPN connections through the Squid proxy), I have no exact idea, but my approach is to implement an iptables prerouting rule following this post:

iptables -A PREROUTING -t nat -i -p tcp --dport 80 -j DNAT --to

I couldn’t really test too much because both involved machines are operational and I don’t want to break them. Thus, I am asking you in advance for your advice.
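Added example, not part of the question above: one way to express both requirements in OpenVPN's own configuration, using the client's http-proxy directive (OpenVPN then issues an HTTP CONNECT to Squid for its own TCP session) and route-nopull so that only machine B's tunnel address is routed through the tunnel. All addresses, file names and the Squid port 3128 are placeholders; machine B listens on TCP 443 because Squid's stock configuration only permits CONNECT to port 443.

```conf
# ---- client.conf on machine A (added example; all values are placeholders) ----
client
dev tun
# An HTTP proxy can only relay TCP, so the tunnel itself must run over TCP
proto tcp-client
# Machine B's public address (placeholder). Port 443 matches Squid's default
# SSL_ports ACL, which is the only port its stock config allows CONNECT to.
remote 203.0.113.10 443
# Send the tunnel's TCP session through Squid via HTTP CONNECT.
# 192.0.2.5:3128 is a placeholder; 3128 is Squid's default listening port.
http-proxy 192.0.2.5 3128
# Keep the existing default route: ignore every route (including any
# redirect-gateway) and DNS setting the server might push.
route-nopull
# Only machine B's address inside the tunnel (placeholder) goes through tun;
# all other destinations keep using the direct private-network paths.
route 10.8.0.1 255.255.255.255
ca ca.crt
cert machineA.crt
key machineA.key
# Refuse to talk to a peer whose certificate is not a server certificate
remote-cert-tls server
persist-key
persist-tun
verb 3

# ---- server.conf on machine B (added example; placeholders as above) ----
port 443
proto tcp-server
dev tun
# Tunnel subnet; the server directive adds only this subnet's route on B,
# so B keeps direct connections for everything else.
server 10.8.0.0 255.255.255.0
topology subnet
ca ca.crt
cert machineB.crt
key machineB.key
dh dh.pem
# Deliberately no 'push "redirect-gateway ..."' and no pushed routes:
# A is not meant to send anything but B-bound traffic through the tunnel.
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
verb 3
```

Both files carry only the directives relevant to the two requirements; certificates and any tls-auth key from the installation tutorial are kept as already configured. If Squid's SSL_ports ACL has been tightened or changed, the port in the remote line must be one that ACL permits for CONNECT.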