Netgate Discussion Forum

NAT through openvpn tunnel

OpenVPN
    wessel
    last edited by Jun 21, 2016, 9:46 PM

    Hi,

    I'm having trouble accessing a server behind an openvpn site-to-site tunnel.

    My setup is:

    A. pfsense 2.2.6 with openvpn server  <- tunnel -> B. pfsense 2.3.1 with openvpn client
            10.111..                                                          10.99..

    The two networks can access each others servers fine so the tunnel is working.

    But a NAT rule on A's internet address which forwards to a 10.99.* address does not work. If I telnet to this port from the outside I never get a response. I guess it's a firewall issue, but I can't find it.

    I'm preparing a move from location A to location B, that's why I would like to pass some traffic through the tunnel.

    Any help is welcome. Thanks. Wessel

      viragomann
      last edited by Jun 21, 2016, 10:39 PM

      I presume your site B pfSense has a WAN gateway defined.
      So if you forward packets from site A over VPN, response packets from B will be directed to the WAN gateway, since this is the default route.

      @wessel:

      I'm preparing a move from location A to location B, that's why I would like to pass some traffic through the tunnel.

      So it will be okay to change the default route to the VPN server, I think. This can be done by checking "Redirect Gateway" in the OpenVPN server settings at site A.
      If you do that, ensure that you have an outbound NAT rule at site B to translate source IPs to the interface IP on the OpenVPN interface.

      If you don't want to route the whole upstream traffic over VPN from B, you can either route the traffic back to A or do NAT. But I think routing will not be an option, since you're not able to differentiate which destinations are to be routed over VPN.

      To NAT, just add an outbound NAT rule at site A for the OpenVPN interface with destination = the subnets at B and translation = interface address. But with that, any access that comes over VPN seems to come from the VPN server itself and you have no way to determine the origin source address at site B.

        wessel
        last edited by Jun 21, 2016, 10:57 PM

        @viragomann:

        To NAT, just add an outbound NAT rule at site A for the OpenVPN interface with destination = the subnets at B and translation = interface address. But with that, any access that comes over VPN seems to come from the VPN server itself and you have no way to determine the origin source address at site B.

        You are a genius!

        This outbound NAT rule (+ Hybrid Outbound NAT rule generation option) fixed it.
        I can now access the SMTP ports on the new B location via the ip address & ports on the old A location!

        This will make my migration much easier (there are quite some domains running on it).

        Thanks a lot!

        regards, Wessel

          necron
          last edited by Aug 2, 2016, 7:00 PM

          Hi wessel and viragomann,

          Hope you have some time to help me with a similar issue.
          When I create a new (2nd) OpenVPN server (peer-to-peer with shared key) the option 'redirect gateway' disappears.
          Furthermore, where did you create an outbound NAT rule?

          Hope to hear from you!
          Cheers.

          Edit: Let me clarify some elements.

          SiteA with WAN 1.1.1.1 and LAN 192.168.10.0/24
          SiteB with WAN 2.2.2.2 and LAN 192.168.20.0/24
          @SiteA I want to portforward SMTP to a machine located at SiteB (192.168.20.11).

          With the OpenVPN p2p connection established I can telnet from a SiteA machine to the SMTP port in SiteB, routing works.
          However, I can not do so from an external host via SiteA 1.1.1.1:25 which is NAT'd to 192.168.20.11:25.
          When I create an Outbound NAT rule (with Hybrid NAT as wessel pointed out) I cannot telnet anymore, not even internally.

            viragomann
            last edited by Aug 2, 2016, 8:39 PM

            @necron:

            When I create a new (2nd) OpenVPN server (peer-to-peer with shared key) the option 'redirect gateway' disappears.

            "Redirect gateway" isn't necessary for P2P. At each site, server and client, you can add "Remote Networks" to be routed to the other site.
            Requirement to function: Both nodes must be the default gateway.

            @necron:

            However, I can not do so from an external host via SiteA 1.1.1.1:25 which is NAT'd to 192.168.20.11:25.
            When I create an Outbound NAT rule (with Hybrid NAT as wessel pointed out) I cannot telnet anymore, not even internally.

            This only works with NAT. An outbound NAT rule at site A like wessel's should do the job.
            Is the route to 192.168.20.11 set correctly at A? This also requires the B node to be the default gateway at 192.168.20.11.

              necron
              last edited by Aug 3, 2016, 7:35 AM

              Thanks for your reply viragomann.

              I 'kind of' got it working, however, the first connect fails but the second succeeds (every time…)
              Setup now:

              Site A, 192.168.10.0/24, OpenVPN Server p2p with a tunnel network of 10.0.8.0/24 and a remote network of 192.168.20.0/24. Def GW 192.168.10.1.
              Site B, 192.168.20.0/24, OpenVPN Client p2p with same 10.0.8.0/24 as tunnel and a remote network of 192.168.10.0/24. Def GW 192.168.20.1

              Site A has an outbound NAT rule for OpenVPN interface, source any, destination 192.168.20.0/24 for OpenVPN address
              Site B has an outbound NAT rule for OpenVPN interface, source 192.168.10.0/24 with any sourceport, dest and destport for OpenVPN address.

              I think it has something to do with the 10. range being used for the p2p connection, but I'm no routing expert.
              What would be the advice here?

                meluvalli
                last edited by Oct 4, 2017, 8:41 AM

                @viragomann:

                I presume your site B pfSense has a WAN gateway defined.
                So if you forward packets from site A over VPN, response packets from B will be directed to the WAN gateway, since this is the default route.

                @wessel:

                I'm preparing a move from location A to location B, that's why I would like to pass some traffic through the tunnel.

                So it will be okay to change the default route to the VPN server, I think. This can be done by checking "Redirect Gateway" in the OpenVPN server settings at site A.
                If you do that, ensure that you have an outbound NAT rule at site B to translate source IPs to the interface IP on the OpenVPN interface.

                If you don't want to route the whole upstream traffic over VPN from B, you can either route the traffic back to A or do NAT. But I think routing will not be an option, since you're not able to differentiate which destinations are to be routed over VPN.

                To NAT, just add an outbound NAT rule at site A for the OpenVPN interface with destination = the subnets at B and translation = interface address. But with that, any access that comes over VPN seems to come from the VPN server itself and you have no way to determine the origin source address at site B.

                I know this an old post and I apologize for replying in it, but was hoping you could help a little more on this…

                I have the exact same setup.  I am doing this for a mail server, so I must know the origin source from site A.

                Is this possible?  Right now it's showing everything is coming from my VPN server address.

                  viragomann
                  last edited by Oct 4, 2017, 10:55 AM

                  @meluvalli:

                  I have the exact same setup.  I am doing this for a mail server, so I must know the origin source from site A.

                  Is this possible?  Right now it's showing everything is coming from my VPN server address.

                  And like wessel you have forwarded internet traffic from A to a server behind B and also want to access it from other devices in A LAN network?
                  And B also has its own upstream gateway?

                    meluvalli
                    last edited by Oct 4, 2017, 5:48 PM

                    @viragomann:

                    @meluvalli:

                    I have the exact same setup.  I am doing this for a mail server, so I must know the origin source from site A.

                    Is this possible?  Right now it's showing everything is coming from my VPN server address.

                    And like wessel you have forwarded internet traffic from A to a server behind B and also want to access it from other devices in A LAN network?
                    And B also has its own upstream gateway?

                    On site A I have:
                        Firewall NAT --> B.
                        Outbound Mappings (2 of them):
                            Interface: OpenVPN
                            Destination: 10.99.0.0 (B Network)
                            NAT Address: OpenVPN Address

                            Interface: WAN
                            Source: 10.99.0.0 (B Network)
                            NAT Address: Interface Address

                    Then on site B I have:
                        Default Gateway Set for VPN

                    This all works, but anything coming from site A to 10.99.. shows from my VPN address (192.168..)

                      viragomann
                      last edited by Oct 4, 2017, 7:57 PM

                      Deactivate or delete the first one of the outbound NAT rules you've listed.

                      What was the reason for adding that rule? Since the S2S VPN is the default gateway on B you won't need it.
                      Ensure that the vpn routes are set correctly (Local network, Remote network).

                        meluvalli
                        last edited by Oct 5, 2017, 7:21 PM

                        @viragomann:

                        Deactivate or delete the first one of the outbound NAT rules you've listed.

                        What was the reason for adding that rule? Since the S2S VPN is the default gateway on B you won't need it.
                        Ensure that the vpn routes are set correctly (Local network, Remote network).

                        When I remove the first Outbound rule, then it doesn't work at all.

                        I think I may have this really mixed up…  I'm re-looking at your original answer...
                        @viragomann:

                        So it will be okay to change the default route to the VPN server, I think. This can be done by checking "Redirect Gateway" in the OpenVPN server settings at site A.
                        If you do that ensure, that you have an outbound NAT rule at site B to translate source IPs to interface IP on OpenVPN interface.

                        From looking at that response, it appears I should have default gateway set for VPN on Site A's network (Not Site B's).
                        And then the outbound NAT Rule would be on Site B.

                        Again, I am trying to forward incoming connection from Site A to Site B.

                        So would this be correct?  I have the Default Gateway set for the VPN on Site B (Not site A).  And I have the Outbound Rule on Site A (Not Site B)…

                          viragomann
                          last edited by Oct 6, 2017, 10:23 AM

                          @meluvalli:

                          When I remove the first Outbound rule, then it doesn't work at all.

                          What exactly??
                          A LAN > B LAN
                          Internet > A WAN > B LAN
                          both?

                          If your routes are set well and B uses the VPN as default gateway, there is no need for NATting between A and B. You only need an additional outbound NAT rule at A WAN for the B site's LAN, only for upstream connections.

                            meluvalli
                            last edited by Oct 8, 2017, 6:20 AM

                            @viragomann:

                            @meluvalli:

                            When I remove the first Outbound rule, then it doesn't work at all.

                            What exactly??
                            A LAN > B LAN
                            Internet > A WAN > B LAN
                            both?

                            If your routes are set well and B uses the VPN as default gateway, there is no need for NATting between A and B. You only need an additional outbound NAT rule at A WAN for the B site's LAN, only for upstream connections.

                            NAT A -> B is what doesn't work.

                            Both A & B can get out fine.  But incoming connections from site A won't go to site B.  When I add back in that top outbound route, it works, but all traffic coming from A -> B shows as my VPN IP instead of the actual address of who's coming in.

                              Derelict LAYER 8 Netgate
                              last edited by Oct 8, 2017, 8:18 AM

                              https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

                              Pay close attention to assigning an interface on the destination server side and that the rules passing the traffic there cannot match on the OpenVPN group tab but must match on the assigned interface tab instead.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                meluvalli
                                last edited by Oct 12, 2017, 5:09 AM

                                @Derelict:

                                https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

                                Pay close attention to assigning an interface on the destination server side and that the rules passing the traffic there cannot match on the OpenVPN group tab but must match on the assigned interface tab instead.

                                Derelict:  I have made sure I don't have allow all on both OPT1 and OpenVPN tab.  Still have same issue.  Anything coming in from site A to site B show as my OpenVPN server's IP instead of coming from true IP of Client on WAN side.

                                :(

                                  Derelict LAYER 8 Netgate
                                  last edited by Oct 12, 2017, 6:03 AM

                                  Then you are still performing NAT there. Turn that off.


                                    meluvalli
                                    last edited by Oct 13, 2017, 7:09 AM

                                    Ok!  Got it working finally!

                                    Thank you both for your help!  I tried to give thanks to both, but system wouldn't let me :(  Can only give thanks to one of you :(

                                    Ok, so it turns out you were both right.    I needed the firewall setup for the opt1 and not the OpenVPN.  This was part of the fix.

                                    The other part of the fix was removing the first Outbound rule as suggested by viragomann.  When I tested this before, it wasn't working….  Come to find out, it doesn't work if I telnet from A to B back to A.  I had to test it from an outside source and it worked.  I was thinking it was broken because i couldn't telnet into it from A's pfSense box...  pfSense doesn't like going out from A to B and back to A for some reason, but I'm ok with this!

                                    I'm just VERY thankful it works and wanted to say thank you to the both of you!!!!!

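The following is an added example, not code from this thread, from pfSense or from Netgate. It models the two firewalls as routing tables plus the port forward and outbound NAT rules discussed above, so the four combinations the thread goes through can be compared side by side: viragomann's outbound NAT on A's OpenVPN interface (the fix wessel used, with the server seeing the tunnel address), the same rule with no default route change at B, B's default gateway pointed at the tunnel without that rule (meluvalli's final configuration, which preserves the client's real address), and both at once (meluvalli's interim state). Addressing follows necron's post (A WAN 1.1.1.1, A LAN 192.168.10.0/24, B LAN 192.168.20.0/24, mail server 192.168.20.11, tunnel 10.0.8.0/24); the tunnel endpoint address 10.0.8.1, the interface names, the Internet client 203.0.113.5 and the assumption that B's automatic outbound NAT rewrites replies leaving its WAN are all constructed for the model. It deliberately does not model pf state tables or firewall pass rules (Derelict's point about the assigned interface) nor the A LAN -> A WAN -> B hairpin meluvalli found did not work.

```python
"""
Added example (not from the forum thread or pfSense): a small model of the
two firewalls so the NAT/route combinations discussed above can be compared.
Addressing follows necron's post; the tunnel endpoint 10.0.8.1, the interface
names and the Internet client 203.0.113.5 are assumptions for the model.
"""
from ipaddress import ip_address, ip_network

A_WAN, A_TUN = "1.1.1.1", "10.0.8.1"           # site A: OpenVPN server (assumed endpoint)
B_WAN = "2.2.2.2"                               # site B: OpenVPN client
A_LAN, B_LAN, TUN = "192.168.10.0/24", "192.168.20.0/24", "10.0.8.0/24"
MAIL = "192.168.20.11"                          # SMTP server behind B
CLIENT = "203.0.113.5"                          # constructed Internet client

# Routing tables as (network, interface). A always reaches B's LAN over the tunnel.
ROUTES_A = [(A_LAN, "lan"), (B_LAN, "ovpns1"), (TUN, "ovpns1"), ("0.0.0.0/0", "wan")]

def routes_b(default_via_vpn):
    """B's table; its default route is either its own WAN or the tunnel."""
    return [(B_LAN, "lan"), (A_LAN, "ovpnc1"), (TUN, "ovpnc1"),
            ("0.0.0.0/0", "ovpnc1" if default_via_vpn else "wan")]

def route(table, dst):
    """Longest-prefix match, returning the outgoing interface."""
    addr = ip_address(dst)
    best = None
    for net, iface in table:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]

def deliver(nat_on_a_tunnel, b_default_via_vpn):
    """
    Trace one SMTP connection from CLIENT to A's WAN address.

    nat_on_a_tunnel:   viragomann's outbound NAT rule at A on the OpenVPN
                       interface (destination = B subnets, translation =
                       interface address).
    b_default_via_vpn: B's default gateway is the tunnel instead of B's WAN.

    Returns the source the mail server sees, the interface B sends its reply
    out of, the source the client sees on that reply, and whether the
    connection can complete.
    """
    src, dst = CLIENT, A_WAN
    # A, WAN inbound: port forward 1.1.1.1:25 -> 192.168.20.11:25
    dst = MAIL
    out_a = route(ROUTES_A, dst)
    # A, outbound NAT on the OpenVPN interface for traffic to B's subnets
    if nat_on_a_tunnel and out_a == "ovpns1" and ip_address(dst) in ip_network(B_LAN):
        src = A_TUN
    server_sees = src

    # The server answers; B routes the reply by its destination.
    reply_dst = src
    out_b = route(routes_b(b_default_via_vpn), reply_dst)
    if out_b != "ovpnc1":
        # Asymmetric path: the reply leaves B's own WAN. B's automatic outbound
        # NAT (assumed) rewrites its source to 2.2.2.2, so the client gets a
        # SYN/ACK from an address it never connected to and the handshake fails.
        return {"server_sees": server_sees, "reply_via": out_b,
                "client_sees": B_WAN, "ok": False}

    # Reply arrives at A over the tunnel: undo the outbound NAT (if any) and
    # the port forward, so the client sees its reply come from 1.1.1.1.
    if reply_dst == A_TUN:
        reply_dst = CLIENT
    return {"server_sees": server_sees, "reply_via": out_b,
            "client_sees": A_WAN, "ok": reply_dst == CLIENT}

def compare():
    """All four combinations, keyed by (NAT on A tunnel, B default via VPN)."""
    return {(n, d): deliver(n, d) for n in (False, True) for d in (False, True)}

if __name__ == "__main__":
    for (n, d), r in compare().items():
        print(f"NAT on A tunnel={n!s:5} B default via VPN={d!s:5} -> "
              f"server sees {r['server_sees']:<13} reply via {r['reply_via']:<7} ok={r['ok']}")
```

Running it prints one line per combination. The two rows with `ok=True` and `server sees 10.0.8.1` are wessel's working setup (the server logs the tunnel address, which is what meluvalli wanted to avoid); the row with `ok=True` and `server sees 203.0.113.5` is the configuration meluvalli ended with, where B's default route goes through the tunnel and no source NAT is applied at A. The `ok=False` row is the asymmetric-routing case from viragomann's first reply: the reply takes B's own WAN, so the client never gets an answer from 1.1.1.1.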
                                      akron
                                      last edited by Feb 12, 2018, 10:13 AM

                                      @meluvalli:

                                      Ok!  Got it working finally!

                                      Thank you both for your help!  I tried to give thanks to both, but system wouldn't let me :(  Can only give thanks to one of you :(

                                      Ok, so it turns out you were both right.    I needed the firewall setup for the opt1 and not the OpenVPN.  This was part of the fix.

                                      The other part of the fix was removing the first Outbound rule as suggested by viragomann.  When I tested this before, it wasn't working….  Come to find out, it doesn't work if I telnet from A to B back to A.  I had to test it from an outside source and it worked.  I was thinking it was broken because i couldn't telnet into it from A's pfSense box...  pfSense doesn't like going out from A to B and back to A for some reason, but I'm ok with this!

                                      I'm just VERY thankful it works and wanted to say thank you to the both of you!!!!!

                                      I have the exact same setup as you and also facing the issue of removing the First Outbound rule from site A, the NAT stops working.

                                      I can live with all my traffic showing as coming from the VPN but wanted to know how did you achieve the clean NAT from Site A to site B without the first outbound rule on the VPN interface

                                      Cheers

                                        akron
                                        last edited by Feb 12, 2018, 11:01 AM

                                        @Derelict:

                                        Then you are still performing NAT there. Turn that off.

                                        Would you be able to explain?

                                        Thank you

                                        • B bartounet16000 referenced this topic on Aug 21, 2022, 2:16 PM
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.