Hi ecanmaster,
[QUOTE=ecanmaster;28309]The server is an SLES 11, which also acts as openvpn server
we use this server to create the vpn connection
I connect to this server with openvpn and use putty to login to the servers
I can connect with RDP to this server when I am on the same subnet, but when using a vpn connection, I am not able to connect with rdp,
I can ping the server, but RDP is not working
The above server with the iptables rules - is that a VPN terminator? In other words, is your setup as follows?
A: laptop (local subnet) RDP server
B: laptop (some VPN) VPN terminator (local subnet) RDP server
A works, B doesn’t, correct?
Correct, A works, but B doesn't (I tried the A solution so I would be sure the RDP is working)
I can ping the server, but RDP is not working
If pinging the server from the VPN client works (I assume no other NAT rules apply) and you hence can reach the RDP server, why have you added the DNAT?
I am not sure if I understand your question, but let me explain:
When connecting to this server, I use a VPN connection.
Once I have the vpn connection, I can ping the server, create a putty session without any issues.
The RDP connection to this server is just not working.
I am not sure about the DNAT, I have seen similar rules with DNAT and thought it should be used, but I am not sure if this is correct.[/QUOTE]
You ought to get familiar with the basics of what you’re doing here, quickly. Setting wrong / bad rules can severely wreck your server connectivity.
NAT is “network address translation” and the statement you entered means “re-write the destination address of any packet, crossing this server and heading for port 3389, to 192.168.201.15”. You would do this if the sender of the packet cannot originally use the proper destination address… but since you can ping the server etc., you can use the address already when sending out the packets from your client, so no need to re-write the target address.
[QUOTE=ecanmaster;28309]
iptables -A FORWARD -j ACCEPT -p tcp --dport 3389
that rule will allow traffic to the RDP server cross the VPN terminator - what about the traffic from the RDP server?
# iptables -A FORWARD -p tcp --dport 3389 -d 192.168.201.15 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 3389 -s 192.168.201.15 -j ACCEPT
(I left out conntrack for simplicity’s sake)
What you are saying sounds logical and I just tried this rule set, but it’s not working.
Do I need to remove the other rule first in order for this to work?
Should I give you more information regarding the current iptables setup?[/QUOTE]
No, you need to figure out where the packets are flowing and why they’re not reaching their target.
As you can ping the server from your client via the VPN tunnel, the RDP server seems to know how to send back the return packets to your VPN terminator. I suggest running “tcpdump” on the LAN interface of the VPN terminator box to determine if the client’s packets properly leave your VPN terminator (in direction to the RDP server) and if return packets are received (coming from the RDP server, targeted at the client). Follow the white rabbit… which masks as “TCP packets” in this movie.
Well, getting the iptables basics straight is something you should learn truly short-term, to be able to set up and diagnose your installation…
BTW: How’s your TCP/IP background, you’ll need some fundamentals to hunt this problem down.
Regards,
Jens
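As an added example (not posted by either participant), here is the stateful version of the two FORWARD rules from the reply, with the conntrack match the reply left out, plus the tcpdump check it suggests. The tunnel interface tun0 and the LAN interface eth0 are assumptions; the RDP host 192.168.201.15 is the one from the thread. By default the commands are only printed; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: tun0 (VPN side of
# the terminator), eth0 (LAN side). The RDP host is the thread's own address.
# With IPT unset, every rule is echoed instead of applied.
IPT="${IPT:-echo iptables}"
RDP_HOST="${RDP_HOST:-192.168.201.15}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# Stateful FORWARD rules for the VPN terminator.
# Rule 1: a new RDP connection coming in from the tunnel may go out to the
#         RDP host on the LAN (and only there, on port 3389).
# Rule 2: return traffic is matched by connection state rather than by a
#         separate "--sport 3389" rule, so packets that belong to no tracked
#         connection are not forwarded back into the tunnel.
# No DNAT is needed: the client already reaches the server's real address.
rdp_forward_rules() {
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$RDP_HOST" \
        -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The diagnostic step from the reply: capture on the LAN interface and look
# for the client's SYNs leaving towards the RDP host and the SYN/ACKs coming
# back. If the SYNs never appear here, the packets are dropped before
# forwarding; if SYN/ACKs never appear, the RDP host is not answering.
rdp_tcpdump_command() {
    printf 'tcpdump -ni %s host %s and tcp port 3389\n' "$LAN_IF" "$RDP_HOST"
}

rdp_forward_rules
rdp_tcpdump_command
```

Run the capture while retrying the RDP connection from the VPN client; whichever direction is missing in the trace tells you which side to look at next.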