How to NAT through a OpenVPN connection to my LAN
-
Pretty sure my issue is routing, but not sure how to accomplish.
Here's the scenario. I have pfSense running on a VPS with a static public address. It then connects via OpenVPN to my home network, which is on a dynamic public address. I can ping either side's local network from the other.
My goal is to have a server on the home LAN accessible via the public address on the VPS.
Public VPN Server (222.222.222.12)--- VPS LAN (10.0.1.0) ----- HOME LAN (10.0.2.0) ----- HOME SERVER (10.0.2.10)
Transport subnet for OpenVPN 172.16.20.0/24
Thoughts?
-
@boeingpilot said in How to NAT through a OpenVPN connection to my LAN:
It then connects via OpenVPN to my home network, which is on a dynamic public address.
Why don't you use a dynamic DNS for the service instead of forwarding?
What is the home OpenVPN endpoint? Is it a router?
-
I am trying to install a new email server at home. My ISP blocks this. The goal is to have a static IP on my VPS which is open to the email server, tunnel this back to my home network and server.
-
@boeingpilot
Sounds like you want your VPS to be an e-mail "Smarthost server", and then just set your private e-mail server to use the VPS server as "Smarthost".

*** TLDR ***
I once had an ISP that made a neat e-mail blocking trick, allowing private servers, but not the direct connection to them.
They had an ISP public reachable e-mail (caching) server: "ispmailserver.isp.com", that would accept e-mails from/to "everyone".
And I had my "privatemailserver.mydomain.com"
The trick was to make two MX records for the e-mail domain.
Where your private server had a higher MX priority than the ISP server.
privatemailserver.mydomain.com MX 10
ispmailserver.isp.com MX 20
Now when an external e-mail server tries to connect to privatemailserver.mydomain.com, the access was blocked, and after some time the external server would try the lower priority server (MX 20), and succeed.
The ISP server would then try to deliver the e-mail, and look up the servers for the mail domain and use the higher priority (private) server (that was reachable on the ISP internal net), and forward the e-mail to the private server.
I always thought of this as a neat trick.
Edit:
Another trick I have used (when my ISP blocked TCP 25, outbound), and I had an own controlled external e-mail server, was to set linux iptables (on the external server) to forward port 25 to 2525, that wasn't blocked on the ISP net.
Then I could just use port 2525 on my local e-mail clients, and still contact the external e-mail server on that port.
The external server didn't need any additional config, as all 2525 traffic was rerouted to 25, before the external e-mail server saw the traffic.
/Bingo
-
@boeingpilot
What is the VPN endpoint at home? The SMTP server itself?
To get the forwarding to work properly, your home site either has to direct the whole upstream traffic over the VPN (default route) or the VPN has to be managed by a Multi-WAN capable router device like pfSense.
-
@viragomann Home is a pfSense firewall. So, as a recap - I have a pfSense router running on a VPS (I use this as my VPN when I travel out of the US). It connects via peer-to-peer to my home router. As stated, I can ping 'lan' of each router to the other no problem.
-
@boeingpilot
Ah ... i misunderstood your req.
What is your VPN IP address, when connecting to the VPS "VPN"?
Can you ping "Home Lan" when connected to the VPS pfSense "VPN"?
-
@bingo600 I am not currently routing 'public' VPN on VPS to my home. That said, there is a peer-to-peer link between the two.
so -- If I'm on the GUI on the VPS pfSense, I can use the ping utility to ping my home network. Likewise, if I'm on a computer on my home network, I can ping the 'lan' IP of the VPS pfSense. So basic connectivity between the two is established.
I'm sure this is a basic routing issue, and that is where my knowledge is at its weakest.
Just to recap - I would like to have all the necessary ports to run my email appear at the public IP of the VPS pfSense, and route back via NAT to my email server on my home LAN.
(not that it makes a difference, but the home email service will be Zimbra OSE collaboration server)
In case anyone is wondering why I'm going through this tomfoolery....
I was fortunate enough 10+ years ago to snag a free Google for Domains account, and have had my personal email (my own domain) hosted on Google for free. Google has announced that they are bringing that to an end. Not the end of the earth, but I'm running 5 or so email boxes on my domain for family. Don't really want to purchase email hosting (yes I'm 'frugal'). Since I'm running Zimbra for several businesses, I'm fairly comfortable with the product, and it's easy enough to gin up another instance as a VM on one of my project PCs. The rub is, I'm on a residential internet connection, and besides that email servers are blocked, it's a dynamic address. By tunneling from my legitimate static public address on the VPS, I bypass their blocking, and all my email comes and goes via that static address.
-
@boeingpilot
I seem to be constantly missing your target/goal:
My goal is to have a server on the home LAN accessible via the public address on the VPS.
Technically (As you have pfSense handling the public ip on the vps ?)
You should be able to NAT/Portforward ie. your VPS-Public-IP - "Port xxx" to "Home-Server-IP" - "Port xxx"
That would be done on the VPS pfSense.
If you can ping "Home-Server" from the pfSense VPS, I'd expect the routing to be ok.
You might have to allow some firewall rules along the interfaces, where traffic passes.
-
@boeingpilot
Okay. What you didn't say is if you want to use the VPS as default gateway. But I'm assuming you don't.
So on the VPS you can simply forward the traffic to the SMTP server at home, since the route is already working.
On the home pfSense you have to assign an interface to the OpenVPN instance, if you didn't that already.
This will bring up a new firewall rule tab. On this you have to add a rule for allowing the incoming traffic from the remote site. Consider that the source has to be "any" as these are packets from public sources.
On the OpenVPN tab you have to modify the rule so that it does not match the forwarded traffic.
As I got you, you want to use the same OpenVPN server for accessing your private network from remote. So you can set the source in the pass rule to your tunnel network, which is sufficient for your needs.
Ensure that no pass rule on the OpenVPN tab and also no floating pass rule matches the forwarded traffic.
Edit:
Have to add, that your home pfSense has to be on 2.5.2. There was a bug in the former release which would cause this to fail.
-
@viragomann Yes, that's along the lines I was thinking. I'm traveling this week. Tried that, but then it took out my remote access to my home network (oops!). Fortunately I was able to remote back in through a different point-to-point (I have multiple to support multiple offices) and undo that.
I'm traveling for the next week, but once I'm back home will get back on the issue. At least if I'm physically at home, if I totally screw it up I don't necessarily lock myself out or crash the home firewall.
-
@boeingpilot
Also consider the option to set up a second OpenVPN connection. I'm thinking to run the server on the VPS, since it has a static IP.
However, the rule setup I mentioned above has to be exactly the same.
I was assuming you need incoming connections only on the SMTP server. If you also need outbound using the VPS IP, you have to configure a CSO for the VPS client on the home pfSense, when using only one (multi purpose) server, to let OpenVPN know the proper route. And you will have to policy route the server's outbound connections to the remote site.
Additionally on the VPS you would need an outbound NAT rule for the SMTP server.
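The rule set viragomann describes in the two posts above (port forward on the VPS, the assigned-interface pass rule and narrowed OpenVPN-tab rule at home, and the outbound NAT for the server's own outgoing mail), written out in pf syntax roughly as pfSense renders rules in /tmp/rules.debug. This is an added illustration, not the poster's configuration or pfSense's actual output. Assumed: TCP 25 as the example mail port, vtnet0 as the VPS WAN interface, the OpenVPN client assigned as ovpnc1 on the home pfSense, and 172.16.20.1 as the VPS end of the tunnel.

```pf
# ---- VPS pfSense (public IP 222.222.222.12, assumed WAN interface vtnet0) ----
# Port forward: public :25 -> home server. In pfSense one Firewall > NAT >
# Port Forward entry produces both the rdr line and its linked pass rule.
rdr on vtnet0 proto tcp from any to 222.222.222.12 port 25 -> 10.0.2.10 port 25
pass in quick on vtnet0 inet proto tcp from any to 10.0.2.10 port 25 flags S/SA keep state

# Outbound NAT so mail the home server sends across the tunnel leaves with the
# VPS address. Only needed when the server's outbound SMTP is policy-routed to
# the VPS, as described in the last post.
nat on vtnet0 from 10.0.2.10 to any -> 222.222.222.12

# ---- Home pfSense ----
# Rule on the ASSIGNED interface tab (ovpnc1). Source is "any": the forwarded
# packets still carry the Internet sender's address. pfSense adds reply-to on
# assigned-interface rules, so replies go back through the tunnel rather than
# out the home WAN (which would break the asymmetric path).
pass in quick on ovpnc1 reply-to (ovpnc1 172.16.20.1) inet proto tcp from any to 10.0.2.10 port 25 flags S/SA keep state

# Rule on the OpenVPN group tab, used for remote access only. Group rules are
# evaluated before the assigned-interface rules and get no reply-to, so its
# source is narrowed to the tunnel network so it can never match the
# forwarded mail traffic first. No floating pass rule may match it either.
pass in quick on openvpn inet from 172.16.20.0/24 to 10.0.2.0/24 keep state
```

A quick way to confirm the ordering on the home box is to read /tmp/rules.debug after saving the rules and check that the "any" rule for the server only appears on the ovpnc1 interface and carries reply-to.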